Microsoft 'alarmed' by NSA spying. (But let's not forget it knew about the risks at least two years ago)

Microsoft's chief lawyer compared the National Security Agency to hackers, and tried to reassure business users that their data was as safe as it can be. But the software giant knew about the effects of the Patriot Act at least two years ago. Why? I was the guy asking the questions.
Written by Zack Whittaker, Contributor

I almost choked on my coffee this morning.

Thanks to the ongoing spate of leaks from former U.S. government contractor Edward Snowden, we now have a much clearer picture — even if the water is still a little muddy — of the vast scale of the American and British mass global surveillance efforts. At the heart of the programs are the Silicon Valley giants, who continue to declare their innocence from complicity in handing over huge amounts of user and customer data.

Microsoft is just one of the named seven major companies at the heart of the scandal.

In a blog post published Wednesday night, Microsoft's chief lawyer Brad Smith said the company was "alarmed" by recent allegations that some governments were able to "circumvent" online security and legal processes and protections to collect data — hinting but not directly outing the U.S. National Security Agency and Britain's GCHQ.

Excuse me?

My first reaction: You knew about this at very least two years ago, when this then-22 years old London-dwelling reporter asked the company's then-U.K. managing director if the software giant could guarantee that European data wouldn't leave the EU "under any circumstances," even under a request by the Patriot Act.

It turns out the company couldn't. 

"Microsoft cannot provide those guarantees. Neither can any other company," Gordon Frazer said on the record, in view of about two-dozen journalists and reporters at the London launch of Office 365 in June 2011.

It was pretty big news at the time. ReadWrite grabbed it, as did Wired and Engadget, Ars Technica, and others. It was the first time a European company admitted that U.S. law could extraterritorially dip into EU-based companies owned by a U.S. corporation and take data at will for inspection by U.S. intelligence and law enforcement agencies.

The Europeans caught wind of this. According to my sources on the ground at the time, following a series of "WHAT?!"-type phone calls from Brussels-based bureaucrats, they were pissed. They were absolutely out-of-this-world incensed. 

It led to European Parliament members submitting questions in session to the European Commissioner in charge of justice, Viviane Reding, who spent the following years denying there was an issue, in a stubborn bid to save face amid concerns that the U.S. government had been circumventing what the EU thought to be "strong" Europe-wide data protection rules. 

The revelations ultimately led to a diplomatic spat between the EU and the U.S., which led Reding on a year-and-a-half backroom deal session to hammer out exactly what the U.S. could and couldn't do in regards to respecting European privacy laws. (Which as a result, like thousands of other Americans and foreign nationals, it wouldn't surprise me in the least to be "one of those" on a list that gets me singled out almost every damn time I get on a plane.)

Like others, Microsoft is joining the effort to bolster the encryption in its products and the links between its datacenters. It'll take until the end of 2014 — a far later timeline than Yahoo's efforts to ramp up security by just the first quarter.

But it's still a little bit too late considering the software giant was fully aware of these issues in June 2011. In fact, probably longer considering I had personally been banging the drum and in touch with Microsoft staff and legal counsel on a near-daily basis for months prior to my initial write-ups.

The software giant also said Wednesday will "take new steps to reinforce legal protections for our customers' data," by basically doing what it did in the past. It will notify business and government customers if the company receive legal orders related to their data. But if it can't, it won't. Microsoft may challenge gag orders (which they note it has done in the past — and successfully) but it may not win in every case. 

"And we'll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country," Smith wrote. Which, frankly, is at the very heart of the issue.

That's the crux of the problem. The Patriot Act, along with the Foreign Intelligence Surveillance Act (FISA), and other acts of law can still be used to circumvent the supra-national European-wide data protection laws. Just because a handful of specific NSA and GCHQ-related programs have been disclosed doesn't mean the law has changed. 

I hate to say, "I told you so," but, well... yeah.

Editorial standards