Microsoft steps up defense of cloud users’ privacy

Douglas Crawford

March 10, 2015

When Microsoft was deeply implicated by Edward Snowden’s disclosures in handing customers’ data to the NSA, its business suffered as users lost confidence in the tech giant’s willingness (and ability!) to protect their data from rapacious government surveillance programs.


According to this Snowden-derived PowerPoint slide, Microsoft was the first tech giant to get on board with the NSA’s PRISM mass surveillance program.

Microsoft has ever since been trying to regain that confidence by making a public stand against government efforts to compromise its users’ privacy.

Some of these efforts are dubious at best (and duplicitous at worst). Offering to store non-US customers’ data outside the US, for example, is of limited value when the US government maintains that the Patriot Act and FISA let it compel Microsoft to hand over information held on its servers to US intelligence agencies, even if that information resides on servers outside the US. It is therefore easy to be cynical about Microsoft’s real commitment to its users’ interests.

We have nevertheless been impressed by Microsoft’s tenacity in fighting US government demands to hand over a customer’s emails that were stored on a server in Ireland, so it is with some hope that we learn Microsoft plans to warn Azure, Office 365, Dynamics CRM Online, and Microsoft Intune customers when it receives a government request for their data.

Specifically, Microsoft has promised to adhere to the ISO/IEC 27018 privacy standard, ‘developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud,’ a claim backed by independent audits from the British Standards Institution (BSI) and Bureau Veritas.

ISO/IEC 27018 is the first international privacy standard for personal data kept in cloud storage, and Microsoft is the first major cloud provider to adopt it – all of which sounds like excellent news. Although the standard does not guarantee users that their data will not be handed over to the US government, complying with it does mean that Microsoft promises to inform them when it does so.

Unfortunately, the big flaw in any such commitment is that the US government can attach gag orders to National Security Letters (and to FISA court orders) that prohibit any such disclosure, something that Microsoft acknowledges when it qualifies its promise with ‘unless this disclosure is prohibited by law…’

Nevertheless, despite its arguably very cynical motives (regaining public trust), Microsoft does seem to be showing some genuine commitment to protecting its customers’ data…