Last year, I asked how anyone could trust Microsoft again in the wake of the revelations that the company provides information about bugs to the NSA before it releases it to customers. But a new document suggests that the problem doesn't end there. It concerns the NSA's PRISM programme, first disclosed by the Guardian in June 2013:
The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.
The NSA access is part of a previously undisclosed program called Prism, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.
The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation – classified as top secret with no distribution to foreign allies – which was apparently used to train intelligence operatives on the capabilities of the program. The document claims "collection directly from the servers" of major US service providers.
That last claim has always been one of the most hotly-contested - naturally enough, since computer companies need to be able to say that they were unaware of what the NSA was up to if they are to retain any of their customers' trust. One very revealing slide shows when different companies were added to the PRISM collection; the very first name there is Microsoft, back in November 2011. The new document, published on the Cryptome site, suggests that Microsoft's involvement with the NSA's surveillance goes well beyond knowing what was happening:
Beginning on 7 March 2013, PRISM now collects Microsoft Skydrive data as part of PRISM's standard Stored Communications collection package
"Skydrive" is now known as OneDrive. So far, this is of a piece with the Guardian story, and indicates that the NSA have access to Skydrive/OneDrive, without saying how that was obtained. But the document goes on:
This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established.
That seems unequivocal: Microsoft actively worked with the FBI to provide direct access to its consumers' files. Of course, that's assuming the leaked document is genuine, but that seems likely, given that it fits in with other information we have about PRISM.
The implications of this are serious. It means that Microsoft's efforts to allay fears that the NSA can access customers' files when stored on its servers outside the US by "challenging" court orders to hand over such information would seem to be little more than theatre - played out to give the appearance that there are no backdoors into its systems. But if the Cryptome document is genuine, there are indeed backdoors, put there with Microsoft's help, that render judicial decisions completely moot.
Similarly, moves by both Microsoft and Amazon, among others, to set up local data centres in the EU will not on their own protect European data unless that is encrypted by the companies themselves, and the cloud computing providers do *not* have access to the keys. Indeed, if the data is encrypted in this way, local storage is not so important, since the NSA will have an equally hard time decrypting it wherever it is held - as far as we know, that is.
Because of that recent US court judgment ordering Microsoft to hand over emails held in Ireland, many people are now aware of the dangers of cloud computing in the absence of encryption under the control of the customer. But very few seem to have woken up to the problems of backdoors in proprietary software that I mentioned at the start of this post. One important exception is the German government, which according to Sky News is working on an extremely significant law in this area:
Software developers who supply products to the German government or companies critical to its infrastructure could be forced to hand over their top-secret source code.
Source code is effectively the building blocks of software which tech firms jealously guard to avoid companies copying their products.
As a result, if the draft legislation becomes law, many companies from outside Germany would likely refuse to compete for technology contracts in the country.
But not, of course, open source companies, which comply automatically with the new requirement. This could be a huge opportunity for free software in Germany, and not only there; if this law is passed it could be a wake-up call for companies throughout Europe, and maybe beyond, just as the Irish case has been in the field of cloud computing.