Microsoft is taking measures to further secure customer data by expanding encryption across all services and reinforcing legal protections for customer data, the company announced on Thursday on its blog. It will also make its software code more transparent, in an effort to assure customers that there are no back-door channels to access the data.
The announcement comes about a week after Microsoft executives met to address reports that the company was among those the National Security Agency (NSA) allegedly hacked in order to gain customer information. In June, the Washington Post broke the story, based on leaks from NSA contractor Edward Snowden, that the agency had a direct line to the central servers of Microsoft, Yahoo, Google, Facebook, Paltalk, AOL, Skype, YouTube and Apple and was secretly mining data of U.S. Internet users.
At the time, the companies released statements denying that the government had access to their servers. "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis," Microsoft wrote in a statement. "In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it."
In the new blog post, titled “Protecting customer data from government snooping,” Microsoft’s top lawyer Brad Smith explained that these measures will address customers’ “serious concerns about government surveillance of the Internet.”
“In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry,” he wrote.
By increasing security so publicly, the company is looking to ensure that the government will have to go through due legal process rather than using “technological brute force” in order to access data.
The increased encryption will be in place by the end of 2014, if not sooner. Microsoft says many security enhancements will go into effect almost immediately. The company will also work with third-party developers to help increase their encryption, though that choice will be up to the individual developers.
In terms of legal protections, Microsoft promises to alert government and business customers if another entity is requesting their data, even if the request goes through legal channels. In cases of gag orders, Microsoft says it will fight the orders in court, as it has done in the past.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision,” Smith wrote.
Other tech giants have already heightened security in response to the allegations of NSA spying. Google, Yahoo, Mozilla, Twitter and Facebook are also expanding encryption. After the recent Yahoo announcement, privacy advocates questioned why Yahoo had not already offered tighter security.
In the past, one reason companies hesitated to add stronger encryption was the fear that it would slow down connectivity. But after Edward Snowden leaked information on the NSA’s domestic surveillance efforts – apparently affecting millions of Internet users – the companies could no longer delay.