Microsoft’s OneDrive Storage Expands NSA Surveillance


Earlier this month Microsoft announced that its Office 365 subscribers would be able to upload an unlimited amount of data into Microsoft’s cloud-based infrastructure. Microsoft notes that the unlimited data storage capacity is:

just one small part of our broader promise to deliver a single experience across work and life that helps people store, sync, share, and collaborate on all the files that are important to them, all while meeting the security and compliance needs of even the most stringent organizations.

Previously, subscribers could store up to 1TB of data in OneDrive. The new, unlimited storage model, creates new potential uses of the Microsoft cloud including even “wholesale backup of their computer hard drives, or even of their local backup drives”. And, given OneDrive’s integration with contemporary Windows operating systems there is the opportunity for individuals to expand what they store to the Cloud so it can be accessed on other devices.

While the expanded storage space may be useful to some individuals and organizations, it’s important to question Microsoft’s assertion that OneDrive meets the most stringent organization’s security and compliance needs. One reason to question these assertions arise out of a memo that was disclosed by National Security Agency (NSA) whistleblower Edward Snowden. The memo revealed that:

NSA Memo on Microsoft enabling SIGINT Access to SkyDrive

As summarized by the Electronic Frontier Foundation, Section 702 of the FISA Amendments Act which is mentioned in the NSA memo is extremely permissive. The section has been used to authorize:

  • collection of Americans’ phone records without a warrant;
  • access to large portions of Internet traffic that moves through American servers;
  • disclosure of collected information to other parties (e.g. the Drug Enforcement Agency);

European policy analysts agree that Section 702 is overly permissive(.pdf) and argue that the definitions used in the section are so general that “any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.” The scope of surveillance was made worse as a result of the FISA Amendments Act 2008. While the FAA 2008 is perhaps best known for providing legal immunity to companies which participated in the warrantless wiretapping scandal, it also expanded the scope of NSA surveillance. Specifically:

[b]y introducing “remote computing services” (a term defined in ECPA 1986 dealing with law enforcement access to stored communications), the scope was dramatically widened communications and telephony to include Cloud computing (.pdf source).

Microsoft’s expansion of OneDrive storage limits is meant to enhance its existing consumer cloud offerings. And such cloud storage can produce workplace efficiencies by simplifying access to documents, protecting against device loss, and externalizing some security-related challenges.

However, if subscribers take advantage of the new unlimited storage and send ever-increasing amounts of data into Microsoft’s cloud, then there will be a much greater amount of information that is readily available to the NSA (and other allied SIGINT agencies). And given that Section 702 authorizes surveillance of foreign political activities there is a real likelihood that data content which was previously more challenging for NSA to access will now be more readily available to interception and analysis.

Signals intelligence agencies, such as the NSA, are likely not top of mind threats to individuals around the world. However, Microsoft’s willingness to manufacture government access to personal and business data should give people pause before they generate sensitive documents, share or store intimate photos, or otherwise place important data in Microsoft’s cloud infrastructure. Any company so willing to engineer its users’ privacy out of personal and enterprise services alike must be treated with a degree of suspicion and its product announcement and security assurances with extremely high levels of skepticism.

The Oddities of CBC’s Snowden Redactions

cbcThe CBC has recently partnered with Glenn Greenwald to publish some of Edward Snowden’s documents. Taken from the National Security Agency (NSA), the documents the CBC is exclusively reporting on are meant to have a ‘Canadian focus.’ Many of the revelations that have emerged from Mr. Snowden’s documents have provided insights into how the NSA conducts its activities both domestically and abroad, and have also shown how the Agency’s ‘Five Eyes’ partners conduct their affairs.

Journalists have redacted documents or provided partial copies since first reporting on the Snowden documents in summer 2013. To date, no common method or system of redacting documents has been agreed upon between the journalists and news agencies covering these documents.

In this post I want to spend some time talking about the redactions that the CBC has made to the sole Snowden document it has (thus far) released to the public. I begin by explaining how I got my – almost entirely unredacted – version of the document and why I am comparing my copy to the ‘publicly released’ version. Next, I discuss the various redactions made by the CBC and comment on the appropriateness of each redaction. Where I think that information ought to have been released, or the redacted information is outside of the ‘personal information’ reason the CBC gave for redacting information, I provide or describe the information to the public. Finally, I write about the need for a more robust way of redacting documents: as I will make clear, the CBC’s approach seems (at best) scattershot and (at worst) inappropriate. The CBC is the journalist source that will  be controlling the Canadian Snowden documents and, as a result, has a public obligation to dramatically improve its explanations for why it is redacting sections of the leaked documents. Continue reading

Tracing the Network, Tracing the NSA

NSA EagleIn many ways, I can credit the NSA along with the excellent reporting of Nate Anderson for why I’m so interested in surveillance technologies. In particular, when the story broke in 2005 that the NSA was likely engaged in massive wiretaps of domestic and international data traffic I was drawn to the power and capacity for the ‘net to be used for truly broad-based surveillance efforts. This interest was heightened when Nate published the first of a set of articles on deep packet inspection (DPI) for Ars Technica. Without these two key moments, along perhaps with some interesting reporting on copyright, I’d probably still be thinking through the conditions of ontological psychology through a Heideggerian or Hegellian lens.

Given that I am engaged in research into surveillance technologies, and have the absolute pleasure to be associated with truly excellent scholars, activists, advocates, collaborators, and friends who share similar research interests, I wanted to take a moment to ask you, my readers, to help us map data traffic. As you may be aware, the NSA is reputed to have installed systems in various networking hubs that lets them examine massive amounts of data traffic. It’s not entirely known how they inspect this traffic, or the algorithms that are used to parse the fire hose of data they must be inundated by, but researchers at the University of Toronto have a decent idea of what ‘carrier hotels’, or major Internet exchange/collocation points, have likely been compromised by NSA surveillance instruments.

Continue reading

Shield the Sources, Shield the Telecoms

The past couple of days have been interesting, to say the least, when looking at recent shifts and decisions in American legislatures. Specifically, the House is looking to shield bloggers from federal investigations by providing them with the same protections as reporters, and that after the telecommunication companies that ‘theoretically’ (read: actually) cooperated with NSA spying activities have refused to cooperate with Congressional investigations that they have been let off the hook. Let’s get into it.

Federal Journalists and Professional Bloggers Shielded

The US has had a long history of journalistic freedoms, but in the face of recent technological advances they have refused to extend those freedoms to users of new journalistic mediums. Bloggers, in particular, are becoming a more and more important source of information in the US – some dedicate their lives to blogging and use it for professional gain. Until recently they have (typically) been refused the same status as traditional journalists, which has made it risky for bloggers to refuse to disclose their sources if hauled into courts of law.

Continue reading

Reading, Reviewing, and Recording

I want to toss up a few links that I’ve found particularly interesting/helpful over the past couple of months. I’ll begin with a way to read, move to a review of the newest tool for electronic education, and conclude with an article concerning the commercialization of the core platforms electronic resources are accessed from.

Reading 102

We’ve all heard of data-mining; the FBI has been doing it, the NSA has been caught doing it, and corporations are well known for it. Citizens are getting increasingly upset that their personal information is scaped together without their consent, and for good reasons.

What if those citizens used data-mining principles to prepare and filter their reading? Donal Latumahina has eight processes that you can use to get the most out of the books that you’re reading, processes that are guided by the objective to get the greatest possible amount of useful information from the text. It’s amazing what happens when you objectively structure your reading, rather than just letting yourself be carried along by it.

Continue reading

Online Data Storage and Privacy

Last week Google, Microsoft, and Apple revealed updates to their online data storage platforms – Google now lets users purchase additional space for their various Google applications, Microsoft provides a Live Skydrive (essentially an online network drive), and Apple completely revamped their .Mac solution.

The idea behind these services is that people that are already using, or are considering using, the aforementioned companies’ online services and will be enticed by the idea that they could store hordes of information in ‘safe’ repositories; we can trust that neither Google, Microsoft, or Apple would lose our data, right? This isn’t entirely true – at least Google and Microsoft have previously lost client data and could not always restore it. Individuals cannot count on any of these services, though they are likely to be more reliable than personal backups. What’s more, these online solutions just make life easier by letting users stop worrying about performing personal data backups – this is their real selling feature.

There are issues that emerges with all of these services – first clients cannot know what country their data is being stored in, potentially leaving their data subject to foreign surveillance laws, and second clients cannot verify what any of these corporations are actually doing with their data.

Continue reading