Microsoft Wants to Come Clean About PRISM
In the wake of rising public anger against Microsoft over allegations of its involvement in the National Security Agency's PRISM program, the company on Tuesday urged U.S. Attorney General Eric Holder to let it share more details about the way it handles government requests for information about its customers.
There are "significant inaccuracies" in the interpretation of leaked government documents reported in the media last week, according to Microsoft General Counsel Brad Smith.
"We believe the U.S. Constitution guarantees our freedom to share information with the public, yet the government is stopping us," he wrote.
Microsoft has so far received no response to a petition it filed in June seeking permission to publish the volume of national security requests it has received.
The Guardian last week claimed that Microsoft helped the NSA circumvent its encryption on the Outlook.com portal; gave the agency pre-encryption-stage access to email on Outlook.com; and worked with the FBI's Data Intercept Unit to understand potential issues with a feature in Outlook.com that lets users create email aliases, among other things.
Smith denied those allegations.
Damned if You Do
"Tech companies are between a rock and a hard place," said Robin Feldman, a professor at the UC Hastings College of the Law and codirector of the college's Privacy and Technology Project.
In its plea to the Justice Department, Microsoft "is not necessarily trying to say this is unconstitutional -- they're saying they want not to do this," Feldman told the E-Commerce Times.
However, "if Microsoft really cared about privacy, it would be fighting these issues when these programs were implemented, not after they were made public," contended Yasha Heidari, managing partner at the Heidari Power Law Group. "Microsoft's actions are little more than a public relations stunt."
Microsoft is "not providing any additional comment or information beyond the Microsoft blog post and the embedded letter to the U.S. Attorney General," Tricia Payer of Waggener Edstrom, the company's public relations agency, told the E-Commerce Times.
Microsoft does not provide any government with direct access to emails, instant messages or SkyDrive, or with the ability to break HTTPS encryption on Outlook.com instant messages, nor does it provide any government with the encryption keys, Smith stated.
He also denied accusations that Microsoft made changes to Skype to afford easier governmental access to that service.
The company does comply with lawful demands from governments to turn over content for specific accounts on receipt of a search warrant or court order, Smith asserted.
Microsoft discussed legal compliance requirements with the government last week as reported, Smith said, but the discussion was confined to how it would continue to comply with lawful requests.
How Microsoft Turns Over Data
When Microsoft is legally obligated to comply with government demands, it pulls the specified content from its servers, where it sits in an unencrypted state, and then provides it to the government agency.
That could be tricky, because "if companies decrypt data at rest on servers they don't physically control, such as on cloud services, then their decryption keys are exposed in memory," Steve Weis, chief technology officer at PrivateCore, told the E-Commerce Times.
By taking a snapshot of the memory, people could parse out decryption key values and unlock data at rest, whether or not they had lawful access to that data, Weis continued.
Why Microsoft Might Be Antsy
Several other high-tech players, including Google and Facebook, are allegedly partners in the PRISM project, but Microsoft has objected the loudest and most fervently.
That's possibly because of its ownership of Skype, UC Hastings' Feldman speculated.
"For a long time, Skype was considered untraceable," she said. "It was used by journalists and revolutionaries because of that -- so for Microsoft, Skype is the key."
Or it could be that Microsoft is concerned about losing business.
"A number of Microsoft's products are directly marketed to government entities," Heidari pointed out. "This is an especially sensitive issue since it has previously faced scrutiny for certain improper practices with foreign governments, such as the EU."