For the first time, the Guardian is detailing how a tech company works with the National Security Agency to share user information under the NSA's PRISM program. Unfortunately, that tech company happens to be Microsoft, the one that makes the operating system used on 92 percent of computers in the world.
The tone of the report (and Microsoft's statement about it) contrasts significantly with what the company said when PRISM was revealed. The Guardian, using documents obtained from NSA leaker Edward Snowden, paints Microsoft as a compliant partner in creating windows and doors in their software for the government to access.
Before we get to the mechanics, we'll answer the obvious: Which Microsoft products are covered? Primarily the web-based ones. There are three specific Microsoft services that the NSA has privileged access to: Outlook, SkyDrive, and Skype. Given the revelations, here's a service-by-service breakdown of what's probably not safe from the NSA's prying eyes:
Outlook: No E-Mails or Chats to or from This Service Are Safe. We already knew that the government had "direct access"—or something like it—to all of Microsoft's data as a part of the PRISM program outlined in June. Up until 2011, the NSA had been collecting all e-mail metadata for everyone, which did not include the content but did include location, name, date, and other revealing information. PRISM, however, gives the government access to more than just that. Still, up until now, it was safe to assume encrypted (encoded) messages (as described here) might not be readable. The Guardian suggests that's not the case, meaning all e-mails and encrypted chats, even ones specifically meant just for certain people to see, could fall into the NSA's hands.
SkyDrive: Some Computer Files Are Not Safe. For people who use SkyDrive, any of the documents, or pictures, or anything linked up with the service are vulnerable. The cloud service automatically syncs any stuff in its folders. When first setting up the service, by default the app creates Documents, Pictures, and Public folders, but you can tinker with what gets put in there, so it's user-dependent. Some people might sync all their folders just in case their hard drive crashes, or something—all of which the NSA could potentially see.
Skype: Audio and Video Content of Phone Calls Is Not Safe. In addition to Skype chat, the NSA has access to audio and video of calls. "Now, analysts will have the complete 'picture'," one document obtained by The Guardian says. In other words, the government has a veritable wiretap on Skype conversations. "Feedback indicated that a collected Skype call was very clear and the metadata looked complete," read another document.
The standard caveat applies here: the NSA is not allowed to collect data on Americans, though the FBI can with a warrant. But the NSA treats a person as non-American when there is a 51 percent likelihood that the person is overseas. And any communication between an American and a non-American could be swept up by the agency.
The Microsoft revelations stem from what Guardian reporter Glenn Greenwald calls "an internal, ongoing NSA bulletin" produced by the NSA's Special Source Operations (SSO) division. The SSO, the article notes, was "described by Snowden as the 'crown jewel' of the agency," and the one that manages the relationships with tech companies under PRISM.
In Microsoft, it had a willing partner. The company's original statement downplaying its work with the government stated that it provided the Feds with data "only when we receive a legally binding order or subpoena." Today's revelations suggest that this caveat—while undoubtedly true—is a bit like erecting a thick wall through which you've drilled a velvet-rope-protected tunnel. The government is kept out—but if they want access, it's trivial. (Other companies, like Yahoo, put up more of a fight, albeit earlier.)
The files show that the NSA became concerned about the interception of encrypted chats on Microsoft's Outlook.com portal from the moment the company began testing the service in July last year.
Within five months, the documents explain, Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chat.
The government's desire to peel back encryption has been known for some time. In May, prior to the Snowden revelations, The Times reported on the FBI's efforts to intercept encrypted messages. At the time, the paper suggested that Obama was "on the verge of" approving a system to force that to happen. The FBI probably found that story somewhat amusing.
Microsoft was compliant on allowing SkyDrive access, too. "An entry dated 8 April 2013 describes how the company worked 'for many months' with the FBI … to allow Prism access without separate authorization" to SkyDrive. In other words—once an analyst has access to your Outlook, that analyst has access to SkyDrive, too, without having to make a separate request to higher-ups. (The entry also suggests that analysts "may not have known" that additional approval was required anyway.)
While the Guardian article singles out Microsoft, there is little reason to think that other companies implicated in the PRISM program—Apple, Google, AOL, Facebook—did much to make the NSA's work harder. Which is why our guide to hiding from the NSA started with one admonition: using companies known to collaborate with the government is not a good way to keep the government from collecting your data.