Slashdot Mirror
Microsoft Petitions US Attorney General For Permission To Disclose Data Requests
MojoKid writes "Microsoft is smarting in the wake of the Guardian's discussion of how chummy it's gotten with the NSA over the past few years, and the company wants permission to clarify its relationship with the federal government. To that end, the company has sent a follow-up letter (PDF) to the Attorney General's office, asking it to please address the petition it filed in court back on June 19. Redmond is undoubtedly cringing at the accolades being heaped on Yahoo and its repeated court battles on behalf of its users, and wants an opportunity to clear the air. But Microsoft has gone farther than simply asking the government to hurry up and rule on its petition — it has also issued a series of clarifying remarks regarding its relationship with the NSA. Microsoft refutes some of the Guardian's claims strongly. It insists it does not provide encryption keys or access to Outlook's encryption mechanisms, and that the government must petition MS to provide information via the legal process."
From this ex-customer they can rationalize all they want.
So Google can turn my data over to the NSA, I don't like Microsoft!
* Carthago Delenda Est *
Who needs encryption keys or back doors if Redmont is handing over (and not patching) Zero Day Exploits?
"It insists it does not provide encryption keys or access to Outlook's encryption mechanisms, and that the government must petition MS to provide information via the legal process."
What about when the govt. agencies get those "legal papers" that compel MS to provide access to data on Outlook, Skydrive, etc? Do they provide encryption keys then? What about SSL certs? Do they send them over to the NSA after they expire?
And this should not be only about MS. Any company should answer these questions. I really hope this shitstorm will kill stupid usage of "the cloud" but I doubt it. People are dumb, education budgets diminish every year so there is no changing that fact.
I guess my point is that if you need to have sensitive data in "the cloud" roll your own already. The software to do that is already available and free (gratis and libre).
Right, because handing over your data after loosing a court battle is so much better than doing it before. You're focusing on the wrong part of the problem.
... whatever
Given that, at present, 'via the legal process' seems to consist of a variety of procedures that make getting a search warrant rubber-stamped by a handpicked sycophant look positively robust, I'm not sure how reassured I'd be even by 100% ironclad evidence that all data were divulged in accordance with 'legal process'.
Even aside from the high-volume shenanigans on the NSA side, whose legal justifications themselves are rather secretive, the good old 'National Security Letter' is a 'legal' process that essentially boils down to 'Somebody at a three letter agency asserts that the information demanded is in some way related to an investigation with national security implications. Pinkie Swear!'. No judicial involvement, no need to present any evidence for that assertion, a downright farcically bad record on recordkeeping(the FBI won't even tell congress how often they use the things), and a gag order that makes the operation essentially silent.
Sure, maybe Microsoft are better people if they are always complying under penalty of law, rather than as enthusiastic little quislings voluntarily cozying up to the spooks; but from the perspective of a potential customer, rather than an observing ethicist, what difference does it make?
Time to reexamine this:
http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
"associates in Germany at heise Security have now discovered that the Microsoft...Shortly after sending HTTPS URLs over the [skype] instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond."
Microsoft claimed it was for malware checking, but it was noticeable it targeted Germany, I did a test on my skype (to UK) and received no visit. That could be the Prism interface Microsoft installed.
The rest of the claim is simply misleading, Guardian leaks show they worked around encryption by letting NSA grab the data before it was encrypted, and that they set up a team to help NSA with further surveillance problems, neither of these claims Microsoft has disputed.
"legal process" is meaningless. That program is clearly a violation of the 4th and thus illegal.
Microsoft is a business, they are in the game to make money. They also know that doing stupid shit like providing wholesale access to data/keys/exploits/whatever is bad for business.
So, Microsoft, as a business, probably would not have given anything without a court order.
That being said, a better guess would be that someone within MS, possibly high up in the chain of command would be the one providing the data. Again, a total guess, and I could be completely wrong.
I came, I conquered, I coredumped
Not really. The point is that there is no court battle. Warrantless searches is exactly the problem, and MS is purposely confusing "legal papers" with "warrant." I guess you fell for it.
In fact, handing over data after a court battle is much, much better than doing it before. That's called due process, it's how things are supposed to work and it is a significant improvement over handing over the data just because the feds asked nicely. Now when you talking about "secret courts", that's when things get ugly again.
All these companies are feigning outrage over these "requests" they get, when in reality I doubt the requests are ever used except in cases where the government needs evidence in court. The REAL data collection is done without Microsoft/Googles direct knowledge. The NSA surely has agents working on staff at every major tech company in the world with the sole goal of installing as many NSA backdoors as possible. The idea that the NSA has no respect what-so-ever of the American peoples privacy but at the same time wouldn't just take the same sort of data from a corporation is idiotic.
How is that going to help? The NSA and US government can get any data they want from any US-based email provider, Gmail, Outlook.com, or Yahoo. The only way you'll be really safe is to run your own mail server in a foreign country, but switching from one US-based provider to another US-based provider isn't going to make a bit of difference.
Yahoo is not a fix for this, they lost. Likely all US based services would/have also lost and handed over backdoor access if Yahoo lost. Microsoft just did it more willingly/quickly and more thoroughly.
If you used a non -US pop3 account, something capable of TLS, and a https webmail or tls POP3 connection, then your emails will still go into the big database but it will be encrypted and thus cannot be datamined. Well unless you're communicating with a US or UK based person (Canada?*).
Snowden used Lavabit, but that seems to be based in Texas and so cannot be used now. NSA gets 'class' warrants, where a whole service is tapped on the claim that their software will locate the 'terrorist' out of *all* the data. Hence they need it *all*.
So they'll have served Lavabit with a full tap, and Lavabit have the email unencrypted just before it goes into their servers for encryption. So if you use that, all the content of your email (USA based too) will be grabbed and stored, and flagged as possibly related to Snowden.
* Canada too I think, PRISM groups USA and Canada as one item as though Canada are 100% under control. I decided to move my email out of Canada as a result.
Why the encryption process employed is susceptible to third party decryption in the first place. To avoid this from happening, the design needs to be end-to-end with the users holding the keys.
Select from tblFriends where interesting >= 4;
The problem with secret courts, secret executive orders and undisclosed legal reasoning is that even if Microsoft released some information as "transparency", can you really trust that they aren't holding something back or outright lying due to some other even more secret court order?
They were completely denying and fudging the question about Skype eavesdropping right up until the Snowden leaks. Then they did a complete 180 turn.So clearly they have no problem with obfuscating the discussion, why should we trust that any new information they provide is the whole truth and not some weasel legal loophole way of interpreting the facts? Kind of like how James Clapper weaseled and outright lied through his testimony to Congress. If these people are willing to lie to Congressmen and Senators, who the fuck are you?
I reckon Pandora's Box has been open and American technology companies will face an uphill, if not impossible, task to get anyone from the rest of the world to trust them again.
Microsoft refutes some of the Guardian's claims strongly. It insists it does not provide encryption keys or access to Outlook's encryption mechanisms, and that the government must petition MS to provide information via the legal process."
As a non-American, why should I give a fuck ? The NSA can simply demand access to my data in secret, legally, and also demand - again legally - that Microsoft not breathe a word about it to me, without any judicial oversight whatsoever. As far as I am concerned, no U.S. tech company (or any company that stores any of my data within U.S. jurisdiction) can be trusted, and I will vote with my wallet accordingly.
I'm glad you think non-US companies can be trusted.
What color is the sky on your planet?
Given the fees the telcos get for interception data, and given NSAs astronomical multi billion dollar budget I think its safe to assume Microsoft gets paid handsomely for PRISM interface usage and you are the product of Outlook.com and NSA is the customer.
Which makes sense if you think about it. You want to pump hidden subsidies into US online businesses because it's pretty much the only industry you have left. How would you do it? If you did it publicly then foreign countries would subsidize their online services too, and you'd be back to square one. So instead you buy data from them secretly, the budget for this is secret NSA budget, and so you create a surveillance & subsidy industry in one.
I wondered where the money comes from with Skype to justify a $7 billion price tag. Say you could run it on $500 million profit, NSA has estimated $10 billion budget, $5 billion would be enough to buy all the data from the top 10 US online services.
It's simple. They don't have to turn over encryption keys to the NSA because that's where they got them in the first place.
When our name is on the back of your car, we're behind you all the way!
If they want to disclose the data requests, why not just engineer a leak from a disgruntled former employee already located in Ecuador/Venezuela/Iran/Wherever?
All the nice sentences just to talk around full compliance with CALEA? :)
Its not like it was just some fax with a time, ip and port number from some city police department.. with an amazing letterhead.
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
http://www.independent.co.uk/news/edward-snowden-claims-microsoft-collaborated-with-nsa-and-fbi-to-allow-access-to-user-data-8705755.html
http://www.salon.com/2013/07/11/snowden_docs_detail_collaboration_between_nsa_and_microsoft/
http://arstechnica.com/tech-policy/2013/07/nsa-taps-skype-chats-newly-published-snowden-leaks-confirm/
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
http://en.wikipedia.org/wiki/Usage_share_of_operating_systems
US Adult Computer and Adult Internet Users
http://www.census.gov/compendia/statab/2012/tables/12s1158.pdf
The tiny % number wrt to big US computer use number and US MS marketshare seem to add up
Interesting http://cryptome.org/2013-info/06/whistleblowing/whistleblowing.htm lists gov works, bankers, military, a call-centre-employee, health insurance PR, a few former NSA, CIA, FBI employees, people in sports and education, press, lawyers...
In this broad mix, how/why did so many within the US computer/CS/networking elite stay so silent? Did they feel it was just a domestic link to the FBI in continuous use?
Was the psychological profiling and testing of contractors near perfect Cash was great?
So few staff over so many product ranges over many years?
Domestic spying is now "Benign Information Gathering"
Moot point. IMHO the NSA just hacks in and everyone has deniability including you know who. Even with Microsoft's superior knowledge of hacking, they are still probably "putting up with it from NSA".
Eliminate Speeding Tickets
Snowden In, Holder Out
Due process is going to get fun re confrontation clause and simple things like evidence, witnesses. You just wont have standing in your own trial to see what data the feds and their friends collected.
Welcome to the the digital https://en.wikipedia.org/wiki/Star_Chamber
Domestic spying is now "Benign Information Gathering"
Re-engineer Outlook and the back end services supporting it. Employ end-to-end encryption with private keys held only by the client. Microsoft's systems serve only to distribute public keys and store and forward encrypted content.
So when the NSA comes asking, Microsoft (or any other service provider) can honestly say "We can't decrypt that for you, signed warrant or not." The NSA can already scrape encrypted content off the backbone choke points, so bugging Microsoft for something they don't have would be pointless. FISA courts would have to authorize searches of customers' premises or equipment for keys and plaintext. Which is a much more difficult task.
The entire design of messaging protocols that decrypt the server content is suspect. If I were running an e-mail service, I'd tell my customers that I don't want to see the content passing through my system.
Have gnu, will travel.
No, because the due process, in this case, only applies to American citizens. The rest of us get fuck-shafted by whichever email provider we have. To you American types, the recent string of lawsuits over this is good, to the rest of us, it's very bad. It focuses on the rights of you, over the rights of us.
The OP was about switching between US providers, and I guess I should have been clearer that this is only going to work for people, whom the various amendments apply to. All in all, we don't need to figure out which amendment this violates the most, or how many people can be tapped at once to deem it "mass", we need it to stop, period.
Yadda, yadda American news site and all, but this thing really does stretch beyond US soil. And no matter which government is doing the spying, it needs to just.fucking.stop.
I can't imagine why the businesses who have been caught red handed on this aren't being more vocal about the implications for their overseas trade, after all, governments love export more than import.
... whatever
... when they join a legal battle in defence of our 4th amendment rights.
In-house email isn't safe either, unless your company is outside the US (and there, you're still going to be spied on if you're in the UK, Germany, France, etc. as those have all now been revealed to have programs just like PRISM or even worse). The reason for this is that email is fundamentally flawed from a security perspective: it travels completely unencrypted over what's basically a simple telnet session: you can telnet to port 25 of any mail server and send a bogus email quite easily using the appropriate SMTP commands ("HELO", "RCPT TO", etc.) (though it'll probably be rejected these days based on other techniques used to avoid spoofing). So if the government wants to spy on you, all they have to do is tap into your ISP connection and they'll see all your incoming and outgoing emails. Sure, you could use GPG to encrypt them, but then no one will be able to communicate with you since so few other people actually bother or even know what GPG is (and I sure wouldn't trust PGP since it's closed-source IIRC). Plus, even for the few people you do successfully communicate with using GPG, the NSA will know who you're talking to and at what frequency, though they may not be able to decipher the exact content of your messages so easily.
So to avoid that, the only way to be secure is to have a mail server based in some country that doesn't have a big spying program, such as Switzerland or Iceland. Then, you can access that mail server, even using a webmail interface, using typically-available encryption methods like SSL/https.
Same goes for FTP, but then again I don't know why anyone would ever use that these day. Only a moron would use FTP since it transmits your username and password in cleartext, so anyone listening in on your internet connection would not only see what files you're transferring but your login credentials as well (which may be the same credentials as used in many other places, since people tend to re-use passwords a lot). But at least here we have an ubiquitous and simple alternative: SFTP.
Something about dogs and fleas.
Actually, it is. By forcing 'the authorities' to go to court, you at least maintain some shred of hope that their activities will be exposed, that the courts will see reason, or at least by making it a pain in the ass they will be just a tiny bit more hesitant to make outrageous requests.
It may not be much in the long run, but it's sure more than the big fat zero principles reflected in handing the data over like a good little sheep.
Fuck what the NSA tells you. 'No Such Agency' means they don't exist and their rules be damned. Gain the biggest share on the planet and grow a pair, and release the data, NSA be damned. Release it all. That sort of brutal honesty gets more respect from me than beating around the (George) bush, even if you were helping them spy on me.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I'm sure the PHBs and overpriced lawyers on retainer believe Microsoft haven't done all the things Snowden has exposed.
Because _they_ didn't get the NSLs to STFU and just do the dirty work; their sharpest senior techies did, and they still can't say squat, lest they suffer pain of arrest or worse.
Of course, NSLs to the underlings would also give the perfect cover to allow the execs and shysters to protest too much.
Interestingly, it looks like some stuff has changed since I last looked at SMTP, according to the Wikipedia article. It does look like there's a SSL-secured SMTP, but it doesn't look like it's mandatory.