No NSA backdoor into Australian Parliament: Microsoft

The Department of Parliamentary Services says Microsoft has reassured the government that there is no backdoor in Microsoft products used by parliamentarians.
Written by Josh Taylor, Contributor

The Australian Department of Parliamentary Services (DPS) has said that Microsoft has informed the department that parliamentarians should not worry about their data being accessed by the US National Security Agency (NSA), stating that there is no backdoor installed on Microsoft software suites used in the Australian parliament.

In a Senate Estimates hearing in November, Parliament CIO Eija Seittenranta faced a grilling from Greens Senator Scott Ludlam over the department's assessment of IT security in the wake of the leaks from NSA whistleblower Edward Snowden showing that the NSA claimed to have direct access to the systems of Microsoft, Google, Yahoo, and a number of other tech giants.

Seittenranta confirmed that most of the servers run on Microsoft software, but it is up to the government security agency, the Australian Signals Directorate (ASD), to provide advice on vulnerabilities and backdoors that might be in the software.

At the time, she said the department had not sought advice from the ASD, nor had it advised Australia's elected representatives that their data on the parliament servers might be vulnerable to NSA spying.

The department has since sought clarification from the ASD and Microsoft on the vulnerabilities posed by the allegations about the NSA spying program, and in a follow-up response (PDF) to Ludlam's questioning posted on the parliament website last week, the department said that the "speculation" about the backdoors relates to cloud products rather than software products for internal environments.

"DPS has not been provided with any specific advice that Microsoft products or any other products have been backdoored by foreign intelligence services," the department said.

"Microsoft has advised DPS that there is no backdoor within the Microsoft suite of products, nor [has Microsoft] attempted to source information from the parliamentary network or provide information to any other entity."

During the hearing in November, DPS assistant secretary of IT infrastructure and services Steve McCauley confirmed that all outbound traffic from the DPS network is first routed via the ASD, which inspects it for sensitive data.

The ASD is also a member of Microsoft's Government Security Program, which the company said gives governments controlled access to Microsoft source code.

The DPS also said that its intrusion and analysis tools were used after the Snowden leaks to determine whether there had been data leakage and could find no trace of any PRISM-related capability on the parliamentary networks.

Additionally, the DPS said the major risk with the PRISM program relates to data hosted in the cloud, and parliamentarian data is not stored in the cloud.

"We are taking all reasonable steps to prevent systems such as the alleged PRISM system compromising our ICT environment," the department said.

"Our security tools have not identified any evidence of this style of illicit data collection from the parliamentary network."

The ASD told the department that it is not able to provide commentary on the matter.

The DPS told Ludlam that questions on the backdoors in Microsoft products would be best directed to Microsoft, the Australian Signals Directorate, or the Reform Government Surveillance group started by Microsoft, Apple, Google, Facebook, and others to call for the US government to change its spying program.

It comes after Foreign Minister Julie Bishop last week labelled Snowden's actions as "unprecedented treachery", while Communications Minister Malcolm Turnbull said Snowden's leaks have had a "profound" impact on US tech companies such as Cisco operating in Asia.

US President Barack Obama gave a speech earlier this month in which he outlined plans to change the way the NSA collects data, including stopping the NSA from storing call records and other such metadata, and instead requiring US telcos to hand the data to a third agency, which will require the NSA to get judicial approval before gaining access to the data.
