Microsoft Wants To Keep The NSA Out Of Your OneDrive And Outlook Accounts
As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email -- assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after the discovery of a major security flaw in one popular package (GnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. This new type of encryption is incorporated into Microsoft Azure, Skype, and Office 365 and does not replace any of the encryption systems already offered within those products.
Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES -- instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
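As an added illustration (not code from Microsoft or from the original article): in TLS, forward secrecy comes from an ephemeral Diffie-Hellman key exchange, so whether a connection has it can be read from the negotiated cipher-suite name. The Python sketch below classifies suite names in both OpenSSL and IANA spelling; the function names and the sample list are constructed for this example.

```python
import ssl


def is_forward_secret(suite: str) -> bool:
    """True if the cipher-suite name implies an ephemeral (EC)DHE key exchange.

    `suite` is a name such as the first element of ssl.SSLSocket.cipher().
    """
    name = suite.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) omit the key exchange;
            # certificate-based TLS 1.3 handshakes always use (EC)DHE.
            # Caveat: a PSK-only resumption (psk_ke) is not forward secret and
            # cannot be detected from the suite name.
            return True
        kx = name[len("TLS_"):].split("_WITH_")[0]  # IANA: TLS_<kx>_WITH_<cipher>
        return kx.startswith(("ECDHE", "DHE"))
    # OpenSSL style: <kx>-<auth>-<cipher>; EDH is the legacy alias for DHE.
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def audit(suites):
    """Split suite names into (forward_secret, not_forward_secret)."""
    fs, static = [], []
    for s in suites:
        (fs if is_forward_secret(s) else static).append(s)
    return fs, static


def audit_local_defaults():
    """Audit the suites this Python/OpenSSL build would offer as a client."""
    ctx = ssl.create_default_context()
    return audit(c["name"] for c in ctx.get_ciphers())


# Constructed sample: names as they might appear in a scanner or handshake log.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",              # ephemeral ECDH
    "DHE-RSA-AES256-SHA",                       # ephemeral DH
    "AES128-GCM-SHA256",                        # RSA key transport
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # RSA key transport (IANA name)
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # ephemeral ECDH (IANA name)
    "TLS_AES_128_GCM_SHA256",                   # TLS 1.3
    "ECDH-RSA-AES128-SHA",                      # static ECDH
]

if __name__ == "__main__":
    fs, static = audit(SAMPLE)
    print("forward secret:", fs)
    print("not forward secret:", static)
```

A suite in the second list means that recorded traffic can be decrypted later by anyone who obtains the server's long-term private key, which is the exposure forward secrecy removes.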
The final announcement doesn't apply to consumers. Microsoft has apparently opened a "Microsoft Transparency Center" on the Redmond campus. Governments and corporations will be allowed to review source code for key products and "assure themselves of their software integrity, and confirm there are no “back doors.” The Redmond location is the first in a number of regional transparency centers that we plan to open."
Proof That MS Takes This Problem Seriously
A cynical person might conclude that Microsoft only takes this loss of customer faith seriously because they could lose hundreds of millions of dollars in sales over the long term. Regardless of the reason, however, they clearly do care about the problem. What impact this will have on customer security, long-term, is still unclear. An increasing amount of data moves over wireless networks, where the NSA already has deep hooks in place -- and presumably MS retains some ability to view the contents of an email folder, or else they'd be unable to decrypt it when ordered by a court.
This is why the long-term best solution is to amend our laws to strengthen privacy. Almost everyone would agree that there are some cases in which we want law enforcement to be able to access a suspect's email or other personal data. The issue isn't whether or not this should be possible -- it's how high the standard of proof should be, and how dire the need before the project is authorized.
Right now, Microsoft is caught in a very awkward position. It can't legally refuse an order from the NSA, but it can't be perceived as cooperating to hand over individual data to a government apparatus many believe is out of control. It wants to put measures in place that will soothe users' fears, but presumably it also retains some ability to pierce that veil. And, of course, there's the question of whether or not the NSA actually pays attention to email as opposed to information it can glean from other sources.
We're glad to see Microsoft taking this issue seriously -- but we'd still prefer to see it addressed by legislative action.