Microsoft DENIES it gives backdoor access to Outlook encryption

Microsoft has written to the US Attorney General asking him to let the company be more open about what information it hands over to the NSA, and has published a rebuttal of the claims from NSA whistleblower Edward Snowden about the privacy of its users. "The Constitution guarantees the fundamental freedom to engage in free …

COMMENTS

This topic is closed for new posts.
  1. edge_e
    Facepalm

    What's the problem?

    When Microsoft receives a valid information request from law enforcement, it has no need to disable the encryption of messages, Smith said. Instead, Microsoft can take the data from its own servers (where it sits unencrypted)

    Sounds perfectly secure to me....

    1. Sebby
      Happy

      Re: What's the problem?

      Exactly. Microsoft just confirmed something we had hitherto only suspected: its cloud is a very unsafe place to store your data. Full stop.

      1. John Smith 19 Gold badge
        Unhappy

        Re: What's the problem?

        "Exactly. Microsoft just confirmed something we had hitherto only suspected: its cloud is a very unsafe place to store your data. Full stop."

        I think that sentiment can easily be extended to any cloud service under US jurisdiction.

        1. The BigYin

          Re: What's the problem?

          "I think that sentiment can easily be extended to any cloud service under [ANY] jurisdiction."

          Unless, of course, you encrypt all your data prior to upload. Oh, and that personal cloud thing you run on your own VPS? You still need to encrypt.

    2. albaleo

      Re: What's the problem?

      I notice that part wasn't quoted (i.e. no quote marks) in the article. Any reason for that?

    3. Anonymous Coward
      Facepalm

      Re: What's the problem?

      Yes, whatever good feelings MS generated with the "Hey, we don't give the NSA rights to disable our encryption" was lost while saying "That's because we don't encrypt data at rest!". Also, to the extent this is news to the black hat hacker community, MS just painted a big fat bullseye on its cloud.

      1. danbi

        Re: What's the problem?

        "this is news to the black hat hacker community"

        Are you serious? The black hat community is perfectly aware that 'Microsoft' and 'security' cannot be used in the same sentence unless you qualify with 'lack of'. I doubt they learned anything they didn't already know.

        1. Alan Brown Silver badge

          Re: What's the problem?

          s/black hat/security/

          There, fixed it for you.

    4. Velv
      Flame

      Re: What's the problem?

      OK, so encryption provides protection against some attacks, typically physical or in transit.

      Encryption is useless against "authorised" access. Chances are any hacker who gains access to the hosts where the data is held will also have achieved sufficient privileges to be considered an authorised reader, hence even "encrypted" data on the disk will be readable.

      I'm not saying the data shouldn't be encrypted at rest, I'm simply pointing out the head in the sand attitude of too many people who believe that encryption on disk protects you against everything. IT DOESN'T - it only really protects you against loss of the disk, and I'm guessing Microsoft's data centres have physical security (which you don't hear too many people questioning here!!!).

      1. This post has been deleted by its author

      2. Sebby
        Stop

        Re: What's the problem?

        Encryption doesn't solve all problems. As with everything there is a tradeoff of security and convenience. However, in Microsoft's case it's completely inexcusable, because they control both the client and server, so they can put the encryption well within the user's reach. But they don't--they just leave the data lying around, unencrypted, for an insider to nick/search or an NSA agent to unlawfully obtain without Microsoft's knowledge or permission.

  2. Anonymous Coward
    Anonymous Coward

    Oh fuck...

    ... that means they've got my plans for World Domination.

    I suspect anyone who put any data into any cloud who thought it would be secure, must have by now come to realise they've either been duped, or deluded.

    1. Captain DaFt

      Re: Oh fuck...

      "Oh fuck...

      ... that means they've got my plans for World Domination."

      Geez, doesn't anyone read the Evil Overlord Guidelines?

      Following their advice, I swapped my plans with Granny's chocolate cake recipe...

      In hindsight, I should've just substituted her recipe instead of swapping them though.

      The last time she tried to bake a cake, she nearly overthrew Nictenstien! (Thanks for finding the flaw in the plan, Gran!)

  3. Herby

    One small problem...

    What about the backdoors that Microsoft DOESN'T know about?

    All sorts of governments and agents of governments in countries other than the USA (China!) exploit these for lots of information (the value of the information in the BILLIONS of $$s).

  4. Anonymous Coward
    Anonymous Coward

    I always love the caveats "comply with legal requests" which means "you do what the fuck the NSA tells you to do because it's for national security and if you tell anyone you've done it we'll put you in a very dark cell for the rest of your life"

    1. yossarianuk

      They did announce that they could not legally tell the truth.

      So what is the point in listening to them....

  5. Dan 55 Silver badge

    "governments must continue to rely on legal process"

    Does MS consider the NSA as "government" or as something else ("law enforcement", "security services")?

    As for "legal process", PRISM is legal.

    Repeat for all the other sentences throughout the post. MS took long enough to publish that post, quite a few of MS's lawyers must have had a look at it...

    And to end with, "with U.S. Government lawyers stopping us from sharing more information with the public" means that everything that came before was worthless.

    1. GrumpyOldBloke

      Re: "governments must continue to rely on legal process"

      >As for "legal process", PRISM is legal.

      Not if it's unconstitutional.

      Legality in the US does not automatically flow from the whims of the public service as it does in commonwealth countries.

      1. Anonymous Coward
        Anonymous Coward

        Re: "governments must continue to rely on legal process"

        "Not if it's unconstitutional."

        Time for another amendment then. PRISM is one of America's success stories, it allows her to defend her people for the terrorists. Do you WANT another 9/11? I didn't think so.

        1. Ian 62

          Re: "governments must continue to rely on legal process"

          I wouldn't want anything like 11/9 to happen anywhere, but equally I wouldn't want to give any future Government anywhere in the world the easy option of forming a new Stasi.

          Would you want a Police officer on every street corner and junction logging who drove past at what time? What size of car, speed, direction, number of passengers, time of day.

          Then returning to the station, dumping all that data in with all the other officer reports?

          That's the car analogy to what we're told NSA and GCHQ have been doing.

          1. Anonymous Coward
            Anonymous Coward

            Re: "governments must continue to rely on legal process"

            We already have this in the UK with all the cameras!!!!!!!!

            We welcome our "Big Brother Overlords"

          2. Anonymous Coward
            Anonymous Coward

            Re: "governments must continue to rely on legal process"

            Already got the car thing in the UK, it's called ANPR and covers most of the major roads I've been on.

        2. Arctic fox
          Headmaster

          Re: "... PRISM is one of America's success stories..........

          ........., it allows her to defend her people for (sic) the terrorists."

          No, that is the claim they make - ie that they have prevented another 9/11. This claim is by definition impossible to test and/or validate. It reminds one of the old joke about a farmer who built an enormous wall with electrified fence on top and a huge moat at the bottom. When asked by another farmer why he had gone to such expense he replied that "it's to keep the elephants out". His mate replied "but we don't have any elephants round here Bill". "Quite right" said Bill "you can see what a great job my wall is doing."

        3. Alan Brown Silver badge

          Re: "governments must continue to rely on legal process"

          "It allows her to defend her people for the terrorists"

          That worked really well in Boston, didn't it?

          1. Anonymous Coward
            Anonymous Coward

            Re: "governments must continue to rely on legal process"

            Boston was an exception. The security services have to be successful every time, terrorists only once.

            Perhaps you'd prefer it if there was no monitoring of threats, no border checks, no bomb detectors. Just let people blow you up in your own bed. Some dream you seem to have. What a world you wish upon your children.

            Me? I pay my government to protect me via taxation. PRISM is part of that protection and it is a great thing to have. Or do you have something you are trying to hide?

            1. Dan 55 Silver badge
              FAIL

              Re: "governments must continue to rely on legal process"

              You obviously do, that's why you're posting anonymously.

              "Oh dear," says the troll, "I hadn't thought of that," and promptly disappears in a puff of logic.

  6. Sir Runcible Spoon

    Sir

    Every time one of these spying weasels issues a press release denying their involvement, they always use the qualifying word "directly".

    Which basically is a tacit admission that they allow it "in-directly" - and you can spin that however you like since it is a very woolly term, a bit like "and at a bare minimum of expense to john q taxpayer".

  7. ~mico
    Angel

    "We do not allow direct access"

    xcopy *.* //nsa/indirect/access /S

  8. Don Jefe
    Meh

    We Want to Tell the Truth

    But we're not allowed to so you'll just have to trust us. No thanks.

    We all know they're not ever going to let them tell the whole truth anyway and MS knows this as well. They can bullshit us because they know without another Snowden type event they can get away with it. Bastards.

    1. Steve Knox
      Meh

      Re: We Want to Tell the Truth

      The sad thing is, there's a good chance that the truth is that the US government can't instantly get their hands on all the data everyone thinks that they can, and that they want to continue the gag orders specifically because they don't want people to know how little they actually can do.

      1. John Smith 19 Gold badge
        Unhappy

        Re: We Want to Tell the Truth

        "The sad thing is, there's a good chance that the truth is that the US government can't instantly get their hands on all the data everyone thinks that they can, and that they want to continue the gag orders specifically because they don't want people to know how little they actually can do."

        The end run around this is simple. Under THE PATRIOT act all such emails are "business records."

        An authorized federal agency can simply demand them en masse, in the same way the IRS can demand to see a company's books.

        Do that a few times and the company can become surprisingly willing to automate the process.

  9. Anonymous Coward
    Anonymous Coward

    "It's time to face some obvious facts", Smith wrote.....

    "Numerous documents are now in the public domain"......... And we're still not allowed to tell you the truth EVER! .... And we won't because the US Government (and Military) is still one of our biggest clients and 'elite friends' whom we don't want to lose...

    We may tell the truth to our trusted private-side mega-corp clients but only behind closed doors. So who are we really talking to here? We're addressing the freebie Outlook plebs who we need to sell Ads to, in order to compete with the Big G.... Overall, this is about Reputation Management. We aim to reduce the number of panicked calls from our mega-corp clients...

  10. Tom 35

    Can't trust what they say

    As long as secret gag orders exist.

  11. Rol

    Where are they now?

    I'd love to see a "This is Your Life" come back, featuring the people who helped code Windows 2000, especially the guys in dark sunglasses and pointy suits.

  12. Yet Another Anonymous coward Silver badge

    I feel sorry for Richard Nixon

    If only he had thought to have a secret court declare what he was doing perfectly legal there wouldn't have been a problem

  13. Trevor_Pott Gold badge

    Ahem.

    Bullshit.

    1. Ken Hagan Gold badge
      Paris Hilton

      Re: Ahem.

      Trevor, you don't seem to be replying to any post in particular.

      Are you just having a bad day, or is the whole world Bullshit? (I can't tell from here.)

      1. Trevor_Pott Gold badge

        Re: Ahem.

        I am replying to Microsoft.

        Generally when you start a new post (instead of replying to a specific one) then you are replying to the article proper. Thus:

        To: Microsoft

        Re: Everything you just said, and pretty much everything you will say, ever, regarding trustworthiness

        Body: Bullshit.

        Clearer?

  14. Homer 1
    Paris Hilton

    Oh look...

    Vole using weasel words in a desperate act of damage limitations, then ending with the disclaimer that everything they've just told us is a lie.

    Genius!

  15. danR2

    Please Eric Holder, permit me to stop lying.

    Sincerely,

    Agent Smith.

  16. Anonymous Coward
    Anonymous Coward

    Ahem....

    I'm minded of an episode of 'Law & Order' where the prosecutor asks: "Were you lying then or are you lying now?" I'd add, "or both?" It doesn't matter who the disclaimers (excuses), they are surrounded by lawyerese weasel words and that's doing offense to the weasels of the world.

    The saddest and sorriest part of all this is that I *knew* what we could do, hell did do, to the rest of the world. I was called in as a last resort when things were broken and they couldn't figure out how to fix it. You see things but you don't talk about them. Hell, I signed a piece of paper that said I didn't remember anything since just after my 17th birthday. Just like I was ordered to do when it was Americans I overheard or saw an intercept from. It'd have to be a major threat before we'd even repeat it to our chain of command. Not to somebody's spouse, a business rival, whatever. An honest to God threat to the Constitution or my Command, or real personal like. (My Command might like to know that I'm on somebody's list ;).

    Now I find out that that rule got lost somewhere in all this and we were doing unto our own. Shit.

  17. adnim

    The wonderful world of words

    "We do not provide any government with direct access to emails or instant messages. Full stop"

    Does this mean that government agencies have to go through a proxy?

  18. John Smith 19 Gold badge
    FAIL

    secret gag orders == the super injunctions of metadata collection.

    At heart it's about choice.

    Your business should be your business. It's only when you start doing things that are illegal (and all terrorist acts are illegal by definition) that the state should become involved. IOW You don't bother the state, it does not bother you, because it's not allowed to bother you.

    But under this system the state decides to bother you first and it decides if you're worth bothering with some more. Your actions make no difference. It has unilaterally decided the people are the enemy.

    1. tempemeaty

      Re: secret gag orders == the super injunctions of metadata collection.

      ...and so our founding fathers of Gov gave the people the right to bear arms because this very type of situation inevitably ends in the people being terrorized by the Gov itself.

      1. Sir Runcible Spoon

        Re: secret gag orders == the super injunctions of metadata collection.

        "the right to bear arms"

        Does that include virii that could infect US government machines?

        Or are you thinking along the lines of shooting your ADSL router?

  19. PJ H
    FAIL

    Deny, rebut, refute

    "Smith also published a blog post in which he rebutted claims that Microsoft has built backdoor access for federal investigations into some of its most popular software and services."

    Such a shame he couldn't refute[1] it instead. Perhaps there's a reason for that; like he can't...

    [1] http://www.dailywritingtips.com/rebut-refute-deny/

  20. Anonymous Coward
    Anonymous Coward

    "We do not provide any government with direct access to emails or instant messages. Full stop," Smith said. "We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts."

    Right, Microsoft employees do all the collection THEN hand it over to government. Which would be an indirect handover. So his statement is perfectly true.

  21. Ken Hagan Gold badge

    The real story here...

    ...surely is not that Microsoft have bent over for the NSA. *Every* US-based corporation is legally obliged to do that and you are being dementedly naive if you think the NSA don't take advantage. No, the real story here is that Microsoft now reckon that the rest of the world will never trust them (or any other US-based IT provider) again, ever, unless the NSA voluntarily give up that right.

    And *that's* bad news for the US economy as we move into the 21st century.

  22. me n u

    "With U.S. Government lawyers stopping us from sharing more information with the public, we need the Attorney General to uphold the Constitution."

    Uh, that's really like asking Satan to be a good boy, and go to church as well. Let me know how that works for ya!

  23. Anonymous Coward
    Anonymous Coward

    missing

    "We do not provide any government with direct access to emails or instant messages."

    What's missing here is "or related meta-data." The content itself may be less useful than the meta-data which Microsoft's vehement denial conveniently leaves out of scope. See:

    http://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/

  24. Old Handle

    "The Constitution guarantees the fundamental freedom to engage in free expression unless silence is required by a narrowly tailored, compelling Government interest."

    That's funny, I don't remember seeing the second half of that the last time I read the first amendment. Did someone pull an Animal Farm?
