Microsoft to open up code to customers in a bid to repair damage of NSA revelations

'Enhanced transparency' of code part of a series of measures to repair damage wrought by NSA revelations

Microsoft will today unveil its plans to protect customer data from government surveillance.

The move comes in response to the revelation that the US National Security Agency (NSA) targeted weak links in the security of major internet companies, including Google, Yahoo and Microsoft, in order to tap the data on their networks.

In a blog post, Brad Smith, general counsel and executive vice president, Legal & Corporate Affairs at Microsoft, strongly criticised the government-led internet surveillance initiatives and outlined the steps that the software giant was planning to take to protect data.

"We are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures - and in our view, legal processes and protections - in order to surreptitiously collect private customer data," wrote Smith.

He continued: "In particular, recent press stories have reported allegations of governmental interception and collection - without search warrants or legal subpoenas - of customer data as it travels between customers and servers or between company datacentres in our industry.

"If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an 'advanced persistent threat', alongside sophisticated malware and cyber attacks."

In response, the company will expand encryption across its internet-facing services, "reinforce legal protections" for customer data, and "enhance the transparency" of the company's code, "making it easier for customers to reassure themselves that our products do not contain back doors", according to Smith.

He added there was no evidence that customer data had been compromised by the NSA, "but we don't want to take any chances and are addressing this issue head on".

The effort will encompass major communications, productivity and developer services such as Outlook.com, Office 365, SkyDrive and Windows Azure, and will provide protection across the full lifecycle of customer-created content.

Smith outlined the following developments in particular:

  • All customer content moving between customers and Microsoft will be encrypted by default
  • All key platform, productivity and communications services will encrypt customer content as it moves between Microsoft datacentres
  • "Best-in-class industry cryptography" will be used to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths
  • All of this will be in place by the end of 2014, and much of it will be effective immediately
  • Microsoft will encrypt customer content that it stores: "In some cases, such as third-party services developed to run on Windows Azure, we'll leave the choice to developers, but will offer the tools to allow them to easily protect data"
  • Microsoft will work with other companies across the industry to ensure that data transmitted between services - from one email provider to another, for instance - is protected

However, Smith did not mention Skype, the company's online voice and video conferencing service, which has long been the subject of eavesdropping suspicion.