What Happened?
Last summer, Edward Snowden shined a bit of light on the Prism program that the NSA runs. He named several companies that handed data over to the NSA, including Microsoft. The documents proved that:
- Microsoft allowed and even assisted the NSA in decrypting things that were encrypted on Outlook.com and Hotmail.
- The NSA has full access to SkyDrive, Microsoft’s cloud-based service.
- After Microsoft bought Skype, the NSA was able to triple the number of video calls that were collected through Prism.
- Any and all information that Prism collects is shared with both the FBI and CIA.
Microsoft noted that when they update their software, they make the proper preparations to deal with “existing or future lawful demands”, and that the company only provided data when the government demanded the data. The leak showed that not only did the NSA have direct access to Microsoft’s services through the Prism program, but they also had access to Apple, Google, Facebook, and Yahoo.
How Are They Protecting User Data?
Microsoft has gone back to the drawing board after the public response to the NSA’s surveillance methods. First and foremost, they want to expand their encryption methods. This won’t just be for Outlook; it’ll cover Azure and Office 365 as well. For SkyDrive, Microsoft is moving to 2048-bit keys. This applies both to data sent between the server and the customer and to data sent to the company’s data centers. This means that no matter where you go, you’ll have access to your data. The faster data centers will serve to accommodate a consumer market that expects faster speeds from both their ISPs (such as premium tiered Internet services from Verizon) and their cloud applications.
The company has reiterated its intent to protect user data, saying that this service will be fully implemented by the end of 2014. Microsoft finally added Secure Sockets Layer (SSL) searching to Bing, and there’s been a push for Microsoft to add certificate pinning in Internet Explorer. Microsoft has also said they’ll reinforce the legal authorities that they use to protect customer data, and, as they do now, will notify corporate and government customers if they receive a request for user data. If a request is made for your data, it might be wise to consult a criminal law expert to see how to proceed, as legal action could be taken. They also plan to open a center for government customers to let them take a look at the source code.
What’s Next?
Well, that’s the big question. Microsoft has said that it will allow non-U.S. customers to get access to and store data in cloud data centers outside of the U.S. For example, a customer in Ireland could store data on British servers. That’s a great move for privacy, but some critics question the tactic and whether it’d put the data of non-Americans outside of the NSA’s grasp. Any data that comes in or leaves the U.S. is subject to NSA scrutiny. Microsoft is the only company allowing non-U.S. data storage, even though the leaks showed that the NSA has a hand in both Google and Yahoo. By storing data outside of the United States, users should feel a bit more secure. It doesn’t guarantee the NSA can’t see it by any means, but it does decrease the chance that they will.
What do you think about Microsoft’s response and the decision to allow users to choose where it stores the data? Do you think other companies like Google will follow and allow users to store data on Google Drive servers outside of the United States? More importantly, do you think this move would put data out of the NSA’s reach? Leave a comment below and let us know what you think about this whole situation.