Current Issue
This Month's Print Issue

Follow Fast Company

We’ll come to you.

2 minute read


Are Microsoft's New Offshore Data Centers Really NSA-Proof?

Microsoft has broken ranks to offer its clients "data security" outside the U.S. akin to a Swiss bank. Is this a viable strategy?

Are Microsoft's New Offshore Data Centers Really NSA-Proof?

[Image: Flickr user Bob Mical]

Since the NSA scandal broke, tech giants have been hammered for suspected sharing of user data with the U.S. government. Now Microsoft says it can offer customers safe harbor in offshore data centers—but no one seems to be able to verify if it’s actually safe.

We talked to several lawyers. None would definitively say that Microsoft’s foreign data centers would be safe from the NSA. We scanned the coverage. Nobody could say that Microsoft’s offer would keep the NSA out. So why offer it in the first place?

The Financial Times notes that local laws may get in the way, but nobody is saying that Microsoft’s foreign data centers will be immune from secret U.S. government court requests. Forbes threw up its hands and quoted other coverage to let readers come to their own conclusions. Microsoft itself even admitted back in 2011 that since it’s headquartered in the U.S., all of its services are subject to American law and inspection. Google Chairman Eric Schmidt echoed that. So did ACLU privacy researcher Christopher Soghoian.

Microsoft says that its cloud-based hosting service Windows Azure is compliant with the EU’s Data Protection Directive, but carefully states on its Azure Trust Center FAQ that the best they can do is either redirect agencies to you or provide you with copies of legal demands for your data—both of which could be legally prohibited by the agency anyway. Their only strategies are to increase encryption and challenge data request gag orders, said Microsoft general counsel Brad Smith in a December blog post.

In a panel at the World Economic Forum in Switzerland, Smith insisted that the company has "never turned over to any government any information that belongs to another business, another government or an NGO."

Microsoft is offering its users a "privacy placebo," says Bart Knijnenburg, a UC Irvine Ph.D. candidate who was recently awarded a coveted Google Fellowship in Privacy. Contributing to the problem is poor awareness of privacy control, Knijnenburg said. He pointed to a CMU study that showed how much more data users inadvertently shared when Facebook changed its privacy interface. NSA data tapping is a threat, but people don't comprehend how much data big corporations ingest.

"So maybe Microsoft is just pulling up a smoke screen to hide the obvious: that too much of your data is already out there, and already being used every day without your knowledge to make decisions about you that can potentially severely impact your life," Knijnenburg said.

After an uproar in October, Brazil proposed a law, Marco Civil, to require all companies housing data on Brazilian citizens to host it in-country. The tech industry remarked that this would be prohibitively expensive, especially for startups, and result in a Balkanization of the web. A consultant further noted that Brazil is the most expensive country to build data centers, with approximately 22% of the $60 million building cost going to taxes.

For foreign users, Microsoft is pledging to host their data in data centers outside the U.S., which are located in Dublin, Amsterdam, Hong Kong, Singapore, and upcoming centers in Sydney and Melbourne. This must come as a grudging PR maneuver as Microsoft just bought another 200 acres of land for its 500,000-square-foot new data center in Quincy, WA, which is set to open in 2015.