Snowden Revelations a blessing, trust needs to be built: Microsoft

• Made the senior leadership team wake up, company gets it act together
• Microsoft pushing to expand its ability to be transparent, ironing legal kinks

MICROSOFT Corp’s chief security officer for Asia, Pierre Noel, believes that the ‘Snowden Revelations’ have proven to be a blessing for the company.
 
“It forced us to get our act together. Inside Microsoft, we were always big on security – but we were really bad at collecting this information and communicating it in an effective way.
 
“Snowden came into the picture and made everybody at the senior leadership team wake up and ask, ‘Oh my gosh, what does this mean to us? Do we have backdoors? Are we talking to the NSA?’ ” he said.
 
Edward Snowden is the former contractor with the US National Security Agency (NSA), who revealed widespread spying by the NSA, the GCHQ (the United Kingdom’s Government Communications Headquarters), and other intelligence agencies.
 
“At that time, people within Microsoft then started to communicate more effectively in terms of what trust means to us, and how we can demonstrate trust,” said Noel.
 
“This is why it was a blessing because before Snowden, you would not have found any document within the company that said ‘This is what we stand for when it comes to trust.’ We had no clear stand, and it really crystalised that, and helped different divisions come together,” he added.
 
That ‘trust’ is the keyword in Microsoft’s recent cyber-security briefing hosted at its Asia Pacific offices in Singapore is no accident.
 
The company has worked hard to change public perception of its role in NSA data collection efforts, mainly by pushing to expand its ability to be transparent.
 
Microsoft general counsel Brad Smith has been the main public face of these efforts, maintaining a regular blog that provides thoughts and updates.
 
In addition, the company has been active in challenging the limits and rationale behind some of the requests for access and data that have been made by government entities – most notably, the on-going legal battle between Microsoft and the Southern District of New York over the handing over of emails stored in the company’s Dublin data centre.
 
In December 2013, a New York court issued a search warrant compelling Microsoft to hand over the emails, intended to be used as potential evidence in a federal narcotics case.
 
The company refused to hand over the information, claiming the court has no jurisdiction overseas and therefore the warrant was void.
 
While the legalities are being fought out in courts, the fact remains that business must continue and when it comes to cybersecurity and cloud computing, technology vendors such as Microsoft could be seen as the mildly awkward middlemen between the private and public sectors.
 
Navigating sovereignty, trust issues
 
John Galligan (pic), regional director of Government Relations at Microsoft Asia Pacific, noted that when it comes to “trust,” it is not just about confidence.
 
“It’s about trusting the fact that the technology is going to do what it’s going to do, in the way you expect it to operate,” he said.
 
Galligan said that the foundations of technology use has been “rocked” in the months since the Snowden Revelations were made public, and trust is now one of the biggest challenges facing Microsoft and the wider IT industry.
 
“Governments may have been over-generous in their access to information, and may have been opaque in how they’ve gone about accessing that data and its use. We’ve seen cyberattacks by both state and non-state sponsored actors.
 
“We’ve seen huge data breaches by companies that should have known better; and even consumers that have started to use this technology and in many ways, are being their own worst security advisors in having too much information out there and trusting these services in a way that is more naïve then we’ve anticipated,” he added.
 
In Microsoft’s approach to building up its own level of trust with customers, Galligan said that in addition to ensuring regulatory compliance and deploying robust security protocols and measures, it is also about transparency.
 
“It’s about being more open about what happens with customer data when they choose to host it on our cloud platform. We’ve also made moves to simplify and clearly outline this in our contract terms, in a concise fashion as well.
 
“We also report audit results and publish transparency reports such as our Law Enforcement Request Report,” he added. [The details of the report can be found here.]
 
For example, in the second quarter of 2014, Microsoft received 101 requests from the Singapore Government, with 139 accounts/ users specified in the request. The company provided only subscriber/ transactional data in 90.1% of requests and rejected 2% of the requests.

In Thailand, out of 67 requests received, with 53 accounts/ users specified in the request, 29.9% of requests were rejected while 53.7% of requests saw the company providing subscriber/ transactional data.
 
Galligan said that during that period, governments around the world made over 70,000 requests of Microsoft, with the United States taking first place and Turkey ranking a very close second.
 
“Very few came from Asia to be honest – they tend not to be asking, or asking Microsoft rather. What’s interesting to note is that out of all requests, less than 20% were for commercial data, with the rest dominated by requests for data on individuals.
 
“You have enormous concern from commercial players over the ease of access to data, ironically enough, when the focus from law enforcement is actually on individuals because invariably, when crimes are committed, it’s individuals or groups, not commercial entities,” he added.
 
When asked about the company’s stance on cases where demands for data hosted overseas are made domestically concerning a local individual, as opposed to the Dublin email case which involves more than one sovereign territory, Galligan said he believes there is “no easy answer,” as every case has its own unique circumstances.
 
“We believe that we shouldn’t be the judge of what the law is – we should be responsible for what the law requires us to do, but in this cloud age there’s oftentimes conflict.
 
“And where there’s a conflict, we tend to take the position that where the data is located, that country’s law will prevail,” he said.
 
Referring to the Dublin case, Galligan said that such a stance is being tested right now in the United States.
 
“So we’re energised around this case, not so much in terms of standing up for one individual who may or may not have committed a crime, but rather to exercise those agencies that are trying to get around the process that they themselves set up,” he said.
 
Galligan added that when there are exigent circumstances like the Charlie Hebdo case in France or the Sydney Siege, information has been provided to aid in investigations, with all due processes being followed.
 
Meanwhile Noel (pic) highlighted that during the Charlie Hebdo case, the French police discovered that one of the attackers had a Hotmail account which was hosted in the United States, and wanted access to the information.
 
“I can tell you now that if they went to Microsoft France for access to that data, they would have been rejected. But they didn’t do that – in this case they went to the FBI (Federal Bureau of Investigation) with their request and outlined why, and the agency in turn contacted us.
 
“All in all, it only took 45 minutes for us to provide the information after verifying everything, because everything was done by the book.
 
“We stand by the fact that we don’t simply give up information but if everything is done correctly, we will provide it,” he said.
 
Galligan said that governments usually have secondary arrangements to share information, for example the notable Five Eyes alliance.
 
The Five Eyes, often abbreviated as FVEY, refers to an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
 
“As technology companies, we don’t want to be Solomon, to cut the baby or figure out which mother to give it to. We want to know the rules of the road, and have them be defined and transparent, but legal theory is changing and we are at the forefront of some of those test cases,” Galligan said.
 
Up Next: Governments should trust and secure the cloud
 
Related Stories:
 
Year 1 AS: I hope we get more Snowdens
 
The world needs to unite on privacy and trust: EU official
 
Cloud adoption shaken by Snowden revelations: Survey
 
Privacy laws: Why we have them, and who benefits

The mystery of the Malaysian Govt and its rejection by Facebook
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.