Orlando — Microsoft today pushed back once again against the idea that it's giving the National Security Agency (NSA) carte blanche access to its cloud-based services, an allegation that's cropped up in media reports since the revelations from former NSA contractor Edward Snowden began last June.
"We don't provide governments with direct, unfettered access to your data," said Adrienne Hall, general manager for trustworthy computing at Microsoft, the division that reviews and oversees security across Microsoft products and services. Speaking in a keynote address at the Cloud Security Alliance Congress, Hall sought to refute the notion that Microsoft does other than what it must under U.S. law when it gets a specific legal request related to customer data.
Hall noted that Microsoft is even suing the federal government to be able to publicly discuss just the number of requests it gets from the NSA, which today it's not allowed to do under law. Several news stories in the past few months based on the Snowden leaks have suggested that Microsoft operates hand-in-glove with the NSA, such as helping the NSA circumvent Microsoft's own encryption to hand over massive amounts of information.
The amount of data often mentioned in these news articles is "highly exaggerated," said Hall. "We don't assist government with efforts to break encryption keys. We don't engineer backdoors into our products. ... If there's a bigger surveillance program, we're not involved."
"We have concerns as do our customers," Hall acknowledged, noting that Microsoft counts about 100 cloud-based services in 90 countries, ranging from Windows Azure, Office 365, Skype, MSN, Exchange Hosted Services and Outlook.com.
There's no escaping the fact that the Snowden revelations about how the NSA collects massive amounts of data on the Internet, ostensibly aiming for non-U.S. citizens and systems in other countries in order to ferret out information about terrorism or spy-vs-spy intelligence, has had a bombshell effect, said Jon-Michael Brook, principal in security and privacy at consultancy CIPP Guide.
Speaking during a session at the CSA Congress, Brook said the Snowden revelations are having an impact, especially in places such as Europe, where U.S.-based cloud service providers face suspicions from customers asking whether the U.S. government, via the NSA, can see the data they consign to U.S. cloud providers.
The allegations about the NSA working to subvert crypto or trying to build backdoors is "astonishing," he said.
But Brook said the European Union itself is embarked on what he labelled a "protectionist" effort that would shut out non-European cloud service providers -—especially U.S.-based ones who dominate today — through a new data-privacy law now being formulated.He said there's expectation that the EU will vote for a single law in the spring that would boost the role of cloud infrastructures in the EU region in order to boost Europe's economy. He said the relatively small number of cloud-service providers there, including Swisscom and Deutsche Telekom, are "fledging" competitors in comparison to U.S.-based companies.
Sign up for CIO Asia eNewsletters.