Latest Leak Shows Microsoft Handed The NSA And FBI Unencrypted Access To Outlook, SkyDrive And Skype
from the MS-US-Internet-Explorer-10,-now-available-for-download! dept
Microsoft has painted a picture that its relationship with the NSA and FBI isn't a cozy one, but one based on forced compliance. The company has recently been taking shots at Google with its "Scroogled" campaign, claiming it kept users' data more secure. Then news surfaced that Microsoft was providing intelligence agencies with zero-day exploits for deployment by the agencies before getting around to patching them, leading to questions as to its expressed concern for its customers.
The latest leak released by the Guardian paints the company as a willing "team player" working closely with the FBI and NSA to allow unfettered access to the data of its customers.
Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.
This damaging set of documents indicates that Microsoft talks a pretty good game when it comes to privacy, but the protection it actually offers is less than skin deep.
The documents show that:
• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;
• Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio;
• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".
Microsoft's latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: "Your privacy is our priority."
Microsoft's actions say otherwise. Skype alone gives the NSA and FBI access to over 600 million users worldwide despite Skype's earlier claims that these calls couldn't be tapped.
Similarly, Skype's privacy policy states: "Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content."
Microsoft has responded to this leak with a statement claiming its actions are above-board and completely legal. The NSA released a statement as well, claiming, as Microsoft does, that everything detailed is fully compliant with applicable laws. As usual, the NSA statement makes reference to "strict oversight" and "careful monitoring," empty phrases it has deployed before that are ultimately meaningless without any corresponding transparency.
Again, speaking to the "legality" of these actions is nothing more than self-serving rhetoric. As has been expressed before, the real scandal isn't that large-scale surveillance is happening. It's that it's legal. Secret courts issuing secret interpretations that companies like Microsoft are compelled to comply with. Microsoft may say it "rejects" demands that it doesn't deem "valid," but does anyone think these rejections aren't simply overridden?
There are ways to comply with government requests which don't take the form of working closely with intelligence agencies to undercut the same privacy you're telling the public you're so interested in protecting. (Maybe ask Twitter for some advice...) Giving intelligence agencies carte blanche access to data pre-encryption doesn't sound like the actions of a company that regularly challenges government requests. It sounds more like the compliance of a company who'd rather not jeopardize OS sales and support to one of its biggest customers.
Filed Under: encryption, nsa surveillance, pre-encryption access, prism, surveillance
Companies: microsoft, skype
Reader Comments
Re:
http://www.heise.de/tp/artikel/5/5263/1.html
[ link to this | view in chronology ]
Response to: Alana on Jul 11th, 2013 @ 12:34pm
[ link to this | view in chronology ]
Untrustworthy...
[ link to this | view in chronology ]
Re: Untrustworthy...
Starting to become clear why the U.S. government went after Megaupload so strongly...
[ link to this | view in chronology ]
Re: Untrustworthy...
There never was and there never will be. It's one of the main reasons why you should not allow any third party to hold or transfer data that you don't want anyone else to see -- that rule has always been true, and in these days of the cloud fad, it's even more important to keep this in mind.
For best results, minimize the amount of data stored by third parties, and encrypt everything.
[ link to this | view in chronology ]
Re: Re: Untrustworthy...
How do we know there isn't a government-mandated secret way to circumvent the HTTPS certificate management in Internet Explorer to make man-in-the-middle attacks easier?
Are our computers betraying us in ways we don't even know about yet?
There comes a point where conspiracy theorists like Richard Stallman are correct - the only software you can trust is the software you can inspect, modify, and rebuild yourself.
And then there's the hardware...
[ link to this | view in chronology ]
Re: Re: Re: Untrustworthy...
You raise an interesting question because with third party closed-source software you can not review the code for any back doors. With open-source software, you can review the code for back doors and it would be harder to hide a back door in the code. The issue is how much do you or I trust the specific vendor of the closed-source software. The openness of open-source software is inherently more trustworthy because the developers are not deliberately hiding anything.
I wonder long-term how the NSA spying scandal will affect Windows or MS Office in particular if customers decide en masse MS can not be trusted.
All commercial transactions rely heavily on the buyer believing they can trust the vendor and manufacturer (if different). Contracts are often used to codify and clarify the relationship but do not remove the element of trust.
Oddly it may be in MS' long-term best interests to consider making their products open-source.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Untrustworthy...
You don't, obviously. However, there's an interesting historical event around this kind of thing that involves open source and should be kept in mind:
Dennis Ritchie, the designer of the first C compilers and one of the authors of the original Unix, had put an administrative backdoor into the OS's login program.
Just in case someone was looking through the source code and found it, he also altered the C compiler itself to check for this and to reinsert the backdoor if the login program was recompiled.
This went completely undetected until he revealed it himself in his acceptance speech when he got a Turing Award.
The lesson: just using open source -- although better than using closed source -- is no panacea for this sort of thing. Stuff can be hidden in open source code such that it's hard to find (if, indeed anyone looks).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Untrustworthy...
"Trusting Trust" is an absolutely brutal avenue of attack, although there are (fortunately) ways to beat it.
https://www.schneier.com/blog/archives/2006/01/countering_trus.html
[ link to this | view in chronology ]
Re: Re: Re: Re: Untrustworthy...
In all likelihood, not at all. Their biggest customers are the government, if anything this makes them even more likely to buy.
And for the sheeple? They just keep using Windows, because it's easy. Linux is still very hard to work with, often requiring knowledge of the command line to do even basic tasks. And although most games work on Linux (with wine), they often don't work well, that's the only reason I still dual boot...
And Apple, well, let's just say that hamfisted control over everything has been their game from day one. I'm sure they willingly hand over every byte of data to the NSA, after scrutinizing it carefully themselves of course.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Untrustworthy...
This hasn't been true for a long time. I personally know three non-computer-geek people who switched to Debian and had no problems at all. They've yet to even open the command line.
[ link to this | view in chronology ]
Re: Re: Re: Untrustworthy...
I find it hilarious every time someone calls Stallman a "conspiracy theorist".
Stallman is probably the one person in the world who is fighting for your freedom to use a computer. He takes such ridiculous precautions when using his computer because he knows more than anyone that every last byte of info that's being transmitted is being used against him. We're only now finding that out nearly twenty years after he realized it.
All I'm saying is: Branding people as "Conspiracy theorists" without taking the time to understand what it is they are saying is the move of a sheep. "Four legs good, two legs bad" and all that. I find it unreal that people are still calling him that when it has been revealed that he was right all along.
[ link to this | view in chronology ]
Re: Re: Re: Re: Untrustworthy...
The difference here is that the conspiracy is real.
[ link to this | view in chronology ]
Re: Re: Re: Re: Untrustworthy...
I openly call myself a conspiracy theorist, and I'm proud of it.
[ link to this | view in chronology ]
Re: Untrustworthy...
"It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."
-- Bruce Schneier
[ link to this | view in chronology ]
Soo close. Was: Re: Re:
https://jitsi.org/
[ link to this | view in chronology ]
Re: Soo close. Was: Re: Re:
Linphone supports iOS.
See here:
https://en.wikipedia.org/wiki/Comparison_of_VoIP_software
Of course, spend some quality time with the Wiki page, then with the various sites that look like good candidates.
[ link to this | view in chronology ]
At least according to orig article there's massive (secret) oversight and accountability to (secret) courts.
The reason we have laws is that people who "can", "do". If they can spy, they will. If they can railroad a person and take their property, they will. We can't really stop people from going on like this, but we can keep it illegal so there is some slice of hope for justice down the road for victims of those who "did".
I'm just hoping that after all this we the sheeple don't make this crap legal.
[ link to this | view in chronology ]
Re:
There is a cyber-pearl harbor going on right now, it's just that this "cyber-war" is being waged by the government against the people, not the other way around. Our privacy and security have already been sunk, and our civil liberties are burning and down by the head.
Nonetheless, I hope all they have done is to awaken a sleeping giant and fill him with a terrible resolve...
[ link to this | view in chronology ]
If anyone has stock in Microsoft, consider selling it ASAP before the bottom completely falls out. It's already been falling out with Win8 and flopRT, but these new revelations make MS's bottom look like it's made out of wet cardboard.
[ link to this | view in chronology ]
Re:
Copyright-maximalist organizations love that cloud storage gives them the ability to remove your access to content too...
And advertising-centric companies (Google, now Microsoft as well), love that they can force you to view ads or mine your data for marketing content whenever you use their services.
What we really need are more free, convenient, "do it yourself" cloud devices. I know several linux-based solutions already exist that you can run from home, or from your own hosted server, but they don't easily integrate with all devices like dropbox, google drive, or skydrive would.
[ link to this | view in chronology ]
Might have jumped the gun a bit there...
On the other hand, this does offer one heck of a PR chance for those other companies... 'Yes we may be forced to hand over customer data when ordered to by the government, but unlike companies like Microsoft, we don't go out of our way to assist in the collection of your personal data.'
(Semi-related tangent)
Honestly, with how close MS is proving to be with various government agencies, and the Xbone's mandatory, always on camera, I can only assume that anyone still planning on buying it is obsessed with the few games listed for the system, and/or simply has no clue as to the MS/government connections.
[ link to this | view in chronology ]
Re: Might have jumped the gun a bit there...
It may be true that the NSA doesn't have access, but this is a "better safe than sorry" circumstance if I ever saw one.
There is such a thing as not being paranoid enough, regarding certain things.
Also, I finally understand the slow roll out of the leaks. It isn't so the Guardian can redact the damaging stuff. It's to give everyone involved enough rope to hang themselves w/!
1. First leak that the NSA is spying, knowing they'll deny it, like they have in the past.
2. Then leak the who they're using, & let them deny that.
3. Then leak the how, w/ proof of who, & see everyone backtrack on the "not" & explain how they're forced to.
4. Then leak that EVERYONE is spied on, & watch the denial wave & excuses come together. This was about where those in Congress in the know started talking about oversight... which appears to also be a lie. Just like the cake.
5. Then leak that all the excuses have been lies so far, & that the "oversight" is a rubber stamp.
6. Now they're starting to leak specifics.
Since it seems to be the thing on Techdirt...
7. ???
8. Profit!?!?!?!?!?
[ link to this | view in chronology ]
Re: Might have jumped the gun a bit there...
Would people pay Microsoft/NSA to set up a camera/mic in their house? Not a chance. Since they can't directly sell the public on the notion of having their privacy violated all day and night, they obfuscate their nefarious intentions by emphasizing all the fun features housed in their spy-box.
If they give the NSA unfettered access to Skype, Hotmail, etc., what makes anyone think that they won't do the same with the Xbox One Kinect? Logic please.
[ link to this | view in chronology ]
That may explain why I spent 20 minutes of reading web posts and clicking all over the outlook.com to try and figure out how to set up a quick email alias. I gave up and set it up on one of my gmail accounts.
[ link to this | view in chronology ]
Re:
I've set up a few once I worked out how (which was more difficult the first time than it is now).
If the Aliases are posing the NSA some trouble, it sounds like they were actually set up properly; though, your name (the one you click on to get there) is still displayed as your name when someone gets an E-mail from you through the alias, which is kinda stupid. At least I didn't use my real name when creating the account. Anyone who does needs to take lessons on basic online safety.
[ link to this | view in chronology ]
While I don't think the camera on the XBox is as big of a problem as it's made out to be, the close and cozy relationship between Microsoft and various TLA intelligence agencies goes way back and has been common knowledge for decades, at least in the software industry.
[ link to this | view in chronology ]
Re:
Actually it's more evidence of Microsoft's untruthfulness. They say you can "turn it off", but the system won't work if Kinect is not plugged in. You'd have to be nuts to actually believe it's truly off given that restriction. If the customer has no need for it to be connected, why does Microsoft?
[ link to this | view in chronology ]
Re: Re:
Some coder alleged to have inserted backdoors into OpenBSD at the behest of the FBI, the devs went over their code with a fine-toothed comb to prove it was clean.
A similar approach from the Linux devs certainly wouldn't go amiss.
[ link to this | view in chronology ]
Re:
The thing to worry about isn't the integrity of the kernel, it's all the damn packages that every user feels they "need to have" in order to run a computer. All the driver blobs, and packages that aren't found on repositories, or extensions that are seemingly made out of thin-air? Those are the things that need constant, 100% scrutiny.
It makes far more sense for the NSA to let the user bug themselves than it is for them to attempt to infiltrate a close-knit group of some of the best programmers in the world. It's why Facebook is so popular.
[ link to this | view in chronology ]
More Porn!
So the NSA's true motives come out! They didn't think there was enough porn on the internet so they recorded video and audio from Skype to get more?:)
[ link to this | view in chronology ]
outlook?
that means they're enabling FBI/NSA spying on enterprise customers, too.
[ link to this | view in chronology ]
If a law is unknown it is not law. It is simply a codification of the practices of dictatorship.
I know people like to play mental tricks to self-justify and pat themselves on the back... but really... secret laws? What the hell good is a secret law to anyone.
There are no secret laws. Who is beholden to a secret law? The law is only good for the people with access to and protection under it.
Law is our set of guidelines by which we can run and maintain society... agreed upon social norms that we set as standard expectations so that we can more peacefully get along in commerce and fellowship.
A "secret law" is an oxymoron if there ever was one.
Secret rules are only set to let secret men feel secure about doing awful things to lawful citizens.
Their secret "law" is a farce. Time to burst their bubble.
[ link to this | view in chronology ]
Re:
Tell that to the men with the guns.
[ link to this | view in chronology ]
Re: Re:
Almost want to click insightful there. I cannot deny reality; firepower always wins hands down.
However that has been true since well before the Magna Carta.
This doesn't change the fact that a 'secret law' does not exist in a society of Rule of Law; only in dictatorships. If I recall correctly.. that's not (or was not) supposed to be how we run things here.
[ link to this | view in chronology ]
Re: Re:
Just because armed thugs say something is legitimate law does not mean it's legitimate law. Although when guns come into play, all that becomes academic.
[ link to this | view in chronology ]
Crafty buggers.
[ link to this | view in chronology ]
And people made fun of me
[ link to this | view in chronology ]
Quid Pro Quo?
[ link to this | view in chronology ]
Wait a minute
[ link to this | view in chronology ]
I have a hard time believing this is true because Microsoft just isn't that stupid.
[ link to this | view in chronology ]
Clear Violation of Privacy Policy
[ link to this | view in chronology ]
Re: Clear Violation of Privacy Policy
No, because they didn't violate their privacy policy. Read it -- there's a clause in there about how they will give any or all information in response to legal requests from the government. Nearly all privacy policies include wording along these lines.
[ link to this | view in chronology ]
Worst fears realized
I'd heard vague mutterings about the NSA and MS previous to that, and I assumed that they would hand over the keys to their newest acquisition promptly.
I was right, and justified in not again using Skype. I don't do that anymore..because MS can't be trusted, along with all the other big tech companies.
Pretty soon we'll be back to using landlines and coffee cans for communication, and FTP servers to send files.
Yes, indeed, such a secure feeling now, isn't it?
Let's just now assume every single tech company has been co-opted by the NSA, and assume everything is sent to them either voluntarily (most of the time) or involuntarily.
Don't listen to their 'well, we really value your privacy' - with fingers crossed behind their backs. They're laughing at us, you know. We're idiots - we trusted them too much, and all the while they were selling their souls to the US government.
Let's just shut down the Internet. It's done.
[ link to this | view in chronology ]
How to circumvent wiretapping
[ link to this | view in chronology ]
An uncomfortable thought
That much is a bit of a wowser, true.
What if: they went a step further, and MS made an undetectable piece of software that got into all of their security updates for every single registered computer which allows the NSA to directly access the user's computer without detection by the computer user? It wouldn't set off alarms or your AV at all.
Sort of a 'submerged subprogram' that innocently installs as part of the updates that MS is famous for.
Don't tell me it can't be done. We know what they've done so far, and this isn't that far fetched, now, is it?
Paranoid? Perhaps....but one never knows what kind of 'working relationship' the NSA is capable of making with companies do we?
"We'll make you an offer you can't refuse-if you give us all this stuff, your company will never be prosecuted or sued again for whatever you did before."
It worked in the Godfather, and it works in real life.
[ link to this | view in chronology ]
Re: An uncomfortable thought
Even then, let's be serious here, AV programs get false positives all the time. Any normal user that sees a windows process flagged is going to think "Oh, it just picked up a false positive" and ignore it.
Windows, not even once.
[ link to this | view in chronology ]
MSA?
They already have an address, One MSA Way.
Is this NSA version 1.0 or 2.0?
Ohhh, the laughs go on and on. If all this were at all funny.
[ link to this | view in chronology ]
Yesterday it came to light that the NSA has been collecting millions of emails, chats and skydrive files from us each and every day. Since that news was released, many of you have called support with questions and concerns about this program. To save our time and yours, here are answers to three of the F.A.Q.s we’ve been hearing from you:
*1. Will I be charged extra for this service?*
We're happy to say that the answer is no. While the harvesting and surveillance of your emails, chats and cloud data were not part of your original service contract, we're providing this service entirely free of charge.
*2. If I add email aliases to my account, will those also be monitored?*
Once again, the answer is good news. If you want to add any additional accounts through our service, your emails, chats and other data will all be monitored by the United States government, at no additional cost.
*3. Can Microsoft help me fix Windows crashing issues?*
Unfortunately, no. Our close partnership with NSA to provide exploits / backdoors in our software may be responsible for some of the issues you're facing. In fact, we like to think of these as "features", some of which took us months to develop.
I hope we’ve helped clear up some of the confusion about this exciting new program. But if you have any further questions, please don’t hesitate to call support. Your calls may be recorded for "quality" purposes.
[ link to this | view in chronology ]
http://paranoia.dubfire.net/2010/09/calea-and-encryption.html
[ link to this | view in chronology ]