
Microsoft Wants to Come Clean About PRISM

By Richard Adhikari E-Commerce Times ECT News Network
Jul 17, 2013 9:48 AM PT

In the wake of rising public anger against Microsoft over allegations of its involvement in the National Security Agency's PRISM program, the company on Tuesday urged U.S. Attorney General Eric Holder to let it share more details about the way it handles government requests for information about its customers.

There are "significant inaccuracies" in the interpretation of leaked government documents reported in the media last week, according to Microsoft General Counsel Brad Smith.

"We believe the U.S. Constitution guarantees our freedom to share information with the public, yet the government is stopping us," he wrote.

Microsoft has so far received no response to a petition it filed in June seeking permission to publish the volume of national security requests it has received.

The Guardian last week claimed that Microsoft helped the NSA circumvent its encryption on the Outlook.com portal; gave the agency pre-encryption-stage access to email on Outlook.com; and worked with the FBI's Data Intercept Unit to understand potential issues with a feature in Outlook.com that lets users create email aliases, among other things.

Smith denied those allegations.

Damned if You Do

"Tech companies are between a rock and a hard place," said Robin Feldman, a professor at the UC Hastings College of the Law and codirector of the college's Privacy and Technology Project.

In its plea to the Justice Department, Microsoft "is not necessarily trying to say this is unconstitutional -- they're saying they want not to do this," Feldman told the E-Commerce Times.

However, "if Microsoft really cared about privacy, it would be fighting these issues when these programs were implemented, not after they were made public," contended Yasha Heidari, managing partner at the Heidari Power Law Group. "Microsoft's actions are little more than a public relations stunt."

Microsoft is "not providing any additional comment or information beyond the Microsoft blog post and the embedded letter to the U.S. Attorney General," Tricia Payer of Waggener Edstrom, the company's public relations agency, told the E-Commerce Times.

Microsoft's Case

Microsoft does not provide any government with direct access to emails, instant messages or SkyDrive, or with the ability to break HTTPS encryption on Outlook.com instant messages, nor does it provide any government with the encryption keys, Smith stated.

He also denied accusations that Microsoft made changes to Skype to afford easier governmental access to that service.

The company does comply with lawful demands from governments to turn over content for specific accounts on receipt of a search warrant or court order, Smith asserted.

Microsoft discussed legal compliance requirements with the government last week as reported, Smith said, but the discussion was confined to how it would continue to comply with lawful requests.

How Microsoft Turns Over Data

When Microsoft is legally obligated to comply with government demands, it pulls the specified content from its servers, where it sits in an unencrypted state, and then provides it to the government agency.

That could be tricky, because "if companies decrypt data at rest on servers they don't physically control, such as on cloud services, then their decryption keys are exposed in memory," Steve Weis, chief technology officer at PrivateCore, told the E-Commerce Times.

By taking a snapshot of the memory, people could parse out decryption key values and unlock data at rest, whether or not they had lawful access to that data, Weis continued.

Why Microsoft Might Be Antsy

Several other high-tech players, including Google and Facebook, are allegedly partners in the PRISM project, but Microsoft has objected the loudest and most fervently.

That's possibly because of its ownership of Skype, UC Hastings' Feldman speculated.

"For a long time, Skype was considered untraceable," she said. "It was used by journalists and revolutionaries because of that -- so for Microsoft, Skype is the key."

Or it could be that Microsoft is concerned about losing business.

"A number of Microsoft's products are directly marketed to government entities," Heidari pointed out. "This is an especially sensitive issue since it has previously faced scrutiny for certain improper practices with foreign governments, such as the EU."
