Don’t Trust the Cloud? Microsoft Gives the Keys to Windows to the NSA
According to Bloomberg, Microsoft tells spy agencies how to exploit Windows bugs:
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
We already know Microsoft makes it easy for spy agencies to listen in on Skype calls. And it’s not like regular phone calls are better-protected. Apparently, the same is true for Windows (and don’t get too huffy before the rest of the leaks come in, Mac users).
What does this mean, in English? Glyn Moody puts it succinctly at ComputerWorldUK:
[E]very time a company installs a new patch from Microsoft to fix major flaws, it’s worth bearing in mind that someone may have just used that vulnerability for nefarious purposes.
So, if you were laboring under the illusion that your data is somehow safer on your own computer than in the cloud, let’s just put an end to that fallacy. The NSA is not willing to wait around for a court to approve subpoenas. If it wants your data, it is just going to get it. Now we know that one way it is going to get your data is by walking in the back door while Microsoft holds it open and looks the other way.
Is any of this legal? I’m not a constitutional law scholar, but I have a hard time understanding how this would survive a constitutional challenge. Then again, we’ve had secret laws, secret interpretations of those secret laws by the DOJ, and secret courts in which all of those secrets are secretly litigated and constitutional protections are supposedly secretly observed, and this has all been going on for quite a while. Maybe there is a secret amendment to the U.S. Constitution that permits all this secrecy.
You should be upset about this. If you are, you should tell your representatives that you are upset about this. You should certainly tell Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple — the companies participating in the NSA’s PRISM program — that you are upset about this. And you should consider whether you want to use voluntarily-compromised products from companies like Microsoft and Google.
The impact of all this on the question of whether or not you should use the cloud, though, is a red herring. You should still use the cloud if you want to. There are a lot of good reasons to, and the cloud is much larger than Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple.
Instead, learn about security. Not just because the government or a corporation may have access to your data, but because you owe it to yourself and to your clients to make sure your data is only accessible by the people you want to have access to it. I think every lawyer should have a working knowledge of common encryption technologies. Here is some weekend reading to get you started:
Now, go read the Dropbox and CrashPlan security overviews, and see if you can spot the ways the above technologies are employed in both, and how they differ. Oh, and learn how email works, and some basic email security, plus how to encrypt your email if you want to go to the trouble (and it is a lot of trouble).