Comment by codeulike
1 month ago
“I want to note our appreciation for the reporting of the Guardian,” [Microsoft’s vice-chair and president, Brad Smith] wrote, noting that it had brought to light “information we could not access in light of our customer privacy commitments”. He added: “Our review is ongoing.”
It's interesting that they seem to be saying they don't know the full details of how their customers are using Azure, due to privacy commitments.
Weird, pretty sure employees brought this to their attention a few times already…
https://apnews.com/article/microsoft-azure-gaza-palestine-is...
https://apnews.com/article/microsoft-azure-gaza-israel-prote...
https://apnews.com/article/microsoft-build-israel-gaza-prote...
https://apnews.com/article/microsoft-protest-employees-fired...
I actually think understanding exactly how your customers do a thing is not an easy thing to be 100% sure of.
I've had sales, customer reps, even engineers and customers describe how a customer / they work ... and then I go and look and ... it's not how anyone said they work IRL.
If they act on information their employees report, they are violating their commitments.
There have been public reports by major news organizations on the subject of Israel using big tech companies to surveil the West Bank and Gaza, for a decade. This isn't an issue of customer privacy.
No, because those employees didn't learn about it by snooping around in Azure data.
Can anyone help clean up these sources/verify?
The first one seems to be after Microsoft's claim "and Microsoft has said it is reviewing a report in a British newspaper this month that Israel has used it to facilitate attacks on Palestinian targets".
The second one looks similar "Microsoft late last week said it was tapping a law firm to investigate allegations reported by British newspaper The Guardian".
The 3rd one seems to be a genuine example that Microsoft employees were reporting this specific contract violation concern - but I feel like there are more genuine examples I've heard of than just this one report.
The 4th one is a bit unclear, it seems to be a general complaint about the contract - not about specific violations of it.
Perhaps the more confounding question remaining is "what was so different about the report from The Guardian". It's not like these kinds of claims are new, or in small papers only, but maybe The Guardian was able to put together hard evidence from outside that allowed Microsoft to determine things without themselves going in breach of contract details?
> Perhaps the more confounding question remaining is "what was so different about the report from The Guardian".
I think timing. The world is finally ready to stop ignoring what Israel has been doing so it’s significantly easier for countries, companies, and even individuals to stand up, speak out, and take action.
I think it's the latter -- Microsoft was unable to look internally, or able to pretend they were ignorant. But the Guardian report was just too detailed to ignore.
I don't know if it's _true_, but it seems right? I don't want Microsoft to have this level of visibility into my usage of Azure, just like I don't want my phone provider to eavesdrop on my conversations. I'm no privacy ayatollah, but this seems like a reasonable amount of privacy from Microsoft.
Privacy ayatollah? Is that like an infosec shah?
I have seen "czar" used as an informal title to denote ownership of a domain, e.g. the "security czar."
I suppose it originates from the term "border czar" and others in politics e.g. https://www.politico.com/story/2009/09/president-obamas-czar...
No, a Shah is a hereditary ruler (a King), whereas an Ayatollah is more like a Bishop (i.e. a religious leader, but not the top guy such as the Pope in Roman Catholicism).
Data pope?
Grand Mullah of GDPR Compliance
Well, the average org isn't out there literally committing genocide
The whole point of confidential computing is that the cloud provider can't access your data and can't tell what you're doing with it. This is a must have requirement in many government contracts and other highly legislated fields.
What country does this "confidential computing" exist in, and how can I get there?
I've personally never seen anything requiring confidential computing in anything. Is this required in the USA? I find that hard to believe, because the technology on a cloud level is still very beta-feeling. I think that Microsoft just never looked because they did not want to know.
They have services literally dedicated to things like health data records.
But you don’t even need to go that sensitive, literally any type of online service might run the risk of handling PII. Which is why CIS, NIST et al have security frameworks that cover things like encryption at rest.
https://learn.microsoft.com/en-us/azure/confidential-computi...
It could also mean "now that someone else has seen it, we can finally act on what we have only privately seen but couldn't admit seeing"
More likely MS was well aware of what was going on and didn't care until the Guardian forced their hand.
> The disclosures caused alarm among senior Microsoft executives, sparking concerns that some of its Israel-based employees may not have been fully transparent about their knowledge of how Unit 8200 used Azure when questioned as part of the review.
Highly likely, or at least a bit naive -- completely reasonable to have local staff for a contract this big, but Microsoft should have independently 'double-checked' sooner.
That comment is... weird, considering they disabled the accounts of certain International Court of Justice that were individually targeted.
The reality is that no one can tell whose ass it is safe to kiss nowadays, so it’s all scandal-driven actions. Unless someone can create a big enough scandal, no one is going to do squat.
They should ask their Chinese engineers in charge of sensitive Azure servers.
That’s the best part, they cannot. Well, they technically can, but the answer from the company that runs Chinese Azure servers is gonna be “none of your business.”
What is interesting is they gave some privacy while others they strip away.
JIDF and Unit 8200 have infiltrated a lot of US tech companies.
This is a very significant issue for American tech companies, they either need to restore the trust of global customers, or they will lose it completely.