Microsoft adopts first international cloud privacy standard (microsoft.com)
114 points by varunagrawal on Feb 16, 2015 | 57 comments



This is a great move. Of course, there's the massive loophole on the last point that they really can't do anything about:

>The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law.

Since the policy of several governments seems to be "collect everyone's data and don't inform anyone about it under penalty of law," it's a pretty weak protection. Seems like the only way around it is removing centralized keys. Even if you trust your own government with the data, there are probably other ones you don't trust and you have no control over that will collect your data if they have any opportunity to do it.


Yeah, it's not like Microsoft could write a privacy policy that lets them not follow the law, and expect that to matter to law enforcement. Until the law changes, there's not much that individual companies can choose to do about that.

At least they're at least saying that they will be transparent whenever they are legally allowed to do so, which is something.


It's not just about strict adherence to the law. These companies have been willing to cooperate with the state voluntarily, even when doing that was legally questionable. For instance, the AT&T data collection 'room' as well as the special infrastructure hooked directly into internet giant's networks. It takes more than just laws to stop these practices, you need a reform of government and the secret agencies.


I think privacy should be the first priority when it comes to personal data. Intelligence agencies need to be intelligent in collecting data, not directly requesting it.


Oh yes, they can do something, for example store the user data in the cloud only encrypted. It seems they don't want to do that, however.


Because if they did that then they would be breaking the law. 'Disclosing data if law enforcement asks for it' isn't only if the data can be disclosed; It means that If law enforcement asks for it you MUST be able to disclose it.


No, that's not the case in all countries, and probably shouldn't be the case in any country, but the UK is pretty weird like that, so I don't know about the UK.

But in the US, the law says companies must provide the data unencrypted ONLY IF THEY CAN DO THAT. So if they're using strong end-to-end encryption, the law should be on their side, since they can't decrypt the data themselves. Only the users can.

That's why the FBI was making such a big deal about Apple encrypting the data with the user's key in the press. Because they knew they can't do anything about it, and the best they could hope for is to make it a big enough scandal that Congress will pass a law against such encryption.

And the reason I said this is how it should work in all countries is because it's common sense. If companies can't do something, then they can't be forced to do it. But as I said, in the UK you could go to prison even if you forgot your password, and they ask you for your drive's password. That's an illogical law, but I guess that's what UK citizens get for not having a Constitution: illogical and abusive laws from the government that trample people's rights.


It's a little ironic to say that when the U.S. is willing to break the laws of other countries when it suits them. Accessing EU data from the US is certainly illegal under that. The fact that the EU commission hasn't done anything about it is another issue entirely.

I won't debate specifics of the letter of the law because I don't know them, but I'm not convinced you do either.


What information is required to be retained, for how long and by which law?


As I've said, the taxes from other countries somehow don't have to be paid (1), but the user data from these is claimed a "must." Strange.

1) http://www.dailymail.co.uk/news/article-2868322/Disney-Micro... "Disney and Microsoft dragged into Luxembourg tax avoidance scandal engulfing EU chief Jean-Claude Juncker"


And then what? They either keep the keys themselves, or the customer has to ensure that the key exists on every device they want to access the data from. If you're a one-man shop that doesn't matter, but if you're a multi-national trying to rollout Office 365, it makes it prohibitive.


They could always keep the keys in multiple different companies, across multiple jurisdictions. Imagine all Microsoft cloud data is encrypted under a threshold cryptosystem, requiring the cooperation of 5 parties to authenticate users and jointly generate user keys. Now, each of those parties is a fully independent company, with its own CEO, own board, own employees and own counter-espionage division. In order to decrypt the data of any Microsoft user, anywhere in the world, they will need to simultaneously authenticate with:

* Microsoft Corp, U.S.A.

* Microsoft AG, Germany

* Microsoft, China

* Microsoft, Russia

* Microsoft, India

And have each one of those independently generate key material that, when combined, can be used by the user to generate their decryption/signing keys, which are used to secure their data.

In order to compel this system to give the user's data to a third party, all five governments involved must compel all five entities involved to release the key materials.

Of course, even better than 5 "Microsofts" would be a general distributed protocol in which users trust X companies in Y countries with their data, such that no less than Z < X companies are required to approve any re-construction of the user's key. The protocol can further be designed to make it as hard as possible to re-construct any keys without simultaneously announcing publicly that a key has been re-constructed (e.g. via a block-chain based protocol).

Is this a huge pain to implement? Yes, yes it is. But, is there any viable alternative for a globally trusted internet/cloud in the era of internet militarization?
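The "Z of X custodians" scheme sketched in the comment above is Shamir secret sharing over a finite field. The following is an added example, not code from the thread or from any Microsoft product: a key-encryption key is split 3-of-5 among five custodians so that any three rebuild it and any two learn nothing. The custodian names, the field prime and the sample key are this example's own assumptions.

```python
"""Threshold secret sharing (Shamir) over a prime field.

Added example, not part of the thread or of any Microsoft design: a
key-encryption key is split among X custodians so that any Z of them can
rebuild it and any Z-1 learn nothing.  The custodian list, the field
prime and the sample key are this example's own assumptions.
"""
import secrets

# Field prime 2**127 - 1 (a Mersenne prime): large enough to hold a 16-byte key.
P = (1 << 127) - 1

# The five hypothetical custodians from the comment above (assumed names).
CUSTODIANS = ["Microsoft Corp, USA", "Microsoft AG, Germany",
              "Microsoft, China", "Microsoft, Russia", "Microsoft, India"]


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, n: int, k: int):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be an element of GF(P)")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def lagrange_zero(points):
    """Interpolate the unique polynomial through `points` and evaluate it at x=0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def combine(shares, k: int) -> int:
    """Rebuild the secret from at least k distinct shares; refuse otherwise.

    With fewer than k shares the interpolated constant term is a uniformly
    distributed field element: every candidate secret is equally consistent
    with the shares, so a compelled subset of custodians reveals nothing.
    """
    distinct = {x: y for x, y in shares}
    if len(distinct) < k:
        raise ValueError(f"threshold is {k}, only {len(distinct)} distinct shares given")
    return lagrange_zero(list(distinct.items())[:k])


def demo():
    """Split a constructed 128-bit KEK 3-of-5 and rebuild it from two different quorums."""
    kek = int.from_bytes(bytes.fromhex("000102030405060708090a0b0c0d0e0f"), "big")
    shares = split(kek, n=len(CUSTODIANS), k=3)
    by_custodian = dict(zip(CUSTODIANS, shares))
    quorum_a = [by_custodian[c] for c in CUSTODIANS[:3]]          # USA, Germany, China
    quorum_b = [by_custodian[c] for c in (CUSTODIANS[0], CUSTODIANS[3], CUSTODIANS[4])]
    return combine(quorum_a, 3) == kek and combine(quorum_b, 3) == kek


if __name__ == "__main__":
    print("3-of-5 reconstruction works:", demo())
```

The property that matters for the compulsion argument is in `combine`: two custodians jailed in one jurisdiction hand over two points on a degree-2 polynomial, and the line through those two points says nothing about the constant term. What this toy does not give you is the "announce publicly that a key was reconstructed" property from the comment; plain Shamir reconstruction happens silently on whichever machine gathers the shares, so that audit trail has to come from the protocol around it.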


This reads like a strong case of: http://xkcd.com/538/

> Now, each of those parties is a fully independent company, with its own CEO, own board, own employees and own counter-espionage division. [...]

Do you remember that US judges didn't even give a fuck about other _countries_ having different privacy laws? I can't imagine that they will respect that "this company which actually isn't one, but five"-move.


Being in a different jurisdiction makes the wrench crypto-analysis pretty hard as well ;). Not impossible, sure, but politically and economically costly. Remember, this is about trusting some sort of global cloud without everyone in the world having to trust a single third-party government. If the user lives within the country of the government seeking to compel them, and the laws of said country are such that torture is a permitted method of interrogation (specifically, by monkey wrench), well... nothing your cloud provider can do for you, except perhaps try to help you fly under the radar (steganography, anonymous logins, etc.). Keep in mind, that in the case of mass surveillance, even if every user is vulnerable to wrench crypto-analysis, the fact that the cloud provider isn't still raises the costs of widespread surveillance enormously.

As for US judges not caring about the five companies thing. Well, so what? They can, assuming their local laws and political climate lets them get away with it, jail everyone working for their local company. This should not compel the other four companies, in four other countries, to give them the extra four components of the key. Note that I selected USA/EU/China/Russia/India for a reason, and not, say... USA/Mexico/Colombia/Afghanistan/Iraq. If this sort of system were the accepted global standard, any nation that tries to "brute force" their own local company, instead of using whatever legitimate procedure becomes available for internationally agreed law enforcement, would just be basically marginalizing itself out of the internet.

I'll be the first to admit that what I am describing is not very likely. It would probably require a significant number of governments to be basically OK with not having access to certain data about people, so long as other governments don't have access either, which is not what most political leaders are clamoring for right now. But the problem is, the alternative is not business as usual either, the alternative is every country basically building their own silo-ed internet over time (China is there, Russia is heading there, the EU is strongly considering it, etc). Reasonably powerful non-U.S. countries will eventually see using U.S.-company run cloud services as equivalent to what Americans would think of say, having their energy grid directly connected to power plants in Russia over Alaska and running no plants within their own territory.


"if you're a multi-national trying to rollout Office 365" ...if you're competent, you already issue your own certificates for other purposes and install them on the computers you own. Therefore maintaining additional keys would not even cause adding more manpower than what you already have.

If you are multi-national and not having your own certificates, I'd be happy to do some consulting for you.


That's not the issue. The issue is that now you have to maintain a solution for key distribution across thousands of laptops, tablets, and phones. For some orgs it isn't too hard and can be part of their existing solutions (as you note), for others it is. Remember that a lot of the reason that orgs are using solutions like Office 365 is remote working, BYOD, and explicitly not having to maintain all that supporting infrastructure (I don't disagree with you though, and best practice is often different from widely-used practice)

Owning your own encryption keys also has other issues: Do you issue per-user keys, or an org-wide key? If you issue per-user keys, how do you share documents between users? If you have an org-wide key that gets compromised, how quickly can you re-key every device and re-encrypt every document (how do you even detect that it's been compromised?)? If you encrypt using your own keys, how does that impact any processing that happens 'in the cloud' (eg. search indexing, batch processing)? Do you need to run encryption endpoints locally that users can access all the data through?

All of these problems are solvable. All of these problems can become a nightmare depending on your org, rollout, users, existing environment, etc.

I guess the point I'm making is that 'encrypt all the things' is rarely the {best,easiest,possible} way to do things.
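The questions above (per-user keys or an org-wide key, how sharing works, what a re-key costs) are usually answered with a key hierarchy: each document gets its own data-encryption key (DEK), and the DEK is wrapped separately under each reader's key-encryption key (KEK). The following is an added example, not Office 365's or any vendor's design, showing that shape end to end. The cipher is a stand-in built from SHA-256 in counter mode plus an HMAC tag so the file runs on the standard library alone; a real deployment would use AES-GCM or XChaCha20-Poly1305. User names and document text are constructed.

```python
"""Per-document keys wrapped per user (envelope encryption).

Added example, not Office 365's or any vendor's design.  The cipher is a
stand-in (SHA-256 keystream + HMAC tag) so this runs with the standard
library only; use AES-GCM or XChaCha20-Poly1305 in a real system.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so encryption and MAC never share one."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks (stand-in for a real cipher)."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or any tampering fails here."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class Vault:
    """Server-side store: holds ciphertext and wrapped DEKs only, never a plaintext key."""

    def __init__(self):
        self.docs = {}  # doc_id -> {"ct": bytes, "wraps": {user: wrapped_dek}}

    def store(self, doc_id, plaintext, owner, owner_kek):
        dek = secrets.token_bytes(32)              # fresh data-encryption key per document
        self.docs[doc_id] = {"ct": seal(dek, plaintext),
                             "wraps": {owner: seal(owner_kek, dek)}}

    def share(self, doc_id, from_user, from_kek, to_user, to_kek):
        """Sharing = unwrap the DEK with your KEK and re-wrap it for the recipient."""
        doc = self.docs[doc_id]
        dek = unseal(from_kek, doc["wraps"][from_user])
        doc["wraps"][to_user] = seal(to_kek, dek)

    def read(self, doc_id, user, kek):
        doc = self.docs[doc_id]
        if user not in doc["wraps"]:
            raise PermissionError(f"{user} has no wrapped key for {doc_id}")
        return unseal(unseal(kek, doc["wraps"][user]), doc["ct"])

    def rotate_kek(self, user, old_kek, new_kek) -> int:
        """Rotate a user's KEK: re-wrap that user's DEKs only; document ciphertext is untouched."""
        n = 0
        for doc in self.docs.values():
            if user in doc["wraps"]:
                doc["wraps"][user] = seal(new_kek, unseal(old_kek, doc["wraps"][user]))
                n += 1
        return n
```

Two consequences follow directly from the structure. Routine KEK rotation is cheap because only the small wrapped-DEK records change, which answers the "how quickly can you re-key every device" question for the hygiene case; but if a KEK was actually compromised, the attacker may already hold the unwrapped DEKs, so the affected documents must get new DEKs and be re-encrypted, which is the expensive case. And because the server never sees a DEK, it also cannot build a search index over document contents, which is the cloud-side processing trade-off the comment points at.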


> The British Standards Institute (BSI) has now independently verified

Yeah great, show your proprietary code to a third party company and everyone is just going to immediately trust you.

Plenty of other cloud storage services offer real reasons to trust the backing store, namely that the code is open. I can audit it, my neighbor could audit it, and every corporate user is liable to audit it. I have no reason to ever trust an arbitrary third party I have never had reason to trust in the past who is now trying to guarantee your cloud is secure, when competitive options are letting me do my own auditing, if I wish.

Is there anything else this is comparable to - where a company has the gall to say "another company looked at our black box and said it was good, so trust us alright guys?". When cars or houses or roads or food get certified for something you always have the capacity to reproduce the certification process yourself as a verification measure. You cannot do that to proprietary software, especially when it's on some foreign server somewhere running who knows what version of it.


> Is there anything else this is comparable to - where a company has the gall to say "another company looked at our black box and said it was good, so trust us alright guys?

Uh, isn't that how third party trust works?

Like how SSL cert verification goes to a trusted root CA for validation.


Not really, the only secret the trusted root has is their private key, not an entire stack of software/hardware/etc.


Your CA shows you everything they run?


To be honest people have pointed out problems with that as well.


Unless you opt to run all your own stuff you will need to trust someone. Even if all of Microsoft's code were open source, how can you trust they're not running a modified version?


Open-sourcing helps though. Also, relying on ISO for the standard (which has been sketchy in the past when it comes to Microsoft, see also OOXML) was probably not a good idea. Microsoft doesn't have a great reputation for security either.

It's true, ultimately cloud security relies on trust, but I don't think Microsoft has done enough to deserve my trust, even if this is a good step forward.


Quite a bit of MS's cloud stuff, especially Azure /is/ in fact open source. http://azure.github.io/ here, take a look and audit their azure source to start.


https://github.com/azure and http://github.com/microsoft are where a bunch of the OSS code is kept.


Still, note that they don't say that the user data will be encrypted before being transferred to the cloud, or, even more important for Europeans, that European data would be managed strictly in Europe. Interestingly, the money received in Europe is, without any problem for all these big companies, managed so that it does not end up in the US (avoiding the taxes); the data, it seems, is still not important?


Should there ever be any reason to trust your privacy to proprietary software running on a third party's server? Or is this "privacy standard" they are conforming to just another form of security theatre?


Replace "proprietary" with "open source" and the argument is virtually the same. You still need to trust the third party running the software.


A company that slurps all contacts and calendar entries from customers' smartphones without their explicit consent and without a way to opt out from it is talking about privacy.


> The IT industry clearly needs systems so that companies can work well together, and these systems need to work well in all countries. The ISO process for IT standards was designed to promote interoperability, portability, and cultural and linguistic adaptability, using a consensus process. We believe strongly in these goals, but the current process is not designed to achieve them. The OOXML proposal has exposed serious flaws in ISO process–especially in the fast-track process–and we believe these flaws need to be fixed.
>
> The credibility of ISO is at stake.

http://magazine.redhat.com/2008/03/24/iso-approval-a-good-pr...

> Either way, the ISO's current state is likely to be seen as a quagmire when viewed through history's lens.
>
> Microsoft did not respond to several calls requesting comment.

http://archive.wired.com/software/coolapps/news/2007/08/ooxm...

> We begin therefore where they are determined not to end, with the question whether any form of democratic self-government, anywhere, is consistent with the kind of massive, pervasive, surveillance into which the United States government has led not only us but the world.
>
> This should not actually be a complicated inquiry.


Has the ISO 27018 process suffered from the same issues seen in the OOXML discussion?


Ex-Microsoft privacy adviser: I don't trust company

Microsoft's former chief privacy adviser said he did not have faith in the security of the software company's technology

http://www.theguardian.com/world/2013/sep/30/microsoft-priva...


Has the ISO 27018 process suffered from the same issues seen in the OOXML discussion?

Additionally, is the ISO 27018 not worth implementing because Microsoft seems to have implemented it (allegedly)?


"There is no cloud, just other people's computers."

FSFE Sticker: https://blogs.fsfe.org/mk/files/2014/11/there-is-no-cloud-pa...


Can anybody clarify what privacy I as a Bing, Outlook, Windows Mobile user get from this? It mentions enterprise customers; does this mean these standards don't apply to users of the above-mentioned services?


I'm pretty sure it's a different set of rules for regular consumers vs enterprise. It's always been that way in the past. That said, can you really trust any "cloud storage" provider these days? I'd say the most trustworthy would be someone like SpiderOak, as they don't have access to your private key and therefore have had minimal requests from law enforcement which yielded no info[1].

And I say that as someone who has settled on OneDrive for my casual cloud storage, with more important or private files (taxes, finances) stored on a personal server running OwnCloud from my home office. I have all of my files, important and casual, backed up to an external drive that lives in a fire safe. Not as secure as, say, a bank deposit box, but better than nothing.

[1]https://blog.spideroak.com/20150212080057-increasing-transpa...


Such "transparency reports" are only a lower bound. If the government requires you to keep the request a secret, you must keep it secret.


SpiderOak's client is closed-source though, so you only have their word that they don't have your private key.


This might actually mean something had it been a company from a country where there weren't secret courts that can create secret subpoenas.


Microsoft a forerunner on global privacy. .NET open sourced and (soon) running on Linux and Mac. Things certainly do change.


Forerunner? It's a cut down version of https://cloud.google.com/terms/data-processing-terms which has been in place for quite some time.

(Tedious disclaimer: my opinion, not my employers. Not representing anybody other than myself. I work at Google, not on cloud, although I routinely fire my nerf gun at people who do)


It wasn't a jab at competitors, neither an attempt to make MS seem like /the/ forerunner. Just to say that it's definitely a different MS we're seeing.


And quickly. This was not that long ago: http://recode.net/2014/03/20/microsoft-says-will-tighten-its... (I particularly liked their reference to their customer's emails as Microsoft's "own emails and customer services" and that searching their customer's data is "searching ourselves").


How are privacy and open source related?


Neither is a word which you would have associated with Microsoft ten years ago.

An example for you: Microsoft used to have an identity service called 'Passport'. They wanted to make it into a universal login, along the lines of Google ID or Facebook logins today. They created a whole suite of related services, codenamed 'Hailstorm', which they tried to bring to market under the terrible name of ".NET MyServices". And they failed because the universal reaction of the world was that they were not prepared to trust Microsoft with their privacy. (see, e.g. http://www.theregister.co.uk/2002/12/17/net_my_services_gone...)


You can't have a reasonable assurance of privacy unless your software is open source.


And that software is running on a machine that you own and control with verified open firmware running on open hardware with no known security vulnerabilities, with strong encryption on the drive and a locked bios, and not connected to any network (including the internet) where all the devices on that network satisfy the previous conditions.

If any of these are not met then you are trusting someone else with your privacy.


Going that direction, one could argue that what you open source might not be what you are running in production.


Right, you can never be 100% certain it's the same code. But it's a valuable "good faith" step that sets a level of trust between the users and developers.



To be fair to Microsoft, they are fighting these requests, especially when it comes to requests outside US jurisdiction: https://www.eff.org/press/releases/eff-court-us-warrants-don...


On the contrary, they're the most enthusiastic and willing participant http://www.nytimes.com/2013/07/12/us/report-indicates-more-e...


Is there any way I can legally read the standards document without paying the prohibitive fee?


How "real" is this standard? I mean it seems to be set by the GCHQ motherland.


The standard was created by the ISO JTC1/SC 27 Working Group 5 (Privacy and Identity Management). It seems like mostly a European effort, which certainly isn't limited to Great Britain. Europeans usually take privacy very seriously.


Except the European data privacy regulations don't seem to be too restrictive of law enforcement.


In an interview Richard Stallman, head of the Free Software Foundation, said:

Microsoft corrupted many members of ISO in order to win approval for its phony 'open' document format, OOXML. This was so governments that keep their documents in a Microsoft-only format can pretend that they are using 'open standards.' The government of South Africa has filed an appeal against the decision, citing the irregularities in the process.

http://en.wikipedia.org/wiki/Standardization_of_Office_Open_...




