“The goal is clear: We want to be sure that governments use legal processes rather than brute force to access user data,” Brad Smith, Microsoft’s general counsel, said in an interview.
Smith said that concern at the company surged in October, when The Washington Post reported, based on documents provided by former NSA contractor Edward Snowden, that the NSA and its British counterpart were tapping into the private communications links of Google and Yahoo as information flowed among those companies’ data centers.
Smith said that report was “like an earthquake sending shock waves through the tech sector” because it made clear that government surveillance was not limited to known legal processes, such as those approved by the Foreign Intelligence Surveillance Court, but was happening by other means as well.
Both Google and Yahoo, which have announced their own major encryption initiatives in recent months, have global networks that resemble Microsoft’s. In addition, documents provided by Snowden to The Post suggested — while not proving — that Microsoft also was a target of the NSA program that collected data moving between centers.
Privacy advocates long have considered Microsoft a laggard in adopting encryption technology and resisting surveillance efforts. The Electronic Frontier Foundation, a civil liberties group based in San Francisco, awards the company a single check mark out of a possible five for its encryption efforts.
Wednesday’s announcement signals a major new corporate commitment to such issues and was accompanied by promises to make the computer coding for Microsoft’s services more transparent and to more vigorously resist data requests from police and intelligence agencies.
In a company blog post, Smith said, “We all want to live in a world that is safe and secure, but we also want to live in a country that is governed by the Constitution.”
The company also is taking the position, Smith said in the interview, that the Foreign Intelligence Surveillance Court, which oversees some NSA intelligence-gathering efforts, does not have jurisdiction to approve the collection of data outside U.S. borders.
The company did not immediately release an estimated cost or a timeline for completing the new encryption efforts. It did, however, promise to implement “best-in-class cryptography” for data flowing between customers and Microsoft and moving between data centers around the world. It also plans to encrypt data that’s in storage. Among the products getting new encryption are Outlook.com, Office 365, SkyDrive and Azure.
The company said the encryption effort will include implementing “perfect forward secrecy,” a way of safeguarding encryption keys, and 2,048-bit key lengths. Both are considered relatively advanced technologies. Data flowing between customers and Microsoft will be encrypted by default, which privacy advocates consider superior to systems that users must personally activate.
“I think it’s a substantial announcement and it’s a substantial undertaking. Encryption is key to privacy on the Internet,” said Greg Nojeim, director of the Project on Freedom, Security and Technology for the Center for Democracy and Technology, a Washington-based advocacy group that receives some industry support.
Encryption technology does not prevent surveillance of a particular target, but it makes it harder to gain access to vast swaths of Internet communications, as NSA has been doing for years. When The Post reported the Microsoft’s plans for encryption
last week, NSA officials said that U.S. government surveillance is focused on gathering intelligence against legitimate foreign targets, “not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the U.S. government.”
Microsoft also said Wednesday night that it would attempt to reach deals with other technology companies to protect data moving between its services and theirs. Those connections long have been a weak link, allowing for relatively easy surveillance even if the data is encrypted for the rest of its journey across the Internet.
The other elements of Wednesday’s announcement are aimed at government and business customers, not ordinary consumers.
The company said it would make its computer source code available for review by governments worldwide to demonstrate that it does not include “back doors” allowing easy access to user information.
Microsoft also said it would attempt to alert businesses and governments whenever there are legal requests for their data, although it will not do the same for other customers. Smith said that notifying individuals who are targets of government surveillance could undermine investigations.