JavaScript disabled. Please enable JavaScript to use My News, My Clippings, My Comments and user settings.

If you have trouble accessing our login form below, you can go to our login page.

If you have trouble accessing our login form below, you can go to our login page.

Microsoft beefs up anti-NSA security

Date

Craig Timberg, Barton Gellman and Ashkan Soltani

Zoom in on this story. Explore all there is to know.

Microsoft is convinced it must "invest in protecting customers’ information" from a wide range of threats.

Microsoft is convinced it must "invest in protecting customers’ information" from a wide range of threats. Photo: Bloomberg

Microsoft is moving toward a major new effort to encrypt its internet traffic amid fears that the National Security Agency may have broken into its global communications links, said people familiar with the emerging plans.

Suspicions at Microsoft, while building for several months, sharpened in October when it was reported that the NSA was intercepting traffic inside the private networks of Google and Yahoo, two industry rivals with similar global infrastructures, said people with direct knowledge of the company’s deliberations. They said top Microsoft executives are meeting this week to decide what encryption initiatives to deploy and how quickly.

Documents obtained from former NSA contractor Edward Snowden suggest - though do not prove - that the company is right to be concerned. Two previously unreleased slides that describe operations against Google and Yahoo include references to Microsoft’s Hotmail and Windows Live Messenger services. A separate NSA email mentions Microsoft Passport, a web-based service formerly offered by Microsoft, as a possible target of that same surveillance project, called MUSCULAR, which was first disclosed by The Washington Post last month.

Though Microsoft officials said they had no independent verification of the NSA targeting the company in this way, general counsel Brad Smith said Tuesday that it would be ‘‘very disturbing’’ and a possible constitutional breach if true.

Microsoft’s move to expand encryption would allow it to join Google, Yahoo, Facebook and other major technology firms in hardening their defences in response to news reports about once-secret NSA programs. The resulting new investments in encryption technology stand to complicate surveillance efforts - by governments, private companies and criminals - for years, experts say.

Though several legislative efforts are underway to curb the NSA’s surveillance powers, the wholesale move by private companies to expand the use of encryption technology may prove to be the most tangible outcome of months of revelations based on documents that Snowden provided to The Washington Post and Britain’s The Guardian newspaper.

In another major shift, the companies also are explicitly building defenses against US government surveillance programs, in addition to combating hackers, criminals or foreign intelligence services.

‘‘That’s a pretty big change in the way these companies have operated,’’ said Matthew Green, a Johns Hopkins University cryptography expert. ‘‘And it’s a big engineering effort.’’

In response to questions about Microsoft, the NSA said in a statement Tuesday, ‘‘NSA’s focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the U.S. government.’’

A US official, who was not authorised to discuss the matter publicly and spoke on the condition of anonymity, said Tuesday that collection can be done at various points and does not necessarily happen on a company’s private fiber-optic links.

A 2009 email from a senior manager of the NSA’s MUSCULAR project specifies that a targeting tool called ‘‘MONKEY PUZZLE’’ is capable of searching only across certain listed ‘‘realms,’’ including Google, Yahoo and Microsoft’s Passport service. It is not clear what service a fourth listed realm, ‘‘emailAddr,’’ refers to.

‘‘NSA could send us whatever realms they like right now, but the targeting just won’t go anywhere unless it’s of one of the above 4 realms,’’ the email said.

The tech industry’s response to revelations about NSA surveillance has grown far more pointed in recent weeks as it has become clear that the government was gathering information not only through court-approved channels in the United States - overseen by the Foreign Intelligence Surveillance Court - but also through the massive data links overseas, where the NSA needs only authority from the president.

That form of collection has been done surreptitiously by gaining access to fiber-optic connections on foreign soil. Smith, the Microsoft general counsel, hinted at the extent of the company’s growing encryption effort at a shareholder’s meeting last week.

‘‘We’re focused on engineering improvements that will further strengthen security,’’ he said, ‘‘including strengthening security against snooping by governments.’’

People familiar with the company’s planning, who spoke on the condition of anonymity to discuss matters not yet publicly announced, said that while officials do not have definitive proof that the NSA has targeted Microsoft’s communication links, they have been engaged in a series of high-level meetings to pursue encryption initiatives ‘‘across the full range of consumer and business services.’’

A cost estimate was not available; key decisions are due to be made at a meeting of top executives this week in Redmond, Washington, where Microsoft is headquartered.

When asked about the NSA documents mentioning surveillance of Microsoft services, Smith issued a sharply worded statement: ‘‘These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.’’

That echoes a similar statement by Google’s general counsel, David Drummond, who said last month that he was ‘‘outraged’’ over the report in The Washington Post about the NSA tapping into the links connecting the company’s network of data centers. Google in September announced an ambitious new set of encryption initiatives, including among data centers around the world. Yahoo made a similar announcement last week.

Microsoft, Google and Yahoo also have joined other major tech firms, including Apple, Facebook and AOL, in calling for limits to the NSA’s surveillance powers. Most major US tech companies are struggling to cope with a global backlash over US snooping into internet services.

The documents provided by Snowden are not entirely clear on the way the NSA might gain access to Microsoft’s data, and it is possible that some or all of it happens on the public internet as opposed to on the private data center links leased by the company. But several documents about MUSCULAR, the NSA project that collects communications from links between Google and Yahoo data centers, discuss targeting Microsoft online services.

The company’s Hotmail email service also is one of several from which the NSA has collected users’ online address books.The impact of Microsoft’s move toward expanded encryption is hard to measure. And even as most major internet services move to encrypt their communications, they typically are decoded - at least briefly - as they move between each company’s systems, making them vulnerable.Privacy activists long have criticized Microsoft as lagging behind some rivals, such as Google and Twitter, in implementing encryption technology.

A widely cited scorecard of privacy and security by tech companies, compiled by the Electronic Frontier Foundation in San Francisco, gives Microsoft a single check mark out of a possible five.

‘‘Microsoft is not yet in a situation where we really call them praiseworthy,’’ said Peter Eckersley, technology projects director at the foundation. ‘‘Microsoft has no excuse for not being a leader in encryption and security systems, and yet we often see them lagging behind the industry.’’

Encryption, while not impervious to targeted surveillance, makes it much more difficult to read communications in bulk as they travel the internet. The NSA devotes substantial resources to decoding encrypted traffic, but the work is more targeted and time consuming, sometimes involving hacking into individual computers of people using encryption technology.

Documents provided by Snowden, and first reported by The Guardian, show that Microsoft worked with US officials to help circumvent some forms of encryption on the company’s services.

Soltani is an independent security researcher and consultant.

The Washington Post

3 comments

  • We will hear all sorts of stories out of the US tech companies for a few years to come, as they mitigate the damage done by the NSA leaks. But the long and short of it is: After ta couple of years, the spying will continnue as it has done in the past, but govts will be more carefull with whom has access to their operational data. This spying will not go away, but rather slowly fade until we all forget. no matter what your government tells you they are doing -they in fact will do the opposite.

    Commenter
    Kevin Dudd
    Location
    Melbourne
    Date and time
    November 27, 2013, 5:03PM
    • Maybe its just me, but all this stuff really does is listen to a bunch of average people doing average things.

      The real bad guys out there will figure out a way.

      And what about people just sending a normal letter? Or how about them just talking to each other? Can it really be that hard?

      Commenter
      Rob
      Date and time
      November 27, 2013, 5:34PM
      • I support any moves by Microsoft to protect it's customer data. Particularly since the growth of Azure in providing web services. The more important issue however, is the underlying question of why the worlds largest software Company is in the position where it has to protect itself against it's own government? This indicates a much deeper problem which points to a breakdown of the rule of law and the protection of citizens in Western Democracies. This of course is a direct result of terrorist attacks against the United States and others, however if the only defence Western democracies have, is to break down their own legal systems, then we have to ask the question. Have the terrorists in fact already won? Are we destroying our own legal systems in a panic response? Even in war Western democracies and adversaries have adhered to conventions to protect prisoners of war. Western governments need to be reminded of this because by attacking their own Companies and Citizens they are in fact breaking down the very democracy they purport to protect.

        Commenter
        DejaView
        Location
        Melbourne
        Date and time
        November 27, 2013, 6:29PM
        Comments are now closed
        This Column is advertiser content
        Advertisement
        Featured advertisers
        Advertisement