Microsoft helped defeat encryption for NSA on Outlook, SkyDrive, Skype

posted at 8:01 am on July 12, 2013 by Ed Morrissey

I’d call this another reason to go Mac, except that Apple also cooperated with NSA in accessing customer activities.  Second look at Linux?

Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian.

The files provided by Edward Snowden illustrate the scale of co-operation between Silicon Valley and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;

• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

These aren’t so much new revelations as they are explanations of earlier ones.  From the first exposure of the NSA surveillance programs, we knew that Microsoft (and Apple) facilitated in some way the NSA’s access to information passing through its servers and programs.  At first, the reports claimed that the Internet companies provided direct access to their servers, which later details demonstrated was either an oversimplification or flat-out exaggeration. The Guardian says in this report that Microsoft and others denied providing a “back door” into those communications, but that’s not exactly true. They denied providing a back door into the servers themselves, but offered highly nuanced explanations about just about every other possibility.

This explanation also suggests that the NSA didn’t tap directly into the servers.  Instead of grabbing the data at the unencrypted hub, Microsoft set up the NSA to decrypt communications as they passed through the backbone.  If Microsoft gave the NSA access to the servers, it probably wouldn’t need the decryption keys.  Moreover, the issue of encryption access isn’t new.  The government has been wrangling with Microsoft for years over that issue, arguing that national security required the government to be able to decrypt communications when necessary.  That’s what Microsoft meant in this response:

Privately, tech executives are at pains to distance themselves from claims of collaboration and teamwork given by the NSA documents, and insist the process is driven by legal compulsion.

In a statement, Microsoft said: “When we upgrade or update products we aren’t absolved from the need to comply with existing or future lawful demands.”

We’re still back to the issue of how much surveillance the American people will tolerate.  This is just the nuts and bolts of how it worked.  Until Congress can exercise effective oversight over the NSA — which will require administration officials to stop lying about it — nothing will have changed.  Except, of course, that the Russians have started using typewriters rather than computers.


Related Posts:

Breaking on Hot Air

Blowback

Note from Hot Air management: This section is for comments from Hot Air's community of registered readers. Please don't assume that Hot Air management agrees with or otherwise endorses any particular comment just because we let it stand. A reminder: Anyone who fails to comply with our terms of use may lose their posting privilege.

Trackbacks/Pings

Trackback URL

Comments

I don’t see Microsoft doing anything necessarily wrong here… And, when they have a warrant, the NSA should have access to such.

What was Microsoft supposed to do? Take a principled stand sorry can be harassed sued by the “consumer relations” board?

Skywise on July 12, 2013 at 8:08 AM

Second look at Linux?

Why? Linux is open-source. At that point you might as well just hand the NSA your data on a silver platter.

Stoic Patriot on July 12, 2013 at 8:14 AM

I am seriously sick of our federal government.
We need to just tear the whole damn thing down and start over again to restore our nation to its founding principles instead of something resembles Big Brother.

Unfortunately, that’s unlikely to happen. We’re proving once and for all that individual liberty and freedom from tyranny are historical aberrations, not the norm.

DRayRaven on July 12, 2013 at 8:14 AM

Mid-20th century technology is the New Hotness

workingclass artist on July 12, 2013 at 8:16 AM

Trojan..
Backdoor..
Virus..

Take your pick..

M$

Electrongod on July 12, 2013 at 8:16 AM

The Postal Service is excited about prospects for the return of typewriters.

workingclass artist on July 12, 2013 at 8:17 AM

What did Mussolini say about the merging of State and corporate power? I think he called it fascism.

antifederalist on July 12, 2013 at 8:18 AM

Stoic Patriot on July 12, 2013 at 8:14 AM

Wow, I’d love to hear tour warped view on what you think “open source” means.

thphilli on July 12, 2013 at 8:20 AM

How many years did the United States exist without having to “live” wiretap and videotape all its citizens?

Just shows how corrupt government is. Give government the technology to spy on its greatest enemyits citizens – and it will maximize and exploit it to its fullest.
(But if you try to do it, you go to jail.)

And where are the out-of-power Republicans on all this excess spying on its citizens? Quiet as a church mouse because they are just champing at the bit to get back in power so they can use the spying capabilities on its citizens!

albill on July 12, 2013 at 8:21 AM

….typewriters!

KOOLAID2 on July 12, 2013 at 8:21 AM

But drones are a good thing, a DNA database would never be abused, and Snowden is a traitor.

Got it.

WryTrvllr on July 12, 2013 at 8:24 AM

Second look at Linux?

Go ahead TRUST LINUX

BDU-33 on July 12, 2013 at 8:26 AM

Gonna be difficult to comment here on my old Selectric®.

Bmore on July 12, 2013 at 8:26 AM

Why? Linux is open-source. At that point you might as well just hand the NSA your data on a silver platter.

Stoic Patriot on July 12, 2013 at 8:14 AM

“Open-source” has nothing to do with “encryption”. Discussing apples during an oranges discussion adds no value … unless you’re trying to influence the ignorant.

Carnac on July 12, 2013 at 8:28 AM

Not surprised – MSNBC is MicroSoft NBC. DUH

A significant majority of IT people vote Democrat – they are technically smart, much more than many of us but….. technology isn’t the only answer – there’s the human component, one that is often overlooked when making decisions.

Gates, Jobs, Yahoo crew, Google crew, many SW developers support Democrats. There is something in certain mindsets that says, “I know it all.” Definitely a major component of leftist thinking.

Final point – again, a significant majority of government workers vote Democrat. Thus, if you think your “team” has all the answers, maybe you’re getting some of “your” answers from those who are not part of your team – legally, and questionably illegally.

MN J on July 12, 2013 at 8:28 AM

Apple & Microsoft are headed by leftists.

Leftists like big, intrusive government.

All this evildoing is not very surprising.

itsnotaboutme on July 12, 2013 at 8:28 AM

How many people remember when Microsoft and Google were drooling over China and acquiesced to allowing that government information on, and access to its citizens? I am also willing to bet that a lot of light bulbs flashed when the US government saw what extant the companies were willing to go to enter the Chinese market, and the amount of capitulation China received.

I am guessing all tech companies are in the same boat, some probably less willing than others, but still, selling out people has become just a business decision. Insidious and evil.

Second look at typewriters?

Second look at “The Patriot Act”?

Rode Werk on July 12, 2013 at 8:29 AM

MN J on July 12, 2013 at 8:28 AM

Great minds think alike. :)

itsnotaboutme on July 12, 2013 at 8:30 AM

I am an Apple user. Never have regretted sticking with it. Always subject to change however. Its just such a lovely OS. I use these two pieces of software which not only help improve my pleasure in my time spent here at HA, but seem to keep things fairly honest. Abine and Sophos. Never used any viris protection until just a few months back.

Bmore on July 12, 2013 at 8:33 AM

I just took a look at my copy of
Microsoft Security Essentials.

There’s no mention about being Big Bro safe..

Electrongod on July 12, 2013 at 8:35 AM

Accept it. Any government, whether a Republican or Democrat US government, or the UK or Russia or China or Japan has your electronic data. The question is, who can you trust? I used to be able to trust the US government, but not any longer, not with the marxistsin this White House.

Rand Paul, Ted Cruz? Maybe.

rbj on July 12, 2013 at 8:42 AM

sorry can be harassed

SO THEY can be harassed… dopey stupid droid autocorrect…

Skywise on July 12, 2013 at 8:43 AM

Why? Linux is open-source. At that point you might as well just hand the NSA your data on a silver platter.

Stoic Patriot on July 12, 2013 at 8:14 AM

You know nothing about open source, do you? The benefit of open source is that you have the ability to know what you’re installing on your system.

What you said doesn’t make sense.

Kingfisher on July 12, 2013 at 8:44 AM

Perhaps a link.

Bmore on July 12, 2013 at 8:48 AM

One more some of you may find interesting.

Bmore on July 12, 2013 at 8:52 AM

Not a big fan of the cloud concept however.

Bmore on July 12, 2013 at 8:52 AM

Accept it. Any government, whether a Republican or Democrat US government, or the UK or Russia or China or Japan has your electronic data. The question is, who can you trust? I used to be able to trust the US government, but not any longer, not with the marxistsin this White House.

Rand Paul, Ted Cruz? Maybe.

rbj on July 12, 2013 at 8:42 AM

Scott Walker is the only hope. It needs to be someone from the outside. And the more body blows the nominee takes (and Walker will be savaged ala Palin) the less will be his/her need to feel loved.

WryTrvllr on July 12, 2013 at 8:53 AM

Amazing how much Obama has been able to get Silicon Valley companies to fork over whether it is money or their willingness to help spy on Americans. What all are they getting in return? Would love to see a listing of that.

Charm on July 12, 2013 at 9:13 AM

If Microsoft gave the NSA access to the servers, it probably wouldn’t need the decryption keys.

No. If the email is encrypted, it stays encrypted on the server. The keys to the decryption don’t reside on the email server. What you’re probably thinking of is the encryption that goes on anytime you use https. That encrypts the message packets between the client and the server – but it doesn’t actually encrypt the email, itself.

I don’t see Microsoft doing anything necessarily wrong here… And, when they have a warrant, the NSA should have access to such.

This is more the equivalent of Kwikset building in a master keying to every lock they make, then handing the master key to the local police – without a warrant, but just-in-case. Then the police can wander into anyone’s house at any time. If the police have a warrant, then they can decrypt individual emails related to that warrant. Giving them a master key (and not telling the people relying on that decryption) is a horrendous breach of trust. (Not that I would expect anything different from Microsoft.)

What was Microsoft supposed to do? Take a principled stand…?

Skywise on July 12, 2013 at 8:08 AM

Well, if they had any principles, yeah. That’s sort of the point of them.

Why? Linux is open-source. At that point you might as well just hand the NSA your data on a silver platter.

Stoic Patriot on July 12, 2013 at 8:14 AM

You keep using that word. I don’t think that word means what you think it means.

GWB on July 12, 2013 at 9:13 AM

Second look at Linux?

Why? Linux is open-source. At that point you might as well just hand the NSA your data on a silver platter.

Stoic Patriot on July 12, 2013 at 8:14 AM

I’m going to assume good intent on your part and try to explain what open source means.

Open source does not in any way be that there is open access to encrypted content. Open source means that the source code, the actual programming instructions which are later compiled into the program itself, is open for all to examine. When people talk about a backdoor such as the one Microsoft made available to NSA they mean that in the programming code is a separate pathway for accessing information. Once that code is compiled (built into the actual program that you run on your computer), no one can see that the back door exists.

With open source software, anyone can review the code and confirm that everything there is therefore the right reasons. Anyone can then compile the code and confirm that the resulting gift is the same result that everyone is using. In the case of encryption, if there’s not a backdoor code and the only option for an agency like an insane encrypted content is either to exploit a weakness in the design or through something called a brute force attack (basically trying every password in existence).

The encryption program true crypt (http://www.truecrypt.org/) is an example of open source encryption. If used properly the only known exploit is a. With a sufficiently complex key, such a force attack would take even NSA hundreds of thousands of years to decrypt. Of course no one outside NSA knows the true extent of the computational power they can deploy against such an attack but suffice to say getting access to your TrueCrypt encrypted files would be a good deal more complicated than using the backdoor built into Outlook.

SoRight on July 12, 2013 at 9:37 AM

If used properly the only known exploit is a.

should have said

If used properly the only known exploit is a brute force attack.

SoRight on July 12, 2013 at 9:38 AM

Go ahead TRUST LINUX

BDU-33 on July 12, 2013 at 8:26 AM

But it’s still open-source.

Hot Gas on July 12, 2013 at 9:39 AM

For those who are fans of typewriters (I have my grandmothers old Underwood circa 1930 model & it works fine)…Here’s a site link for collectors and those interested in parts and restoration…

http://www.mytypewriter.com/

workingclass artist on July 12, 2013 at 10:02 AM

Why? Linux is open-source. At that point you might as well just hand the NSA your data on a silver platter.

Stoic Patriot

Explain yourself.

Even the NSA provided SELinux has been peer reviewed. Yearly shootouts by various parties on which OS is the hardest to crack list Linux at the top of the heap.

Dr. Dog on July 12, 2013 at 10:02 AM

Actually, Apple is on record refusing to break the iPhone’s encryption.

http://gizmodo.com/apples-got-a-huge-waiting-list-of-cops-who-need-iphone-500136154

PJ Emeritus on July 12, 2013 at 10:06 AM

Go ahead TRUST LINUX

BDU-33

Why not? You are right now. You posted the above and there is a very excellent chance that the OS this very web site is running on is Linux. Ha.

Dr. Dog on July 12, 2013 at 10:12 AM

I’d call this another reason to go Mac

Another? I wasn’t aware there were any…

spinach.chin on July 12, 2013 at 10:12 AM

My Grandmother’s Old Underwood (c. 1930) now sells for $1675.00 restored/mint condition…

This is a hoot!

My Grandmother (maternal side) worked at Rockwell International in Chicago…and re-located to Houston with the company during the Depression…Stayed with them until she retired in the early 80′s.

workingclass artist on July 12, 2013 at 10:13 AM

D*** you HA. You destroyed my comment with your freakin’ updates again. Saw it coming and couldn’t submit or copy it in time. fu

TerryW on July 12, 2013 at 10:14 AM

TerryW on July 12, 2013 at 10:14 AM

Firefox can block automatic updating of websites.

slickwillie2001 on July 12, 2013 at 10:43 AM

I’d call this another reason to go Mac, except that Apple also cooperated with NSA in accessing customer activities. Second look at Linux?

Already there, on Ubuntu right now, but if you’re a Windows user looking to make the switch give Mint a try, it’s probably the closest to Windows – http://www.linuxmint.com/

clearbluesky on July 12, 2013 at 11:00 AM

I think people are misunderstanding what the term open source means, it doesn’t mean people are free to get into your computer if you’re using linux, it means the code is free for people to develop. People can get MS and OS code too, they just can’t develop it.

clearbluesky on July 12, 2013 at 11:05 AM

If Microsoft gave the NSA access to the servers, it probably wouldn’t need the decryption keys.

No. If the email is encrypted, it stays encrypted on the server. The keys to the decryption don’t reside on the email server. What you’re probably thinking of is the encryption that goes on anytime you use https. That encrypts the message packets between the client and the server – but it doesn’t actually encrypt the email, itself.

GWB on July 12, 2013 at 9:13 AM

The fuller sentence should be, “If the email is encrypted by the sender, it stays encrypted on the server.” Even if an e-mail provider uses SSL/TLS (or STARTTLS) to encrypt the transport of e-mail between its server and a client, it decrypts that particular encryption before it is stored on the server.

The Kwikset analogy is entirely apt, BTW, and Google probably also did the same thing.

Steve Eggleston on July 12, 2013 at 11:12 AM

Does anyone believe NSA employees and those cozy with them are not getting insider investment information?

There is not a human being alive that can be trusted with all this power…

elkchess on July 12, 2013 at 12:15 PM

Just one more reason why I hate Microsoft with the intensity of a thousand Suns!!

Axion on July 12, 2013 at 1:46 PM

BDU-33 – 1st, SELinux is a set of extensions which are enforced at the kernel and higher. It’s use on Linux is not required however; it’s optional. There are alternatives like AppArmor. 2nd, SELinux is open source, so feel free to look through the source code. If you find something, post it to BugTraq.

raz0r on July 12, 2013 at 2:26 PM

BTW, you are all aware Mac OS X IS Linux with an Apple-designed GUI, right?

PJ Emeritus on July 12, 2013 at 2:38 PM

BTW, you are all aware Mac OS X IS Linux with an Apple-designed GUI, right?

Actually Mac OS X is the Mach kernel wrapped with BSD. Avie Tevanian, who was an original author of Mach, worked at NeXT and Apple.

Sebastian on July 12, 2013 at 3:28 PM

Microsoft Outlook has security?

jms on July 12, 2013 at 8:26 PM

The skype issue was really quite predictable. When MS took skype over many people speculated that there would be another shoe to drop in the matter.

That said, its all easily avoidable. That is really what is so sad about all these issues.

What you are seeing is the manifest collapse of “Security through Complexity”. Which is a way of saying security through encryption. Encryption has failed. All the lockouts, passwords, etc have failed.

There are several different security paradigms which are slightly more awkward which is why they’re less popular BUT they have certain advantages.

My personal favorite is “security through obscurity.” Its a much maligned policy because you have to very carefully guard and manage your obscurity. However, the basic premise is that you won’t be targeted if they don’t know you’re there in the first place. They won’t target you if they don’t see you or don’t know what you are in the first place. Its about deception.

To analogize the two systems… Security through complexity is sort of like the turtle shell. Its hard to get through but you know what you’re dealing with from the start. If you have the means to burn through that shell or go around it then the turtle is screwed. Security through obscurity is more like those stick insects that look like twigs to evade birds. They don’t look like insects and so they’re pretty safe from predation.

Taking this into the computer world… Avoid popular software as regards your security or privacy. This might be impossible with operating systems but try to avoid services and software packages that EVERYONE is using. Use obscure technology. Next, don’t use your technology in the default manner. Route things in odd ways. Use different bits of software together in novel ways make it less likely for predators to understand what you are doing.

Finally… Whenever possible… Make it literally impossible for your systems to be compromised. This sounds like a strange notion. But it possible to make systems literally impossible to breach. Little things like isolating networks so information physically cannot flow to unsecured systems. Or little things like setting many core system settings as Read Only. If an attacker can’t modify system settings they often cannot take control of the system.

As regards encryption, many groups are getting more and more interested in implementing “on off pad” type schemes which involve a 1:1 ratio of encryption key to data. And that type of encryption is theoretically unbreakable since there is no repeating pattern. The downside of the on off pad system is that if you want to transfer 2 gigabytes of data you need 2 gigabytes of stored encryption key data to encrypt it. And every time you encrypt anything you throw away encryption key material as you use it. It is therefore a very inefficient system. However, it is unbreakable. You could have a computer the size of a universe try to crack it for the next 100 trillion years and it would fail. Something to be said about that.

Another useful notion is compartmentalizing assets in different systems. Decentralization. When everything is in one place using a well known standardized system you are inherently less secure then if the information is scattered around a dozen specialized systems that each use different technology that very few people understand.

Its a question of security versus efficiency. Choose. Make your system very efficient and the NSA and hackers will own it. Make your system very secure and it will be a pain in the ass to maintain.

Choose.

Karmashock on July 13, 2013 at 9:10 AM