• United States



Former Microsoft Chief Privacy Officer on the Cloud Conspiracy

Jan 07, 20154 mins
Cloud ComputingData and Information SecurityMicrosoft

At the 31C3 security conference, Microsoft's former chief privacy adviser Caspar Bowden presented The Cloud Conspiracy, warning "If you are not American, you cannot trust U.S. software services." He worked for Redmond for nine years, but was fired after warning Microsoft that the NSA could conduct unlimited mass surveillance on cloud computing data. But not even the EU believed it ... until Snowden.

Microsoft former chief privacy adviser Caspar Bowden has said for years that he does not trust Microsoft as a company, nor does he trust its software. If a privacy expert who previously worked for Microsoft can’t trust the company, should we? Well at the 31st Chaos Communication Congress (31C3), Bowden presented The Cloud Conspiracy 2008 – 2014 (pdf).

Bowden served as Chief Privacy Officer at Microsoft for nine years, responsible for advising 40 National Technology Officers from different countries. During an internal strategy conference in 2011, with Microsoft deputy general counsel, cloud management personnel and the NTOs in attendance, Bowden warned, “If you sell Microsoft cloud computing to your own governments then this [FISA] law means that the NSA can conduct unlimited mass surveillance on that data.”

After that, Bowden said the deputy general counsel “turned green” and the room was dead silent. During the coffee break, Bowden was threatened with being fired. Two months later, Microsoft decided Bowden was redundant and fired him.

In Bowden’s presentation about ‘The Cloud Conspiracy,’ he explained that he’s not referring to the cloud as in storage, but the cloud as in data processing. “You cannot protect data in cloud computing,” he said.

Caspar Bowden 31c3 cloud conspiracy Caspar Bowden

His talk could basically be boiled down to how likely is it, legally or technically, that data centers have secret doors for warrantless mass surveillance? Bowden explained how the 2008 changes to the Foreign Intelligence Surveillance Act Amendment Act (FISAAA) added the secret surveillance of remote computing services, aka the cloud. That surveillance, he said, doesn’t have to be triggered by potential criminality or national security, but is instead “purely political surveillance” of “ordinary lawful democratic activities.”

Caspar Bowden warning about NSA and cloud why Microsoft fired him Caspar Bowden

Bowden primarily is talking about secret targeted cloud surveillance of non-US persons outside of the US; that’s a whopping 95% of the world. In other words, the former Microsoft Privacy Chief said FISAAA means “If you are not American, you cannot trust U.S. software services.” Even if the software started off being cryptographically sound, software updates can be pushed through – pushed at you because you are targeted – with results of subverting your security.

cloud conspiracy slide by Caspar Bowden Caspar Bowden

He added that any company choosing not to comply with a FISA order can be found in contempt of the Foreign Intelligence Surveillance Court (FISC). If someone in an American company were to tell a foreign data protection authority about the FISA order, then the individual/company could potentially be charged with the Espionage Act and face 20 years in prison…or worse.

In the synopsis of his lecture, Bowden wrote, “There is one law (FISA 702) and one policy (EO12333) which authorizes the US government to conduct mass surveillance on ‘foreigners in foreign lands’. These are drafted in terms which discriminate the privacy rights you have by the passport you hold – in fact there are no rights at all for non-Americans outside the US.”

Now get this, the slides explaining FISAAA and what happens if you don’t comply with FISC have not changed from what Bowden presented pre-Snowden at the internal Microsoft cloud strategy meeting. You know, the one that ultimately resulted in Microsoft firing him for daring to tell the truth about its cloud services. Yet even the EU laughed off NSA cloud surveillance capabilities before the PRISM scandal.

The rest of his multidisciplinary talk deals with “national and international surveillance and privacy law, Five Eyes SIGINT policy, technical security and economics” as well as possible EU strategies and resolutions. Since PRISM, Bowden has come to believe that the only way to ensure cloud privacy is to have free and open source software running on locally hosted data centers. “The only possible resolution compatible with universal rights is data localization, or construction of a virtual zone in which countries have agreed mutual verifiable inspections that mass-surveillance is not occurring.”

Bowden describes the current political situation with the meta-panopticon slide below.

Caspar Bowden 31C3 cloud conspiracy slide Caspar Bowden

Since talk started of alleged back doors in Microsoft products, Microsoft’s General Counsel Brad Smith makes it appear as if Microsoft is working hard on transparency and fighting the good fight to reform surveillance. Maybe that’s true, maybe Microsoft hopes that trust in US services is not irreparably damaged? Bowden doesn’t trust the company or its software and he likely knows more secrets about Microsoft than we will ever know.

Despite Microsoft’s current public position on mass surveillance and privacy, “The thoughts that Edward Snowden have put in the minds of the public cannot now be unthought,” Bowden said.

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.