Feeds

Microsoft DENIES it gives backdoor access to Outlook encryption

Tells Attorney General gagging orders hurt US Constitution

Protecting users from Firesheep and other Sidejacking attacks with SSL

Microsoft has written to the US Attorney General asking him to let the company be more open about what information it hands over to the NSA, and has published a rebuttal of the claims from NSA whistleblower Edward Snowden about the privacy of its users.

"The Constitution guarantees the fundamental freedom to engage in free expression unless silence is required by a narrowly tailored, compelling Government interest," said Microsoft's general counsel Brad Smith in a somewhat groveling letter to AG Eric Holder.

"It's time to face some obvious facts," Smith wrote. "Numerous documents are now in the public domain. As a result, there is no longer a compelling Government interest in stopping those of us with knowledge from sharing more information, especially when this information is likely to help allay public concerns.

Smith also published a blog post in which he rebutted claims that Microsoft has built backdoor access for federal investigations into some of its most popular software and services. Snowden's evidence has been misreported, Smith said, and Microsoft wants to set the record straight.

Possibly the most damaging allegation is that Microsoft installed a backdoor in the encryption system used in Outlook.com. Snowden's documents indicate this was installed at the request of the NSA and developed by Microsoft in conjunction with the FBI.

"We do not provide any government with direct access to emails or instant messages. Full stop," Smith said. "We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts."

When Microsoft receives a valid information request from law enforcement, it has no need to disable the encryption of messages, Smith said. Instead, Microsoft can take the data from its own servers (where it sits unencrypted) and then pass it on if legally required to do so.

As for Microsoft's cloud service SkyDrive, Smith said that – like any other cloud provider – Redmond has to obey legal requests for data. The company had made changes in SkyDrive this year to "comply with an increasing number of legal demands governments worldwide," but he said direct access to the system's servers by analysts is not given.

Skype users should stop worrying as well, Smith suggested, and denied Snowden's claims that Microsoft had made changes to Skype so that investigators would get easier access to call data, saying changes like the shift to supernodes and storing Skype IM data on Redmond's own servers were simply improvements to Microsoft's back-end systems.

"As Internet-based voice and video communications increase," Smith wrote, "it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the Internet or by fixed line or mobile phone, will offer similar levels of privacy and security," he said.

Smith also took special care to reassure Microsoft's business and government customers that none of their data has been given to the government for national security purposes, although it does deal with a small number of criminal investigation requests, including four last year. Microsoft's encryption of such data has no backdoors, he said, and Redmond doesn't share encryption keys with government.

"The United States has been a role model by guaranteeing a Constitutional right to free speech. We want to exercise that right," Smith concludes. "With U.S. Government lawyers stopping us from sharing more information with the public, we need the Attorney General to uphold the Constitution." ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.