Some thoughts on Microsoft and the NSA

Remember the old proverb about blind men describing an elephant? That’s the situation we’re in when trying to get our heads around all the news swirling around Edward Snowden’s revelations about the NSA, PRISM, and the extent of cooperation (or coercion) between the US Government via the NSA, and internet services providers like Microsoft. And unlike the kind of “leaks” we’re used to dealing with, that is, early information about soon to be public information about the next great smartphone or the latest version of our favorite software, the truth is we may never learn completely what the NSA has been, is, and will be doing when it comes to internet communications via Microsoft or the other service providers.

Last week, The Guardian published a set of revelations focusing almost entirely on the NSA’s relationship with Microsoft. The Guardian helpfully boiled the revelations down to a few bullet points:

The files provided by Edward Snowden illustrate the scale of co-operation between Silicon Valley and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new portal;

• The agency already had pre-encryption stage access to email on, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in that allows users to create email aliases;

• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

A number of other publications were quick to assail Microsoft for its relationship with the NSA, including Slate, which published a Timeline of Skype’s dealings with the NSA, concluding that:

…it should be clear now that users should not consider Skype a secure means of communication. Making an international call by Skype is still probably a moderately safer bet than making an international call by an unencrypted landline or mobile phone. But activists, journalists, and others who want to ensure that their communications remain confidential should not take a gamble with Skype or any other Microsoft service

However,  Microsoft’s General Counsel Brad Smith took to the Microsoft on the Issues blog to address the revelations coming from Snowden via The Guardian, and the rash of posts that followed:

In short, when governments seek information from Microsoft relating to customers, we strive to be principled, limited in what we disclose, and committed to transparency. Put together, all of this adds up to the following across all of our software and services:

  • Microsoft does not provide any government with direct and unfettered access to our customer’s data. Microsoft only pulls and then provides the specific data mandated by the relevant legal demand.
  • If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information.
  • We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. The aggregate data we have been able to publish shows clearly that only a tiny fraction – fractions of a percent – of our customers have ever been subject to a government demand related to criminal law or national security.
  • All of these requests are explicitly reviewed by Microsoft’s compliance team, who ensure the request are valid, reject those that are not, and make sure we only provide the data specified in the order. While we are obligated to comply, we continue to manage the compliance process by keeping track of the orders received, ensuring they are valid, and disclosing only the data covered by the order.

So, while Smith doesn’t dispute the allegations asserted in The Guardian post, he insists that they’re only true in a small and tightly controlled set of circumstances. What isn’t said is where and how this access occurs (from a special set of Microsoft servers?, from NSA servers within Microsoft?), although from Brad Smith’s letter it does seem apparent that Microsoft is funneling some accounts to some kind of area where NSA access is available:

To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.

This appears to be different than what Google has done to comply with NSA requests. In a Q-n-A session The Guardian hosted with Google’s Chief Legal Officer David Drummond, he said, on June 19th:

There is no free-for-all, no direct access, no indirect access, no back door, no drop box.

Still, with all the wrangling over how much access Microsoft is providing to the NSA, if Edward Snowden is to be believed, the NSA may have other means of access, anyway. In his most recent statement from the Moscow Airport after meeting with officials from WikiLeaks, Snowden said:

Hello. My name is Ed Snowden. A little over one month ago, I had family, a home in paradise, and I lived in great comfort. I also had the capability without any warrant to search for, seize, and read your communications. Anyone’s communications at any time. That is the power to change people’s fates.

It is also a serious violation of the law. The 4th and 5th Amendments to the Constitution of my country, Article 12 of the Universal Declaration of Human Rights, and numerous statutes and treaties forbid such systems of massive, pervasive surveillance.

Microsoft says it only provides access under strict guidelines, and rarely. Yet Snowden says he could read “anyone’s communications at any time”. Either someone is lying, or the NSA has other means of access to our communications that we haven’t heard about yet. Either way it’s the tip of the iceberg, a story that will continue to play out for a long time.