When the Year in Review stories start to go live later this month, I think the one that will dominate every list will be the NSA and its listening in on, and looking at, data from many different areas.
We have seen all of the responses to this issue since that story broke earlier in the year, and now Microsoft’s General Counsel Brad Smith, who is the company’s Executive VP of Legal and Corporate Affairs, has detailed steps Microsoft will take in the near future to protect customer data from this type of snooping.
Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry. If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.
In the blog post, he lays out three key steps Microsoft will take to protect this sensitive data:
- Expanding Encryption
  - Customer content moving between our customers and Microsoft will be encrypted by default.
  - All of our key platform, productivity and communications services will encrypt customer content as it moves between our data centers.
  - We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths.
  - All of this will be in place by the end of 2014, and much of it is effective immediately.
  - We also will encrypt customer content that we store. In some cases, such as third-party services developed to run on Windows Azure, we’ll leave the choice to developers, but will offer the tools to allow them to easily protect data.
  - We’re working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected.
- Reinforcing Legal Protections
  - We are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we will challenge it in court.
- Increasing Transparency
  - We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products. We’ll open these centers in Europe, the Americas and Asia, and we’ll further expand the range of products included in these programs.
He goes on to state that the company understands that a balance is needed between technology, security and laws, but that it is focused on safeguards for your data.