It took them a while, but Microsoft is finally announcing a concentrated effort to protect its customers and their data from unauthorised government surveillance.
“Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry,” says Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft.
Likening government snooping to Advanced Persistent Threats (APTs), he announced that the company will be expanding encryption across its services.
They aim to strengthen the encryption of customer data across their networks and services, including Outlook.com, Office 365, SkyDrive and Windows Azure. Customer content will be encrypted as it moves between the customer and Microsoft, as it travels between Microsoft data centers, and when it’s stored.
“We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths,” he says. “All of this will be in place by the end of 2014, and much of it is effective immediately.”
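Perfect Forward Secrecy is a property of the TLS key exchange, not of the certificate: a suite that uses ephemeral (EC)DH means a later compromise of the server's long-term key does not decrypt previously captured traffic, which is exactly the bulk-interception scenario described above. As an added illustration (not Microsoft's code or configuration), the Python below classifies cipher suite names by whether they offer forward secrecy and builds a server-side `ssl.SSLContext` restricted to such suites; the sample cipher list is constructed for the example, and the 2048-bit key length mentioned in the quote would have to be checked separately on the certificate.

```python
import ssl

# Constructed sample of OpenSSL-style suite names, as an older server might
# advertise them. This is illustrative only, not any real deployment.
SAMPLE_CIPHER_LIST = [
    "TLS_AES_256_GCM_SHA384",       # TLS 1.3: key exchange is always ephemeral
    "ECDHE-RSA-AES256-GCM-SHA384",  # ephemeral ECDH, RSA-authenticated: PFS
    "DHE-RSA-AES128-GCM-SHA256",    # ephemeral finite-field DH: PFS
    "AES256-GCM-SHA384",            # static RSA key transport: no PFS
    "AES128-SHA",                   # static RSA key transport: no PFS
    "ECDH-RSA-AES128-GCM-SHA256",   # static ECDH: no PFS
    "AECDH-AES128-SHA",             # anonymous ephemeral DH: unauthenticated
]

FORWARD_SECRET_PREFIXES = (
    "ECDHE-", "DHE-",              # OpenSSL names for ephemeral key exchange
    "TLS_ECDHE_", "TLS_DHE_",      # IANA names for the same suites
    "TLS_AES_", "TLS_CHACHA20_",   # TLS 1.3 suites (ephemeral by design)
)
# Anonymous suites are ephemeral but unauthenticated, so an active
# interceptor could sit in the middle; they are rejected outright.
ANONYMOUS_PREFIXES = ("ADH-", "AECDH-", "TLS_DH_anon_", "TLS_ECDH_anon_")


def provides_forward_secrecy(name: str) -> bool:
    """True if the suite uses an ephemeral, authenticated key exchange."""
    if name.startswith(ANONYMOUS_PREFIXES):
        return False
    return name.startswith(FORWARD_SECRET_PREFIXES)


def non_forward_secret(names) -> list:
    """Return the suites from `names` that do NOT give forward secrecy."""
    return [n for n in names if not provides_forward_secrecy(n)]


def forward_secret_context() -> ssl.SSLContext:
    """Server context that only negotiates forward-secret, AEAD suites.

    Uses the standard-library ssl module. TLS 1.3 suites are not affected by
    set_ciphers() and are ephemeral anyway; the string below constrains TLS 1.2.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List every suite the context would still accept without forward secrecy."""
    return non_forward_secret(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("Weak suites in sample list:", non_forward_secret(SAMPLE_CIPHER_LIST))
    print("Weak suites left in hardened context:",
          audit_context(forward_secret_context()))
```

Running `audit_context` against a context before and after `set_ciphers` is a quick way to confirm that a server configuration actually delivers the property being promised, rather than merely advertising it.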
They also plan to work on protecting customer data as it travels between various services, not just Microsoft’s, but that has to be done in conjunction with the companies operating those services.
The company is also set on making users more comfortable with their offerings, and will be widening its program that offers government customers from all over the world the possibility to review the software’s source code, in order to assure themselves that no backdoor has been inserted.
“We also will take new steps to reinforce legal protections for our customers’ data. For example, we are committed to notifying business and government customers if we receive legal orders related to their data,” notes Smith.
They will be challenging gag orders, and “assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.”
In short, the company is trying to make it impossible for any government to obtain customer data through stealthy technical means, forcing it instead to ask for access in court.