In the week since word of the NSA's Boundless Informant
programs leaked online, there's been a great deal of concern over to what degree various companies cooperated with the NSA's requests. Some companies, like Google, have pointed to their repeated requests for greater transparency. Twitter, of course, is the major social app that isn't
on Prism's list at all. And then, there's Microsoft. It's been notably quiet since the Prism leak, and while the PR team has had its hands full dealing with the fallout over the Xbone
E3 debacle, there's certainly been bandwidth for a situation as serious as the idea that MS is facilitating the NSA's access to its user databases. Worse, the company may have lied about it.
First, the facts: Since acquiring Skype
in 2011, Microsoft has moved away from the VoIP client's original distributed node method of organization in favor of a smaller number of 'supernodes.' The company justified these changes by claiming that the supernode architecture would improve software rollout speeds and efficient communication. They may well have done so, but a centralized system is intrinsically easier to spy on than a decentralized one. A year after buying Skype, Microsoft was granted a patent on "legal intercept" technology that's explicitly designed to allow a company to make a silent copy of a voIP stream. Is that patent proof that Microsoft deployed such a system for snooping on Skype? No. But Skype's terms of service explicitly allow for such a process.
In March of this year, after intense pressure, Microsoft finally agreed
to reveal data on government requests for Skype information. The report revealed that the PC version of Skype is fully encrypted (the tablet/phone version isn't) and implied that the total amount of content released was quite small in relation to the amount of content requested. That's true -- but Microsoft's report claims that it never handed any content over to the United States government from Skype. The NSA report paints a different picture. According to it, Skype joined the program in early 2011, well before the Microsoft purchase. We've already discussed the fact that the gag letters from the FISA court could make it legally impossible for Microsoft to acknowledge that it had ever received such requests for data. As far as the system is concerned, those requests never happened.
If that's true, it means the company's tranparency and privacy report is a sham. Microsoft may have avoided disclosing the data its users were most interested in, out of fear that the NSA would react poorly to any public disclosure. Unlike other companies, like Google, which made it clear that there were directives in play that it couldn't talk about, Microsoft chose to perpetuate the myth that Skype remained beyond the reach of governments.
We're Back To Oversight
Does this reflect poorly on Microsoft? In a sense, yes. It's inconceivable to believe that the NSA successfully compelled Verizon, Google, and other companies to turn over data and yet has no visibility into Skype -- a program which has been identified as a major thorn in the side of organizations like the FBI. Instead, what's far more likely is that Microsoft simply ommitted those requests from its reporting.
Google has chosen to fight such requests head-on, a move that's laudable, but also opens the company up to the possibility of either indirect punishment or even a lawsuit from the federal government in the event that its efforts are defeated. Yes, Google gets points on this for being more willing to stand up to the government, but getting stuck on that
point is like arguing over who filled sandbags more effectively during the middle of a Mississippi flood. The problem isn't the sand -- it's the river.
Ok, now, nobody's allowed to pee for at least a week
Microsoft took the safest path with NSA disclosures. In doing so, it perpetuated a false claim about Skype. But when the alternative is risking serious federal lawsuits and the courts have proven unwilling to take the government to task over expansive claims of national security. In a situation where the judiciary is giving full legal cover to the actions of the NSA and FBI and both major parties are loudly advocating such measures as necessary components of the War on Terror, it's difficult to argue that Microsoft should be the trailblazer. Redmond, perhaps adopting a 'better late than never' strategy, has joined Twitter
in calling for greater transparency in disclosing when the government has asked for data and what information it's required to hand over.