Conundrums in cyberspace — exploiting security in the name of, well, security

At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.  

Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.

On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.

When I think about how governments relate to the Internet, it’s in the following four ways:

Users: Governments use the Internet extensively.  They use it to communicate and store sensitive information, and as a result, they have a vested interest in Internet privacy and security.

Protectors: Governments protect the rights of Internet users — protecting the security and privacy of their populations — and the Internet itself.

Exploiters: Military espionage and other surreptitious activity remind us that governments often have other interests that conflict with their role as protectors. These overlapping and conflicting roles have given rise to the thorny issue that underpins much of the current dialogue on cybersecurity: How should governments act when they have competing objectives?

Investigators: Governments may seek access to their citizens’ digital data, or data in other countries. This raises questions about the rules covering such access.

Cross-border questions add another layer of complexity. Governments investigating local citizens for committing a local crime against local people sometimes find that the evidence is in another country. In these circumstances, the question becomes: how can the legitimate law enforcement needs of countries be met while also protecting the privacy of Internet users and respecting the laws of the country where the data is stored?

The ongoing surveillance disclosures have brought these issues into stark relief and provided stimuli for a robust debate. The situation is full of conundrums with no clear resolution. Consider these perspectives:

  • Governments want to both secure the Internet and exploit it. 
  • Users want to embrace the cloud, preserve their privacy, and be protected from criminal activity, including terrorism. 
  • Industry wants to protect the security and privacy of users, and support efforts to protect public safety and national security.

So where do we go from here? Everyone has a part to play, including governments, users and industry.

Governments need to conduct serious conversations about norms for acceptable action in cyberspace. Governments should enact reforms to ensure that all surveillance is narrowly tailored, governed by the rule of law, transparent, and subject to oversight. We believe this can best be accomplished by building an international framework to set norms for government behavior.

Users must help government and industry strike the right balance between conflicting priorities. They should also take basic steps to protect their devices and data, including the use of encryption tools. 

Industry can help by continually updating and advancing technology options that enable greater data protection and by sharing information that promotes an informed public dialogue. It must be responsive to both customer and government concerns, encouraging transparency and promoting legal processes that help ensure appropriate oversight exists when customer data is sought. 

Having led Microsoft’s Trustworthy Computing group for more than a decade, I can assure you that we fully embrace the mission to expand trust on the Internet, in accordance with our guiding trust principles: security, privacy and transparency. Let me briefly expand on each of those.

Security: We begin with a focus on information assurance, continually building and enhancing security protections in our products and services. Microsoft has not and will not put “back doors” in our products and services, and we don’t weaken our products to enable government spying. Our security efforts are focused on defense, not offense.

To increase customer protections, we continue to advance security technology and innovation. For the last decade, we have implemented the Security Development Lifecycle and we have extended our secure design methodology to cloud services. We are increasing our use of data encryption across services like Outlook.com, Office 365, OneDrive and Windows Azure. We have previously announced that by the end of 2014, all content moving across our networks will be encrypted by default.

Privacy: Regarding requests for customer data from law enforcement or other governmental entities, Microsoft is firm in its commitment to protect customer data.

We will only provide data in response to lawful requests for specific accounts or identifiers. Where appropriate, we will refer law enforcement requests directly to the customer, rather than attempting to fulfill the requests ourselves.  Additionally, we require governments to live within the limits the law imposes on them, and will fight data requests that lack a jurisdictional basis or demand the production of bulk data. 

Transparency: We are committed to transparency and strongly support a more open discussion on current data access policies.

One example of our transparency is our Government Security Program (GSP), which enables government customers to review our source code, in order to reassure them of its integrity. We recently announced plans to expand this access by opening several international Transparency Centers.

Microsoft also publishes a Law Enforcement Requests Report twice a year, which details the number of law enforcement requests we receive (notably, only a tiny fraction of accounts are affected by government requests for data). Additionally, following a lawsuit filed by Microsoft and other large technology companies, the U.S. government agreed to let companies disclose figures on the national security orders received under the Foreign Intelligence Surveillance Act.

Wherever society nets out on this important debate on the appropriate degree of government involvement in the Internet, it’s vital that industry remains principled in its approach to security, privacy and transparency. 

We believe it is time for an international convention on privacy and government access to data, and have joined with others across the industry to recommend clear principles for government surveillance reform at ReformGovernmentSurveillance.com.

Microsoft will continue to push for policy and technical progress to restore public trust in technology, supporting increased transparency, sensible limits on data access and appropriate oversight. We will also push for greater coordination among governments. We believe that these steps are necessary to help restore the trust that is critical to the future growth of global IT systems, and that these steps can be achieved without undermining important public safety and national security concerns.

About the Author

Corporate Vice President, Trustworthy Computing, Microsoft

Scott Charney is Corporate Vice President for Microsoft’s Trustworthy Computing Group. Mr. Charney is responsible for a range of corporate programs that influence the security, privacy and reliability of Microsoft’s products, services and internal networks. He also manages the Engineering Excellence Team, a group focused on promoting best-of-breed engineering practices and ensuring compliance with Microsoft’s mandatory engineering policies. Prior to joining Microsoft, Mr. Charney served as a Principal at PricewaterhouseCoopers, where he led the firm’s Digital Risk Management and Forensics Practice. Before that, Mr. Charney served as Chief of the Computer Crime and Intellectual Property Section (CCIPS) where he was responsible for implementing the Justice Department's computer crime and intellectual property initiatives. Prior to leading CCIPS, Mr. Charney served as an Assistant United States Attorney responsible for the investigation and prosecution of complex cases involving organized crime and as an Assistant District Attorney in Bronx County, New York, where he was responsible for prosecuting persistent violent felony offenders. He also served as Deputy Chief of the Investigations Bureau.