Microsoft confirms encryption across cloud services

Microsoft has confirmed that by the end of 2014, it will have encrypted all stored user content, any content transfers between itself and its users, as well as any transfer of customer data as it moves between its data centres.

Writing in a blog post, Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs, said that the company would use 2048-bit encryption keys and Perfect Forward Secrecy.

"All of this will be in place by the end of 2014, and much of it is effective immediately," Smith said. "We're working with other companies across the industry to ensure that data traveling between services — from one email provider to another, for instance — is protected."

In concert with the new encryption, Smith said that Microsoft would use legal means to ensure that customers were notified when legal orders related to their data are received by the company.

Special Feature

IT Security in the Snowden Era

The Edward Snowden revelations have rocked governments, global businesses, and the technology world. When we look back a decade from now, we expect this to be the biggest story of 2013. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices.

Read now

"Where a gag order attempts to prohibit us from doing this, we will challenge it in court," he said. "We've done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data."

"We'll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country."

Smith said that the company believes that governments should gain access to information and data in the same way it did before IT moved to the cloud, by going directly to Microsoft's customers, and that the company should only be propelled to disclose data in "the most limited circumstances".

"And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision."

It was reported last week that Microsoft intended to make such a move, and follows similar encryption announcements from Google and Yahoo.

The moves by the technology giants are a response to the Muscular program run by the NSA and GCHQ that allowed the spy agencies to tap the traffic moving between Google and Yahoo data centres.

Smith said that it was appropriate for Microsoft and governments to become more transparent on privacy and security issues.

"Ultimately, we're sensitive to the balances that must be struck when it comes to technology, security and the law," he said. "We believe these new steps strike the right balance, advancing for all of us both the security we need and the privacy we deserve."