For the first time, The Guardian is detailing how a tech company works with the National Security Agency to share user information under the NSA's PRISM program. Unfortunately, that tech company happens to be Microsoft, the one that makes the operating system used on 92 percent of computers in the world.
The tone of the report (and Microsoft's statement about it) contrasts significantly with what the company said when PRISM was revealed. The Guardian, using documents obtained from NSA leaker Edward Snowden, paints Microsoft as a compliant partner in creating windows and doors in its software for the government to access.
Before we get to the mechanics, we'll answer the obvious: Which Microsoft products are covered? Primarily the web-based ones. There are three specific Microsoft services that the NSA has privileged access to: Outlook, SkyDrive, and Skype. Given the revelations, here's a service-by-service breakdown of what's probably not safe from the NSA's prying eyes:
Outlook: No Emails or Chats to or from This Service Are Safe. We already knew that the government had "direct access"—or something like it—to all of Microsoft's data as a part of the PRISM program outlined in June. Up until 2011, the NSA had been collecting all e-mail metadata for everyone: not the content, but location, name, date, and other revealing information. PRISM gives the government access to more than just that. Up until now, however, it was safe to assume encrypted (encoded) messages might not be readable. The Guardian suggests that's not the case, meaning all e-mails and encrypted chats, even ones specifically meant just for certain people to see, could fall into the NSA's hands.
SkyDrive: Some Computer Files Are Not Safe. For people who use SkyDrive, any of the documents, or pictures, or anything linked up with the service are vulnerable. The cloud service automatically syncs any stuff in its folders. When first setting up the service, by default the app creates Documents, Pictures, and Public folders, but you can tinker with what gets put in there, so it's user-dependent. Some people might sync all their folders just in case their hard drive crashes, or something—all of which the NSA could potentially see.
Skype: Audio and Video Content of Phone Calls Are Not Safe. In addition to Skype chat, the NSA has access to audio and video of calls. "Now, analysts will have the complete 'picture'," one document obtained by The Guardian says. In other words, the government has a veritable wiretap on Skype conversations. "Feedback indicated that a collected Skype call was very clear and the metadata looked complete," read another document.
The standard caveat applies here: the NSA is not allowed to collect data on Americans, though the FBI can with a warrant. But the NSA treats a person as non-American when there is a 51 percent likelihood that the person is overseas. And any communication between an American and a non-American could be swept up by the agency.
[Image: from Microsoft's "Safety and Security Center."]
The Microsoft revelations stem from what Guardian reporter Glenn Greenwald calls "an internal, ongoing NSA bulletin" produced by the NSA's Special Source Operations (SSO) division. The SSO, the article notes, was "described by Snowden as the 'crown jewel' of the agency," and the one that manages the relationships with tech companies under PRISM.
In Microsoft, it had a willing partner. The company's original statement downplaying its work with the government stated that it provided the Feds with data "only when we receive a legally binding order or subpoena." Today's revelations suggest that this caveat—while undoubtedly true—is a bit like erecting a thick wall through which you've drilled a velvet-rope-protected tunnel. The government is kept out—but if they want access, it's trivial. (Other companies, like Yahoo, put up more of a fight, albeit earlier.)
The files show that the NSA became concerned about the interception of encrypted chats on Microsoft's Outlook.com portal from the moment the company began testing the service in July last year.
Within five months, the documents explain, Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chat.
The government's desire to peel back encryption has been known for some time. In May, prior to the Snowden revelations, The Times reported on the FBI's efforts to intercept encrypted messages. At the time, the paper suggested that Obama was "on the verge of" approving a system to force that to happen. The FBI probably found that story somewhat amusing.
Microsoft was compliant on allowing SkyDrive access, too. "An entry dated 8 April 2013 describes how the company worked 'for many months' with the FBI … to allow Prism access without separate authorization" to SkyDrive. In other words—once an analyst has access to your Outlook, that analyst has access to SkyDrive, too, without having to make a separate request to higher-ups. (The entry also suggests that analysts "may not have known" that additional approval was required anyway.)
While the Guardian article singles out Microsoft, there is little reason to think that other companies implicated in the PRISM program—Apple, Google, AOL, Facebook—did much to make the NSA's work harder. Which is why our guide to hiding from the NSA started with one admonition: using companies known to collaborate with the government is not a good way to keep the government from collecting your data.
Update, 4:25 p.m.: A spokesperson for Microsoft provided The Atlantic Wire with a response to the article. It largely mirrors the statement provided to the paper. One addition to the original statement is in bold below.
We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes. Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate. To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product. Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.
The "direct access" question has been an ongoing point of contention between the companies and the outside observers, which we've written about before.