
Microsoft: U.S. Constitution is 'suffering' from NSA secrecy - declan
http://news.cnet.com/8301-13578_3-57594011-38/microsoft-u.s-constitution-is-suffering-from-nsa-secrecy/
======
sixothree
I have to agree Microsoft needs to get out in front of this immediately. I
recently had a conversation with a coworker who described the fear she had
using her new computer. She used words like worrying, uneasy, and dirty
feeling.

Also.

>The company said it responds only to orders for "specific accounts and
identifiers," and never provides "blanket or indiscriminate access to
Microsoft's customer data"

Does not mean they did not provide the mechanism to access encrypted data in
transit.

~~~
CurtHagenlocher
I think that's exactly what is said at
[http://blogs.technet.com/b/microsoft_on_the_issues/archive/2...](http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx) : "Recent leaked
government documents have focused on the addition of HTTPS encryption to
Outlook.com instant messaging, which is designed to make this content more
secure as it travels across the Internet. To be clear, we do not provide any
government with the ability to break the encryption, nor do we provide the
government with the encryption keys."

~~~
yulaow
So either Microsoft or Snowden and his data are lying. If I have to put a finger
against one of them, I would choose Microsoft.

~~~
lukifer
Don't forget the possibility that collaboration is on a "need-to-know" basis
internally within Microsoft, and/or that the data is being captured by agents
or coercion at the data center level.

~~~
declan
I suspect you've been watching too many spy movies. If a Microsoft employee
surreptitiously "captured" user data when asked by the NSA, he would be guilty
of multiple federal felonies and subject to significant civil liability. I
suppose if this were a movie, the president would secretly pardon him, or he'd
get a new identity under the witness protection program or something, but,
alas, this is not fiction.

Microsoft's deputy general counsel and VP John Frank has a top secret security
clearance. So do at least three of its attorneys -- all those clearances were
granted by FedGov precisely so the company could respond to legal requests.

~~~
lukifer
Surely government institutions would never break their own rules, or lie to
anyone?

To be clear, I'm not saying anything is true or not. I'm just saying we
shouldn't rule anything out. It's possible that some of the tech companies are
themselves partially or fully in the dark.

~~~
declan
Government institutions frequently break their own rules, lie, and violate the
law.

I suppose anything's possible, in some abstract sense, but we're talking about
reality here, which excludes some more creative theories. And, alas for
screenwriters, there is precisely zero evidence to support your "in the dark"
theory. :)

------
mtgx
Both Google and Microsoft need to offer end-to-end encryption/easy to use
client-side encryption without having any access to any keys themselves,
wherever possible (chat, e-mail, cloud storage). End of story - if they really
do "care about our privacy".

Otherwise they're just disingenuous at this point, because they know that
while they say that in public, they give access to spy agencies all over the
world to a lot of those accounts, that probably have nothing to do with
"terrorists". Even if they think all the requests the US government is doing
are "legitimate", do they really want to make it just as easy for the Saudi
Arabian government or others to do the same?

~~~
igravious
This is what I thought too, but as others have pointed out elsewhere in this
thread, how would they provide additional services on top, like search and I
don't know what?

Come to think of it though, if the service is free (i.o.w. you are the data
and advertisers are the actual customers), wouldn't Google/Facebook or whoever
be more concerned with the security and privacy of those paying the bills
rather than the data-points generating harvestable content?

So it really does seem that we need to move ultimately to federated, paid-for
services for communication at least, like POTS but for email and chat and
whatever.

------
webwanderings
Is it just me or does anyone find this odd:

>> When we are legally obligated to comply with demands, we pull the specified
content from our servers where it sits in an unencrypted state...

Why would the public's private data sit in unencrypted state on Microsoft's
servers? What would be the point of encryption if corporation servers can see
what you think you are securing via assumed privacy?

~~~
yread
It's quite hard to do stuff like full-text search on encrypted data

~~~
Spearchucker
Erm, no. It's actually quite easy, if you're prepared to do a little more
work.

You just create a search index before encrypting the data. Then you encrypt
the index. Each time you need to search, you decrypt the index, get a
reference to one or more results, fetch those, and decrypt them.

That's trivialising what can become a pretty complex scenario, but it
illustrates the point.

~~~
yread
Actually, I did an email archiver as a side project, I still have the Lucene
index of my emails (including searchable attachments, of course). It's 233MB.
How long do you think it would take to decrypt it with AES256 every time I
search for something? How long does it take when you search in Gmail? Can you
point me to any implementation that does it like that? Or any implementation
that does it at all?

I wasn't saying it's impossible, just that it's pretty hard.

~~~
Spearchucker
I don't know of anything open source. Initialising the AES crypto provider
takes a lot longer than decrypting ~250 Mb data, so keep it initialized for
the duration of the session.

That said, I did it in a native client app, where state is easier to maintain.
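
The index-then-encrypt approach outlined in this sub-thread, sketched as an added example (not code from any commenter): the client indexes plaintext, encrypts the index and each message separately with AES-256-GCM, and the server stores only ciphertext. The sample mailbox, the blob layout, the per-blob labels and all function names are assumptions made for the illustration.

```ruby
require 'openssl'
require 'json'

NONCE_LEN = 12 # bytes; OpenSSL's default GCM nonce length
TAG_LEN = 16   # bytes; GCM authentication tag

# AES-256-GCM under a fresh nonce; label is authenticated so blobs cannot be swapped.
def seal(key, label, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = label
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext # blob layout: nonce || tag || ciphertext
end

# Raises OpenSSL::Cipher::CipherError if key, label or blob does not match.
def unseal(key, label, blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.auth_data = label
  body = blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)
  (d.update(body) + d.final).force_encoding('UTF-8')
end

# Client side: index the plaintext, then encrypt index and messages separately.
def upload(key, messages)
  index = Hash.new { |h, word| h[word] = [] }
  messages.each_with_index do |msg, id|
    msg.downcase.scan(/\w+/).uniq.each { |word| index[word] << id }
  end
  { index: seal(key, 'index', JSON.generate(index)),
    docs: messages.each_with_index.map { |msg, id| seal(key, "doc:#{id}", msg) } }
end

# Client side: decrypt the index, then fetch and decrypt only the matching blobs.
def search(key, store, term)
  ids = JSON.parse(unseal(key, 'index', store[:index])).fetch(term.downcase, [])
  ids.map { |id| unseal(key, "doc:#{id}", store[:docs][id]) }
end

# Constructed sample mailbox and a throwaway random key (assumptions for the demo).
KEY = OpenSSL::Random.random_bytes(32)
MAIL = ['Lunch at noon on Friday', 'Quarterly report draft attached',
        'Re: report numbers look off'].freeze
STORE = upload(KEY, MAIL) # everything the server would hold
puts search(KEY, STORE, 'report')
```

The server never holds the key or any plaintext, but it still observes which blobs are fetched after each search and how large the index is.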

------
rlu
What I find interesting about all these cases is who knew that this was
happening? Were Steve Ballmer/Larry Page/Mark Zuckerberg/etc. as surprised as
we were when this all got released? I wouldn't be surprised if they were (with
maybe the exception of Mark since it's a smaller company).

~~~
yuhong
Yea, as I said before it is not likely that any of these people have any
security clearance at all.

~~~
rlu
Sure, but I don't think many people at Microsoft have security clearance to
begin with. Like when the NSA reached out to some middle management Joe on the
Outlook.com team, he/she probably did not have security clearance.

~~~
klaruz
Entire groups of people at MS have clearances. Their software runs large
chunks of the DOD, they can and do put consultants on site in secured
locations when needed. Who else is going to fix an Exchange cluster that has
been misconfigured by a lowest bidder tech?

------
shmerl
Purely a PR move, after the recent revelations. MS for years collaborated with
various governments, often providing information before being asked. And now
we are supposed to believe that they are concerned about it?

~~~
znowi
Yes, they suddenly care about "constitutional principles" one month after the
revelations.

------
pippy
Let's not forget Microsoft's ad campaign around Google's privacy:

[http://www.scroogled.com/](http://www.scroogled.com/)

~~~
shmerl
This campaign is highly hypocritical, since they don't care about users'
privacy any more than Google does.

~~~
cobrausn
I don't quite read it the same way - it means they, as a company, have little
incentive to parse your email for choice bits and serve you advertising based
on the results, because they don't make their money that way.

The people making this campaign probably knew nothing about PRISM anyhow.

------
scrrr
The ones suffering are Microsoft. (IMHO) I don't think that many of their
corporate customers are still considering investing in their software. This
could be a huge turning point for them.

And unfortunate or not, I think they deserve to lose customers. Actually, I am
surprised their stock is not plummeting right now.

~~~
RobAtticus
Think your perspective is a bit off there if you think this should be causing
a stock meltdown or a mass exodus. Most people, rightly or wrongly, probably
aren't all that interested in Microsoft's involvement, but more concerned
about where Snowden is and whether he's leaking our classified information to
other nations. Yes, there are people upset at the tech companies and the NSA,
but I don't think it's nearly as widespread as it is in the tech echo chamber.

EDIT: To clarify, maybe this SHOULD cause a mass exodus in an ideal world. But
I don't think that matches up with reality, and therefore I don't think a mass
exodus/stock meltdown is really an expected outcome.

~~~
gurkendoktor
> Most people, rightly or wrongly, probably aren't all that interested in
> Microsoft's involvement, but more concerned about where Snowden is

But what about the people in charge of buying software or services for their
company? These are the people that Microsoft should worry about.

~~~
joenathan
The people in charge of buying software and services buy what they are told to
buy by their bosses. The bosses making those decisions oftentimes are
uninformed and unconcerned with the things you might imagine that they would
be.

------
spoiledtechie
Took them long enough to come out with a letter. Only after other companies
stepped out.

Unfortunate for MSoft as I used to be a fanboy, but no more.

------
mrmondo
Can anyone say 'Damage Control'?

------
o0-0o
Fuck yeah, MicroSoft. Fuck. Yeah!

------
mortdeus
Microsoft needs to quit acting like a lil bitch.

