PRISM, Internet Data, Email, and Auntie Mary’s messages


In 1948, it seems like George Orwell was quite prescient when he wrote “There was of course no way of knowing whether you were being watched at any given moment” in his novel “1984”. Apple used the vision painted by Orwell to help launch the Macintosh in 1984. Much to the pleasure of those who believe that big brother is indeed watching us, the tweetosphere (if such a place exists) lit up last week when reports emerged about a US government called PRISM that apparently seeks to capture information about the various Internet activities of foreigners (such as myself). President Obama moved to reassure us that these were “modest encroachments on privacy” and that “you can’t have 100% security and also then have 100% privacy, and zero inconvenience.” Quite.

Microsoft, among other major Internet companies, has been forced to issue a statement to let people know of its stance on the matter, saying “We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis.”

Quite a few people contacted me to ask whether Office 365 was included in the PRISM program (as if I would know). My response is that I doubt very much if any government agency would be able to deal with the sheer volume of electronic communications that exist today without placing very sophisticated filters on the data feed to identify and isolate items that might be of interest and that it’s unlikely that such filters exist within Microsoft’s datacenters. If anything, interception is far more likely as data travels from company networks across the Internet to reach an Office 365 datacenter.

Even though Office 365 datacenters are located around the globe, the problem is that IP packets containing email, attachments, and other data don’t necessarily follow the most direct path across the Internet to reach Office 365 (a fact emphasized by the leaked PRISM PowerPoint, roundly condemned for its poor use of PowerPoint in this Forbes article). Therefore, whilst your mailbox might safely repose in Singapore or Dublin, the traffic to the mailbox might well go via the U.S. and be subject to all manner of interception, examination, and contemplation by three-letter agencies.

I imagine that the fuss and bother about what the NSA has been up to will cause some companies who were considering moving to Office 365 to pause for thought, if only until they are quite sure that they can protect their information en route to and from Microsoft.

But this has been the case ever since Internet-enabled email has been used. In the old days, when company email travelled across company-controlled networks and never saw the light of day outside those networks (except perhaps in printed form), email was relatively secure insofar it was hard(er) for outsiders to access its contents. Of course, company networks were not as secure as they are today and email was not well secured on servers. In many cases, messages were stored in plain text format and were therefore easily readable if a hacker managed to penetrate the network.

Over the last 25 years we have become increasingly dependent on the Internet as a means of communication. To withdraw from using the Internet is unthinkable to many, even if it would mean a little more privacy. (This article draws a picture of what it would mean to stop using the services offered by the companies mentioned in the PRISM hoo-hah.)

Email security experts have advised for a very long time, “never put anything into an email that you wouldn’t put on the back of a postcard”. Of course this will never happen because the sheer ease of communication makes people forget the risk. The Faustian pact of using all of the facilities of the Internet in full knowledge that packets can be intercepted between transmission and reception is unlikely to be terminated.

Whether using Office 365, Gmail, Yahoo! Mail or anything else that sends messages across the Internet, if you want to preserve your privacy in email you need to invest in some form of encryption. Although it might be possible for your chosen encryption to be broken by the supercomputing power now dedicated to observation and capture, at least you’ll have the small satisfaction of costing the snoops some extra resources to interpret details of the birthday present you plan to send to Auntie Mary next week – or whatever else you put into email.

Follow Tony @12Knocksinna

About these ads

About Tony Redmond

Exchange MVP, author, and rugby referee
This entry was posted in Cloud, Email and tagged , , , . Bookmark the permalink.

29 Responses to PRISM, Internet Data, Email, and Auntie Mary’s messages

  1. John says:

    Public Cloud service such as Office 365 is under serious questions today.
    As companies are starting to seriously questioning public cloud security and integrity after the NSA scandal which is now an international news.

    http://techcrunch.com/2013/06/06/report-nsa-collects-data-directly-from-servers-of-google-apple-microsoft-facebook-and-more/

    • Yes, I think some people will start to question the use of public cloud services such as Office 365, but no, it won’t stop me using Office 365. As I point out, the problem is not really with the services, it is far more likely that interception occurs as data passes along the various connectors and pipes that make up the Internet – and this can still happen for on-premises email when messages are sent off-premises (albeit at a much reduced volume as it’s only external traffic).

      TR

      • Bob says:

        Well Public Cloud service such as Office 365 or Google apps are more and more synonym to Backdoor Access these days.

        http://readwrite.com/2013/06/07/prism-fallout-in-cloud-we-dont-trust

      • Moe says:

        I agree 100% with John & Bob.
        It looks like Public Cloud service such as Office 365 or Google apps have Backdoor Access.
        They also found the guy that leaked this and name is Edward Snowden, he is in China now. He has confirmed that Public Cloud to Microsoft & Google has Backdoor Access.

      • Eric Blair says:

        Yes, you are 100% Correct! As the people become more aware that there is no such thing as money, and the we live in a world where everything is converted into capital, including ignorance about “data security”, even mighty Microsoft will not be able to retain the respect of the people.

        In reality, Microsoft is not being honest. Let’s face it, unless you control your personal data completely, it is subject to being scrutinized and pronounced as “questionable”, under the guise of fascists getting their hands on it.

  2. Sam says:

    All over the news now “Agency taps directly into the Google and Microsoft servers”.
    That means Backdoor Access to MS servers such as Office 365.
    Let’s NOT insult people intelligent here.

    • No one is insulting anyone’s intelligence. It’s merely a matter of staying calm until all the facts emerge. Yes, some facts have been put into the public domain by Edward Snowden (http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance), but there is no evidence that any backdoor access exists to Office 365, Google, or anything else. There is evidence that these companies have been responding to requests from the U.S. government to turn over information, but that is hardly an ongoing, systematic, and in-depth harvesting of data from Office 365 or another cloud service. I’m not saying that this might not or is not happening, just that no substantial evidence exists about exactly what is being retrieved by the NSA or any other agency. Until that evidence emerges and is verified, I’m inclined to stay neutral on the matter.

      TR

      • Patel says:

        According to the news, Backdoor Access to Microsoft And Google Public Cloud servers has been going on for many years. So this means Office 365 has Backdoor Access too.

  3. Joe says:

    As pretty much everyone here thinks and 95% of IT pros I talked to last couple days, everybody saying after the NSA scandal everyone knows that Microsoft Public Cloud such as Office 365 has Backdoor Access.

    Now Tony wrote Emails will be intercepted during transition. I would say why on earth would they want to do that when they have direct backdoor access to Office 365 servers and they can just go in and grab all the .ebd files and transaction logs :-)

    • Because it’s much easier to grab stuff off the Internet than to attempt to copy databases and transaction logs and unpack their contents. Intelligence agencies have been intercepting Internet traffic for a very long time so their tools are very sophisticated. Hence my advice that if you want to protect yourself against interception, encrypt your email.

      TR

  4. Lee says:

    Everyone I talked to for the last couple days saying Public Cloud service such as Office 365 has Backdoor Access now that NSA scandal became an international news.

  5. zumarek says:

    Well, again to stir the pot a bit and have some fun … hack was just recently published with iPhone and charger … chargers are made in China … DOD approved iPhones for military … and now we have insects eating electronics …
    something seems odd ;)

  6. Patel says:

    After this NSA scandal, I do not think anyone with right mind will put any corporate Emails on the Public Cloud such as Office 365.
    Exchange On-Premises with encryption as Tony said will be the way to go ;-)

  7. Andrew Mazurek says:

    Patel
    I am sure we will have a good explanation from Microsoft and NSA soon – so we can safely put our data in Office 365. Again for the safety of the nation why not ?

  8. Patel says:

    You guys seen the new Office 365 commercial? ;-)

    “Get Office 365 we will never lose your data. Even if our servers crashes and we lose you data, no worries NSA has it” LOL

    • Tom says:

      The “NSA Backdoor Access to the Public Cloud servers” scandal was the WORST news for Public Cloud companies.
      No one will have any trust to have data in the Public Cloud servers.

  9. Tom says:

    Do you Really think they will come back and say “Yes Office 365 servers have backdoor access for NSA” LOL
    They already said “NSA has access to Microsoft servers in the Public Cloud” such as Office 365.

    • Based on some of the reports, I suspect that this fabled “back door” is not anything that allows government agencies free rein over Office 365, Google Apps, or any other cloud service. Rather, it is much more likely to be something similar to a Dropbox-like facility where government agencies can pick up data that has been extracted by the relevant service as a result of the government serving a discovery notice. It would make sense to have such a facility. Governments will always come up with reasons to look for information, they will get the necessary warrants or whatever other approval is necessary under the law in force, and the service providers will have (no choice but) to respond. Microsoft, Google, Yahoo!, Facebook, and so on are all U.S. corporations and therefore come under the control of the U.S. Patriot Act and therefore have to provide the U.S. government with information that the government requests according to law. Having a secure network location to pick up the extracted information would streamline the process between the two parties and seems to be in line with the description of what’s been going on with PRISM… But a general purpose “access all areas” back door? We’ll need more evidence to be produced before I am convinced that this is the case.

      TR

  10. zumarek says:

    Another fine example of let’s see what happens
    http://www.abuse.ch/?p=5362&cpage=1#comment-674668

    • TJ says:

      I just saw the new Office 365 commercial? ;-)

      “Get Office 365 we will never lose your data. Even if our servers crashes and we lose you data, no worries NSA has it” LOL :-)

  11. George Dougherty says:

    http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-providers-leave-door-open-for-nsa-surveillance/
    Article detailing its exactly what Tony is describing and not what the rest of the misinformation pool has spouted. The whole back door line never smelled right to me as the opsec of such a program would be near impossible to protect. All it would take is one disgruntled employee at any of these companies talking off the record to a reporter to blow something like that open. With a timeline stretching back to 2004, that pushes things past the boundaries of credulity in my book.

    If you want to protect your communications it looks like MS or Google are your options in the cloud. Otherwise go on-premise and make sure you enable tls for your offsite communications. Then make sure you only send mail to encryption capable recipients.

    • Andrew Mazurek says:

      All it takes is one.
      Also looks like lack of common sense security procedures at NSA’s contractor company.

  12. John says:

    @George
    You are correct about Encryption for Emails.
    But after the news of “NSA backdoor access to the Public Cloud servers”, everyone knows that Microsoft or Google Public Cloud servers have NSA backdoor access. So the BEST option to protect your communication is Private Cloud.

    http://www.businessinsider.com/snowden-says-nsa-has-direct-access-to-tech-companies-2013-7

    • George Dougherty says:

      No, everyone does not know that. It’s what was claimed, but the info in the article I linked is significantly more plausible than the tinfoil hat idea that ms and others have had this back door access open for years without any disgruntled person blowing the whistle on it. What is known and has been previously shared around by people on the inside is that they have access to the pipes and what flows through them. If I were interested in keeping tabs on communication it is far more effective and simple to watch the traffic than try to get plugged into all of the communications providers. From there they can then go back to the big providers and request all the details they need on an individual basis.

      George D

      Sent from my iPhone.

  13. Andrew Mazurek says:

    Yeah, move all your servers to Linux distro … this way you are sure that even in Private Cloud you don’t have hidden back door from MS OS.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s