Posted by Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft
Last Thursday, news coverage focused on a case in 2012 in which our investigators accessed the Hotmail content of a user who was trafficking in stolen Microsoft source code. Over the past week, we’ve had the opportunity to reflect further on this issue, and as a result of conversations we’ve had internally and with advocacy groups and other experts, we’ve decided to take an additional step and make an important change to our privacy practices.
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
Successful challenge of National Security Letter protects longstanding policy of notifying enterprise customers if a government requests their data
On Thursday, a federal court in Seattle unsealed documents related to an FBI National Security Letter that Microsoft successfully challenged in court late last year. This marks an important and successful step to protect Microsoft's enterprise customers regarding government surveillance.
Because information about the case wasn’t public until today, this is our first opportunity to discuss it in detail. Given the strong ongoing worldwide interest in these issues, we wanted to provide some additional context on the matter.
Posted by John Frank, Deputy General Counsel & Vice President, Legal & Corporate Affairs, Microsoft
We believe that Outlook and Hotmail email are and should be private. Over the past 24 hours there has been coverage about a particular case, so we want to provide additional context and describe how we are strengthening our policies.
In this case, we took extraordinary actions based on the specific circumstances. We received information that indicated an employee was providing stolen intellectual property, including code relating to our activation process, to a third party who, in turn, had a history of trafficking for profit in this type of material. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
Posted by Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft
Today we are updating our transparency reporting to provide new information relating to governmental demands for customer data. Beginning last summer, Microsoft, Google, and other companies filed lawsuits against the U.S. government arguing that we have a legal and constitutional right to disclose more detailed information about these demands. We contended that we should be able to disclose information about legal orders issued pursuant to U.S. national security laws such as the Foreign Intelligence Surveillance Act (FISA), which we had previously been barred from disclosing.
As a result of that litigation and after lengthy discussions, the Government recently agreed for the first time to permit technology companies to publish data about FISA orders. While there remain some constraints on what we can publish (more details on that below), we are now able to present a comprehensive picture of the types of requests that we receive from the U.S. Government pursuant to national security authorities.
In the year since news reports surfaced about U.S. government surveillance practices, a lot has changed. And there even have been some initial positive reforms. We all want to live in a safe and secure world and governments – including the U.S. government – play a vital role in helping to protect our communities. But the reality is clear. The U.S. Government needs to address important unfinished business to reduce the technology trust deficit it has created.
It was a year ago this week that the Guardian and Washington Post published their first reports about the extent of U.S. government surveillance of phone and Internet records, sometimes in partnership with others. As the story evolved, we learned that the government was not just seeking a relatively small amount of content from Internet companies via legal orders. It’s now apparent that the government intercepted data in transit across the Internet and hacked links between company data centers. These disclosures rightly have prompted a vigorous debate over the extent and scope of government surveillance, leading to some positive changes. But much more needs to be done.
Posted by Matt Thomlinson, Vice President, Trustworthy Computing Security, Microsoft
In December, we announced our commitment to further increase the security of our customers’ data. We also announced our plans to reinforce legal protections for our customers’ data, and continue to increase transparency in how we engage with governments around the world. We are making positive progress on all of these fronts.
We are in the midst of a comprehensive engineering effort to strengthen encryption across our networks and services. Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day. This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data.
As part of that, today we’re announcing three important milestones that honor our commitments to security and increased transparency.
Posted by J. Paul Nicholas, Senior Director, Global Security Strategy & Diplomacy, Microsoft
On Monday, Microsoft released a new report entitled “Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain” that looks beyond today’s technological trends to anticipate future catalysts for change in cyberspace. Cloud computing, the Internet of Things, big data and cybersecurity loom large on today’s—and tomorrow’s—agenda. In the report is a Cyber 2025 Model, developed to determine potential cyber trends, as well as revealing several interesting projections about the future of cyberspace.
Posted by Brendon Lynch, Chief Privacy Officer, Microsoft
We at Microsoft focus on privacy protections for our customers every day of the year. On Jan. 28, we join others across private and public sectors around the world to mark Data Privacy Day (DPD) – which is also known as Data Protection Day in Europe where it began in 2006. In support of the day’s focus on educating and empowering people, I’ll be participating in a DPD panel discussion hosted by the National Cyber Security Alliance (NCSA) in Washington, D.C. on Jan. 28, and will share the results of a new Microsoft commissioned survey that measured online privacy perceptions among technology savvy individuals in the U.S. and four European countries (Belgium, France, Germany and the UK).
Our panel discussion will focus on “Notice and Consent: Innovating a New Path Forward,” where we’ll explore the complex opportunities and challenges that businesses, civil society and government must overcome to adapt traditional privacy models for the era of big data and the Internet of Things.
Posted by David Howard, Corporate Vice President & Deputy General Counsel, Litigation & Antitrust, Microsoft
You may be wondering what happened to the YouTube app for Windows Phone. Last May, after we launched a much improved app on our platform, Google objected on a number of grounds. We took our app down and agreed to work with Google to solve their issues. This week, after we addressed each of Google’s points, we re-launched the app, only to have Google technically block it.
We know that this has been frustrating, to say the least, for our customers. We have always had one goal: to provide our users a YouTube experience on Windows Phone that’s on par with the YouTube experience available to Android and iPhone users. Google’s objections to our app are not only inconsistent with Google’s own commitment of openness, but also involve requirements for a Windows Phone app that it doesn’t impose on its own platform or Apple’s (both of which use Google as the default search engine, of course).
Posted by David Howard, Corporate Vice President & Deputy General Counsel, Microsoft
The U.S. government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas.
To protect this principle, we filed a formal legal challenge months ago to a U.S. search warrant seeking customer email content that is located exclusively outside the United States. Today we received an initial decision that maintains the status quo but is a necessary step in our effort to make sure that governments follow the letter of the law when they seek our customers’ private data in the future.
When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a U.S. district court judge and probably to a federal court of appeals. Today the Magistrate Judge, who originally issued the warrant in question, disagreed with our view and rejected our challenge. This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.
Last week, President Obama spoke about the role of the National Security Agency and announced some important changes to the surveillance practices of the U.S. government. We appreciate the steps the President announced, which represent positive progress on key issues including privacy protections for non-U.S. citizens. There is more work to do to define some of the details and additional steps that are needed, so we’ll continue to work with both the administration and Congress to advocate for reforms consistent with the principles our industry outlined in December.
This week, the World Economic Forum holds its annual meeting in Davos, Switzerland where these same issues of data privacy and reform of government surveillance will be on the agenda. We hope that these discussions will spur a focus on the international steps that governments can take together. While there is no substitute for American leadership and action on these issues, the time has come for a broader international discussion. We need an international legal framework – an international convention – to create surveillance and data-access rules across borders.
Posted by Peter Cullen, General Manager, Trustworthy Computing, Microsoft
This week is particularly exciting for the many people at Microsoft who focus on data privacy. Several of us will attend the annual Global Privacy Summit in Washington, D.C., hosted by the International Association of Privacy Professionals (IAPP). It is a week for privacy professionals from around the world to convene and discuss the big topics that industry, civil society and governments work on collectively to advance the state of privacy protections in today’s data-rich world.
Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing group, will deliver a keynote address on Thursday that explores both the trust dynamics resulting from ongoing disclosures regarding government data access and the challenges facing commercial data privacy models in a world of increasingly ubiquitous computing.
Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information. We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the Government is stopping us. For example, Government lawyers have yet to respond to the petition we filed in court on June 19, seeking permission to publish the volume of national security requests we have received. We hope the Attorney General can step in to change this situation.
Until that happens, we want to share as much information as we currently can. There are significant inaccuracies in the interpretations of leaked government documents reported in the media last week. We have asked the Government again for permission to discuss the issues raised by these new documents, and our request was denied by government lawyers. In the meantime, we have summarized below the information that we are in a position to share, in response to the allegations in the reporting:
Not surprisingly, we remain subject to these types of legal obligations when we update our products and even when we strengthen encryption and security measures to better protect content as it travels across the web. Recent leaked government documents have focused on the addition of HTTPS encryption to Outlook.com instant messaging, which is designed to make this content more secure as it travels across the internet. To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.
Posted by Dan Bross, Senior Director, Corporate Citizenship, Microsoft
We are proud to be included in the 2014 list of the World’s Most Ethical Companies, which was released by the Ethisphere Institute on Thursday.
Ethical and responsible business practices are the bedrock of our corporate governance practices. These practices are designed to promote the interests of shareholders, maintain checks and balances, strengthen accountability and foster responsible decision making.
Posted by David Finn, Associate General Counsel & Executive Director, Microsoft Cybercrime Center
A new study released Tuesday reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now – cybercrime is a booming business for organized crime groups all over the world. The study, conducted by IDC and the National University of Singapore (NUS), reveals that businesses worldwide will spend nearly $500 billion in 2014 to deal with the problems caused by malware on pirated software. Individual consumers, meanwhile, are expected to spend $25 billion and waste 1.2 billion hours this year because of security threats and costly computer fixes.
Posted by Peter Cullen, General Manager, Trustworthy Computing, Microsoft
We live in an environment where the amount of data being generated is increasing at a staggering pace. With it we see a corresponding growth in the potential for important benefits, both to us as individuals and as a society, based on using this information. However, in this data-rich world it is becoming clear that today’s privacy frameworks cannot adequately protect consumer privacy; it has become critical that we evolve our thinking with respect to the ways societies protect the privacy of individuals while providing for responsible, beneficial data use.
Identifying frameworks that support the dual goals of privacy and responsible data use is the motivation for Microsoft’s collaboration with privacy stakeholders from around the world – across governments, private enterprise and civil society. Today, we are pleased to have been able to support the launch of two new white papers: “Data Protection Principles for the 21st Century” and “Data Use and Global Impact” which outline important new thinking on this topic.
Today, we are joining AOL, Apple, Facebook, Google, LinkedIn, Twitter and Yahoo in calling for reforms of government surveillance.
Since Microsoft was founded, we’ve believed technology is a powerful tool that can help people. In that belief we remain steadfast.
But we also recognize another important point. People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.
Last week we announced that we’re taking new steps to reduce the risk of government snooping. Today we’re joining with others across our industry to call on governments to adhere to specific principles with respect to surveillance.
Posted by Anthony Salcito, Vice President, Worldwide Education, Microsoft
I'm thrilled to announce a new benefit designed to empower students worldwide with the technological skills they need to compete in today’s (and tomorrow’s) workforce: it's called Student Advantage.
Beginning Dec. 1, any academic institution that licenses Office for staff and faculty can provide Office 365 ProPlus for students at no additional cost. Student Advantage makes it easy for qualifying institutions to provide students with the latest version of full Office at school and at home. Combined with Office 365 for Education plan A2, which is free for schools, Student Advantage gives students access to the same set of world-class productivity tools and services used by Fortune 500 companies all over the world.
Posted by Matt Thomlinson, Vice President, Microsoft Security
On Friday, I participated in a panel entitled “Rebooting Trust? Freedom vs. Security in Cyberspace” at the 50th Munich Security Conference. During my presentation, I discussed Microsoft’s initiatives to protect customer data from government snooping, which Microsoft General Counsel & Executive Vice President Brad Smith recently announced. Brad outlined three areas where Microsoft would be taking action: expanding encryption across our services; reinforcing legal protections for our customers’ data; and enhancing the transparency of our software code. On Friday, we announced another step we are taking in implementing those commitments.
We will open an international Transparency Center in Brussels, which will offer government customers an increased ability to review our source code. The Brussels center will build upon our long-standing program that provides government customers with the ability to review our source code, reassure themselves of its integrity and confirm there are no back doors. It is my hope to open the Brussels Transparency Center by the end of this year.
Posted by Dr. Dennis Schmuland, Chief Health Strategy Officer, U.S. Health & Life Sciences, Microsoft
On Wednesday, University of Colorado Health (UCHealth), one of the state’s largest healthcare providers, announced its migration to Microsoft Office 365, a decision that was made in large part due to Microsoft’s long-standing commitment to data security and privacy and because the company supports HIPAA requirements beyond what other vendors provide.
Such cloud adoption within the healthcare industry is gaining momentum because the economic, clinician productivity and care team collaboration advantages of the cloud are undeniable. However, as was the case for UCHealth, there’s one fundamental concern that continues to weigh heavily on the minds of providers: Is patient data safe, secure and private in the cloud?
Posted by Paul Nicholas, Senior Director, Global Security Strategy & Diplomacy, Microsoft
On Thursday, Microsoft released a new study entitled The Cybersecurity Risk Paradox. The new report focuses on specific ways that social and economic factors affect cybersecurity outcomes worldwide. It is a follow-up study that builds on the earlier learnings of a study released last year entitled Linking Cybersecurity Outcomes and Policies.
In Linking Cybersecurity Outcomes and Policies, we took malware infection data from our Microsoft Security Intelligence Report and compared it to international socioeconomic statistics in three categories – digital access, institutional stability and regime stability. We were then able to identify the key social, economic and technological factors critical to enhancing cybersecurity.
Posted by David Finn, Executive Vice President & Associate General Counsel, Microsoft Cybercrime Center
Last week, Microsoft hosted our first Cybercrime Enforcement Summit. More than 60 global law enforcement leaders and cybercrime experts met in Redmond for two days of closed-door sessions, discussing best practices and concrete steps to protect people online.
As I reflect upon the event, I think there are three key takeaways that will guide the efforts of all of those that attended:
1. Actions speak louder than words
We are entering a new era of collaboration where there is a shared recognition that only through strong partnerships can we not only keep pace with cybercriminals, but get ahead of them.
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.
Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.
On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals, organizations (including nation-states), and society at large, and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns. Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis.
In my Rethinking Cyber Threats and Strategies paper I discuss a framework for categorizing and assessing cyber threats, the problem with attribution, and possible ways for society to prevent and respond to cyber threats. In my speech today at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, I proposed one possible approach to addressing botnets and other malware impacting consumer machines. This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”