Microsoft’s OneDrive Storage Expands NSA Surveillance


Earlier this month Microsoft announced that its Office 365 subscribers would be able to upload an unlimited amount of data into Microsoft’s cloud-based infrastructure. Microsoft notes that the unlimited data storage capacity is:

just one small part of our broader promise to deliver a single experience across work and life that helps people store, sync, share, and collaborate on all the files that are important to them, all while meeting the security and compliance needs of even the most stringent organizations.

Previously, subscribers could store up to 1TB of data in OneDrive. The new, unlimited storage model, creates new potential uses of the Microsoft cloud including even “wholesale backup of their computer hard drives, or even of their local backup drives”. And, given OneDrive’s integration with contemporary Windows operating systems there is the opportunity for individuals to expand what they store to the Cloud so it can be accessed on other devices.

While the expanded storage space may be useful to some individuals and organizations, it’s important to question Microsoft’s assertion that OneDrive meets the most stringent organization’s security and compliance needs. One reason to question these assertions arise out of a memo that was disclosed by National Security Agency (NSA) whistleblower Edward Snowden. The memo revealed that:

NSA Memo on Microsoft enabling SIGINT Access to SkyDrive

As summarized by the Electronic Frontier Foundation, Section 702 of the FISA Amendments Act which is mentioned in the NSA memo is extremely permissive. The section has been used to authorize:

  • collection of Americans’ phone records without a warrant;
  • access to large portions of Internet traffic that moves through American servers;
  • disclosure of collected information to other parties (e.g. the Drug Enforcement Agency);

European policy analysts agree that Section 702 is overly permissive(.pdf) and argue that the definitions used in the section are so general that “any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.” The scope of surveillance was made worse as a result of the FISA Amendments Act 2008. While the FAA 2008 is perhaps best known for providing legal immunity to companies which participated in the warrantless wiretapping scandal, it also expanded the scope of NSA surveillance. Specifically:

[b]y introducing “remote computing services” (a term defined in ECPA 1986 dealing with law enforcement access to stored communications), the scope was dramatically widened communications and telephony to include Cloud computing (.pdf source).

Microsoft’s expansion of OneDrive storage limits is meant to enhance its existing consumer cloud offerings. And such cloud storage can produce workplace efficiencies by simplifying access to documents, protecting against device loss, and externalizing some security-related challenges.

However, if subscribers take advantage of the new unlimited storage and send ever-increasing amounts of data into Microsoft’s cloud, then there will be a much greater amount of information that is readily available to the NSA (and other allied SIGINT agencies). And given that Section 702 authorizes surveillance of foreign political activities there is a real likelihood that data content which was previously more challenging for NSA to access will now be more readily available to interception and analysis.

Signals intelligence agencies, such as the NSA, are likely not top of mind threats to individuals around the world. However, Microsoft’s willingness to manufacture government access to personal and business data should give people pause before they generate sensitive documents, share or store intimate photos, or otherwise place important data in Microsoft’s cloud infrastructure. Any company so willing to engineer its users’ privacy out of personal and enterprise services alike must be treated with a degree of suspicion and its product announcement and security assurances with extremely high levels of skepticism.

Digital Crises and Internet Identity Cards

Something that you learn if you (a) read agenda-setting and policy laundering books; (b) have ever worked in a bureacratic environment, is that it’s practically criminal to waste a good crisis. When a crisis comes along various policy windows tend to open up unexpectedly, and if you have the right policies waiting in the wings you can ram through proposals that would otherwise be rejected out of hand. An example: the Patriot Act wasn’t written in just a few days; it was presumably resting in someone’s desk, just waiting to be dusted off and implemented. 9/11 was the crisis that opened the policy windows required to ram that particular policy through the American legislative system. Moreover, the ‘iPatriot’ Act, it’s digital equivalent, is already written and just waiting in a drawer for a similar crisis. With the rhetoric ramping up about Google’s recent proclamations that they were hacked by the Chinese government (or agents of that government), we’re seeing bad old ideas surfacing once again: advocates of ‘Internet Identity Cards’ (IICs) are checking if these cards’ requisite policy window is opening.

The concept of IICs is not new: in 2001 (!) the Institute of Public Policy Research suggested that children should take ‘proficiency tests’ at age 11 to let them ‘ride freer’ on the ‘net. Prior to passing this ‘test’ children would have restrictions on their browsing abilities, based (presumably) on some sort of identification system. The IIC, obviously, didn’t take off – children aren’t required to ‘license up’ – but the recession of the IIC into the background of the Western cyberenvironment hasn’t meant that either research and design or infrastructure deployment for these cards has gone away. Who might we identify as a national leader of the IIC movement, and why are such surveillance mechanisms likely incapable of meeting stated national policy objectives but nevertheless inevitable?

Continue reading

P2P and Complicity in Filesharing

I think about peer to peer (P2P) filesharing on a reasonably regular basis, for a variety of reasons (digital surveillance, copyright analysis and infringement, legal cases, value in efficiently mobilizing data, etc.). Something that always nags at me is the defense that P2P websites offer when they are sued by groups like the Recording Industry Association of America (RIAA). The defense goes something like this:

“We, the torrent website, are just an search engine. We don’t actually host the infringing files, we are just responsible for directing people to them. We’re no more guilty of copyright infringement than Google, Yahoo!, or Microsoft are.”

Let’s set aside the fact that Google has been sued for infringing on copyright on the basis that it scrapes information from other websites, and instead turn our attention to the difference between what are termed ‘public’ and ‘private’ trackers. ‘Public’ trackers are available to anyone with a web connection and a torrent program. These sites do not require users to upload a certain amount of data to access the website – they are public, insofar as there are few/no requirements placed on users to access the torrent search engine and associated index. Registration is rarely required. Good examples at, and ‘Private’ trackers require users to sign up and log into the website before they can access the search engine and associated index of .torrent files. Moreover, private trackers usually require users to maintain a particular sharing ration – they must upload a certain amount of data that equals or exceeds the amount of data that they download. Failure to maintain the correct share ratio results in users being kicked off the site – they can no longer log into it and access the engine and index.

Continue reading

Reading, Reviewing, and Recording

I want to toss up a few links that I’ve found particularly interesting/helpful over the past couple of months. I’ll begin with a way to read, move to a review of the newest tool for electronic education, and conclude with an article concerning the commercialization of the core platforms electronic resources are accessed from.

Reading 102

We’ve all heard of data-mining; the FBI has been doing it, the NSA has been caught doing it, and corporations are well known for it. Citizens are getting increasingly upset that their personal information is scaped together without their consent, and for good reasons.

What if those citizens used data-mining principles to prepare and filter their reading? Donal Latumahina has eight processes that you can use to get the most out of the books that you’re reading, processes that are guided by the objective to get the greatest possible amount of useful information from the text. It’s amazing what happens when you objectively structure your reading, rather than just letting yourself be carried along by it.

Continue reading

Open Source and Open Office XML

I’ve had friends and colleagues that have championed open source software and operating systems for ages. While I’ve appreciated their arguments I’ve never been convinced by them to actually proceed and move whole-scale to open source – either because it would be inconvenient, the software that I needed wasn’t immediately available in the same format as what I was using in Windows, or I just didn’t have the time to learn an entirely new way of computing. I’ve worked with computers for the past five or six years and in all that time has been in Microsoft environments – I’ve had (and in many ways continue to have) a deep investment in Microsoft products, and that’s been a central factor in Microsoft keeping my business.

The decision to avoid switching to an open source Office Suite was practically sealed when I started to demo Microsoft Office 2007 for my workplace – I love the interface, the built-in designs, and the ability to make professional looking documents with ease. Office 2007 completely drops the GUI of all other Office packages and reinvents the wheel, somehow managing to come closer to that Form of perfect Office computing. Without knowing anything about the new document format that Office 2007 used I was just annoyed that it wasn’t interoperable with previous versions of Office, but that was relieved when Microsoft placed a free conversion package on their Window’s Update website. Finally, I thought, I’d be able to share these awesome documents that I’m making with everyone in the Windows world!

Continue reading