Microsoft Slams Reports of Direct NSA Access to Outlook, Skype

Microsoft this week hit back at a recent story from The Guardian that accused the software giant of "helping the National Security Agency to circumvent the company's own encryption."

"There are significant inaccuracies in the interpretations of leaked government documents reported in the media last week," Microsoft said in a blog post, which outlined how it complies with federal requests for data across products like Outlook, SkyDrive, and Skype.

The Guardian's story was based on documents leaked by former contractor Edward Snowden. It suggested that Microsoft worked with the NSA to allow the agency easier access to user data.

In response, Microsoft outlined how it handles requests for data, arguing that information is only turned over to the feds when they make lawful requests. They cannot access it whenever they please, Microsoft argued.

As it relates to Outlook.com, "we do not provide any government with direct access to emails or instant messages. Full stop," wrote Microsoft's general counsel, Brad Smith.

According to the leaked docs, "Microsoft and the FBI [came] up with a solution that allowed the NSA to circumvent encryption on Outlook.com chats," The Guardian reported.

Microsoft did add HTTPS encryption to Outlook.com instant messaging to secure those messages as they travel across the Internet. But, according to Smith, "we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."

With SkyDrive, Microsoft said it updated its processes in order to more easily comply with the increasing number of data requests it was receiving from governments around the globe.

"None of these changes provided any government with direct access to SkyDrive," Smith wrote. "Nor did any of them change the fact that we still require governments to follow legal processes when requesting customer data. The process used for producing SkyDrive files is the same whether it is for a criminal search warrant or in response to a national security order, in the United States or elsewhere."

Government access to Skype data, meanwhile, has been in the news for quite some time. Skype reportedly joined the NSA's controversial PRISM prior to being acquired by Microsoft. The Guardian quoted a document that said "feedback indicated that a collected Skype call was very clear and the metadata looked complete."

Microsoft said it has made improvements to Skype since the acquisition, but "these changes were not made to facilitate greater government access to audio, video, messaging or other customer data."

As VoIP usage increases, Microsoft said it expects the government to "have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism." As a result, Redmond said that, going forward, it assumes Skype calls will be regarded just like any other phone call - mobile or landline.

Finally, Smith addressed enterprise customers, and said Microsoft has never handed over their information for national security purposes. Usually, the government will go to those clients directly if they need data.

"In short, when governments seek information from Microsoft relating to customers, we strive to be principled, limited in what we disclose, and committed to transparency," Smith said.

Given the secretive nature of the U.S. Foreign Intelligence Surveillance Court (FISC), Microsoft and other tech firms are limited in what they can disclose to the public. Therefore, Microsoft and several other firms have asked the feds for permission to publish data about how many national security-related data requests they receive. Redmond yesterday appealed to the Attorney General, arguing that the FISC is taking too long to respond.

Also yesterday, a group of 19 consumer and privacy groups - led by the Electronic Frontier Foundation - sued the NSA, arguing that the agency's data collection processes violate the law and the Constitution.