Microsoft put on a brave face and asked the NSA to keep its hands off its customer data without due cause. But the company's actual changes lack real technical and political punch, and don't really live up to its ostensibly bold rhetoric.
NSA snooping into corporate databases, Internet traffic, and cellphone locations have put the technology industry on the defensive. Google, Mozilla, Twitter, Facebook and Yahoo have staged public efforts to shield their customer data against spying eyes without search warrants or legal subpoenas.
In a blog post Tuesday, Microsoft top lawyer Brad Smith complained that the company's customers have “serious concerns about government surveillance of the Internet.” Smith called the alleged government snooping an “advanced persistent threat,” similar to sophisticated malware and cyber attacks.
While Microsoft and other tech companies like to talk about protecting customer data, the truth is much more nuanced. Like Google, Yahoo and other public tech companies, Microsoft provides customer data to law enforcement and other government agencies when required by laws such as the Patriot Act and the Foreign Intelligence Surveillance Act. Microsoft admitted as early as June 2011 that it couldn't guarantee the security of its customer data if government agencies came sniffing around.
Microsoft, of course, can make life more difficult for snoops at the NSA by encrypting customer data as it moves to and from Microsoft and between the company's data centers. Smith, in fact, said the company will do just that by the end of 2014, adding that "much of it is effective immediately." The changes impact Outlook.com, Office 365, SkyDrive cloud storage and the company's Windows Azure cloud service.
In an oddly tone-deaf maneuver, Microsoft also said it will expand an existing policy of letting government customers exercise a sort of pseudo-open source review of its source code—the idea being to let (mostly non-U.S.) government bodies to "reassure themselves of its integrity and confirm there are no back doors." To that end, the company will open a network of "transparency centers" for this review in Europe, the Americas and Asia.
Of course, Microsoft has never been particularly clear as to how exactly such source code review works, and Smith did little to clarify it. And it's certainly a little odd that Microsoft isn't extending the same expanded transparency to its corporate customers, although the company has long allowed its largest business and government customers to review source code under a program it calls Shared Source.
Image courtesy of Flickr user passamaquoddy eagle