Microsoft: We do not give the NSA keys to bypass email encryption

Summary: Microsoft says it does not provide the NSA or any U.S. government agency with the ability to bypass its encryption or give 'direct access' to user data.

TOPICS: Microsoft, Security

Microsoft has denied claims first surfaced last week that it gave the U.S. government the ability to bypass its email and storage encryption or other security measures.

The Guardian newspaper on Thursday claimed that Microsoft had helped the U.S. National Security Agency (NSA) to "circumvent its encryption" to enable Web chats on its Outlook.com service to be intercepted.

The paper also claimed that Microsoft "developed a surveillance capability" to deal with encryption issues that the intelligence agency faced.

Skype, which was acquired by Microsoft in October 2011, is claimed to have also worked with U.S. intelligence agencies to allow NSA analysts to access video and audio conversations through PRISM.

Microsoft's general counsel Brad Smith denied these claims in a note published on Tuesday, labeling such reports as having "significant inaccuracies in the interpretations of leaked government documents reported in the media last week."

Microsoft's chief lawyer confirmed, however, that the software giant did discuss legal compliance with the U.S. government, as the report stated. "In none of these discussions did Microsoft provide or agree to provide any government with direct access to user content or the ability to break our encryption," he confirmed.

The company believes it has a constitutional right to free speech to share more information about its alleged cooperation with the government, and yet it is being prevented from doing so.

Citing a petition filed in court on June 19, Microsoft said it had yet to receive a response from the court on seeking permission to publish the specific number of "national security requests" the company gets from the U.S. government. These requests are secret, and only in the past couple of years have they been released, albeit in number ranges rather than specific figures.

In regards to Outlook.com, which now has 400 million active users since the Hotmail switch-off in May, Smith said: "We do not provide any government with direct access to emails or instant messages. Full stop."

He noted that like all communication service providers, Microsoft must comply with governments to turn over specific account data, subject to a valid warrant or court order.

"This is true in the United States and other countries where we store data. When we receive such a demand, we review it, and, if obligated to, we comply," Smith said.

He directly hit back at encryption-bypass claims, as suggested by the documents seen but not released by The Guardian last week, saying: "We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts."

Smith noted that the U.S. government is not given any ability to "break the encryption" that the company uses to transport data from user to user.

He clarified that data is stored on Microsoft's servers "in an unencrypted state," so that it can be handed to government agencies subject to valid orders.

For SkyDrive, changes were made in 2013 to comply with an increase in requests from governments around the world, but Microsoft confirmed that the process for receiving SkyDrive files is the same as for any other legal request by any government, home or abroad.

Smith also confirmed that though Skype switched to a "supernode" system before Microsoft acquired the Internet calling service, Microsoft insists these changes "were not made to facilitate greater government access to audio, video, messaging, or other customer data."

Skype's principal architect Matthew Kaufman confirmed this in an email list reply in late June, saying Skype's move to the cloud was for scalability, not surveillance reasons. Kaufman, however, declined to comment at the time on whether the infrastructure change made wiretapping and surveillance easier for governments.

Smith also noted that should Microsoft receive a request for data belonging to business or enterprise customers, the company will forward the request to the customer unless it is prevented from doing so.

Under the Patriot Act, which significantly expanded the use of National Security Letters (NSLs), or so-called gagging orders, Microsoft may not be allowed to disclose to the customer that it had to hand over their data for law enforcement purposes.

This remains rare, Microsoft said. In its 2012 transparency report released earlier this year, the software giant said it had only complied with four requests. In three of those instances, Microsoft informed the customer.

"In the fourth case, the customer received the demand directly, and asked Microsoft to produce the data," Smith wrote.

Smith reiterated that Microsoft only responds to requests for specific accounts and identifiers, ruling out unfettered or "direct access" to its servers. The company also refuted "blanket or indiscriminate access" to customer data, hinting at but not directly naming the Foreign Intelligence Surveillance Act (FISA), which is understood to have been used against telcos to acquire vast amounts of data on fiber cables.

PRISM is just one strand of a two-pronged operation out of the NSA's mass surveillance program. PRISM is designed to be used in conjunction with another system.

The second program, dubbed "Upstream," applies to Tier 1 fiber companies. Investigative reporting by ZDNet in June detailed how those companies were likely ordered under law to allow U.S. intelligence agencies to wiretap vast amounts of data belonging to U.S. citizens and foreign nationals.


Talkback

78 comments
  • Of course the problem is...

    when you keep everything secret people suspect everything you do.
    NoAxToGrind
    • If there was no privacy, mayhem would ensue

      If Google gets to know everything Apple is doing and vice versa, how would you be able to conduct business? Why not install cameras in your bedroom and feed the signal to your neighbors?

      BTW MS submits all their source code to the US government as a condition of the government trusting to use Windows et al on their machines. Trust and privacy do exist in this world. We can't have just one though.
      LarsDennert
      • Uh, no (about "submitting the source code")

        As I understand it, governments, and corporations, can get access to Windows source code in read-only form under standard support agreements. This has nothing to do with any conditions imposed by the US or other government.

        I also understand (this is from memory from several years ago) that some security software isn't included in the disclosed source (which kind of negates what you are saying).

        This isn't new. I can remember being a Microsoft customer (I was at a large customer) and being one of 4 folks there who had access to Windows NT's source code.
        Flydog57
        • Only a handful of people know what's in Windows

          Windows is on every single computer in the world and nobody but nobody knows what is in it. It's in your home, at work and nobody but nobody knows what is in it. This is scary as the computer is the best bugging device in the world. Microsoft's Always-On policy and the sonar which is in the now mandatory kinect device can see in the dark. Microsoft Windows has all this information and is connected to the internet and nobody but nobody knows what is on their computers, in their houses, at their places of work. Nobody knows what is in Windows.
          tjordanchat
          • I know

            I have WinHex
            I can read every bit of my computer.

            Thank You
            Ashtonian
  • I have a bridge in Brooklyn

    Somehow this smells like very poorly done damage control. Next we will hear how the NSA gets the keys. Drip ... drip...drip...
    Linux_Lurker
    • You're right, this smells like very poorly done damage control

      on your part.

      You took it verbatim what the Guardian claimed, hoping it was true, because it was about MS, finding out it wasn't

      You know that with MS on record as stating it was all untrue, and with revealing the documents would prove that (something the Guardian hasn’t done, hoping we’ll just “take their word” on it) I think it's pretty safe to assume you're realizing MS didn’t do what was claimed.

      Why would they say that on record if they knew that release of the documents would make them look foolish?

      Next we’ll hear how you were brainwashed. Drip ...drip...drip...

      :)
      William Farrel
      • like for example...

        "We use encryption"
        And
        "Everything is stored on our servers unencrypted"
        "So that we can fulfill orders to hand data quickly"

        Adds up nicely, eh?
        danbi
        • Cuz you're an unbiased source when it comes to MS, huh?

          "My favorite companies never lie to their customers, but MS has to be lying all the time"

          That's what I read when you post something.
          Throw All The Things
      • Court Orders

        I have read many reports that companies are under FISA court orders not to reveal their cooperation with NSA. Since some reports finger MS as cooperating with NSA the court orders appear to force MS not to reveal the extent of the cooperation. What MS has given to the NSA is hidden but one should assume it is more than has been reported. By not fighting the court order MS has put its corporate reputation at risk. The real damage is not that many complain about the quality of MS products but customers do not trust MS over their cooperation with NSA.

        As the scandal unfolds even more damage is likely to occur to MS' reputation in a dripwise manner.
        Linux_Lurker
      • Actually,

        If you look on The Guardian's web site, they include the documents they refer to in that article. Just no links to those documents from the article mentioned. Pretty simple to find them there, though.

        So.... YES I believe The Guardian and verbatim. Microsoft has a history of outright lies, lies by omission and evasion of the truth in the past. The Guardian, in fact, has backed up their claims.
        benched42
  • Pants on fire!

    someone get MS a fire extinguisher.
    Neo2012
    • At some point, the truth of all this will likely be revealed

      Microsoft knows this. Knowing this, it would be spectacularly stupid to be spouting lies now - don't you think?

      The Microsofts, Googles, et al are in a very bad place right now. Someone is leaking secret government documents. These documents are getting interpreted (usually by non-technical folks) in a way to sell newspapers. Because of the secrecy imposed by the Patriot Act, no one can say "uh, no, here's the real truth".
      Flydog57
  • Paranoia = All Americans are probable terrorists

    It seems the authorities like NSA, police, and other government agencies are more paranoid than anyone else.
    dufas
    • No the problem is the old "Cake and eat too..."

      American people "the Gov't needs to protect us against these low intelligent thugs and events like 9-11 and New York etc..." but wait you cannot interfere in my personal affairs. You can't have it both ways. Crap like 9-11 will happen, or the NSA and such get to poke around and look for patterns. If there were a happy medium Lord knows UK and EU would have figured it out with their mess they have.
      ScanBack
      • And, not or

        Crap like 9-11 will happen AND the NSA gets to listen to everyone. Prism did nothing to stop the Boston bombing.
        akaltman
        • Valid point to an extent

          Do you know how many terrorist plots DID Prism prevent?? 1, 10, 100, more?? Zero?
          Unless it can be shown that Prism stopped NOTHING, then the individuals whose lives were saved (could be you, could be me) should be grateful - VERY grateful. Problem is, we don't know whom amongst us fall into that category. The media sensationalizes security failures and will devote many news cycles to such, but barely mentions the successes or complains about the semantics behind them. The terrorists only have to get it right once to be considered successful. The folks protecting us have to get it right every time or else people die. What would your surviving family say if you were killed and the terrorist act doing so could have been prevented, but wasn't because intelligence gathering was blocked?
          jimsj
      • Learn what you are taught and nothing else.

        If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom.

        Dwight D. Eisenhower
        trust2112
  • Microsoft's cloud has no silver lining

    With a secret program like this, enough doubt will remain over Microsoft's cooperation with the NSA that they can kiss their cloud ambitions good bye.
    akaltman
    • I disagree. I think the fact that they publicly stated this

      tells users the real story, so their cloud ambitions will remain fine.

      The Guardian on the other hand will now be looked at with suspicion, people wondering what large competitor of MS's put them up to this, IMHO.
      William Farrel