While almost every big tech company in the US has taken a bit of a battering in the wake of Ed Snowden’s leaks around PRISM, the allegations levelled at Microsoft last week were particularly damning. According to The Guardian, the Seattle software giant altered the way Skype calls are transmitted across its network – Microsoft purchased Skype last year – in order to give US security agencies the ability to decrypt video in calls as well as voice under the PRISM program.
Prior to its acquisition, Skype made a strong selling point of its end-to-end encryption, which was supposed to make intercepting calls difficult, if not impossible. Security experts worried, however, that by changing the way Skype traffic is managed to a network based on ‘supernodes’ rather than straightforward P2P, data collection and virtual wiretapping were being made easier.
This morning, however, Microsoft has flat out denied the charge. In an open letter on the Technet blog, General Counsel and Executive Vice President Brad Smith says that the Skype changes were made to improve performance.
“These changes were not made to facilitate greater government access to audio, video, messaging or other customer data,” writes Smith. “We will not provide governments with direct or unfettered access to customer data or encryption keys.”
Smith also reiterates that Microsoft – along with Google, Facebook et al – has requested permission from the US government to publish more information about their relationship with the NSA. He also outlined the legal process for dealing with US government requests for data:
- Microsoft does not provide any government with direct and unfettered access to our customer’s data. Microsoft only pulls and then provides the specific data mandated by the relevant legal demand.
- If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information.
- We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. The aggregate data we have been able to publish shows clearly that only a tiny fraction – fractions of a percent – of our customers have ever been subject to a government demand related to criminal law or national security.
- All of these requests are explicitly reviewed by Microsoft’s compliance team, who ensure the requests are valid, reject those that are not, and make sure we only provide the data specified in the order. While we are obligated to comply, we continue to manage the compliance process by keeping track of the orders received, ensuring they are valid, and disclosing only the data covered by the order.
He goes on to point out that it’s not just the US government that requests customer data from Microsoft, and that this is a global issue that needs more public discussion.
“It would be a mistake to assume this somehow is confined to the United States,” Smith writes.
The most interesting part of the letter, however, pertains to business customers – who are no doubt alarmed by the idea that the data they store on Microsoft servers might be spied on.
“If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes.”
He goes on to say that the firm only received four such requests in all of 2012.
As far as the PRISM scandal goes, this is one of the most direct and specific denials of government collusion published so far by the tech companies alleged to be involved with PRISM. Whether or not you believe it, of course, is down to you. You can read the full statement at Technet.
Meanwhile, Ed Snowden himself has reportedly applied for temporary asylum in Russia. When he first landed in Moscow, he was told by the authorities that an asylum application could only be made if the PRISM leaks stopped – does that mean the Skype accusation was the last of the big revelations in his files?