Microsoft To Open Transparency Centres for Source Code Reviews


Yesterday, the 50th Munich Security Conference came to a close, with cybersecurity among the issues discussed at the event. Revelations about the NSA's PRISM programme led internet users and stakeholders to rethink how data is handled in cyberspace; privacy and security were suddenly under discussion. Microsoft's Vice President for Security, Matt Thomlinson, took part in such a discussion in Munich last week.
In the aftermath of the PRISM leaks, the first step taken by the internet and technology giants was to strengthen the encryption of data passing between their systems and their customers. Microsoft was not left behind in this race: it moved its online services, including Azure, to 2048-bit keys and introduced perfect forward secrecy (PFS), so that a later compromise of a server's long-term private key does not let an eavesdropper decrypt traffic recorded earlier. Even the Windows team decommissioned RC4, which was still in use on Windows systems despite its well-documented weaknesses.
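The two concrete hardening steps named above, forward secrecy and the removal of RC4, are both visible in the cipher suites a server offers, so they can be audited from a suite list alone. The following Python script is an added example written for this page; it is not Microsoft's code and is not from the original article. It parses IANA-style TLS cipher suite names, flags suites whose key exchange is not ephemeral (no forward secrecy) or whose bulk cipher is RC4, and returns the hardened subset. The offered-suite list is constructed to resemble what a 2013-era server might advertise; the 2048-bit key point is a certificate property and is not covered here.

```python
"""Cipher-suite policy audit: forward secrecy and no RC4.

Added example for this page, not Microsoft's code. Suite names follow the
IANA registry form TLS_<key exchange>_WITH_<bulk cipher>_<mac/prf>; TLS 1.3
suites drop the key-exchange part (TLS_<aead>_<hash>) because TLS 1.3 always
uses an ephemeral (EC)DHE exchange.
"""
import re

_PRE13 = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)$")
_TLS13 = re.compile(
    r"^TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305|AES_128_CCM(_8)?)_SHA(256|384)$"
)

# Key exchanges that derive a fresh session key per connection, so a later
# leak of the server's certificate key does not decrypt recorded traffic.
FORWARD_SECRET_KX = {
    "ECDHE_RSA", "ECDHE_ECDSA", "ECDHE_PSK",
    "DHE_RSA", "DHE_DSS", "DHE_PSK",
}

# Constructed sample: a mixed list of the kind a pre-2014 server might offer.
OFFERED = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]


def classify(suite):
    """Return the list of policy problems for one suite name ([] if clean)."""
    if _TLS13.match(suite):
        return []  # TLS 1.3: always ephemeral key exchange, never RC4
    m = _PRE13.match(suite)
    if not m:
        return ["unrecognised suite name"]
    kx, rest = m.group("kx"), m.group("rest")
    problems = []
    if kx.endswith("anon"):
        problems.append("unauthenticated key exchange")
    elif kx not in FORWARD_SECRET_KX:
        # Static RSA or static DH: the session key is protected only by the
        # server's long-term key, so a later key compromise decrypts captures.
        problems.append("no forward secrecy")
    if "RC4" in rest:
        problems.append("RC4")
    return problems


def audit(suites):
    """Map every offered suite to its problems, preserving server order."""
    return {s: classify(s) for s in suites}


def hardened(suites):
    """The offered suites that pass the policy, in the server's preference order."""
    return [s for s in suites if not classify(s)]


if __name__ == "__main__":
    for suite, problems in audit(OFFERED).items():
        print(f"{suite:45s} {'OK' if not problems else ', '.join(problems)}")
    print("\nhardened order:")
    for suite in hardened(OFFERED):
        print("  ", suite)
```

Run against the constructed list, the audit keeps only the four (EC)DHE and TLS 1.3 suites; the two static-RSA suites are rejected for lack of forward secrecy, and both RC4 suites are rejected regardless of their key exchange. The same check applied to a real server's offered list (for example, the output of a TLS scanner) is the quickest way to confirm that a PFS rollout and an RC4 removal actually reached production.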

There were, however, two other items on Microsoft's agenda as it continued to reassure the market: establishing a legal framework to protect customer data, and opening transparency centres where customers can review source code.

“It is my hope to open the Brussels Transparency Center by the end of this year.” – Matt Thomlinson, VP for Security at Microsoft

The latter was announced by Matt Thomlinson during the Munich conference. In a blog post he reassures Microsoft's government customers that they will be invited to review source code so that they can satisfy themselves that no backdoors exist in Microsoft software. Despite this announcement, the first transparency centre is not expected until the end of this year, and the depth of source-code review to which Microsoft software will be subjected is currently unknown. Beyond technical safeguards, Microsoft is also targeting the policies that govern cyberspace by engaging with governments and other technology firms.

A key step in the process of rebuilding trust is continuing international cybersecurity engagement. To make effective progress, we need a much more robust dialogue about global cybersecurity, and we need a place to have that discussion. One idea I proposed would be the convening of a “G20 + 20” group – 20 governments and 20 global information and communications technology firms – to draft a set of principles for acceptable behavior in cyberspace. Whatever forum we use, we need to further this important conversation.

Despite our various views, we need both technical improvements as well as agreement on the fundamental policies of cyberspace to meet our common needs for security and privacy. Privacy can’t exist without security, and security depends on privacy. We can have both.

-Matt Thomlinson
Vice President, Microsoft Security