Microsoft announced today that it is expanding encryption across its services, strengthening legal protections for its customer data, and making its software code more transparent so customers can be reassured that there aren’t back doors into the company’s products.
These steps to bolster its security are aimed at pushing governments to use legal processes rather than “technological brute force” to access customer data, Microsoft’s top lawyer Brad Smith said in a blog post. The company’s announcement comes amid fears that the US National Security Agency has broken into Microsoft’s communication links.
All of Microsoft’s security measures will be in place by the end of 2014, and many are effective immediately, though Microsoft doesn’t specify which ones.
Microsoft’s encryption efforts will cover services including Outlook, Office 365, SkyDrive and Windows Azure, and will provide protection throughout the full life-cycle of customer content. Here is a list of encryption steps the company is taking.
- Content moving between customers and Microsoft will be encrypted by default.
- All of Microsoft’s key platform, productivity and communications services will encrypt customer content as it moves between data centers.
- Microsoft is using industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths.
- Customer content that Microsoft stores will also be encrypted.
- Developers for third-party services that run on Windows Azure have the choice of encryption, but Microsoft will offer the tools to allow them to protect the data.
Microsoft is also working with other tech companies to protect data moving between services, for example from one email provider to the other.
Other than encryption, the company has also stated its commitment to notifying business and government customers if it receives legal orders related to their data — and if there’s a gag order, Microsoft will challenge it in court.
The company is also boosting its transparency by allowing customers to review its source code, so they can confirm there are no back doors. Microsoft will be opening a network of “transparency centers” in Europe, the Americas and Asia.
Smith says that Microsoft has been “alarmed” by recent claims that some governments have taken steps to circumvent online security measures to get their hands on private customer data. He notes:
> In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.
>
> If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.

Microsoft becomes the latest company to strengthen its security in response to the NSA’s alleged spying efforts. Google is accelerating its plans to encrypt the “torrents of information,” while Yahoo will encrypt all information that moves between its data centers by the end of the first quarter next year.