Microsoft accused of handing NSA access to encrypted messages

A report following the U.S. government's outed spying program accuses Microsoft of handing over secure and encrypted emails and messages to the National Security Agency.
Written by Zack Whittaker, Contributor

Latest reports from The Guardian accuse Microsoft of close collaboration with the National Security Agency (NSA), a month after the first disclosures came detailing the U.S. government's mass surveillance program.

The report, published on Thursday, cites a document provided by former NSA contractor turned whistleblower Edward Snowden, which is claimed to indicate the "scale of co-operation" between Silicon Valley technology giants and the intelligence community.

The document, which was not published at the time of The Guardian's initial reporting, is also understood to shed new light on the PRISM program, a system that is believed to automate the process in which orders under the Foreign Intelligence Surveillance Act (FISA) are issued to data-holding companies.

Among the allegations, the files provided by Snowden seem to show Microsoft helped the NSA "circumvent its encryption" to enable Web chats to be intercepted in its Hotmail replacement, Outlook.com. The report cites an NSA internal December newsletter, stating that Microsoft "developed a surveillance capability" to deal with encryption issues.

This was tested and went live in mid-December 2012, said the report, just months before Outlook.com replaced Hotmail in February 2013.

It's also alleged that Skype, which was bought by Microsoft in October 2011, worked with U.S. intelligence agencies to allow analysts to access video and audio conversations through PRISM.

PRISM is just one strand of a two-pronged operation within the NSA's mass surveillance program. It is designed to be used in conjunction with another system, dubbed "Upstream." Investigative reporting by ZDNet in June detailed how Tier 1 fiber companies were likely ordered under law to allow vast amounts of data belonging to U.S. citizens and foreign nationals to be wiretapped.

The new document is also understood to detail how the NSA shares data with the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI), in what is reportedly described as a "team sport." 

Another leaked slide from the Snowden collection in late June offered a wider picture of the PRISM program. The data flow diagram disclosed the role of the FBI's Data Interception Technology Unit (DITU), which works in conjunction with the NSA. The FBI's DITU is understood to be the unit acting domestically on U.S. soil to wiretap Tier 1 companies.

Skype said in 2008 that it "would not be able to comply" with wiretap requests.

However, in late June, just weeks after the PRISM program came to light, Skype principal architect Matthew Kaufman took to an email list to claim the move from peer-to-peer nodes to Microsoft-owned cloud servers was for scalability, not surveillance. 

However, later statements by Skype in mid-2012 state that, "Skype to Skype calls do not flow through our data centres." The Microsoft-owned unit stated: "These calls continue to be established directly between participating Skype nodes (clients)."

The FBI's DITU unit was also "working with Microsoft to understand an additional feature in Outlook.com which allows users to create email aliases, which may affect our tasking processes," according to another newsletter entry cited by the publication, dated April 2013. Just two months later in mid-June, Microsoft announced it would swap out linked accounts — multiple accounts that could be easily switched between — for aliases — which would allow users to set up multiple inboxes. The software giant said this was a security measure.

In a statement to the publication, Microsoft said it has "clear principles" which guide how the software giant deals with government demands for law enforcement. It also said it examines "all demands very closely, and we reject them if we believe they aren't valid."

"We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate."

In March, Microsoft revealed its first transparency report following pressure from civil liberties and privacy groups. Out of 75,300 requests, just 1,558 disclosures — or 2.2 percent — were made to law enforcement.

Microsoft emailed over the same statement to The Guardian, but reiterated that it "does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product."
