Documents obtained from former NSA contractor Edward Snowden suggest — but do not prove — that the company is right to be concerned. Two previously unreleased slides that describe operations against Google and Yahoo include references to Microsoft’s Hotmail and Windows Live Messenger services. A separate NSA e-mail mentions Microsoft Passport, a Web-based service formerly offered by Microsoft, as a possible target of that same surveillance project, called MUSCULAR, which was first disclosed by The Washington Post last month.
Though Microsoft officials said they had no independent verification of the NSA targeting the company in this way, general counsel Brad Smith said Tuesday that it would be “very disturbing” and a possible constitutional breach if true.
Microsoft’s move to expand encryption would allow it to join
and other major technology firms in hardening its defenses in response to news reports about once-secret NSA programs. The resulting new investments in encryption technology stand to complicate surveillance efforts — by governments, private companies and criminals — for years, experts say.
Though several legislative efforts are underway to curb the NSA’s surveillance powers, the wholesale move by private companies to expand the use of encryption technology may prove to be the most tangible outcome of months of revelations based on documents that Snowden provided to The Post and Britain’s Guardian newspaper. In another major shift, the companies also are explicitly building defenses against U.S. government surveillance programs in addition to combating hackers, criminals or foreign intelligence services.
“That’s a pretty big change in the way these companies have operated,” said Matthew Green, a Johns Hopkins University cryptography expert. “And it’s a big engineering effort.”
In response to questions about Microsoft, the NSA said in a statement Tuesday, “NSA’s focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the U.S. government.”
A U.S. official, who was not authorized to discuss the matter publicly and spoke on the condition of anonymity, said Tuesday that collection can be done at various points and does not necessarily happen on a company’s private fiber-optic links.
A 2009 e-mail from a senior manager of the NSA’s MUSCULAR project specifies that a targeting tool called “MONKEY PUZZLE” is capable of searching only across certain listed “realms,” including Google, Yahoo and Microsoft’s Passport service. It is not clear what service a fourth listed realm, “emailAddr,” refers to. “NSA could send us whatever realms they like right now, but the targeting just won’t go anywhere unless it’s of one of the above 4 realms,” the e-mail said.
The tech industry’s response to revelations about NSA surveillance has grown far more pointed in recent weeks as it has become clear that the government was gathering information not only through court-approved channels in the United States — overseen by the Foreign Intelligence Surveillance Court — but also through the massive data links overseas, where the NSA needs authority only from the president. That form of collection has been done surreptitiously by gaining access to fiber-optic connections on foreign soil.
Smith, the Microsoft general counsel, hinted at the extent of the company’s growing encryption effort at a shareholders meeting last week. “We’re focused on engineering improvements that will further strengthen security,” he said, “including strengthening security against snooping by governments.”
People familiar with the company’s planning, who spoke on the condition of anonymity to discuss matters not yet publicly announced, said that while officials do not have definitive proof that the NSA has targeted Microsoft’s communication links, they have been engaged in a series of high-level meetings to pursue encryption initiatives “across the full range of consumer and business services.” A cost estimate was not available; key decisions are due to be made at a meeting of top executives this week in Redmond, Wash., where Microsoft is headquartered.
When asked about the NSA documents mentioning surveillance of Microsoft services, Smith issued a sharply worded statement: “These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.”
That echoes a similar statement by Google’s general counsel, David Drummond, who said last month that he was “outraged” by the report in The Post about the NSA tapping into the links connecting the company’s network of data centers. Google in September announced an ambitious new set of encryption initiatives, including among data centers around the world. Yahoo made a similar announcement last week.
Microsoft, Google and Yahoo also have joined other major tech firms, including Apple, Facebook and AOL, in calling for limits to the NSA’s surveillance powers. Most major U.S. tech companies are struggling to cope with a global backlash over U.S. snooping into Internet services.
The documents provided by Snowden are not entirely clear on the way the NSA might gain access to Microsoft’s data, and it is possible that some or all of it happens on the public Internet as opposed to on the private data center links leased by the company. But several documents about MUSCULAR, the NSA project that collects communications from links between Google and Yahoo data centers, discuss targeting Microsoft online services. The company’s Hotmail e-mail service also is one of several from which the NSA has collected users’ online address books.
The impact of Microsoft’s move toward expanded encryption is hard to measure. And even as most major Internet services move to encrypt their communications, they typically are decoded — at least briefly — as they move between different companies’ systems, making them vulnerable.
Privacy activists long have criticized Microsoft as lagging behind some rivals, such as Google and Twitter, in implementing encryption technology. A widely cited scorecard of privacy and security by tech companies, compiled by the Electronic Frontier Foundation in San Francisco, gives Microsoft a single check mark out of a possible five.
“Microsoft is not yet in a situation where we really call them praiseworthy,” said Peter Eckersley, director of technology projects at the foundation. “Microsoft has no excuse for not being a leader in encryption and security systems, and yet we often see them lagging behind the industry.”
Encryption, while not impervious to targeted surveillance, makes it much more difficult to read communications in bulk as they travel the Internet. The NSA devotes substantial resources to decoding encrypted traffic, but the work is more targeted and time consuming, sometimes involving hacking into individual computers of people using encryption technology.
Documents provided by Snowden, and first reported by the Guardian, show that Microsoft worked with U.S. officials to help circumvent some forms of encryption on the company’s services. Microsoft has disputed the Guardian report and said it provides information to the government only when legally compelled to do so.
Soltani is an independent security researcher and consultant.