If true, NSA spying could “seriously undermine confidence in the security and privacy of online communications,” Microsoft’s general counsel, Brad Smith, said in a blog post. “In light of these allegations, we’ve decided to take immediate and coordinated action.”
Smith pledged to “pursue a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.” That includes major communications, productivity, and developer services such as Outlook.com, Office 365, SkyDrive, and Windows Azure.
Content moving between customers and Microsoft’s servers will be encrypted by default, as will communications moving between Redmond’s data centers, using “best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths,” Smith said. “All of this will be in place by the end of 2014, and much of it is effective immediately.”
Smith said Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, while most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between data centers.
In addition to encryption, Microsoft also said it will “take new steps to reinforce legal protections for our customers’ data,” – like informing them when the feds request data. “Where a gag order attempts to prohibit us from doing this, we will challenge it in court,” Smith said.
The company will also open a “network of transparency centers” in Europe, the Americas and Asia that will build on “our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors.”
“Ultimately, we’re sensitive to the balances that must be struck when it comes to technology, security and the law, … but we also want to live in a country that is protected by the Constitution,” Smith concluded. “We believe these new steps strike the right balance, advancing for all of us both the security we need and the privacy we deserve.”
Reports that Microsoft would step up encryption emerged last month. That came after The Washington Post, citing documents provided by Edward Snowden, reported on MUSCULAR, an NSA program that operates in conjunction with the U.K. version of the NSA, the Government Communications Headquarters (GCHQ). Together, they “are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants” like Yahoo and Google, the paper said.