New documents reveal NSA attempts to hoard Outlook.com, Skype and SkyDrive data

Today, Glenn Greenwald, the journalist behind the NSA revelations, released an excerpt from his new book, 'No Place to Hide.' The book mainly focuses on Greenwald's relationship with Edward Snowden, the man responsible for leaking the information about the NSA's spying programs, but also contains four interesting new slides detailing the NSA's relationship with Microsoft and it's data collection from Skype, Outlook.com and SkyDrive (now called OneDrive). 

Discovered by TechCrunch, the new documents show that Microsoft was complict with the NSA in sharing user information, amongst other things, with the intelligence agency. At the time, Microsoft provided the following statements regarding the data collection: 

SkyDrive: 

In 2013 we made changes to our processes to be able to continue to comply with an increasing number of legal demands of governments worldwide. None of these changes provided any government with direct access to SkyDrive.

Outlook.com: 

First, while we did discuss legal compliance requirements with the government as reported last week, in none of these discussions did Microsoft provide or agree to provide any government with direct access to user content or the ability to break our encryption. Second, these discussions were instead about how Microsoft would meet its continuing obligation to comply with the law by providing specific information in response to lawful government orders.

Skype:

The reporting last week made allegations about a specific change in 2012.  We continue to enhance and evolve the Skype offerings and have made a number of improvements to the technical back-end for Skype, such as the 2012 move to in-house hosting of “supernodes” and the migration of much Skype IM traffic to servers in our data centers. These changes were not made to facilitate greater government access to audio, video, messaging or other customer data.

Below are excerpted documents from today's Greenwald leaks.

While the documents do not reveal much new information, they do highlight just how close Microsoft is working with the NSA in passing over user data. 

Source: Glenn Greenwald, TechCrunch | Image via PC World

Report a problem with article
Previous Story

'Flappy Bird' returning in August, this time with a multiplayer feature

Next Story

Microsoft could debut 12-inch Surface at upcoming event

54 Comments

Commenting is disabled on this article.

Another thing that amazes me, from US citizens that are upset with the NSA.

They are mad at the NSA for doing what they were 'tasked' with doing by the Bush administration, and it is a controlled agency. (Which is being reigned in slowly by the new administration.)

However, these same US citizens have NO PROBLEM willingly giving away MORE information to PRIVATE companies that have no regulation or oversight. A Voting public can stop the NSA completely, but there is NOTHING that can stop the use of data these same people are giving Google on a daily basis.

Sad fact, Google knows more about most users than the NSA does. (And Google uses that information to make money and manipulate markets and manipulate geopolitical powers with no oversight.)

While I would term Microsoft's involvement as being "compliant" rather than "complicit", this brazenly illegal, egregiously unconstitutional conduct on the part of the U.S. government, my government, is thoroughly reprehensible. Those most culpable, the likes of Clapper, Hayden, Bush, Cheney, & now Obama, will almost certainly be immune to consequences for their high crimes & misdemeanors.

It is thoroughly unconscionable & incomprehensible that they should uniformly denounce & vilify Edward Snowden, some even expressing that his execution would be wholly just. Until the advent of drone driven aerial execution I had deemed that the act of "Shooting the messenger" was a relic consigned to the past. Now however, and though I am loathe to admit it, The Death Of The Messenger is a possibility that must be considered all too real. Frighteningly so.

I really don't get all this preoccupation about privacy coming from regular people. I use One Drive, Skype and Outlook extensively and I cannot think of anything I may have there that will put me in trouble if the government sees it. Neither there is any activity I do in the privacy of my home that would compromise me if the government had some magical satellite xray system that sees everything people do.
I've been systems admin in corporations and I had access to take ownership of anybody's account, including CEO's, I could set myself permissions to read emails of anybody. Never cared to do it, I had only had to do it once at the request of management for criminal investigation. But otherwise, I never cared. The more access to information you have the more noise, the less you care about what someone said to whom, what porn websites people see, what content people store in the company computer. If employees did some network activity that was prohibited by company policy we would send a notification to backup their personal data into a personal hard drive and delete it from company computers and servers, and after a few days script will go and delete all these automatically.
And I never cared about that content, we are humans and we all have layers, if I stumble into some employee private 'hobbies' all I did was smile, and carried on with other duties. Because, again, the more you know, the less you are surprised, the less you care about people's regular activities. Then you just focus in what really stands up because is really unusual, and of someone ever does something REALLY unusual they should expect to attract attention, regardless if they do it at the 'privacy' of their homes, or on the net.

I'm constantly amazed at how people can miss the point so thoroughly. The "I'm not important enough or doing anything wrong so who cares" bit. If you don't understand the importance of privacy in a free and democratic (supposedly) nation, then you can't really speak intelligently on the subject. Enabling government agencies in this way is inexcusable and shouldn't be tolerated. Microsoft, Google and other large players are easy one stop shopping for alphabet agencies. So if there's nothing to hide, why did they do just that and even lie about it afterwards? Because they care so much about their customers? lol.

I doubt Microsoft or Google had an option not to provide this access, nor I think they wanted. This was imposed by a democratically elected government and you shouldn't blame a company for complying with the law. And what is privacy? Privacy is the right of not being bothered if you are not doing anything wrong or suspicious. Is not a right to do illegal stuff as long as is 'private'. If you cook cocaine in the privacy of your home and your neighbor smelled it and reported you, he's not invading your 'privacy', he's just reporting a crime.

We should all send out a billion e-mails loaded with keywords that would overload the NSA, and bring them to a halt.

These documents ONLY detail how they handle legal requests, there is NOTHING about the NSA getting access to data or servers.

Because of 'how' Microsoft encrypts data, even a legal request can be tricky for the NSA to process, and this details how to deal with and unlock encrypted data given to the NSA from Microsoft.


I am starting to loose my faith in the authors/editors at Neowin's ability to comprehend what they are reading. This is borderline laughable that the Neowin summary is even close to accurate.

Hello,

you mean well, but it looks like you stopped reading after the first part of the article: the quotes from Microsoft.

If you read further, you'll see that this leak is DEFINITELY about eliminating the need for using legal requests because the data will be collected automatically. See the first document: official data request will no longer be necessary for Skydrive. The other documents are about real time data collection of PRISM, which are not "legal requets" but rather collecting of everything no matter what it is.

ulric said,
Hello,

you mean well, but it looks like you stopped reading after the first part of the article: the quotes from Microsoft.

If you read further, you'll see that this leak is DEFINITELY about eliminating the need for using legal requests because the data will be collected automatically. See the first document: official data request will no longer be necessary for Skydrive. The other documents are about real time data collection of PRISM, which are not "legal requets" but rather collecting of everything no matter what it is.

You are conflating PRISM networking leeching and access Microsoft provides.

Go read this story on a 'real' tech site, or a legal site, their interpretation is exactly the opposite of what is being portrayed here.

Microsoft handing over 'encrypted' bits has been problematic for law enforcement and the NSA, because it is how Microsoft has access to the data themselves. These processes are to help escalate the process to match the user GUID to when it is a legitimate legal request, so that the bits are readable by the NSA.

0--JLowzrif said,
"Because of 'how' Microsoft encrypts data, even a legal request can be tricky for the NSA to process, and this details how to deal with and unlock encrypted data given to the NSA from Microsoft."

How's Microsoft encrypts data?

Like this....

Microsoft handed the NSA access to encrypted messages

http://www.theguardian.com/wor...nsa-collaboration-user-data

What you are not getting is that this is about metadata collection, with the NSA was given legal access to collect by the Bush administration in 2004-2008. See Patriot Act, see PRISM.

ALL tech companies had to provide metadata access to transferred information, just as phone companies had to provide calling metadata. Because Microsoft's metadata was encrypted, they had to make an exception for the metadata, but NOT THE DATA.

ATT, Verizon, Sprint, (any Telco) also had to provide 'unencrypted' access to metadata, just as AOL, Yahoo, Google and every other company. Microsoft was a bit more or a challenge as the NSA couldn't directly tap their servers or circumvent their metadata encryption in real-time while leeching trunks.

This isn't complicated and I'm surprised people are so close to getting it, and then proclaim the earth is flat.

Apparently for some the earth is spherical and for others is "Hollow" just like their heads are...

‘We Kill People Based on Metadata'
http://www.nybooks.com/blogs/n...kill-people-based-metadata/

"Why The “It's Just Metadata” Argument Is False"
http://www.outsidethebeltway.c...metadata-argument-is-false/

"Judge destroys ‘just metadata' argument"
http://www.msnbc.com/msnbc/not-just-metadata

"Evidence that the NSA Is Storing Voice Content, Not Just Metadata"
https://www.schneier.com/blog/...013/06/evidence_that_t.html

"Microsoft, Facebook, Google and Yahoo release US surveillance requests"
http://www.theguardian.com/wor...-fisa-surveillance-requests

NSA's Strategic Partnerships (Microsoft is in off course)
http://revolution-news.com/str...th-greenwalds-book-release/

and so on and so on...

One friendly advice, Give it a rest!

jasondefaoite said,
Yeah, it's probably worse now.

Yes, let's just assume it's worse and not look at the facts. That's what logical people do, right?

I'm taking this with a pinch of salt as this doesn't really prove anything and these 'extracts' could have been typed up by anyone.

I also have nothing to hide or anything of value stored on my OneDrive account so if these government figures want to look at my data all they will find is boring documents and daft pictures, if that's a threat to national security arrest me now!!

What goes around comes around. Guess the peoples representatives in congress know they are being watched too. The NSA will reap what they have sown, pitiful if you are an american citizen. Happy to say I don't use these services, but if the sad state of the inter-web keeps on course I will have no good reason to pay for access to it. The cellphone is already gone, cable TV and cable modem are next.

I'm getting sick and tired of these NSA blasts on Microsoft articles. Every dominant tech company has been doing this for quite some time now and no one knew or really cared. Now ever since these NSA leaks, the press freaks out and as usual blows things out of proportion. They have to legally comply or face the consequences. Also, we all know Microsoft and others have drastically restricted access in recent times anyway. There's a difference between providing information for security purposes (i.e. an investigation on a crime) vs. using your information for gaining profit (i.e. what Google does) which I find is even more baffling. It's not like either sit around going through everyone's stuff. It's all automated.

Everyone involved lied, the government, the NSA and yes your precious Microsoft. They all were and are still wrong for doing so. Just because it would have damaged their business doesn't make it OK. They had choices and made some pretty bad ones by allowing EASIER access on top of access to begin with. I understand this is Neowin, but this level of cheerleading is just a little pathetic.

It wasn't a "law", it fact, it's unconstitutional and many of the practices are technically illegal right now. But because of supposed terrorism, we're supposed to willingly and gleefully sacrifice an entire nations right to privacy and other rights. They had a choice and made one based on self interest, you can excuse it all you want, but most will not and rightly so.

Who cares what their computer systems look at. You're basically anonymous to whoever ends up looking at something in more detail - you're not going to be walking down the street and an NSA agent call out "hey it's Jimbob, Hey Jimbob, love your porn stash".

I honestly don't give a damn if a Government agency looks at my life.

The NSA was looking at pictures of my cat from my OneDrive and sent two agents over. They drew their guns but all they really wanted to do was have the cat chase the laser sight dots.

Jesus what a reckless statement. The damage is done when the decide to target someone for any number or reasons and pull up your life from the past ten years and simply use the most damning items against you. Only serious cheerleaders can dismiss this as no big deal and pointing fingers at other companies that do the same is childish as well. I think we all know who the real terrorists are now.

Why is the press targeting Microsoft? All tech companies doing business in the United States are legally required to comply with the NSA.

Well it's one thing to comply with lawful requests, but it's kind of strange that according to this, they built some kind of open access or automated system for letting them monitor and store copies of things from their services.

I don't know how true all of this is though. I can make up some of this stuff too. All I need is a monospaced font, some imagination, and a scanner to make it look like it came off some document instead of something I just whipped up in Notepad.

Because in todays tech press, their blessed Google can do no wrong, while Microsoft can do no right

get with the times man!

In any case, FISA secret orders compel you to do something you do it, That is the law, US citizens can blame their government, their reps and themselves(for allowing it to happen)

Enron said,
Well it's one thing to comply with lawful requests, but it's kind of strange that according to this, they built some kind of open access or automated system for letting them monitor and store copies of things from their services.

PRISM, the program that enables this automated collection, has required every major tech company to comply with the NSA, not just Microsoft. It's just bothering me that people are specifically calling out Microsoft. Plus, even if they don't comply, they have packet inspectors that clone and analyze every single Internet packet, using Narus. If Microsoft wasn't required to comply with the NSA, they wouldn't.

Its already been shown NSA and other spy agencies were are or had been tapping into Fibers directly this is why most companies started encrypting ALL traffic

BUT companies are also Legally obliged /compelled to give access to even stored encrypted data, All companies are legally compelled to have the KEYS on hand

dingl_ said,
Because in todays tech press, their blessed Google can do no wrong, while Microsoft can do no right

get with the times man!

In any case, FISA secret orders compel you to do something you do it, That is the law, US citizens can blame their government, their reps and themselves(for allowing it to happen)


I guess you missed when tech press reported about Google meeting with NSA....
All companies handling data are in the same boat here, which is obvious: if you plan monitoring such activities you want everybody in.

No I didn't miss the articles... My point is Microsoft will be ragged on for months-year
google and others get a few days in Tech headlines

dingl_ said,
No I didn't miss the articles... My point is Microsoft will be ragged on for months-year
google and others get a few days in Tech headlines

Undoubtedly some sites will pull more emphasis on MS, some others on Google and so on....

Enron said,
Well it's one thing to comply with lawful requests, but it's kind of strange that according to this, they built some kind of open access or automated system for letting them monitor and store copies of things from their services.

All it says is that they don't need a *special* request any more. This could easily mean that they can now do a normal request which I assume would be to fill out a web form.

I have seen nothing yet to confirm that Microsoft is handing over data without a human authorizing the requests, even though the tech press seems convinced otherwise.

Enron said,
I don't know how true all of this is though. I can make up some of this stuff too. All I need is a monospaced font, some imagination, and a scanner to make it look like it came off some document instead of something I just whipped up in Notepad.

Whilst I'm happy to believe these are legit, the marketing spiel at the end of the second entry seems out of place. Also the red outline on each "NAME REDACTED" look like they're there to enhance suspension of disbelief. Normally people just turn those things into solid rectangles.

Cosmocronos said,

Undoubtedly some sites will pull more emphasis on MS, some others on Google and so on....


But globally its mainly MS. I even hear average joe's about MS and NSA practices, totally unaware that their precious Apple (for example, as iPhone/OSX users) have to comply to the exact same.

WIth all the data collection going on is the US any more capable then they were on/before September 11th 2001 at stopping an act of terrorism before it happens? Back then the NSA did not act on warnings of pilots being trained to fly, but not to land, as early as 1999. What knowledge is actionable and why is some ignored? Does collecting "everything" help recognize and confirm evil intent, or is there an even bigger pile of bureaucracy building at today's NSA? Tough situation for us all.
reference: wikipedia: https://en.wikipedia.org/wiki/...in_the_September_11_attacks

They've just gone batsh*t crazy IMO, they are collecting so incredibly much data, it overflows them.
It does seem to work, I know of several cases in the last few years where our AIVD (Dutch NSA/CIA) was informed by the CIA about terrorists (not just arabic but domestic ones), a few wanted-by-interpol suspects we(whole EU) didn't notice.
But I can't seem to stop thinking that the more useless information they are digging up about everyone, the less people they actually want to find are spotted.

Torolol said,
this not surprising considering it was Microsoft who the first/earliest to join NSA among other big data companies.

In all fairness, Microsoft was probably the first to be asked (or forced to comply) because of its dominance in the operating system market.

Ian William said,

In all fairness, Microsoft was probably the first to be asked (or forced to comply) because of its dominance in the operating system market.

Indeed. And really, does anyone think that all of the major tech companies, offering cloud hosted solutions, aren't dealing with the NSA? I can't imagine there are very many out there without their data being tapped by the NSA - either with agreement, or without agreement.

Sheesh Microsoft, how are you going to retain customers if bs like this keep happens, even after the facts? And it's not like they have the best customer recognition either.

TBH, I've starting to use less and less of Gmail and Outlook. Beta testing startmail now. It's nowhere close to either mainstream one, but I have a piece of mind when I use it.

cetla said,
Sheesh Microsoft, how are you going to retain customers if bs like this keep happens, even after the facts? And it's not like they have the best customer recognition either.

TBH, I've starting to use less and less of Gmail and Outlook. Beta testing startmail now. It's nowhere close to either mainstream one, but I have a piece of mind when I use it.


You act like they have a choice. Quit being dumb and realize they have to comply with the law.

SharpGreen said,

You act like they have a choice. Quit being dumb and realize they have to comply with the law.

isn't handing over user data without warrant actually illegal? they had to comply for something else I presume.

cetla said,
Sheesh Microsoft, how are you going to retain customers if bs like this keep happens, even after the facts? And it's not like they have the best customer recognition either.

TBH, I've starting to use less and less of Gmail and Outlook. Beta testing startmail now. It's nowhere close to either mainstream one, but I have a piece of mind when I use it.

You're naïve if you think this will affect their customer retention.

x.iso said,

isn't handing over user data without warrant actually illegal? they had to comply for something else I presume.
If the government says do it, it's the law. That's what law is. It may be illegal to hand over the data, but it's illegal to NOT hand over the data.

Beaux said,
If the government says do it, it's the law. That's what law is. It may be illegal to hand over the data, but it's illegal to NOT hand over the data.

are you being sarcastic? If government representative does something illegal then it's illegal and should be dealt with.

x.iso said,

are you being sarcastic? If government representative does something illegal then it's illegal and should be dealt with.
I already acknowledged what you just said. It may be illegal. And it may be that it should be dealt with. BUT, it is ALSO illegal to not hand over the data.

Newsflash Secret FISA orders don't require any traditional warrant
It is a Green Light monkey court run by NSA and other governing authority

You can thank your Presidents for that BS(if you are a US citizen that is)

cybersaurusrex said,
Without a warrant? If so, troubling... and unconstitutional (in my opinion).

Actually it doesn't say that the requests can be made without a warrant. Nothing is said about the legal part of this process.