In December 2013, Microsoft issued a public pledge to increase security measures across the company's entire product line to counteract what Microsoft's general counsel and executive vice president Brad Smith characterizes as "a broader and concerted effort by some governments to circumvent online security measures — and in our view, legal processes and protections — in order to surreptitiously collect private customer data."
As part of this pledge, Microsoft rolled out in July 2014 a variety of changes intended to enhance the security of Outlook and OneDrive, and introduced an initiative to increase the transparency of Microsoft code to assuage concerns that backdoor vulnerabilities are intentionally placed in Microsoft products.
Adding Transport Layer Security (TLS) to Outlook
As of the beginning of July 2014, both incoming and outgoing mail on Outlook are protected by Transport Layer Security (TLS). As such, if you send an email to someone on a network that also supports TLS, the email is encrypted in transit. In the statement, Microsoft names the Russian organizations Yandex and Mail.ru, as well as Deutsche Telekom, as groups that it has worked with to implement and test the deployment of TLS to ensure that email remains secure in transit.
The fact that mail is encrypted in transit is an important distinction. While this implementation of TLS is a welcome change that arguably does increase security, it does not do anything for messages that are stored on Microsoft's servers. In the announcement, no mention was made of any method through which stored mail is encrypted. Consequently, it seems any organization that can gain access to the server, or gain the cooperation of Microsoft, still retains the ability to read stored mail, independent of the method used to transfer the message.
Earlier this year, Microsoft did enable S/MIME in Office 365, which could potentially be an indicator that this feature could be forthcoming for users of the Outlook Web App.
Adding Perfect Forward Secrecy (PFS) to OneDrive and Outlook
Outlook now has Perfect Forward Secrecy (PFS), which allows for encryption support for sending and receiving mail between different providers. PFS employs a new key for every connection, which limits the amount of data that could be retrieved if a key is cracked, and complicates matters for those seeking to crack keys. This protection is also extended to OneDrive, as transmitted data is now encrypted with forward secrecy for the OneDrive web interface, mobile applications, and sync clients.
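Whether a TLS connection actually has forward secrecy is decided by the key exchange in the negotiated cipher suite: an ephemeral (EC)DHE exchange derives a fresh key per connection, whereas RSA key transport or a static (EC)DH key means one compromised long-term key unlocks every recorded session. The following script is an added example, not code from Microsoft or from the article; it classifies cipher suite names in both OpenSSL form (ECDHE-RSA-AES128-GCM-SHA256) and IANA form (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), flags the suites that lack forward secrecy, and, as an illustration, applies the same check to the default suites of the local Python/OpenSSL build. The sample suite list is constructed for the example.

```python
import re
import ssl

# Key-exchange tokens as they appear in OpenSSL ("ECDHE-RSA-AES128-GCM-SHA256")
# and IANA ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") cipher suite names.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}      # fresh (EC)DH key pair per connection
STATIC_DH_KX = {"ECDH", "DH"}               # long-lived (EC)DH key bound to the certificate
ANONYMOUS_KX = {"ANON", "ADH", "AECDH"}     # ephemeral but unauthenticated


def key_exchange(suite: str) -> str:
    """Classify a cipher suite name by how its session key is agreed.

    Returns "ephemeral" (forward secret), "static-dh", "rsa", "anonymous"
    or "other" (PSK/SRP/Kerberos variants without an ephemeral component).
    """
    name = suite.strip().upper()
    tokens = set(re.split(r"[-_]", name))

    # IANA names for TLS 1.2 and earlier always contain "_WITH_". TLS 1.3
    # suites (TLS_AES_128_GCM_SHA256, ...) do not, and TLS 1.3 permits only
    # ephemeral key exchange, so they are forward secret by construction.
    if name.startswith("TLS_") and "_WITH_" not in name:
        return "ephemeral"
    if tokens & ANONYMOUS_KX:
        return "anonymous"
    if tokens & EPHEMERAL_KX:
        return "ephemeral"
    if tokens & STATIC_DH_KX:
        return "static-dh"
    if tokens & {"PSK", "SRP", "KRB5"}:
        return "other"
    # Everything else is RSA key transport: the client encrypts the premaster
    # secret to the server's certificate key. IANA names say "RSA" explicitly;
    # OpenSSL names such as "AES128-SHA" leave it implied.
    return "rsa"


def has_forward_secrecy(suite: str) -> bool:
    return key_exchange(suite) == "ephemeral"


def audit(suites):
    """Return the suites whose recorded traffic a later key compromise could
    decrypt, i.e. every suite without forward secrecy."""
    return [s for s in suites if not has_forward_secrecy(s)]


# Constructed sample: the kind of list a server might advertise in 2014,
# mixing ephemeral suites with legacy RSA key transport and static ECDH.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "ECDH-RSA-AES128-SHA",
    "AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
]


def local_ciphers_without_fs():
    """Apply the audit to the suites this Python/OpenSSL build enables by default."""
    ctx = ssl.create_default_context()
    return audit(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for suite in SAMPLE_OFFERED:
        print(f"{suite:45} {key_exchange(suite)}")
    print("\nSample suites without forward secrecy:", audit(SAMPLE_OFFERED))
    print("Local default suites without forward secrecy:", local_ciphers_without_fs())
```

The classifier looks at the key-exchange tokens rather than the bulk cipher or MAC, because a suite such as AES128-SHA is only weak in this respect: its AES and SHA-1 MAC are not the problem, its RSA key transport is. Run against a server's negotiated suite (for example from a protocol-level debug log or the output of a TLS scanner) it tells an administrator whether the "new key for every connection" property described above is actually in force.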
The introduction of the Microsoft Transparency Center
Perhaps most curious in this round of updates is the opening of the Microsoft Transparency Center in Redmond, Washington, which, according to Microsoft will "provide participating governments with the ability to review source code for our key products, assure themselves of their software integrity, and confirm there are no 'back doors.'"
No reasonable person should expect Microsoft to open the source of its products for just anyone to audit, but the limitation of such privileges to only government agents appears to be a wholly transparent attempt to assuage the concerns of various foreign governments about the integrity of Microsoft products in light of recent disclosures. At the GigaOm Structure conference last month, Smith stated, "We are seeing other governments consider new procurement rules — procurement rules that could effectively freeze out US-based companies." Although this level of transparency is a welcome step, extending this privilege to security researchers would be perhaps a more full-throated defense of the company's position.
Microsoft can capitalize on its position of authority. For comparison, Facebook is facing discontent and backlash for a psychological experiment attempting to alter the mood of users based on the contents of the news feed, a practice for which it is facing a legal inquiry. Google, meanwhile, is up against a negative perception of the privacy implications of Google Glass, the acquisition of Dropcam, and the continued modus operandi of mining user data to serve targeted advertisements. Microsoft does not share in either of these criticisms, and I think it could use a healthy dose of maturity and take the high ground on this issue — something more forthright than its hollow Scroogled campaign.
Disclaimer: TechRepublic and ZDNet are CBS Interactive properties.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.