Don’t Trust the Cloud? Microsoft Gives the Keys to Windows to the NSA

According to Bloomberg, Microsoft tells spy agencies how to exploit Windows bugs:

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

We already know Microsoft makes it easy for spy agencies to listen in on Skype calls. And it’s not like regular phone calls are better-protected. Apparently, the same is true for Windows (and don’t get too huffy before the rest of the leaks come in, Mac users).

What does this mean, in English? Glyn Moody puts it succinctly at ComputerWorldUK:

[E]very time a company installs a new patch from Microsoft to fix major flaws, it’s worth bearing in mind that someone may have just used that vulnerability for nefarious purposes.

So, if you were laboring under the illusion that your data is somehow safer on your own computer than in the cloud, let’s just put an end to that fallacy. The NSA is not willing to wait around for court to approve subpoenas. If it wants your data, it is just going to get it. Now we know that one way it is going to get your data is by walking in the back door while Microsoft holds it open and looks the other way.

Is any of this legal? I’m not a constitutional law scholar, but I have a hard time understanding how this would survive a constitutional challenge. Then again, we’ve had secret laws, secret interpretations of those secret laws by the DOJ, and secret courts in which all of those secrets are secretly litigated and constitutional protections are supposedly secretly observed, and this has all been going on for quite a while. Maybe there is a secret amendment to the U.S. Constitution that permits all this secrecy.

You should be upset about this. If you are, you should tell your representatives that you are upset about this. You should certainly tell Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple — the companies participating in the NSA’s PRISM program — that you are upset about this. And you should consider whether you want to use voluntarily-compromised products from companies like Microsoft and Google.

The impact of all this on the question of whether or not you should use the cloud, though, is a red herring. You should still use the cloud if you want to. There are a lot of good reasons to, and the cloud is much larger than Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple.

Instead, learn about security. Not just because the government or a corporation may have access to your data, but because you owe it to yourself and to your clients to make sure your data is only accessible by the people you want to have access to it. I think every lawyer should have a working knowledge of common encryption technologies. Here is some weekend reading to get you started:

Now, go read the Dropbox and Crashplan security overviews, and see if you can spot the ways the above technologies are employed in both, and how they differ. Oh, and learn how email works, and some basic email security, plus how to encrypt your email if you want to go to the trouble (and it is a lot of trouble).


  1. Sam:

    Thanks for the insights and great round up of relevant links – am sharing across all my networks now…

  2. Avatar Fahad (Eddie) says:

    What about other cloud providers secrets ?

    • Avatar Sam Glover says:

      I don’t understand the question.

      • Avatar Fahad (Eddie) says:

        You indicate Microsoft.. But I want to know other Cloud Providers Security? like amazon, google, rackspace…

        • Avatar Sam Glover says:

          The point of this article is that there is no such thing as a secure cloud. If the NSA wants it, the NSA will get it.

          • Avatar Andrew Nettleman says:

            It also strikes me that a server in my office isn’t any more secure. If Microsoft is willing, as we saw yesterday, to provide the NSA with backdoor access to products that haven’t even been released yet, my bet is that they are also willing to provide them backdoor access to a server through a patch or otherwise.

            • Avatar Sam Glover says:

              Not to mention that the information on your server still has to travel over the wires, and the NSA is copying all the data it can intercept, encrypted or not.

              • Avatar Andrew Nettleman says:

                A very good point. At this point I am just at a loss. The NSA is saying “All your data are belong to me” and I’m just not sure if there is ANYTHING we can do to prevent it. Even encrypted traffic is being intercepted and stored where they can hammer away on it in their new billion dollar data center in Ft. Meade.

  3. Avatar Known by the NSA says:

    Using the cloud means give your data directly to the NSA, and then they can use it with gigabit speed. Having it at home, slows the process extremly because of dsl speed of your connection!

Leave a Reply