Senior legal counsel says internal systems will adopt ‘Perfect Forward Secrecy’ to encrypt links between servers,
Microsoft’s chief lawyer pledged to open up some of its code for peer review to reassure customers that there are no ‘back doors’ to allow unauthorised access to informaiton.
Microsoft’s chief lawyer says that government snooping on its servers constitutes a threat as serious as “sophisticated malware or cyber attacks”.
He also pledged to open up some of its code for peer review to reassure customers that there are no “back doors” to allow unauthorised access to informaiton.
Brad Smith, Microsoft’s general counsel, said that the company is adding encryption to connections between its servers, to thwart unauthorised snooping by government agencies tapping into fibre-optic cables. That follows identical moves by Google and Yahoo to protect their internal communications against unauthorised surveillance.
Smith said: “We are taking steps to ensure governments use legal process rather than technological brute force to access customer data,” citing press coverage of “a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.”
The move follows revelations in the Guardian in June that GCHQ, the UK’s spying agency, taps into fibre-optic cables which make landfall in Britain in a program called “Mastering the Internet”, and in October that the US’s National Security Agency (NSA) taps into the private communications links used by companies including Google and Yahoo to extract data “at will”.
Many larger companies appeared to have had encryption enabled for customers connecting to their servers – but then transmitted data between their centres without encryption because it allows for faster data communications: encrypting and decrypting data carries a processing overhead that could result in slower processing, and was seen as unnecessary. But the Snowden revelations suggest that that left a vital are unprotected from snooping.
“If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications,” Smith wrote. “Indeed, government snooping potentially now constitutes an ‘advanced persistent threat’, alongside sophisticated malware and cyber attacks.”
Google instituted a system called “Perfect Forward Secrecy” to connect its websites after the Guardian revelations. Yahoo and Twitter have also done so.
Smith said that Microsoft will expand encryption across its services, reinforce legal protection of customer data, and make its computer programs more easily available for examination in “transparency centres” around the world so that larger customers can check code. It already runs a form of that “code checking” system for some large businesses and governments, which can examine the source code of its Windows and other software for “back doors”.
Smith said: “We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution. We want to ensure that important questions about government access are decided by courts rather than dictated by technological might. And we’re focused on applying new safeguards worldwide, recognising the global nature of these issues and challenges.”