Microsoft asks US govt to allow it to disclose how NSA requests are handled

17 Jul 2013

Just days after on-the-run former NSA contractor Edward Snowden alleged Microsoft gave the US National Security Agency (NSA) and other agencies access to Outlook, Hotmail and Skype communications, the software giant says it has asked the US attorney general to permit it and other companies to disclose how they handle national security requests for customer information.

Following similar pronouncements by Google and Apple, Microsoft’s general counsel and executive vice-president of Legal and Corporate Affairs Brad Smith said US government lawyers have yet to respond to the petition Microsoft filed in court on 19 June, seeking permission to publish the volume of national security requests it has received.

“We hope the attorney general can step in to change this situation,” Smith said.

Last week, Snowden claimed Microsoft provided the US security apparatus with blanket access to services like Outlook.com and Skype, claims which Microsoft hotly denied.

On Outlook.com (formerly Hotmail), Smith said: “We do not provide any government with direct access to emails or instant messages. Full stop. Like all providers of communications services, we are sometimes obligated to comply with lawful demands from governments to turn over content for specific accounts, pursuant to a search warrant or court order. This is true in the United States and other countries where we store data. When we receive such a demand, we review it and, if obligated to, we comply.

“We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts.

“Not surprisingly, we remain subject to these types of legal obligations when we update our products and even when we strengthen encryption and security measures to better protect content as it travels across the web. Recent leaked government documents have focused on the addition of HTTPS encryption to Outlook.com instant messaging, which is designed to make this content more secure as it travels across the internet.

“To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency,” Smith said.

SkyDrive and Skype

Smith said the same policies apply to its online storage service SkyDrive.

“All providers of these types of storage services have always been under legal obligations to provide stored content when they receive proper legal demands. In 2013, we made changes to our processes to be able to continue to comply with an increasing number of legal demands by governments worldwide. None of these changes provided any government with direct access to SkyDrive. Nor did any of them change the fact that we still require governments to follow legal processes when requesting customer data. The process used for producing SkyDrive files is the same whether it is for a criminal search warrant or in response to a national security order, in the United States or elsewhere.”

Smith also denied Microsoft had made changes to its Skype videoconferencing service in order to facilitate NSA requests.

“The reporting last week made allegations about a specific change in 2012. We continue to enhance and evolve the Skype offerings and have made a number of improvements to the technical back-end for Skype, such as the 2012 move to in-house hosting of ‘supernodes’ and the migration of much Skype IM traffic to servers in our data centres. These changes were not made to facilitate greater government access to audio, video, messaging or other customer data.

“Looking forward, as internet-based voice and video communications increase, it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the internet or by fixed line or mobile phone, will offer similar levels of privacy and security. Even in these circumstances, Microsoft remains committed to responding only to valid legal demands for specific user account information.

“We will not provide governments with direct or unfettered access to customer data or encryption keys.”

Enterprise privacy

Smith said that in relation to enterprise email and document storage, in 2012 the company only complied with four requests related to business or government customers.

“In three instances, we notified the customer of the demand and they asked us to produce the data. In the fourth case, the customer received the demand directly and asked Microsoft to produce the data. We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.”

Smith said Microsoft does not provide any government with direct or unfettered access to its customer data.

“We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. The aggregate data we have been able to publish shows clearly that only a tiny fraction – fractions of a percent – of our customers have ever been subject to a government demand related to criminal law or national security,” Smith said.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
