I have to agree Microsoft needs to get out in front of this immediately. I recently had a conversation with a coworker who described the fear she had using her new computer. She used words like worrying, uneasy, and dirty feeling.
Also.
>The company said it responds only to orders for "specific accounts and identifiers," and never provides "blanket or indiscriminate access to Microsoft's customer data"
Does not mean they did not provide the mechanism to access encrypted data in transit.
I think that's exactly what is said at http://blogs.technet.com/b/microsoft_on_the_issues/archive/2... : "Recent leaked government documents have focused on the addition of HTTPS encryption to Outlook.com instant messaging, which is designed to make this content more secure as it travels across the Internet. To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys."
Nah. The third option is that both are telling the truth.
Microsoft doesn't do end-to-end encryption so it can be forced to turn over the cleartext. (Skype calls go through MS servers in unencrypted form, and Outlook/Hotmail messages are stored in cleartext.)
Don't forget the possibility that collaboration is on a "need-to-know" basis internally within Microsoft, and/or that the data is being captured by agents or coercion at the data center level.
I suspect you've been watching too many spy movies. If a Microsoft employee surreptitiously "captured" user data when asked by the NSA, he would be guilty of multiple federal felonies and subject to significant civil liability. I suppose if this were a movie, the president would secretly pardon him, or he'd get a new identity under the witness protection program or something, but, alas, this is not fiction.
Microsoft's deputy general counsel and VP John Frank has a top secret security clearance. So do at least three of its attorneys -- all those clearances were granted by FedGov precisely so the company could respond to legal requests.
Surely government institutions would never break their own rules, or lie to anyone?
To be clear, I'm not saying anything is true or not. I'm just saying we shouldn't rule anything out. It's possible that some of the tech companies are themselves partially or fully in the dark.
Government institutions frequently break their own rules, lie, and violate the law.
I suppose anything's possible, in some abstract sense, but we're talking about reality here, which excludes some more creative theories. And, alas for screenwriters, there is precisely zero evidence to support your "in the dark" theory. :)
> Does not mean they did not provide the mechanism to access encrypted data in transit.
They are required, by the law, to deny any involvement with the NSA if caught. They are required to lie, by the law. So at this point you can't believe anything they say.
Both Google and Microsoft need to offer end-to-end encryption/easy to use client-side encryption without having any access to any keys themselves, wherever possible (chat, e-mail, cloud storage). End of story - if they really do "care about our privacy".
Otherwise they're just disingenuous at this point, because they know that while they say that in public, they give access to spy agencies all over the world to a lot of those accounts, that probably have nothing to do with "terrorists". Even if they think all the requests the US government is doing are "legitimate", do they really want to make it just as easy for the Saudi Arabian government or others to do the same?
This is what I thought too, but as others have pointed out elsewhere in this thread, how would they provide additional services on top like search and I don't know what?
Come to think of it though, if the service is free (i.o.w. you are the data and advertisers are the actual customers), wouldn't Google/Facebook or whoever be more concerned with the security and privacy of those paying the bills rather than the data-points generating harvestable content?
So it really does seem that we need to move ultimately to federated, paid-for services for communication at least, like POTS but for email and chat and whatever.
They care about privacy... but they care about staying in business more.† They are in the business of providing web services (i.e., things you ask their servers to do to your data.) If they can't do anything with your files besides store them, they don't have a business.
† (To assume otherwise would be odd, wouldn't it? It's like taking someone saying "I like ice-cream" to mean "I would allow you to shoot me in exchange for some ice-cream." We assume people have an implicit preference for staying living. We should probably assume companies do too.)
Remember that Google is in the advertising business. If they can't scan users' information for showing context-sensitive ads, it would defeat their business model.
>> When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state...
Why would the public's private data sit in unencrypted state on Microsoft's servers? What would be the point of encryption if corporation servers can see what you think you are securing via assumed privacy?
I'm not being snarky but what gave you the impression it sat there encrypted?
(caveat: I'm not a security expert) Encryption is used for data 'in flight' as well as 'at rest'. As far as I know, very few companies/services go out of their way to encrypt your stuff at rest (it's within their systems/firewall/etc at that point). Even if they did, they hold the encryption keys so can 'see' it anyway.
If you want a situation where a company cannot see your data, you have to hold the encryption keys yourself (nb: knowing the password != holding the encryption key. My rule of thumb for this is if I can do a password reset on a service, then that service can see everything I put into it.)
Yes, although there's a cutting-edge form of encryption called homomorphic encryption that would allow full-text search on encrypted data if an implementation is ever perfected. IBM is working on it, among many others:
Erm, no. It's actually quite easy, if you're prepared to do a little more work.
You just create a search index before encrypting the data. Then you encrypt the index. Each time you need to search, you decrypt the index, get a reference to one or more results, fetch those, and decrypt them.
That's trivialising what can become a pretty complex scenario, but it illustrates the point.
Actually, I did an email archiver as a side project, I still have the Lucene index of my emails (including searchable attachments, of course). It's 233MB. How long do you think it would take to decrypt it with AES256 every time I search for something? How long does it take when you search in Gmail? Can you point me to any implementation that does it like that? Or any implementation that does it at all?
I wasn't saying it's impossible, just that it's pretty hard.
I don't know of anything open source. Initialising the AES crypto provider takes a lot longer than decrypting ~250 Mb data, so keep it initialized for the duration of the session.
That said, I did it in a native client app, where state is easier to maintain.
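The index-then-encrypt approach discussed in the comments above, as an added example that is not part of any commenter's post: the client builds the search index from plaintext, encrypts documents and index with a key only it holds, and decrypts the index once per session rather than once per query. All function names and the sample messages are constructed for illustration, and AES-256-GCM is an assumed mode (the thread only says AES256).

```javascript
const crypto = require('crypto');

// Constructed sample mailbox (not real data).
const SAMPLE_DOCS = {
  m1: 'Quarterly invoice attached',
  m2: 'Lunch on Friday?',
  m3: 'Invoice reminder for Friday',
};

// AES-256-GCM; output is iv (12) || tag (16) || ciphertext, so each blob is self-contained.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag check).
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Client side: index the plaintext first, then encrypt documents and index.
// The returned object is everything the storage provider ever holds.
function buildStore(key, docs) {
  const index = Object.create(null); // word -> [document ids]
  const blobs = {};
  for (const [id, text] of Object.entries(docs)) {
    for (const w of new Set(text.toLowerCase().match(/[a-z0-9]+/g) || [])) {
      (index[w] = index[w] || []).push(id);
    }
    blobs[id] = seal(key, Buffer.from(text, 'utf8'));
  }
  return { index: seal(key, Buffer.from(JSON.stringify(index))), blobs };
}

// Client session: decrypt the index once, keep it in memory, and decrypt
// only the documents that match each query.
function openSession(key, store) {
  const index = JSON.parse(open(key, store.index).toString('utf8'));
  return function search(word) {
    const w = word.toLowerCase();
    const ids = Object.prototype.hasOwnProperty.call(index, w) ? index[w] : [];
    return ids.map((id) => ({ id, text: open(key, store.blobs[id]).toString('utf8') }));
  };
}
```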
How many consumer-focused Internet companies encrypt user data in storage by default -- in a way that the company itself cannot decrypt given a lawful court order? (I'm not talking here about transit HTTPS/TLS encryption.) I don't know of a whole lot.
What I find interesting about all these cases is who knew that this was happening? Were Steve Ballmer/Larry Page/Mark Zuckerberg/etc. as surprised as we were when this all got released? I wouldn't be surprised if they were (with maybe the exception of Mark since it's a smaller company).
Sure, but I don't think many people at Microsoft have security clearance to begin with. Like when the NSA reached out to some middle management Joe on the Outlook.com team, he/she probably did not have security clearance.
Entire groups of people at MS have clearances. Their software runs large chunks of the DOD, they can and do put consultants on site in secured locations when needed. Who else is going to fix an exchange cluster that has been mis-configured by a lowest bidder tech?
Purely a PR move, after the recent revelations. MS for years collaborated with various governments, often providing information before being asked. And now we are supposed to believe that they are concerned about it?
Agree with you. This is the same as Facebook now pretending to care about offering you a way to 'permanently delete' your data despite a 9-year history of completely the opposite.
I am surprised that Microsoft took as much flak for it as it did when pretty much every other online property including Google and Facebook has complied with these demands (as they are legally supposed to do).
Besides, it is also interesting to note that providers such as Google and Facebook probably have a lot more interesting data that the government is likely interested in. It is more likely that data from the likes of Google and Facebook can be used to track an individual or can be detrimental to them, as compared to the data that Microsoft has.
I don't quite read it the same way - it means they, as a company, have little incentive to parse your email for choice bits and serve you advertising based on the results, because they don't make their money that way.
The people making this campaign probably knew nothing about PRISM anyhow.
The ones suffering are Microsoft. (IMHO) I don't think that many of their corporate customers are still considering investing in their software. This could be a huge turning point for them.
And unfortunate or not, I think they deserve to lose customers. Actually, I am surprised their stock is not plummeting right now.
Think your perspective is a bit off there if you think this should be causing a stock meltdown or a mass exodus. Most people, rightly or wrongly, probably aren't all that interested in Microsoft's involvement, but more concerned about where Snowden is and whether he's leaking our classified information to other nations. Yes, there are people upset at the tech companies and the NSA, but I don't think it's nearly as widespread as it is in the tech echo chamber.
EDIT: To clarify, maybe this SHOULD cause a mass exodus in an ideal world. But I don't think that matches up with reality, and therefore I don't think a mass exodus/stock meltdown is really an expected outcome.
The people in charge of buying software and services buy what they are told to buy by their bosses. The bosses making those decisions oftentimes are uninformed and unconcerned with the things you might imagine that they would be.
I know it's fashionable to bash Microsoft but give me a break.
Why focus just on tech? What about all those financial transactions flowing through Wall Street? Is everyone going to start banking in Antarctica now?
What has happened with American tech companies wrt the NSA can happen to any company anywhere in the world holding data. If the government walks in one day, and says give me the keys, lives are on the line, most people I know will hand over the keys.
Most big "enterprisey" customers who use MS servers or Exchange or Office etc. aren't even remotely contemplating switching to anything else. That's a pretty safe business for MS at this moment. That will likely change, but it's hard to predict when.
So they should invest in Google Apps or Apple? The first leak from Snowden showed every top company is helping NSA and by law ordered to lie. The whole thing sucks for US tech...