About a month ago, I wrote about the extraordinary fact that Microsoft routinely hands over zero-day exploits in its applications to the US government for the latter to use in the short window before they are announced and plugged. On thing that allows is for "foreign" governments and companies to be targetted and various levels of access to be gained in a way that is hard to protect against.
However, that does leave companies with the hope that at least encrypted transmissions and content remains protected, even with Microsoft products. But a recent story from the Guardian, based on information supplied by Edward Snowden, now seems to place even that in doubt:
Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;
In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
Material collected through Prism is routinely shared with the FBI andCIA, with one NSA document describing the program as a "team sport".
The Guardian article then goes on to fill in some of the details.
Microsoft has naturally been scrambling to limit the damage from this claim. Here are some of the key points from its post:
Outlook.com (formerly Hotmail): We do not provide any government with direct access to emails or instant messages. Full stop.
This "direct" access claim, which cropped up in the earliest leaks from Snowden, is still one of the most bitterly contested. Snowden has not only repeated the claim, but also said that the companies that deny it – not just Microsoft, but Google and others too – are being economical with the truth.
In any case, we know that the NSA has access to the entire Internet stream as it enters the US and other countries like the UK that monitor and store everything. That means the NSA only needs the encryption keys, not the data, which it already has. On this front, Microsoft has the following to say:
To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.
That last comment is interesting, because it means that if the NSA has access to Microsoft's servers in some unorthodox way – one that can be classed as "indirect" - it wouldn't even need the encryption keys to read stuff.
The comment about SkyDrive is similar:
SkyDrive: We respond to legal government demands for data stored in SkyDrive in the same way. All providers of these types of storage services have always been under legal obligations to provide stored content when they receive proper legal demands. In 2013 we made changes to our processes to be able to continue to comply with an increasing number of legal demands governments worldwide. None of these changes provided any government with direct access to SkyDrive.
There's that "direct" access again. But maybe the NSA has direct access to a copy of SkyDrive, called something else, but not the original. In that case, Microsoft could truthfully write that the government does not have "direct access to SkyDrive", just its contents held on a differently-named database.
We will not provide governments with direct or unfettered access to customer data or encryption keys.
But what about indirect access to a shadow system?
On Enterprise Email and Document Storage:
We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.
Again, indirect access to unencrypted data held on a copy is not ruled out by that statement.
Basically, we don't know, and so each person will need to make up his or her own mind as to whom to believe. But at the very least, the leaks make the company's advertising slogan "Your privacy is our priority" a joke, since Microsoft's real priority is clearly doing what the NSA tells it to do.
These latest revelations, combined with the previous ones about patches, must raise the question I posed last time: how can any responsible IT manage continue to use such programs and services in the full knowledge that they are not only vulnerable to undisclosed zero-day attacks, but that supposedly secret, encrypted data may be readily available to the NSA and others?
The Wikileaks documents have revealed how the US government works closely with US companies, passing them vital information that it gathers from its diplomats in other countries. It is inconceivable that secret information gleaned from breaking into corporate systems and eavesdropping on supposedly secure conversations is not similarly passed on to US companies to give them a competitive advantage.
That implies that any non-US company using Microsoft's products runs the risk of having its corporate secrets passed to US competitors, with possibly serious financial consequences. How long, then, before shareholders start suing companies for negligently continuing to use Microsoft products? How long before companies start recognising that fact in the company accounts, when the presence of what can only be called spyware has to be declared as an operating risk for the future – one that might cause the company to fail catastrophically?
Taken together, this growing body of evidence that Microsoft's enterprise software not only offers no real advantages over free software equivalents when it comes to performance, price, resilience and power, but that it represents a serious potential vulnerability for confidential company information, makes the use of open source yet more compelling. The question now is clearly not: why would a company use open source? But: what sane company would use anything else?