Company's top lawyer announces effort towards wide-reaching encryption to protect customer information

Microsoft isn’t happy, and their top lawyer had plenty to say about protecting customer information this week in a blog post that announced the company’s efforts to implement wide-reaching encryption.

Brad Smith, the General Counsel & Executive Vice President of Legal & Corporate Affairs at Microsoft, said on Wednesday that the software giant is taking steps to protect customer data from government snooping. Like Google, Yahoo, and Twitter before them, Microsoft recognizes that their customers are concerned, and plans to do something about it. The revelations from Edward Snowden this year, which focused on the wide-reaching, sweeping data collection done by the NSA and partner intelligence agencies, touched all of the major technology firms in one form or another.

“Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures — and in our view, legal processes and protections — in order to surreptitiously collect private customer data,” Smith wrote.

Without naming him directly, Smith referenced the countless stories and media reports during the second half of the year sourced from Snowden’s leaked documents. All summer long, it seemed, a new story emerged every week about governmental interception and collection (often without search warrants or legal subpoenas) somewhere in the world. The most critical stories were reserved for the U.S., and the one that alarmed Silicon Valley the most focused on the collection of data as it moved between corporate datacenters and private networks. What was assumed to be a secure channel was nothing of the sort.
Assuming all of the reports are true, the government’s efforts threaten to “seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an ‘advanced persistent threat,’ alongside sophisticated malware and cyber attacks,” he said.

In order to address this new APT, Microsoft is planning to boost encryption across their services; reinforce existing legal protections, including fighting gag orders and continuing their customer notifications when able; and enhance the level of transparency of their existing software code, making it easier for some customers to see that there are no backdoors.

“For many years, we’ve used encryption in our products and services to protect our customers from online criminals and hackers. While we have no direct evidence that customer data has been breached by unauthorized government access, we don’t want to take any chances and are addressing this issue head on,” Smith said.

The massive engineering undertaking will include all of Microsoft’s communications, productivity, and developer services, including Outlook.com, Office 365, SkyDrive and Windows Azure. The changes listed in Smith’s post include implementation of Perfect Forward Secrecy, and 2048-bit keys, for the customer data that will be encrypted. In the case of third-party services that are running on Azure, the level of data protection will be up to the developers, but Microsoft plans to offer the tools needed to allow them to easily implement strengthened protections. The goal is to have everything done by the end of 2014.

Microsoft has taken a stance, and there are clear indications that the government is starting to push boundaries.
If anything, it’s clear that things have taken a turn for the worse when the nation’s largest software corporation says the government’s intelligence operations are a threat, placing them on the same level as common criminals.

The term APT is often overhyped and used to describe things that it shouldn’t. It’s a buzzword used to push marketing efforts and sales. However (and perhaps unfortunately), when placed in context, Microsoft’s use of the term fits perfectly as a way to describe the NSA’s initiatives.

“Ultimately, we’re sensitive to the balances that must be struck when it comes to technology, security and the law. We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution. We want to ensure that important questions about government access are decided by courts rather than dictated by technological might. And we’re focused on applying new safeguards worldwide, recognizing the global nature of these issues and challenges,” Smith concluded.