November 27, 2013
Microsoft is moving to encrypt its Internet traffic based on assumptions the National Security Agency has broken into its internal global communications systems as it did with Google and Yahoo, according to sources familiar with the plans.
Microsoft’s suspicions that the NSA is intercepting traffic within its private networks were heightened in October, when it was reported such intrusions have happened to Google and Yahoo, which have similar global infrastructures. Sources close to Microsoft’s deliberations told The Washington Post top executives at the company are to meet this week to decide what encryption initiatives will take place.
The Post reports two previously unreleased slides obtained via former NSA contractor Edward Snowden suggest the company is rightly concerned.
The slides on the operations on Google and Yahoo networks also reference Microsoft’s Hotmail and Windows Live Messenger. Another NSA email mentions Microsoft Passport, a web service no longer offered by Microsoft, as another potential target of the surveillance program called MUSCULAR .
Microsoft officials said they don’t have independent verification such surveillance of their internal data centers is occurring, though the company’s general counsel Brad Smith said Tuesday that such revelations would be “very disturbing” and a violation of constitutional rights.
Encryption efforts of such a scale would put Microsoft in the same league as Google, Yahoo, Facebook and other tech giants  that have reinforced security defenses amid the cascade of secret NSA programs coming to light – some the companies have legally participated  in with the NSA.
Experts tell The Post such investments in encryption will hamper surveillance – by governments, private companies and hackers alike – for years. These technology efforts may even supersede congressional policy efforts, currently underway, as the most tangible outcome of steady revelations of NSA surveillance since early June, when the Guardian and The Washington Post ran the first stories supplied with classified documents given to them by Snowden.
“That’s a pretty big change in the way these companies have operated,” said Matthew Green, a Johns Hopkins University cryptography expert. “And it’s a big engineering effort.”
The NSA said Tuesday in a statement about Microsoft that the agency’s “focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the U.S. government.”
One anonymous US official said Tuesday that collection can be done at various points and does not have to happen on a company’s private fiber-optic links.
A 2009 email from an NSA senior manager of NSA’s MUSCULAR program specifies that a targeting tool known as “MONKEY PUZZLE” can search only across a listed “realm,” including Google, Yahoo and Microsoft’s Passport service. What service the fourth realm, “emailAddr,” represents is not clear. “NSA could send us whatever realms they like right now, but the targeting just won’t go anywhere unless it’s of one of the above 4 realms,” the email said.
The MUSCULAR program involves a process in which the NSA and Britain’s GCHQ intercept communications overseas, where lax restrictions and oversight allow the agencies access to intelligence with ease.
“NSA documents about the effort refer directly to ‘full take,’ ‘bulk access’ and ‘high volume’ operations on Yahoo and Google networks,” The Post reported. “Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.”
To do as much, the NSA and GCHQ rely on capturing information being sent between company data centers around the globe, intercepting those bits and bytes in transit by tapping in as information is moved from the “Public Internet” to the private “clouds” operated by the likes of Google and Yahoo. Those cloud systems involve the linking of international data centers, each processing and containing huge troves of user information for potentially millions of customers.
Intelligence officers who can sneak through the cracks when information is decrypted — or never encrypted in the first place — can then see the information sent in real time as take “a retrospective look at target activity,” according to documents seen by The Post.
“Because digital communications and cloud storage do not usually adhere to national boundaries, MUSCULAR and a previously disclosed NSA operation to collect Internet address books have amassed content and metadata on a previously unknown scale from US citizens and residents,” The Post reported.
Microsoft general counsel Brad Smith hinted at the company’s encryption efforts at a shareholders meeting recently. “We’re focused on engineering improvements that will further strengthen security,” he said, “including strengthening security against snooping by governments.”
While company officials do not have definitive proof of the data interception, the company has held high-level meetings to discuss the possibility that encryption efforts “across the full range of consumer and business services.” Big decisions will be made this week at company headquarters in Redmond, WA, anonymous sources familiar with Microsoft’s planning told The Post.
Of NSA documents mentioning Microsoft services, Smith said in a statement: “These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.”
Upon news of MUSCULAR’s intrusions, Google’s general counsel David Drummond said he was“outraged.” The company announced new encryption efforts at data centers worldwide in September.
Yahoo announced its own encryption initiatives last week.
These major tech companies have called on limits to NSA’s surveillance powers, especially those used without oversight from the Foreign Intelligence Surveillance Act court.
NSA documents from Snowden do not outline how the NSA would access Microsoft’s data, though it is possible some or all of it happens on the public internet and not via private links to data centers. Some MUSCULAR documents do, though, discuss targeting Microsoft online services. Microsoft’s Hotmail has been one of several email services shown to have been targeted by NSA surveillance.
Privacy advocates meanwhile have criticized Microsoft in the past for being slow to adopt encryption technology.
“Microsoft is not yet in a situation where we really call them praiseworthy,” said Peter Eckersley, director of technology projects at the Electronic Frontier Foundation. “Microsoft has no excuse for not being a leader in encryption and security systems, and yet we often see them lagging behind the industry.”
Documents released by Snowden have indicated Microsoft has worked  with US officials in the past to circumvent some encryption on the company’s services.