Microsoft, Google and Facebook Testify In The EU About Spying And Privacy

This week Microsoft, Google, and Facebook testified in the European Parliament about how involved American companies are in widespread spying, and about some of the problems with transparency and accountability for those companies. You can watch the full video here. We have skipped the opening portion of the video because it is largely a discussion of the FREEDOM Act and how it would impact European citizens, which is not the focus of this article.

Some of the more interesting parts of the discussion:

The opening: All of the representatives pat their own backs on how good they are at defending privacy.


C. Morales (to Microsoft) asks about encryption of communications that are moving between datacenters. He also asks about Microsoft developing "surveillance capability" to monitor chats, emails, and other communications as it pertains to the Prism documents that have been released. He then adds that he wants clarification about bulk data collection, and why Microsoft seems to always omit talking about that and only directs dialogue toward targeted requests involving law enforcement / government agencies.

C. Morales also asks Google specifically about the Washington Post allegations that the NSA was tapping enormous amounts of data via the connectivity between their data centers.

He then directs a question to Facebook about the level of access the NSA has, and says that a "flat out denial" of any NSA access is hard to believe given the evidence that is already out there.


D. Belz of Microsoft responds.

"We do not know Prism as a program." "We do not give unfettered access to our datacenter." "We do not give direct access to our server." "On encryption, Microsoft is offering a number of services, a multitude of... I cannot comment on how we handle things individually... I can say generally data from server to server is not encrypted. This is why we are currently reviewing our security system..."

For Microsoft to say that they don't know of Prism at this point shows that they are under a gag order and not allowed to acknowledge that the program exists. The fact that they did not, and still do not, encrypt server-to-server communications is abysmal.


N. Lundblad of Google responds.

"As it pertains to the Washington Post allegations I would say that we are... as all systems in the information society constantly in different ways under attack, which we then are constantly evolving our systems of response." "It is an arms race." "It is work that is never finished..." "We will continue to find ways to secure our users' data."

Here I believe Google is acknowledging the NSA data breach of their systems. They are taking action to close that specific gap, but the data leak is confirmed to exist.


R. Allan of Facebook responds.

"On the data that has been published, we can read about it as well and make educated guesses on what is going on. We as people who work in internet companies, we are not privy to any more information about the inner workings of a government agency than anyone else. But it does seem clear when you read that material that it is talking about systems that are inside that agency, i.e. what they do once they've obtained that data... Which to say is not something that we have any awareness of. What we do have awareness of is when they make requests to us for the data, and on that I think we have been clear and unequivocal that we will publish as much information as we can about those requests..."

Here I believe that Facebook is saying that their transparency reports only cover government data requests, but that data can be obtained in other ways, such as a security breach.


J. Albrecht asks.

(when you refer to unwarranted access to your systems) "...Which jurisdiction do you operate under when you define whether access is warranted?" "Which jurisdiction are you following when you process an EU person's personal data?" "Can you 100% exclude that you are violating EU or EU member states' rules when you are processing an EU citizen's personal data?" "(How do you investigate possible state-sponsored attacks on your systems? Do you inform EU governments of possible data breaches?)"


D. Belz of Microsoft responds.

"... If the data resides in the US, we follow the US rules ... If the data resides in Ireland we follow (those rules)..." (on state-sponsored attacks) "With regard to attacks on our servers it's very simple. Whoever is driving attacks against our server is trying to harm and infringe our protection so we have been able to build out quite sophisticated cybercrime mechanisms and activities because... it is more (organized crime) that tries to get access to our server than anybody else and we are constantly looking into it..."

Here, Microsoft says that it pretty much applies the law of wherever the data resides, which is without a doubt in most cases the United States. On cyberattacks by governments, she seems to want to bury the audience in jargon and not answer the question. The only real substantive answer I got for that question was "we fight cybercrime."


N. Lundblad of Google responds.

(on jurisdiction) "... on a very large extent this is a government to government issue and needs to be handled at that level. For many purposes if you are headquartered in the US then US law applies but there are many different shades and nuances to that argument which means that you would welcome, if you were in Google's position the kind of clarity that you are seeking..." (on state-sponsored attacks) "... We have several teams that investigate possible attacks on our systems. We do that because we need to strengthen those systems. We need to make sure that they can become more resilient and more responsive to other types of attacks. Knowing whether or not they are from certain attackers is a very tricky business. We concentrate on trying to protect the users by finding new patterns of attack and protecting against those, and trying to become smarter in the ongoing arms race against people that try to penetrate the systems."

Google sidesteps the issue and says that the jurisdictional fight should be between the governments and not the company. They then seem to echo the long-winded "we fight cybercrime" speech by D. Belz.


R. Allan of Facebook responds.

(on jurisdiction) "... we have multiple responsibilities. We have responsibilities in the United States where the infrastructure is, we have responsibilities in Ireland because Facebook Ireland is the data controller for users outside of the United States and Canada, and we may have responsibilities directly in the country that is issuing the request for data where they can be quite demanding and quite assertive about their own jurisdiction, and we spend a lot of time trying to juggle all of those responsibilities and not break anyone's law. So to the extent that those could be harmonized, that would be great." He does not directly address the state-sponsored cyber security concerns and is asked by J. Albrecht to follow up on that. R. Allan says, "We have done so. I myself have been involved in a hacking case where we identified that the person that was trying to break into our systems was based in the United Kingdom. We absolutely reported it to UK law enforcement and worked with them to prosecute the individual. That is how we would react."

Facebook gives about the best answer you can give, in my opinion. They show the current problems with the misalignment of laws on cybersecurity and privacy and discuss the hoops they have to jump through to try to stay compliant in multiple jurisdictions at once. He generally avoids giving a straight answer on state-sponsored attacks.


K. Wyveld speaks. (name may be incorrect, video source is low quality)

"... I'm glad that you came here but let's face it, these are all carefully prepared legal statements. I think (inaudible) made it very clear that... (your companies' eagerness to come clean) is kind of late... because I've been talking to representatives of your firms for many, many years and off record I've heard things that I've found particularly shocking, but no one ever wanted to go on record. So if I listen to your statements here today it sounds like civil liberties associations, but we are talking about companies who have been cooperating with governments. Under pressure, yes, I recognize that, under pressure, but nevertheless..." "Who was it... the CEO of Yahoo who said 'if I say what I want to say then I might end up in prison for 35 years', but if you comply with US law, at the same time you violate EU law, and if I were a company I would also rather pick a fight with the European Commission than with the US administration. It is very evident, but in the end we have to fight for the interests of our citizens who are your users, and you mentioned the word trust (she is motioning to Facebook representative R. Allan). Can you blame the users for not trusting companies anymore?"

"A few questions... encryption... yeah great encryption... but in one of our previous sessions we've heard that even the companies that are certifying encryption standards may have been corrupted by the US government. So how much value can we attach to encryption standards? I don't know... You say that you don't allow for any backdoors, I don't know that because the US seems to be able to create backdoors and I don't know if there are backdoors that you are not allowed to tell me about under US law. So how much trust can we attach to that?"

"Another element here is we hear stories in the media about payment. Not just costs for covering compliance, but actual payment. Can you say on record that your companies have not received a penny beyond the actual costs for compliance? Would your companies be willing to provide this committee with an overview of government business orders that you have received? Because of course there is another interest beyond direct payments in which you might presume the motto 'don't bite the hand that feeds you.' And I can think of at least one company sitting on this podium that has extensive orders in the defense sector..."

"...How do you feel about Safe Harbor... Do you feel that it (adds protection to EU citizens)?"


D. Belz of Microsoft responds.

"I don't think (you can expect) companies to make statements infringing laws and bringing the CEO into jail... I am not aware that we are infringing on any EU rules as of today..."

"Let me go to the backdoors and the payments, and as I mentioned we do not have backdoors and, as you can imagine, we are offering our products to the defense industry, we are offering our products to governments with sensitive data handling, we are very aware that our customers are concerned about this factor. We (have had for a number of years) a program called GSP which allows governments to have a very detailed look into our technology including the source code and all these kinds of elements to give them comfort in that they can see if there is a backdoor or not. This has been for us a very good kind of mechanism to give the assurance, but also please understand we do not and we cannot make public our business secrets and we need (to do this behind closed doors)."

(In regard to the payments, she claims Microsoft is only recovering costs when it is paid by government agencies for compliance with requests.)


N. Lundblad of Google responds.

"...back in 2006 we were one of the first companies to push back at the (US) Department of Justice when they made their first overly-broad request for search queries in a case that got a lot of attention in the US but maybe not on this side of the Atlantic. We pushed back then and we have continued to push back ever since because we do believe that it is important that government requests are limited and that they're purposefully designed and that they're proportional and relevant for the purposes in which (the requests) are made."

"In terms of trust, I think that there is a dual trust question here. Of course the internet and the information society at large is losing trust, but I think a lot of citizens are looking at their governments and asking if they can trust them given that they don't necessarily have the transparency into what has been happening..."

(on backdoors) "...There are no backdoors and we have received no remuneration for surveillance activities."

(on safe harbor) "... Safe Harbor certainly can be reformed, it can certainly be improved, it can certainly be tailored to the needs that we now see. There is a national security carve-out in there that one would need to examine more closely. (That matter needs to be handled by governments)."

(on encryption) "...I think the open encryption standards that are now under scrutiny are as reliable as they can be, but they also need to evolve. As I've said earlier, encryption standards don't stay reliable forever. So we should always update them, we should always improve them, and we should always seek new encryption standards in order to improve security."


R. Allan of Facebook responds.

(on encryption) "... Essentially what you are doing with security is you are trying to raise the cost of breaching the security and encryption certainly does raise that cost so even if it is compromised, the reaction to that compromise or threat of compromise is to go for an even stronger encryption system that carries more costs but also raises the costs of the person trying to break it. I think Nicholas (of Google) mentioned an arms race. That is exactly what companies like ours are in. I know we are looking at new technologies with long terminology that I won't go into here that actually helps us get to the next stage. I think that will always be the case."

(on payments) "... At Facebook we don't take payments for the government data requests we receive. Interestingly some activists have urged us to do so. Privacy activists. Their logic is that if you charge governments then they'll make fewer requests which is quite a compelling logic and we've been kicking it around but we have so far adopted a policy that says we won't take payment..."

(on safe harbor) "... As an EU citizen I would much rather do business with someone that is in the Safe Harbor than do business with one that is not, because that tells me that a company is serious and is thoughtful about data protection. The FTC... is a tough regulatory commission. They do regulate us effectively. The national security piece is exempt at the moment, but interestingly the Safe Harbor is designed to be two-way and similarly the national security bit is also exempt in the EU data protection regulation. So it is logical that today Safe Harbor doesn't include national security..."


C. Engstrom asks.

(to Microsoft) "...You've mentioned several times that you don't have backdoors in your products and of course I'm very happy that you say that. The problem is that most of your products are closed-source, which means that there is no way for an independent outside person to verify what is actually running on his or her computer once it's installed. You say that you allow some governments etcetera to read source code, and of course the source code that you let them read, quite obviously there are no backdoors in that source. But there is no way to... because it's closed source there is no way to know that the source you showed somebody is actually what's running. In contrast, if we're talking about open-source software, operating systems like Linux etc., then the source code is published and anybody with the expertise can compile it... It is possible to verify open-source software, but it is not possible to verify any of your products. (My question is) If the NSA or some other government agency had ordered you to install a backdoor into some or all of your products, would you be allowed to tell us that here, now?"


N. Torvalds (father of the founder of Linux, Linus Torvalds) asks.

"... Mrs. Belz said that there are no backdoors, which is not technically actually true, because you have bad programming with backdoors. Because if you have bugs, and you have bugs in your program, and that bug is a backdoor... and you actually gave money to a James Forshaw for finding one backdoor and we suspect that there are probably hundreds of bug backdoors in Windows programs."


D. Belz of Microsoft responds.

"... Open source vs proprietary software (has been a heated debate for a long time). Open source has the beauty of being open, but it is also open to people who want to (look for vulnerabilities) and use the software to do exactly what you want to avoid. So it is not more secure; I would even say that it is higher risk for open-source (over 'controlled' software)."

"... If there was a backdoor then I assume I would not be allowed to be told because of the (secret which I am not allowed to talk about)."

(She then defines what a backdoor is in her mind: an intentionally built hole in the software which they then hand to the NSA. This differs from Mr. Torvalds' definition, which is more in line with zero-day attacks, i.e. exploitable bugs.)

Of course Microsoft is going to say that open-source is less safe. Their entire business model revolves around keeping their source code to their products a secret.


Closing statements are made by the representatives of Google and Facebook.
