TechWeb

Microsoft May Encrypt All Server-To-Server Communications

Nov 15, 2013 (06:11 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240163978


Windows 8.1: A Visual Tour
Windows 8.1: Visual Tour
(click image for larger view)
Microsoft doesn't currently encrypt all of its server-to-server communications. But in the wake of reports that the National Security Agency (NSA) is tapping communications between data centers, Microsoft officials are rethinking that approach.

"What I can say today is server-to-server transportation is generally not encrypted," Dorothee Belz, VP of legal and corporate affairs for Microsoft in Europe, told the European Parliament's civil liberties committee this week during a hearing into the mass surveillance of European citizens. "That is why we are currently reviewing our security systems."

Belz's disclosure came as officials from Facebook, Google, and Microsoft testified before the committee that at no point did they give the NSA direct or unrestricted access to their networks. But according to recently published documents leaked by former NSA contractor Edward Snowden, an NSA program -- code-named Muscular -- that's jointly operated with Britain's GCHQ has been accessing the data that flows between servers operated by Google, Yahoo, and likely other major technology players.

[ Are you ready for the Windows XP Security Apocalypse? ]

As a result, the NSA could use Muscular to directly access targeted networks -- including potentially Hotmail and Outlook.com email traffic, as well as such services as Office 365 and SkyDrive -- without having to find a way around, or be stopped outright, by a layer of encryption.

But a Microsoft spokesman emphasized to the Register that the company is reconsidering its crypto choices. "Over the last few years, Microsoft and others have increased protection of customer data travelling across the Internet by increasing use of SSL for services," he said.

"However, recent disclosures make it clear we need to invest in protecting customers' information from a wide range of threats, which, if the allegations are true, include governments," he said. "We are evaluating additional changes that may be beneficial to further protect our customers' data."

In the wake of Belz's disclosure, multiple information security and privacy experts have questioned how Microsoft's online services -- including cloud services -- could be considered secure, if the underlying communications aren't encrypted. "Every European company which has used U.S.-based cloud services must have a contract which specifies conditions for secure data processing," privacy researcher Caspar Bowden, who formerly served as the chief privacy adviser to Microsoft, told the Register.

"It is negligent for cloud companies to have failed to encrypt the high-speed links between data centers, and this has left EU citizens' data wide open to political and economic surveillance from many SIGINT powers, not just the NSA," he said, referring to government agencies tasked with gathering so-called signals intelligence.

Encryption would be one way to counter -- or at least curtail -- NSA surveillance. Another approach would be for Congress to pass laws that restrict the breadth of information the agency could collect, as well as to scrutinize the agency's collection efforts more closely.

Rep. James Sensenbrenner (R-Wis.), who authored the Patriot Act that the NSA has used to justify the massive digital dragnet that it's currently running, told the European committee that the NSA's surveillance activities had occurred outside of Congressional oversight. "I hope that we have learned our lesson and that oversight will be a lot more vigorous," he said.

Sensenbrenner has also continued to criticize what he sees as an "overbroad interpretation" of the Patriot Act, which the NSA says authorizes the digital dragnet it's created. To that end, Sensenbrenner has introduced the "Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring" (USA Freedom) Act, together with Sen. Patrick Leahy (D-Vt.). The bill would still allow the NSA to monitor people suspected of having ties to terrorism, but it would prohibit the arbitrary collection of massive amounts of information on millions of people.

Sensenbrenner also called on European government officials -- who of course run their SIGINT operations, and no doubt data center taps -- to work with the United States. "I ask my friends here in the European Parliament to work pragmatically with the United States to continue balanced efforts to protect our nations," he told the committee. "Together we can rebuild trust while defending civil liberties and national security on both sides of the Atlantic."