Microsoft: Live@edu email not encrypted on cloud servers

Microsoft's outsourced email service for students, used by tens of millions of students worldwide, does not encrypt email data in their datacenters. So who could benefit from this?
Written by Zack Whittaker, Contributor

Microsoft's Live@edu service, used by tens of millions of students worldwide, does not encrypt data stored on their data centers in the cloud.

Before we really jump in here: even though I am using Microsoft as an example, primarily because they provide my student email through Outlook Live, it doesn't mean that other cloud services are playing fair with security when it comes to your data.

When students use Outlook Live, they are pushed through the Windows Live ID authentication process and presented with their inbox, secured over an HTTPS connection using 128-bit SSL. The average user will feel confident that their email is secure, knowing that the yellow padlock is present in their browser.

The connection from the client computer and web browser to the Exchange 2010 server where the student's email is held is secure. In fact I can go one step further and say that any connection in or out of the data center where the email is stored is secured and encrypted.

The data center itself is pretty secure: only vetted staff are allowed into the building, and network access is locked down to prevent any unauthorised access to the servers or any data. The only vague reference to data security in Microsoft's cloud is on pg. 18 of Microsoft's "Securing the Cloud" document, which states:

"...data assets falling into the moderate impact category are subject to encryption requirements when they are residing on removable media or when they are involved in external network transfers. High impact data, in addition to those requirements, is subject to encryption requirements for storage and for internal system and network transfers as well."

On the same page, some indication is given of exactly what these categories may entail with regard to the data assets:

"Highly sensitive assets require multifactor [sic] authentication, including such measures as password, hardware tokens, smart cards, or biometrics."

It makes sense for governments, but for ordinary university students, all you need is a username and a password. You can bet your bottom dollar that student email data is in the low category of data assets.

But this didn't prove anything; it was a mere hypothesis. I got in touch with a Microsoft director, who confirmed, after many stages of negotiating dialogue:

"The connection for mail is via SSL and the password is encrypted on the server. The data on the server is not encrypted. It is perhaps worth noting that access to the server doesn't equal access to the mail file, as the data is stored in a database which requires specific client software to access it."

There we have it. Student email data that is held in data centers around the world, usually as close to the students' physical location as possible, is not encrypted, even though the SSL connection between the client and the data center may suggest that the data is secured.

So why is this a problem?

Do you remember last month, when certain countries in the Persian Gulf banned certain BlackBerry devices and functions because the governments there could not monitor, intercept or access the data to aid counter-terrorism efforts? It is the same principle here, just in reverse.

From the BBC:

"BlackBerry handsets, made by Research in Motion (RIM), automatically encrypt messages and send them to computer servers in Canada. Concerned governments have said they want access to these messages and the keys to decrypt them.

RIM has said the company's products were "designed to preclude RIM, or any third party, from reading encrypted information under any circumstances since RIM does not store or have access to the encrypted data".

"RIM cannot accommodate any request for a copy of a customer's encryption key, since at no time does RIM, or any wireless network operator or any third party, ever possess a copy of the key."

Research in Motion, with its headquarters in Canada, is known worldwide for respecting the privacy of its customers, though perhaps not so much that of its own staff. The location of its data centers could also be part of a correlation shown before: universities and colleges in Canada are reluctant to move towards cloud computing.

Why? Because the vast majority of stable, cheap and reliable cloud services, and thus data centers, are housed in the United States, where the Patriot Act has primary jurisdiction.

If a Canadian company were providing cloud services to strictly Canadian citizens from a data center housed in Canada, the Patriot Act would have absolutely no powers. Student users in the EU have their email housed in Dublin, and therefore an EU 'protected' data center.

The rules which govern data transfer between the EU and the US (transfers needed for network load balancing, data backups and reliable uptime across Microsoft's cloud network), namely the US Safe Harbour agreement, are tenuous to say the least.

When I first wrote about it, you, the readers, put forward your theories and hypotheses. I cannot personally vouch for any particular comment or contributor, but the one thing that keeps cropping up is the Patriot Act.

While students studying in the United States can be provided student email through Outlook Live and similar competing services, a Patriot Act request would be made all the easier, in that the federal authorities are handed the cloud-stored, unencrypted email data on a plate.

All roads seem to flow back to the Patriot Act, don't they? Have your say, give your opinion: write a TalkBack.