The involvement of the US National Security Agency (NSA) in the development of Microsoft Corporation's new flagship operating system raises serious national security concerns.
The National Security Agency (NSA) stepped in to help Microsoft develop a configuration of (Microsoft VISTA) that would meet U.S. Department of Defense (DoD) requirements, said NSA spokesman Ken White.
European governments are now aware that strategic dependencies on software are as crucial as dependencies on oil supply from third countries. France even wants to challenge Google and is developing its own French search engine: Quaero. European dependencies on the Windows operating system are increasingly felt as a security risk by national governments, which are evaluating alternative desktop solutions, especially Linux distributions. In the late 1990s Lotus Notes made headlines in Sweden because it was said to include a secret NSA backdoor. Swedish government staff used Notes for office management and communication.
Unlike open source products such as Linux, where NSA contributed code to shape security (SELinux), VISTA is closed source. Nobody except Microsoft can check the original source code of VISTA for secret backdoors. Microsoft transforms the source code into the VISTA product in "binary code", which is what you or your government can obtain. In the past Microsoft responded to growing concerns from European governmental IT security agencies and EU multinationals with its "shared source" initiative. Selected customers are given source code for inspection under non-disclosure agreements. However, no customer builds their binaries from these 'shared sources'. The customer cannot be 100% sure that the shared source provided by Microsoft really corresponds to the product. Backdoors usually relate to hidden encryption keys shipped with the product, not to algorithms. The result is a trust problem that is inherent in the closed source model.
Do EU customers trust a company whose products are co-developed by a foreign secret service? Media coverage was very negative, in particular in Germany. It does not really matter what NSA actually did. The involvement raises suspicion, and national or corporate security risks need to be assessed. Corporate spying is still a huge problem for European governments and policy makers.
The existence of the NSA was secret for a long period of time ("No such agency"). Critics point out that prior to 1974 US President Nixon had no knowledge of its existence. Little is known about the activities and operations of the agency. Secrecy and a lack of transparency are without doubt an inherent part of intelligence. For an agency that is politically less accountable and less monitored, we have to assume great organisational inefficiency. Secrecy and a lack of transparency lead to public suspicion. Legends about the agency's activities arise that are very difficult to dispel. Secret intelligence leads to a perceived security risk among the supposed targets of its activities and to greater counter-intelligence efforts. Earlier concerns about NSA surveillance for business spying in Europe were followed up by an examination by the European Parliament and by much paranoia voiced by European data protection specialists.
Former US Intelligence Director James K. Woolsey wrote an angry, undiplomatic response article for the Wall Street Journal.
What is the recent flap regarding Echelon and U.S. spying on European industries all about? We'll begin with some candor from the American side. Yes, my continental European friends, we have spied on you. And it's true that we use computers to sort through data by using keywords. Have you stopped to ask yourselves what we're looking for? …That's right, my continental friends, we have spied on you because you bribe. Your companies' products are often more costly, less technically advanced or both, than your American competitors'. As a result you bribe a lot. So complicit are your governments that in several European countries bribes still are tax-deductible.
European national security agencies and customers of US software products need to find ways to gain trust in the software technology. NSA backdoors would seriously undermine trust in that platform. In 1999 Microsoft was asked for explanations about an electronic key named "NSAkey" that was found in a consumer product. IT security specialist Andrew Fernandes found that key in the Microsoft Crypto API. That case led to increased awareness at the European national level. Microsoft denied the accusation.
Microsoft said the key is labeled "NSA key" because NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws. The company reiterated that Microsoft has not shared this key with the NSA or any other company or agency.
It surprises European observers that, following the 1999 public scandal, Microsoft continued to have relations with NSA and now openly admits intelligence service involvement. Given how damaging and undesirable the involvement is for Microsoft's markets, that continuity could be an indication that NSA activities are indeed obligations imposed on the company. Concerns grow further when we consider Microsoft's recent announcement that it will enter the telecommunications market.
With EU governments considering the adoption of alternative software solutions, we have to stress: Redmond, you have a problem. It will be a challenging task to develop a VISTA trust model.