More revelations about collaboration between technology and communications companies and U.S. Federal agencies came Thursday from former NSA contractor Edward Snowden and The Guardian's Glenn Greenwald, this time asserting that Microsoft worked much more closely with the FBI and NSA than the company seems to have previously stated.
Following the Washington Post and Guardian's revealing stories on the NSA's metadata-collecting "PRISM" program last month, the role of technology companies in U.S. government spying has been further uncovered by the Guardian, as documents provided by Edward Snowden showed that Microsoft has helped the NSA circumvent its own Outlook.com web chat encryption. The Guardian also alleged in its story that Microsoft has been working with government agencies to provide easier access to other data on email services, Skype, and Microsoft's cloud data servers, called SkyDrive.
MS Works With NSA to Hack Its Own Outlook.com Web Chat, Before Launch
According to the Guardian, the documents show that Microsoft had already given the NSA pre-encryption access to Outlook and Hotmail email, and that, within five months after the NSA became worried about web chats on Microsoft's new Outlook.com portal, Microsoft and the FBI came up with a solution to allow the NSA to bypass Outlook.com's web chat encryption.
An internal NSA newsletter dated December 26, 2012, marked top secret, reportedly says, "MS [Microsoft], working with the FBI, developed a surveillance capability" to fix the encryption problem. "These solutions were successfully tested and went live," on December 12, 2012. Microsoft officially launched Outlook.com for customers in February 2013.
NSA Has Pre-Encryption Access to Hotmail, Live, and Outlook.com
Another newsletter entry, obtained by the Guardian, shows that the NSA already had pre-encryption access to Outlook.com, Hotmail, and Live emails: "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption."
NSA Can Monitor Skype Video Chats
Another document reportedly obtained by The Guardian shows that the NSA's PRISM program was capable of tapping into Skype video calls - at first just the audio, but then the video data as well. The documents purportedly state that on July 14, 2012 the NSA added video monitoring capabilities, saying, "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture.'"
Collection of non-video Skype data goes back to February 6, 2011 - two days after the attorney general sent Skype a directive to comply with the NSA, though work to integrate Skype into PRISM had reportedly begun in November of the previous year. According to another top-secret document provided by Snowden, the NSA was pleased with Skype's cooperation: "Feedback indicated that a collected Skype call was very clear and the metadata looked complete," said the document. "Collaborative teamwork was the key to the successful addition of another provider to the PRISM system."
Microsoft Worked "For Many Months" with the FBI On NSA Access to SkyDrive
According to the top-secret documents obtained by the Guardian, Microsoft cooperated with the FBI - a kind of liaison between technology companies and the NSA - on giving PRISM special access to Microsoft's SkyDrive cloud storage service. The access, according to the document, "means that analysts will no longer have to make a special request to SSO [Special Source Operations] for this," and that "this new capability will result in a much more complete and timely collection response." The document praises the FBI and Microsoft, saying, "This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established."
Microsoft: Denials, Disclosure, and Denials
Along with other technology companies, like Yahoo, Facebook, and Apple, Microsoft released information about government requests for customer data after the initial NSA PRISM story broke in June. Also like other technology companies, Microsoft could only disclose the number of requests and the number of accounts affected for a six-month period, and emphasized that the data requests were small in scope and from law enforcement at every level of government. An excerpt from Microsoft's disclosure from June 14, 2013:
"For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal). This only impacts a tiny fraction of Microsoft's global customer base."
Before that disclosure, and right after the NSA PRISM story broke, Microsoft denied providing customer data in a broad way to The Verge on June 6, saying, "we provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it."
In response to the most recent Guardian report, Microsoft posted this statement on its blog, insisting, again, that its actions were only in response to specific, legal requests.
"We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues.
First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes. Second, our compliance team examines all demands very closely, and we reject them if we believe they aren't valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate. To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product.
Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues."
The revelations about Microsoft bring into question responses from all of the technology companies initially named in the PRISM report, as it seems ludicrous to think that Microsoft would be the only one out of the half-dozen or so that the NSA leaned on for access to data. But as Donald Rumsfeld once said, that is a "known unknown."
One thing seems to be the case going forward - it's becoming less and less clear whether everyone agrees on the same definitions of the terms "direct access," "legal processes," and "applicable law."