Microsoft has announced its plan to alert users to any suspected government hacking on their accounts, from now on. The move has been welcomed by privacy activists, who have applauded the tech giant for coming into line with the practices of other important companies such as Google, Facebook, Yahoo and Twitter (that already have similar policies in place).
The shift of approach follows a previous failure from Microsoft to alert users to an invasive penetration by the Chinese government on its Outlook.com (previously known as Hotmail) service. It is believed that hack put the security of around 1000 email accounts in jeopardy (including the email accounts of various high up Uighur and Tibetan leaders as well as those of African diplomats). A failure of transparency for which the firm has recently suffered severe criticised.
The decision was announced by Microsoft’s Vice President Scott Charney, who has written about the policy improvement in a company blog post,
‘We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.’
As such, the additional security benefit will only be an enhancement to its existing security policy of alerting users to all ‘third party’ activity. Deciding to specifically mention state involvement because of the additional security implications that it could involve.
While Microsoft is promising to alert users to any state sponsored activity on their accounts, unfortunately, that warning will remain rather vague. The company, sadly, not promising to let users know exactly who the perpetrator of any attack on their accounts might have been. According to Charney, this is because (despite wanting to alert its users to an elevated risk of surveillance) the company does not wish to specifically compromise the (possibly important) work of any ongoing investigations. Meaning that (even if Microsoft knows) users will remain in the dark about whether it was the NSA, GCHQ, the Chinese government, (or any other state actor) that has been snooping around inside their email account. From the Microsoft blog,
‘The evidence we collect in any active investigation may be sensitive, so we do not plan on providing detailed or specific information about the attackers or their methods. But when the evidence reasonably suggests the attacker is “state-sponsored,” we will say so.’
So, why the shift in policy at all? Sadly, the reality about the policy shift appears to be related more to public relations management than to a genuine will to help its users. The announcement, coming just nine days after the company had a finger pointed at it by media giant Reuters for the hacking that took place in 2011 at the hands of the Chinese. It is under the duress of this pressure (to conform to the already shifted policies of companies like Google – who started alerting its users to suspected state-sponsored activity back in 2012) that Microsoft appears to have made the sudden decision also to begin informing its users about government sponsored surveillance. A decision that it claims will help users by making them aware that they should be more vigilant than usual.
At a glance, there appear to be some pretty glaring problems with both Microsoft’s policy shift and the existing policies of various other tech firms. Firstly, it is a commonly accepted belief that (in the West) state-sponsored surveillance is meant to target things like cybercrime and terrorism. It stands to reason (that if this is the case) any person engaged in illegal activities (an ISIL terrorist for example) would likely have his or her suspicions about who any state-sponsored hacker might be. As such, they would stand to benefit greatly from being warned that their account had been penetrated by the government (an apparent failure for homeland security).
Any innocent citizen on the other hand (having, in theory, nothing to fear from their own government) ought to only be concerned if it were indeed the government of an un-allied nation that had been snooping on their account. Being an innocent victim (a citizen would hope) that any information about an un-allied nation hacking their account would be both made known to them (and perhaps be passed on to their home nation’s intelligence agency- to alert them to the illegal snooping of a foreign nation-state).
Of course, the truth about the blanket surveillance policies (such as those forced through in the US’ end of year bill) of Western governments likely means that our governments are already snooping into our communications as and when they want to. Either unnoticed by Microsoft and other tech companies (at best), or in lawful cooperation with them (at worst). The UK’s planned Investigatory Powers Bill (Snoopers Charter) for instance, would, in reality, make it completely illegal for Microsoft to do what it has promised – meaning that despite its reassurances – the firm would not be able to warn British users about any snooping undertaken by GCHQ (even if it wanted to).
Add to this the fact that companies like Microsoft likely do already share specific information about foreign hacking with intelligence agencies (info that it admits it still will not share with users) and as per usual it is the consumer that is left largely in the dark about the true nature of unwanted activity on their account.