Advancing our encryption and transparency efforts

Posted by Matt Thomlinson
Vice President, Trustworthy Computing Security, Microsoft

In December, we announced our commitment to further increase the security of our customers’ data. We also announced our plans to reinforce legal protections for our customers’ data, and continue to increase transparency in how we engage with governments around the world. We are making positive progress on all of these fronts. 

We are in the midst of a comprehensive engineering effort to strengthen encryption across our networks and services. Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day. This effort also helps ensure that governments must use appropriate legal process, not technical brute force, if they want access to that data.

As part of that, today we’re announcing three important milestones that honor our commitments to security and increased transparency. 

First, Outlook.com is now further protected by Transport Layer Security (TLS) encryption for both outbound and inbound email. This means that when you send an email to someone, your message is encrypted while it travels between Microsoft's mail servers and the other email provider's servers, so it cannot be read on the wire. This is protection of the connection between providers, not encryption of the message itself, and it only takes effect when the other provider's mail servers also support TLS; otherwise the mail is still delivered, but without this protection.
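The server-to-server exchange described above is SMTP with the STARTTLS extension: the sending server connects in the clear, asks the receiving server which extensions it supports, and upgrades the session to TLS only if STARTTLS is advertised. The following is an added example, not Microsoft's code and not a description of Outlook.com's implementation, that shows the negotiation with Python's standard library. The host name and addresses are placeholders, the EHLO reply used for testing is constructed, and `require_tls` is this example's own option for refusing the otherwise silent plaintext fallback.

```python
"""Opportunistic TLS (STARTTLS) for server-to-server mail, with a no-downgrade option.

Added example, not Microsoft's code and not Outlook.com's implementation.
Host names and addresses are placeholders.
"""
import smtplib
import ssl


def parse_ehlo(reply: bytes) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameters}.

    The first line carries the server's name; each further line is
    '250-EXT params' (more follow) or '250 EXT params' (last line).
    """
    extensions = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            break                      # anything else is an error reply
        body = line[4:].strip()        # drop '250-' or '250 '
        if body:
            name, _, params = body.partition(" ")
            extensions[name.upper()] = params
    return extensions


def tls_available(reply: bytes) -> bool:
    """True when the receiving server advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def forward_secret(cipher_name: str) -> bool:
    """Classify an OpenSSL cipher name (what Python's ssl sockets report):
    TLS 1.3 suites always use ephemeral (EC)DH; in TLS 1.2 only (EC)DHE suites do."""
    return cipher_name.startswith(("TLS_", "ECDHE-", "DHE-"))


def deliver(host: str, sender: str, recipient: str, message: bytes,
            require_tls: bool = True, port: int = 25) -> dict:
    """Send one message to host:port, upgrading to TLS if STARTTLS is offered.

    require_tls=True refuses to fall back to plaintext (the transaction is
    abandoned); False is classic opportunistic TLS, which an on-path attacker
    can defeat simply by stripping the STARTTLS line from the EHLO reply.
    """
    ctx = ssl.create_default_context()          # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                         # extensions must be re-read after the upgrade
            name, protocol, _bits = smtp.sock.cipher()
            status = {"encrypted": True, "protocol": protocol,
                      "cipher": name, "forward_secret": forward_secret(name)}
        elif require_tls:
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing plaintext delivery")
        else:
            status = {"encrypted": False}
        smtp.sendmail(sender, recipient, message)
    return status


if __name__ == "__main__":
    # Placeholder peer: running this for real needs network access and an actual MX host.
    print(deliver("mx.example.net", "alice@example.org", "bob@example.net",
                  b"Subject: test\r\n\r\nhello\r\n"))
```

The point of `require_tls` is the downgrade path: with plain opportunistic TLS, a peer that does not advertise STARTTLS, or an attacker who removes the advertisement in transit, gets the message in cleartext and the sender never notices. Whether to abandon delivery instead is a policy decision each provider has to make explicitly.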

Over the past six months, we have been working across the industry to help ensure that your mail remains protected all the way to its destination. This includes working closely with several international providers throughout our implementation, including Deutsche Telekom, Yandex and Mail.Ru, to test and help ensure that mail stays encrypted in transit to and from each email service. I'd like to thank each of these companies and the community for the hard work they've put in, and for making this additional engineering investment a priority.

This encryption work builds on the protections already in many of our products and services, like Microsoft Azure, Skype and Office 365, and on improvements we have made over the last six months. A few examples include enhanced message encryption in Office 365 and Azure's addition of ExpressRoute, a service that lets businesses create private connections between Azure datacenters and infrastructure on their premises or in a colocation environment, rather than carrying that traffic over the public Internet. This is a significant engineering effort given the large number of services Microsoft offers and the hundreds of millions of customers we serve around the world.

In addition to the availability of TLS, Outlook.com has also enabled Perfect Forward Secrecy (PFS) for sending and receiving mail between email providers. With forward secrecy, each connection is protected with a different encryption key, derived from key-exchange values that are generated fresh for that connection and discarded afterwards. An attacker who records encrypted traffic today and later obtains the server's long-term private key still cannot decrypt those recorded connections.

Second, OneDrive has now enabled PFS as well. OneDrive customers now automatically get forward secrecy when accessing OneDrive through onedrive.live.com, our mobile OneDrive application and our sync clients. As with Outlook.com's mail transfer, this makes it more difficult for attackers to decrypt connections between customers' devices and OneDrive, even if they capture the traffic now and compromise a key later.

Third, I’m pleased to announce that today we opened the first Microsoft Transparency Center, on our Redmond, Wash. campus. Our Transparency Centers provide participating governments with the ability to review source code for our key products, assure themselves of the software's integrity, and confirm there are no “back doors.” The Redmond location is the first in a number of regional transparency centers that we plan to open. We continue to make progress on the Transparency Center in Brussels that I announced in January, with other locations soon to be announced.

As with most things relating to security, the landscape is ever changing. Our work is ongoing and we are continuing to advance on engineering and policy commitments with the goal of increasing protection for your data and increasing transparency in our processes.