"Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day," Thomlinson wrote. "This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data." Microsoft Corporation statement
Microsoft is a (the first, since 2007) NSA Prism provider. In respect of the NSA Prism program, you can figure out in general how it works by looking at the slides released by The Guardian newspaper and Le Monde, from the material Edward Snowden provided to them.
You can believe this, if you can believe the authenticity of the US Top Secret documents that have been provided by European journalists, In fact, it is extremely hard to believe anything that is in variance with these documents, certainly not a statement from Microsoft Corporation.
1. Every "Prism provider" - NSA designation (P1-Microsoft, P2-Yahoo, P3-Google, P4-Facebook, P5-PalTalk, P6-YouTube [now Google], P7-Skype [now MS], P8-AOL, PA-Apple - maybe others we don't know about), has, directly connected to their company servers and databases, in one or more private locations on their company premises, a "Data Intercept Technology Unit - DITU", property of the US government, controlled and operated by FBI personnel.
2. Each FBI DITU has a direct connection with the NSA, and CIA, and FBI. I intepret this to mean that there is a direct connection to the Prism Provider's servers, not an Internet connection. An Ethernet connection.
3. There are two types of situations at the DITU.
a) "surveillance" the individual Prism provider client is "under surveillance". This means that every action in which they participate, login, e-mail, voice, videoconference, file transfer, image transfer, etc. is automatically provided to the DITU and transferred to NSA (and, optionally, "dual routing", to the CIA and/or FBI in real time.
I think it takes a FISA court order to put someone under surveillance, but I don't know that. Seems to me the statistics about government requests that some of the Prism providers supply are about "surveillance"
b) "Stored Comms" the NSA analyst sends a request to "poke around" in the information (about anyone "Target") that the Prism provider has in their stored database with an association to the targeted client. (e-mails, web pages, uploads, voice, videos, "friends", etc.). In routing the NSA request to the DITU for "Stored Comms", the NSA request is first filtered through an FBI "Electronic Communications Surveillance Unit - ECSU", which filters out the requests pertaining to individuals (presumably only those not under "surveilllance") known by the FBI to be "US Persons", before the request is sent to the DITU. This is done, presumably, to adhere to the 4th Amendment, though I don't think it does very well. For instance, If I "friend" or send an e-mail to a targeted non -"US person", the NSA would get that...
You can look at the slides and see if you agree with my thoughts about this. Incidentally, the Wikipedia site says these slides were released by Edward Snowden, though, of course, Snowden has not released them, to my knowledge, at least.
So, some Prism providers' statements, to the effect that they provide no information directly to the NSA are technically correct, though such statements seem to me to be deliberately misleading.