Windows 10 Trust at its Core, Really?

Posted on July 16, 2015


“Trust has to be at the Core of Windows 10 and Cortana,” said Satya Nadella (CEO of Microsoft) in his keynote to the Microsoft Worldwide Partner Conference (WPC) audience on Monday. See 60-second clip below:

To reiterate from the video quote: “At the core of Cortana is the ability to collect ALL the personal data, your calendar information, email information, your likes, your history and reason over it.” He has it right when he says Trust has to be at the core.

Windows 10 is planned to be the foundation on which Microsoft builds its new ‘mobility of experience across devices’ vision. This pervasive nature of Windows 10 across all device types, with a shared app code platform and dependency on Cloud Services, has its success resting on even more of our daily actions being shared with Microsoft. That is more than the heartbeat of our online habits already shared with our ISPs, who know every site and system we connect to. Microsoft is encouraging us to share potentially more than users already do with Google or Facebook, the two most perniciously flagrant abusers of personal data and privacy. No wonder WPC this year has the Corporate big guns out touting Microsoft Trust Credentials, and they are without doubt impressive credentials, second to very few in the IT industry. Those few are the outliers who fly in the face of Government strong-arm tactics (such as Silent Circle) and drive the new wave of secure communication services and devices like the ‘Black Phone’.

I truly believe in Microsoft’s sincerity: in timely fashion, to follow through on the claim by their CEO on Monday, we had impressive Trust and Compliance credentials rolled out to us. The first wave was a formal keynote by Brad Smith (Microsoft General Counsel and Executive Vice President of Legal and Corporate Affairs) yesterday morning, East Coast time, followed up with a Q&A session by his number 2, Neal Suggs (Microsoft Vice President and Associate General Counsel), and Phil Sorgen (Corporate Vice President of the Worldwide Partner Group) under the heading of ‘Building Trust in a Post Snowden Era’.

The reality is that Microsoft and its fellow US IT Titans can do all the IT magic, encryption and compliance goodness possible in the world, but those stoic efforts mean little when they have their backs against the wall and their own government pointing a gun at their heads if they say ANYTHING directly relating to the assistance they rendered under the ‘secret’ FISA court (United States Foreign Intelligence Surveillance Court, also known as FISC) orders, as revealed by Snowden. Brad Smith did a nice two-step with the FISA court answerphone stunt during his keynote, a candid attempt to give his audience some pseudo feeling that Microsoft has the upper hand.

I wrote on Monday of my concerns in ‘Snowden Revelations Haunt at Microsoft Worldwide Partner Conference (WPC)’, hoping that we would get more than the usual vaporous terrorism messaging, window-dressing legal pillow talk or back patting as to the strength of Microsoft security in the face of the Cyber Security threat landscape. For many in the InfoSec community the strength of cloud providers like Microsoft to deliver compelling security is undisputed, and some of the issues addressed in these sessions were compelling reasons for using Microsoft cloud. Brad Smith focused on these strengths and beat the drum in his commitment and ‘duty’ to:

  1. Keep Customer Data Secure
  2. Ensure data is kept private and under individual owners’ control
  3. Microsoft will manage the data in accordance with the law
  4. Microsoft will keep us informed as to what they are doing with our data.

Keeping customers’ data secure, taking responsibility for sorting out the localised regulatory burdens and informing us is all great, using the magic word Transparency. But there appears to be transparency and then there is Transparency. What was resonant in its omission was any direct reference to, and detailed redress of, the individual Snowden revelations of Microsoft’s complicit cooperation in giving government access to customer data through their services such as SkyDrive (OneDrive) and Skype. Yes, I get it, it was a secret court order and you cannot speak to it or even acknowledge what you did. The best we get is the real win that Microsoft has achieved as one of the companies that pushed for the US government to allow tech firms to reveal how many requests they get under the FISA (Foreign Intelligence Surveillance Act). Perhaps the reason is that whilst this has forced the Government into agreeing for the first time to the publishing of the number of FISA orders, the constraints imposed mean that very little is actually revealed. All we get to see is the number of requests, and the uncertainty over the collaboration accusations from Snowden still haunts. The closest we got was last year when Brad Smith was quoted: “First, while our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands. This obviously means that only a fraction of a percent of our users are affected by these orders. In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.”

The bottom line is this makes the Government look good and the IT industry little better off; nothing in the new FISA transparency reporting actually quashes the customer concerns over the implicit co-operation given by the likes of Microsoft to the continued massive data collecting that is apparently still going on under the cover of gagging orders. The truth is that Trust in the US, the UK Government Communications Headquarters (GCHQ) and its collaborators Australia, Canada and New Zealand, an intelligence alliance known as the ‘5 Eyes’, has been reduced and will not recover in the significant future. This paraphrases one of the findings of the research for the Conference Paper ‘The Consequences of Edward Snowden NSA Related Information Disclosures’.

So we see that Trust, as I have written about many times before, is a fiercely fickle thing, which Microsoft and its fellow US / Global IT titans Google, Amazon and Facebook, amongst others, shredded with their complicit and proactive acquiescence to ‘secret’ Government orders to participate in the biggest breach of data and trust in digital life recorded to date. The back room machinations of Government and their Intelligence Services have done little to curtail the ‘war on terror’, their greatest achievement being to compromise the integrity of the largest IT vendors in the world. The participation in the feral activities of the intelligence services to monitor customer data, and to gain convenience of access to it beyond that demanded by law, as far as we are aware continues unabated, as detailed in the NSA’s own records revealed by Edward Snowden (see Snowden Archives). This is not idle gossip but fully qualified investigatory journalistic facts. Facts backed up by multiple internal NSA documents spanning years, documents that iterate clearly and in operational terms and jargon that are hard to refute. It means that for those not blind to those facts this issue is very much unresolved and many remain reserved over any claims of trustworthiness by the IT industry.

As for the post Snowden implications, what we got in the Neal Suggs session was the very ‘conflation with other business models’ that Satya Nadella said could not co-exist at the core of the Trust he aspires to. The Suggs and Sorgen Q&As orientated around the weakness of client infrastructure and end user systems, taking the discussion into safe operational territory that Microsoft can eloquently speak to and show their impressive credentials. Microsoft undisputedly provides a much more resilient and robust service in the face of huge scale cyber-attacks compared with even the largest enterprises and most of their competition. However, this line of discussion is a red herring and not the model of exposure that needs to be addressed to put Snowden behind us. Back to the crux of the issue – collaboration with the intelligence services – this ‘insider breach’ side channel renders useless as protection any of those great Cyber Security and regulatory compliance credentials heralded by Smith, Sorgen and Suggs.

The truth is there are institutional and government monsters in the metaphorical cupboard of our online worlds that live in the dark corners and give those of us in the security community, who live in the twilight world, nightmares to consider how the innocent are being slavishly used, and well-meaning corporates made to look fools. Monsters that hate the spotlight of scrutiny and transparency that it is our duty to shine on them, often in the face of naysayers and critics who try to marginalise us for crying wolf or for rocking a boat and spoiling their fun. Well, the wolf is real and it has teeth, and you know what, you’re its breakfast, lunch and tea if you’re not prepared to keep an eye on the menu and make sure you keep off it. The biggest wolf is NOT Google (I thought I would never say that!), the hacker or the malcontent; it is the insider threat from our own governments, who it appears have strong-armed even the biggest IT corporates, Microsoft included.

So what can Microsoft do about this? Let me start with Microsoft’s own ‘Trust Narrative’ 4 pillars:

  1. Help comply with regulatory obligations.
  2. Make sure your data is under your control.
  3. Protecting client data.
  4. Transparency

The first 3 are home runs for Microsoft with their ‘killer feature sets’, as Neal Suggs puts it, which I have already summarised above and presented on myself at past WPCs. It is number 4 that opens up the kimono, and Microsoft does a great job with its transparency reports into Government requests it CAN report, but as in many other parts of life, it’s what remains unspoken that concerns and continues the debate as to what is really going on behind the scenes.

It is also a duty to obey the law, and if the law imposes gagging orders through secret courts to force breaches of data and privacy then we need to look deep into what this means for us as an increasingly digital society.

As for transparency, for now what can Microsoft do better without breaching their gagging orders:

  1. Change the default. Windows 10 is such a chatty OS, even worse than its forebear Windows 8. So start by sorting it out. The current approach is to force users into an opt-out default policy for data sharing with Microsoft and its affiliates, even for the highly questionable and risky sharing of WiFi connections across social groups and devices. Windows 10 should be completely locked down. Provide wizards that clearly and laboriously articulate what users are enabling (risks and benefits) WHEN they try to use a function that could benefit from a cloud service or internet connection, not IF. Many discerning users are sick and tired of having to spend the first hour of any new install, or major update, closing things down and switching stuff off to avoid their desktop behaving like a multi-headed hydra spouting a user’s every action and interaction out onto the internet to your or your partners’ servers. Users would care if they knew the half of it; be their guardian, not their nemesis. It does not matter if you say it’s not being shared or is going over a secure channel, they should be the ones to make the choice, NOT Microsoft or a Partner. Even if they acquiesce to opening up to some insight, provide a user-friendly console that allows them to reverse the actions. If you do this you will win many friends and users (license fees) and you know what, I guarantee people will become more comfortable using those services, driving UP the adoption rates without the stigma of uncertainty that Microsoft is pulling a fast one with their data.
  2. Cookie Transparency. Provide an interface in your OSes that brings into the light the underworld of Cookies, Super Cookies, Flash Cookies, Tracking Cookies and their ilk that live on every user’s machine, reporting their every action to unknown entities across the Internet. Expose these malignant artefacts of web browsing to the scrutiny of users; give your users the power to control the information that is being shared about them.
  3. Empower users through Encryption. I do not mean the encryption Microsoft applies and ultimately holds the keys to, as this is as good as handing the keys on demand to the likes of the NSA or GCHQ under current ‘secret court orders’. I mean the enablement of users to leverage encryption across ALL your systems in a user-friendly way that even my grandmother (if she was still alive) could manage. Devolve the responsibility by empowering those who pay your bills with the means to underpin your trust foundations with a model that will be so irrefutable and symbiotic that you get the security of a retained audience by taking their digital trust worries away, and all the FISA orders served on you in the world will not see you compromise customer data or privacy. Where the end user holds their own encryption keys, you cannot be put in a position to expose their data to government; the Government needs to do what they should be doing, pursuing the data owners.

This is by no means exhaustive but a start. Where there is a will there is always a way.

Microsoft, you have less than 3 weeks to get the bits flipped on Windows 10 to deal with the defaults, please do so. The others can follow 😉