Microsoft plans to encrypt data flowing through all of its communication, productivity and other services as it seeks to reassure users in the United States and beyond that it will guard their personal information from snooping governments, the company announced Wednesday night.
The encryption initiative, approved by company executives last week, comes as many of the nation’s top technology firms scramble to protect their reputations after months of revelations about how the National Security Agency and its foreign counterparts have siphoned off massive amounts of user information, including emails, video chats, address books and more.
“The goal is clear: We want to be sure that governments use legal processes rather than brute force to access user data,” said Brad Smith, Microsoft’s general counsel.
Smith said that concern at the company surged in October, when The Washington Post reported, based on documents provided by former NSA contractor Edward J. Snowden, that the NSA and its British counterpart were tapping into the private communications links of Google and Yahoo as information flowed among those companies’ data centers.
Smith said that report was “like an earthquake sending shock waves through the tech sector” because it made clear that government surveillance was not limited to known legal processes, such as those approved by the Foreign Intelligence Surveillance Court, but was happening by other means, as well.
Both Google and Yahoo, which have announced their own major encryption initiatives in recent months, have global networks that resemble Microsoft’s. In addition, documents provided by Snowden to the Post suggested – while not proving – that Microsoft also was a target of the NSA program that collected data moving between centers.
Privacy advocates long have considered Microsoft a laggard in adopting encryption technology and resisting surveillance efforts. Microsoft’s announcement signals a major new commitment to such issues, and was accompanied by promises to make the computer coding for Microsoft’s services more transparent and to more vigorously resist data requests from police and intelligence agencies.
Smith said the company also was taking the position that the Foreign Intelligence Surveillance Court, which oversees some NSA intelligence-gathering efforts, does not have jurisdiction to approve the collection of data outside U.S. borders.
The company did not immediately release an estimated cost or a timeline for completing the new encryption efforts. It did, however, promise to implement “best-in-class cryptography” for data flowing between customers and Microsoft and moving between data centers around the world. It also plans to encrypt data that’s in storage. Among the products getting new encryption are Outlook.com, Office 365, SkyDrive and Azure.
The company said the encryption effort will include implementing “perfect forward secrecy,” a way of safeguarding encryption keys, and 2,048-bit key lengths. Both are considered relatively advanced technologies. Data flowing between customers and Microsoft will be encrypted by default, which privacy advocates consider superior to systems that users must personally activate.