You might think, given Edwards Snowden’s recent revelations that the NSA and GHCQ, as part of a program named MUSCULAR, have been tapping the main data links between Google and Yahoo!’s international servers, that tech giant Microsoft might take some measures to prevent the same thing happening to them, but apparently not.
In a meeting with the European Parliament on Monday (11 October 2013), senior Microsoft executive Dorothy Belz admitted that,
‘Generally, what I can say today is server-to-server transportation is generally not encrypted… This is why we are currently reviewing our security system.’
Google is reportedly storming mad at the revelations that the NSA and GHCQ secretly spied directly on vast amounts of data as it passed through the core data links between its international servers, and Brandon Downey a top security engineer posted the following to his blog,
‘Fuck these guys.
I’ve spent the last ten years of my life trying to keep Google’s users safe and secure from the many diverse threats Google faces.
I’ve seen armies of machines DOS-ing Google. I’ve seen worms DOS’ing Google to find vulnerabilities in other people’s software. I’ve seen criminal gangs figure out malware. I’ve seen spyware masquerading as toolbars so thick it breaks computers because it interferes with the other spyware.
I’ve even seen oppressive governments use state sponsored hacking to target dissidents.
But even though we suspected this was happening, it still makes me terribly sad. It makes me sad because I believe in America.’
Goggle has rushed to encrypt all the traffic that was shown being monitored by the NSA, and Yahoo! has announced that it is working to step up its encryption by January next year, but seems that Microsoft has not leaned from the lessons of the last few months. Interestingly, Belz’s admission came out in a video of the hearing, which has now mysteriously disappeared from YouTube.
Caspar Brown, privacy researcher and ex-privacy adviser to Microsoft, told The Register that ‘every European company which has used US-based cloud services must have a contract which specifies conditions for secure data processing.’ Under EU law it is considered negligent to leave EU citizen’s data unencrypted and therefore open to spying by national security organizations (not just the NSA), and as Brown observes, ‘these risks were well known before Snowden, and European companies who want to show they are serious about data protection will be considering legal action.’
The Register approached Microsoft over the issue, and were told that,
‘Over the last few years, Microsoft and others have increased protection of customer data travelling across the internet by increasing use of SSL for services… However, recent disclosures make it clear we need to invest in protecting customers’ information from a wide range of threats, which, if the allegations are true, include governments. We are evaluating additional changes that may be beneficial to further protect our customers’ data.’