Microsoft supplied NSA with encrypted info: here’s how


Edward Snowden is the whistleblowing gift that just keeps on giving. The latest documents from the former NSA contractor, obtained by the Guardian, show how Microsoft circumvented its own encryption in supplying information to the US intelligence agency.

The documents also shed new light on the top-secret PRISM programme, as well as the scale of cooperation between the US’ biggest tech companies and the NSA.

According to The Guardian, the leaked documents show that:

  • Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
  • The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
  • The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
  • Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;
  • In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
  • Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the programme as a “team sport”.

There are, however, also increasing signs that the relationship between tech companies and state entities is an uneasy one, with the companies at pains to stress that they only supply information to state organisations when forced to by court order.

“When we upgrade or update products we aren’t absolved from the need to comply with existing or future lawful demands,” the company said in a statement before reiterating its argument that it provides customer data “only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers”.

For Microsoft, the revelations are especially damaging. In recent months, it’s put a lot of weight into a campaign with the slogan: “Your privacy is our priority.”

Skype’s policy meanwhile states that: “Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content.”

The leaked documents, however, show that Microsoft had worked with federal authorities after they had expressed concerns that they would not be able to intercept communication on its new Outlook.com platform.

A newsletter announcing that the issue had been resolved, dated 26 December 2012, states: “MS [Microsoft], working with the FBI, developed a surveillance capability to deal” with the issue. “These solutions were successfully tested and went live 12 Dec 2012.”

Two months later, Outlook.com was officially launched.

A later newsletter says: “For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption.”

Skype, meanwhile, is believed to have joined the PRISM programme as early as 2011. While we reported on concerns that it was allowing so-called “backdoor eavesdropping” in July that year, it turns out that the VoIP service had joined the programme before it was even bought by Microsoft.

“Feedback indicated that a collected Skype call was very clear and the metadata looked complete,” the leaked document states, praising the co-operation between NSA teams and the FBI. “Collaborative teamwork was the key to the successful addition of another provider to the Prism system.”

Microsoft provided the following statement in response to the Guardian’s article:

We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes.

Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate.

Finally, when we upgrade or update products, legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.

A joint statement from Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, meanwhile said:

The articles describe court-ordered surveillance – and a US company’s efforts to comply with these legally mandated requirements. The US operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy.

They added: “In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate.”
