Microsoft: We do not give the NSA keys to bypass email encryption

Microsoft says it does not provide the NSA or any U.S. government agency with the ability to bypass its encryption or give 'direct access' to user data.
Written by Zack Whittaker, Contributor

Microsoft has denied claims first surfaced last week that it gave the U.S. government the ability to bypass its email and storage encryption or other security measures.

The Guardian newspaper on Thursday claimed that Microsoft had helped the U.S. National Security Agency (NSA) to "circumvent its encryption" to enable Web chats on its Outlook.com service to be intercepted.

The paper also claimed that Microsoft "developed a surveillance capability" to deal with encryption issues that the intelligence agency faced.

Skype, which was acquired by Microsoft in October 2011, is claimed to have also worked with U.S. intelligence agencies to allow NSA analysts to access video and audio conversations through PRISM.

Microsoft's general counsel Brad Smith denied these claims in a note published on Tuesday, labeling such reports as having "significant inaccuracies in the interpretations of leaked government documents reported in the media last week."

Microsoft's chief lawyer confirmed, however, that the software giant did discuss legal compliance with the U.S. government, as the report stated. "In none of these discussions did Microsoft provide or agree to provide any government with direct access to user content or the ability to break our encryption," he confirmed.

The company believes it has a constitutional right to free speech to share more information about its alleged cooperation with the government, and yet it is being prevented from doing so.

Citing a petition filed in court on June 19, Microsoft said it had yet to receive a response from the court on seeking permission to publish the specific number of "national security requests" the company gets from the U.S. government. These requests are secret, and have only recently in the past couple of years been released — albeit in number ranges, rather than specific figures.

Regarding Outlook.com, which now has 400 million active users since the Hotmail switch-off in May, Smith said: "We do not provide any government with direct access to emails or instant messages. Full stop."

He noted that like all communication service providers, Microsoft must comply with governments to turn over specific account data, subject to a valid warrant or court order.

"This is true in the United States and other countries where we store data. When we receive such a demand, we review it, and, if obligated to, we comply," Smith said.

He directly hit back at encryption-bypass claims, as suggested by the documents seen but not released by The Guardian last week, saying: "We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts."

Smith noted that the U.S. government is not given any ability to "break the encryption" that the company uses to transport data from user to user.

He clarified that data is stored on Microsoft's servers "in an unencrypted state," so that it can be handed to government agencies subject to valid orders.

For SkyDrive, changes were made in 2013 to comply with an increase in requests from governments around the world, but Microsoft confirmed that the process for handing over SkyDrive files is the same as for any other legal request from any government, at home or abroad.

Smith also confirmed that though Skype switched to a "supernode" system before Microsoft acquired the Internet calling service, Microsoft insists these changes "were not made to facilitate greater government access to audio, video, messaging, or other customer data."

Skype's principal architect Matthew Kaufman confirmed this in an email list reply in late June, saying Skype's move to the cloud was for scalability, not surveillance reasons. Kaufman, however, declined to comment at the time on whether the infrastructure change made wiretapping and surveillance easier for governments.

Smith also noted that should Microsoft receive a request for data belonging to business or enterprise customers, the company will forward the request to the customer unless it is prevented from doing so.

Under the Patriot Act, which significantly expanded the use of National Security Letters (NSLs), or so-called gagging orders, Microsoft may not be allowed to disclose to the customer that it had to hand over their data for law enforcement purposes.

This remains rare, Microsoft said. In its 2012 transparency report, released earlier this year, the software giant said it had complied with only four such requests. In three of those instances, Microsoft informed the customer.

"In the fourth case, the customer received the demand directly, and asked Microsoft to produce the data," Smith wrote.

Smith reiterated that Microsoft only responds to requests for specific accounts and identifiers, ruling out unfettered or "direct access" to its servers. The company also refuted "blanket or indiscriminate access" to customer data, hinting at but not directly naming the Foreign Intelligence Surveillance Act (FISA), which is understood to have been used against telcos to acquire vast amounts of data from fiber cables.

PRISM is just one strand of a two-pronged operation within the NSA's mass surveillance program; it is designed to be used in conjunction with another system.

The second program, dubbed "Upstream," applies to Tier 1 fiber companies. Investigative reporting by ZDNet in June detailed how those companies were likely ordered under law to allow U.S. intelligence agencies to wiretap vast amounts of data belonging to U.S. citizens and foreign nationals.
