Microsoft has denied building a backdoor into Windows 7, responding to concerns from privacy organisations after it was revealed that the National Security Agency (NSA) had worked on the operating system.
But these concerns have been met with a firm denial. "Microsoft has not and will not put 'backdoors' into Windows," a company spokeswoman said.
Earlier this week, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the NSA had worked on the creation of Windows 7 "to enhance Microsoft's operating system security guide."
Echoing earlier concerns, Marc Rotenberg, the executive director of the Electronics Privacy Information Center (EPIC), questioned the wisdom of letting the NSA participate in OS development. "The key problem is that NSA has a dual mission, COMPUSEC, computer security, now called cyber security, and SIGINT, signals intelligence, in other words surveillance," said Rotenbergl.
Yesterday, he raised the issue, which isn't new, of whether the NSA pressures companies like Microsoft to craft so-called "backdoors" into their code that would let the agency track users and intercept users' communications. Rotenberg called it an "obvious concern," and added that it might be difficult for major software makers to turn down NSA "suggestions" because the US federal government is an important customer.
Today's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. "The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit," said the spokeswoman.
The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system.
The compliance management toolkit provides a set of security configurations that address additional levels of risks beyond those addressed out of the box, as well as tools to deploy these configurations and monitor what Microsoft calls "configuration drift." The toolkit is aimed at enterprises, government agencies and other large-scale organisations.
Microsoft's rejection of the idea that it's hidden a backdoor in Windows came as no surprise to security researchers, who yesterday expressed doubt that the company would put its reputation at such risk. "I can't imagine NSA and Microsoft would do anything deliberate, because the repercussions would be enormous if they got caught," Roger Thompson, the chief research officer of antivirus vendor AVG Technologies, said yesterday.
John Pescatore, an analyst with Gartner Research, agreed. "[The concerns] are way overstated," he said today in an email. "NSA worked with Microsoft and others, like Cisco, on security configuration standards for [their] products."
Cisco, in fact, has built "lawful intercept" capabilities into its products, including its Internetworking Operating System (ISO) and its VoIP lines. The term describes the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications under authorisation, such as electronic wiretap orders.
Rotenberg still questioned NSA involvement. "The key point is that the NSA is not the right agency to promote computer security in the private sector," he argued. "The risks to end users are real - the original NSA key escrow proposal, 'Clipper,' was a terrible idea - and there is too little transparency about these arrangements."
The Clipper chip Rotenberg referred to was a project first proposed in 1993 that would offer ultra-strong encryption, but would allow access to encrypted data by law enforcement. The NSA proposal, however, raised a firestorm of protest and the idea was ultimately dropped.