Yesterday was an unusually troubling day for online privacy. Microsoft clarified the potentially problematic privacy settings for the Kinect video and audio sensor that must be plugged into the Xbox One for it to operate. And yet according to a stunning, unrelated report, Microsoft has also been offering up its users' data to the NSA and the FBI since 2007. Today, it has denied participation in just such a program.
Microsoft's statement, sent to Kotaku by a Microsoft spokesperson:
"We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it."
Yesterday, both the Washington Post and The Guardian released documents indicating that since 2007 the National Security Agency and the FBI have been engaging in a massive, secret data-mining operation called PRISM.
PRISM's goal has been to monitor for potentially dangerous activity, focusing on foreign communications, and to track individuals and connections to individuals through their online interactions. The agencies have done so with the consent of a bunch of the biggest American Internet companies, although the program ostensibly tracked data only from non-Americans.
According to both reports, Xbox One-maker Microsoft was first to agree to go along with the program. The other companies listed in the report, in order of their sign-on date, are Yahoo!, Google, Facebook, PalTalk, YouTube, Skype, AOL and Apple.
If Microsoft were involved with a program like PRISM, it would cast the company's repeated assurances about user privacy in a different light. The Xbox One, after all, comes packaged with a mandatory Kinect camera that surveys your room and can record your physical information, voice, and more. As we reported in May, and as Microsoft confirmed yesterday, it's possible to turn the camera off, but you'll need to leave it plugged in to use the Xbox One. And of course, as Microsoft says, "Some apps and games may require Kinect functionality to operate, so you’ll need to turn it back on for these experiences." Microsoft's network goes far beyond the Xbox One. They own Skype, Outlook and Windows.
But now, Microsoft denies involvement in this type of program. There's some wiggle-room in their statement, mostly hinging on how one decides to define "voluntary." Then again, Apple, Yahoo!, Google, Dropbox and Facebook have given more unequivocal denials to other outlets. Apple, for example, told CNBC it had never even heard of PRISM. Google told The Next Web the same thing: It hadn't heard of PRISM.
But after the Post and Guardian reports went up, Director of National Intelligence James Clapper confirmed the existence of PRISM, saying that "Information collected under this program is among the most important and valuable intelligence information we collect, and is used to protect our nation from a wide variety of threats."
What to make of all this? It's difficult to say at this point. Government agencies subpoenaing companies for user data is nothing new, though the alleged scope and scale of PRISM are possibly unprecedented. It's likely that more information will come to light in the near future. And at the very least, this is probably cause to pay close attention to what information you let your Kinect transmit.