“We still don’t encrypt server-to-server data,” admits Microsoft

"This is why we are currently reviewing our security system."

A senior Microsoft executive has told a European parliamentary committee that the company does not encrypt its server-to-server data communications.

Dorothee Belz, EMEA VP for Legal and Corporate Affairs, made the remark when answering a question from Claude Moraes, MEP, during a meeting at the European Parliament on Monday.

"Generally, what I can say today is server-to-server transportation is generally not encrypted," she said. "This is why we are currently reviewing our security system."

In raising the issue of server-to-server encryption, Moraes had alluded to a surveillance program codenamed MUSCULAR, first reported by The Washington Post on October 30. Via this program, the National Security Agency (NSA) and GCHQ purportedly infiltrated communication links to data centers operated by Google and Yahoo. Millions of user records are alleged to have been retrieved from under the noses of both companies as a result.

It's just one of several leaks by former intelligence agency contractor Edward Snowden that has concerned the EU's Committee for Civil Liberties, Justice, and Home Affairs (LIBE) in a series of parliamentary hearings.

Prior to taking questions from MEPs, Belz, who appeared alongside executives from Google and Facebook, reiterated earlier statements from Microsoft by stressing that the company did not openly provide "direct access" to its servers. However, her later admission that the firm has as yet failed to establish server-to-server encryption has raised fears among many within digital liberties groups that a significant breach of privacy could still be perpetrated.

Sam Smith, a technologist at Privacy International, said the unencrypted data could hypothetically relate to any of Microsoft's cloud services, from Hotmail and Outlook.com email accounts to Xbox Live, Office 365, and SkyDrive cloud storage.

Wired.co.uk approached Microsoft in order to determine which products exactly were implicated by Belz's remarks. However, the company declined to comment beyond stating that it had begun to investigate measures for better securing customer information in general. A spokesperson said, "We are evaluating additional changes that may be beneficial to further protect our customers' data."

This response seems unlikely to reassure Smith, who commented, "Unless Microsoft takes immediate action to rectify this situation, any business or individual using their services to store or transmit sensitive data will have been fundamentally let down by a brand that suggested it was worthy of trust."

Executive Director of the Open Rights Group, Jim Killock, agreed, calling Microsoft's admission an "unacceptable fudge." He added, "It's clear that agencies are willing to go to any length to get data without permission and to use it how they like.

"They're not respecting legal access mechanisms; their interest is in wholesale access to whatever they can get their hands on. So Microsoft is already running a very, very significant risk of having their data accessed and made available outside of established legal mechanisms."

According to Carlo Daffara, CTO of cloud services provider CloudWeavers, it isn't necessarily surprising that Microsoft had previously failed to encrypt server-to-server communications, given the cost and complexity of such measures. However, he argued that following this summer's spate of surveillance program revelations, comprehensive encryption techniques would now become a "necessity" from a business perspective.

"Users want assurances that their data is secure," he explained. "It is now a matter of public opinion, and public cloud companies risk losing quite a lot of business if they don't adapt fast."

Google, in contrast to Microsoft, announced earlier this month that it had taken swift action to begin encrypting communication connections between the company's data centers around the world.

The tech giant's public statements on encryption were at the time accompanied by enraged, anti-NSA comments from a number of its employees on social media. Mike Hearn, a security engineer for the company, stated on Google+ at the time that he was issuing "a giant Fuck You to the people who made these slides," referring to the leaked documents published in The Washington Post.

When speaking to MEPs on Monday, however, Nicklas Lundblad, Google's director of public policy and government relations, took a more sober tone. In fact, he explained that the process of implementing encryption was "not finished" and that it would be an ongoing project for the company.

Statements from Microsoft and Google executives followed an earlier, strongly worded presentation by US Representative Jim Sensenbrenner (R-WI) in which he condemned the actions of the NSA, especially with regard to widespread electronic surveillance of non-US citizens.

"The NSA has weakened, misconstrued, and ignored the civil liberties protections that we drafted into the law," he said, commenting on his role as an architect of the now infamous Patriot Act, which, post-9/11, provided American intelligence agencies with much greater powers of digital surveillance than they previously possessed.

"We never intended to allow the National Security Agency to peer indiscriminately into the lives of innocent people all over the world," noted Sensenbrenner, who is now, along with Senator Patrick Leahy (D-VT), proposing new legislation in the form of the "Freedom Act." The new bill aims to better safeguard the privacy of foreign nationals from US intelligence agency snooping.

This story appeared on Wired UK.