Microsoft Wants to Come Clean About PRISM

In the wake of rising public anger against Microsoft over allegations of its involvement in the National Security Agency’s PRISM program, the company on Tuesday urged U.S. Attorney General Eric Holder to let it share more details about the way it handles government requests for information about its customers.

There are “significant inaccuracies” in the interpretation of leaked government documents reported in the media last week, according to Microsoft General Counsel Brad Smith.

“We believe the U.S. Constitution guarantees our freedom to share information with the public, yet the government is stopping us,” he wrote.

Microsoft has so far received no response to a petition it filed in June seeking permission to publish the volume of national security requests it has received.

The Guardian last week claimed that Microsoft helped the NSA circumvent its encryption on the Outlook.com portal; gave the agency pre-encryption-stage access to email on Outlook.com; and worked with the FBI’s Data Intercept Unit to understand potential issues with a feature in Outlook.com that lets users create email aliases, among other things.

Smith denied those allegations.

Damned if You Do

“Tech companies are between a rock and a hard place,” said Robin Feldman, a professor at the UC Hastings College of the Law and codirector of the college’s Privacy and Technology Project.

In its plea to the Justice Department, Microsoft “is not necessarily trying to say this is unconstitutional — they’re saying they want not to do this,” Feldman told the E-Commerce Times.

However, “if Microsoft really cared about privacy, it would be fighting these issues when these programs were implemented, not after they were made public,” contended Yasha Heidari, managing partner at the Heidari Power Law Group. “Microsoft’s actions are little more than a public relations stunt.”

Microsoft is “not providing any additional comment or information beyond the Microsoft blog post and the embedded letter to the U.S. Attorney General,” Tricia Payer of Waggener Edstrom, the company’s public relations agency, told the E-Commerce Times.

Microsoft’s Case

Microsoft does not provide any government with direct access to emails, instant messages or SkyDrive, or with the ability to break HTTPS encryption on Outlook.com instant messages, and it does not provide any government with the encryption keys, Smith stated.

He also denied accusations that Microsoft made changes to Skype to afford easier governmental access to that service.

The company does comply with lawful demands from governments to turn over content for specific accounts on receipt of a search warrant or court order, Smith asserted.

Microsoft discussed legal compliance requirements with the government last week as reported, Smith said, but the discussion was confined to how it would continue to comply with lawful requests.

How Microsoft Turns Over Data

When Microsoft is legally obligated to comply with government demands, it pulls the specified content from its servers, where it sits in an unencrypted state, and then provides it to the government agency.

That could be tricky, because “if companies decrypt data at rest on servers they don’t physically control, such as on cloud services, then their decryption keys are exposed in memory,” Steve Weis, chief technology officer at PrivateCore, told the E-Commerce Times.

By taking a snapshot of the memory, people could parse out decryption key values and unlock data at rest, whether or not they had lawful access to that data, Weis continued.

Why Microsoft Might Be Antsy

Several other high-tech players, including Google and Facebook, are allegedly partners in the PRISM project, but Microsoft has objected the loudest and most fervently.

That’s possibly because of its ownership of Skype, UC Hastings’ Feldman speculated.

“For a long time, Skype was considered untraceable,” she said. “It was used by journalists and revolutionaries because of that — so for Microsoft, Skype is the key.”

Or it could be that Microsoft is concerned about losing business.

“A number of Microsoft’s products are directly marketed to government entities,” Heidari pointed out. “This is an especially sensitive issue since it has previously faced scrutiny for certain improper practices with foreign governments, such as the EU.”

2 Comments

  • PRISM is a clandestine mass electronic surveillance data mining program operated by the United States National Security Agency (NSA) since 2007.[1][2][3][Notes 1] PRISM is a government code name for a data-collection effort known officially by the SIGAD US-984XN.[8][9]

    PRISM began in 2007 in the wake of the passage of the Protect America Act under the Bush Administration.[10][11] The program is operated under the supervision of the U.S. Foreign Intelligence Surveillance Court (FISA Court, or FISC) pursuant to the Foreign Intelligence Surveillance Act (FISA).[12] Its existence was leaked six years later by NSA contractor Edward Snowden, who warned that the extent of mass data collection was far greater than the public knew and included what he characterized as "dangerous" and "criminal" activities.[13] The disclosures were published by The Guardian and The Washington Post on June 6, 2013.

    A document included in the leak indicated that PRISM was "the number one source of raw intelligence used for NSA analytic reports."[14] The leaked information came to light one day after the revelation that the FISA Court had been ordering a subsidiary of telecommunications company Verizon Communications to turn over to the NSA logs tracking all of its customers’ telephone calls on an ongoing daily basis.[15][16]

    U.S. government officials have disputed some aspects of the Guardian and Washington Post stories and have defended the program by asserting it cannot be used on domestic targets without a warrant, that it has helped to prevent acts of terrorism, and that it receives independent oversight from the federal government’s executive, judicial and legislative branches.[17][18] On June 19, 2013, U.S. President Barack Obama, during a visit to Germany, stated that the NSA’s data gathering practices constitute "a circumscribed, narrow system directed at us being able to protect our people.
