Brad Smith, General Counsel & Executive Vice President of Legal & Corporate Affairs at Microsoft, recently updated Microsoft's blog with a post assuring customers that their personal data is safe from government snooping. The company is taking steps to ensure governments use a legal process rather than technological brute force to access customer data.
"Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data," Smith writes. "In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry."
In light of the allegations, Microsoft has decided to expand encryption across all services, reinforce legal protections for customer data, and enhance the transparency of the company's software code, making it easier for customers to reassure themselves that products do not contain back doors. For the latter, Microsoft plans to open transparency centers in Europe, the Americas and Asia so that government customers can review the company's source code and make sure no back doors are installed.
On the encryption front, customer content moving between users and Microsoft will be encrypted by default. All key platform, productivity and communications services will encrypt customer content as it moves between data centers. Microsoft will also use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths. All of this will be in place by the end of 2014, and much of it is effective immediately, he writes.
"We also will encrypt customer content that we store. In some cases, such as third-party services developed to run on Windows Azure, we'll leave the choice to developers, but will offer the tools to allow them to easily protect data," Smith adds. "We're working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected."
As for reinforcing legal protections, Microsoft will take new steps to reinforce legal protections for customer data. As an example, Microsoft will notify businesses and government customers if the company receives legal orders related to their data. If a gag order prevents Microsoft from doing so, then the company will challenge it in court. Microsoft will also assert available jurisdictional objections to legal demands when governments request customer content stored in another country.
"Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security," he writes. "And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision."
To read the full blog, head here.
