On Wednesday morning (EDT) in Orlando, Florida, Neal Suggs (Microsoft Vice President and Associate General Counsel) will take to the big stage at Microsoft's pre-eminent Worldwide Partner Conference to address customer and partner trust in Microsoft following the Snowden revelations. The very name of the session, 'Building Trust in a Post Snowden Era', reinforces how Snowden continues to haunt Microsoft. Are we in a 'post' Snowden era, or is that wishful thinking or some canny headology? Snowden revelations and insights continue to seep out; it may be wishful thinking that the worst is already public, though I truly hope so for Microsoft. The only 'post' here is the fact that the Snowden documents date up to 2013; we have nothing more current from the interim, and the veil of secrecy remains tighter than ever as to which practices continue, which have been replaced, and with what. Reference:
- Al Jazeera ‘TimeLine of Edward Snowden’s revelations’ – An interactive timeline of world reporting of the Snowden revelations.
- Snowden Surveillance Archive – Access all the NSA documents first hand and read for yourself from over 530 individual files, conveniently indexed and cross-referenced.
The question is whether Wednesday's session will gain any ground for Microsoft in the trust stakes, or, perhaps more pertinently, whether Microsoft's hands are tied and all we are going to get is more of the same obfuscation, smoke and mirrors, and regurgitation of what has already been laid out in published overviews and fact sheets:
- Microsoft – A Cloud You Can Trust Overview (PDF 686kb)
- Protecting customer data and defending digital privacy fact sheet (PDF 197kb)
What many in the security field are hoping to hear is the truth, and that means sincerity, not the legalese and run-around statements that leave far too much room for continued concern and gossip. The NSA documents revealed by Snowden suggest that the co-operation between the intelligence community and Microsoft (as well as Amazon, Google, Facebook and Yahoo, to name a few) is deep, verging on collaborative (i.e. more than the minimum required by law) and ongoing. This is qualified in NSA documents that clearly state “This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established“. This is worryingly damning in its implications of proactive co-operation. In Microsoft's case this apparently includes explicitly providing access and making engineering-level accommodations for the NSA so that its data gathering engines can, at their leisure, reach into systems such as:
- Access to SkyDrive (now called OneDrive). “Beginning on 7 March 2013, Prism now collects Microsoft SkyDrive data as part of Prism’s standard Store Communications collection package for a tasked FISA Amendments Act Section 702 (FAA702) selector”.
- Access to Skype calls.
- Access to Outlook.com
Reference the extracted slides and NSA documents from Glenn Greenwald's book of the Snowden documents, 'No Place to Hide' (PDF 91mb). Fast forward to page 26 for the Microsoft revelations and, just to play fair, go to page 81 to see Facebook's kimono laid wide open. This is black and white, clinically clear, and can only be dealt with by a similarly head-on confrontation if the air is to be cleared and trust rebuilt.
The fallout is that, by the very nature of these revelations and the compromised technologies involved, the implication is that ALL Microsoft cloud technologies are similarly exposed by association to ready access by the NSA. NSA documents describe how this access, quote, “means that analysts will no longer have to make a special request to SSO for this – a process step that many analysts may not have known about“, SSO being the NSA's Special Source Operations division. The 'special request' is the very same legal process and transparency around government demands for access to customer data that Microsoft and other vendors hide behind in their defence when they have to give governments access to customers' data. The absence of any need for a 'special request' by NSA analysts can be interpreted in simple terms as a removal of due process: a mechanism exists for the NSA to self-serve, and the software vendor(s) are complicit.
Some questions to which Neal Suggs, or any other Microsoft senior exec, should give straight and comprehensive trust-building answers could include:
Q1: Did Microsoft provide the support suggested above to the NSA across any of these technology services, or any others, then or now?
Q2: Does the NSA have access to the same services that is exempt from the 'special request' process?
Q3: Does the NSA hold the private SSL/TLS or other encryption keys or certificates, or have backdoors, that would allow it to access any customer or partner data on Microsoft systems?
Q4: If you are unable to answer the above questions due to legal gagging, then what kind of powers would you suggest the NSA could have over companies to get them to cooperate in this way?
Q5: Could you truly put your hand on your heart and say 'Businesses and consumers can trust that Microsoft is not exposing their data, without their knowledge, to the intelligence community'?
It is important to note that Microsoft has only indirectly implied that it has not been complicit, in statements like 'There are aspects of this debate that we wish we were able to discuss more freely.' This does not help build the confidence or the trust it seeks so passionately. For now the metaphorical door remains wide open to the cold reality that there could in fact have been collaboration, and that data could be searchable by the NSA without any specific legal process, irrespective of any end-user encryption that relies on the associated Microsoft systems.
So Microsoft and the rest of the US IT giants are caught between a rock and a hard place. They cannot reveal the details of what they have done, nor explicitly confirm or deny them, in order to re-establish trust; instead they dance around the very subject that customers and partners are so desperately seeking clarity on.
Questions are likely to remain, and until they are answered the risk persists and any potential for trust remains elusive.