By encrypting traffic, Microsoft ensures your queries will only be collected by a third party if you're being investigated by the FBI or some other government with a court order. Without encryption, anybody between you and Bing can see your queries.
Well, that's generous. You don't have to be specifically investigated by the FBI (just 'related') and the court orders used to make requests can be quite large and in practice are primarily automated. If you look at the sort of processing the NSA is talking about, they are discussing large-scale sentiment and social media analysis (of the sort that non-related folks must be included). On this line we know that anyone 'three hops away' was considered legally relevant to an investigation. It was shown in the Snowden documents that NSA hacked into backend databases of US corporations to collect data - which gave data access with no warrant. Finally, companies are encouraged to give data to the government as a gift. This gifting of data is not legally compelled and is outside the scope of (weak) legislation by FREEDOM providing some small limitations on bulk collection requests.
If you have an associate or an associate of an associate who is a known threat to national security, and the government submits a request for your data, you are specifically being investigated. From Google's transparency reports, we know that the number of foreigners being investigated is in the low tens of thousands, and the number of Americans being investigated is at most low single digit thousands.
We know that all corporations that had their inter-datacenter networks compromised (there is no evidence their databases were accessed) have since encrypted traffic on those links, making that a non-issue. The last remaining place to collect data in bulk is between the user and the service, which is what this blog post addresses.
The data-gifting is a figment of your imagination. Nobody will go out of their way to make their own data accessible to a third party for free, and these Internet companies in particular wouldn't share it with anybody.
Sure, if you can say that hundreds of millions of people can simultaneously be specifically investigated.
> We know that all corporations that had their inter-datacenter networks compromised have encrypted traffic on those links, making that a non-issue.
Actually, we know that they targeted the interlinks where encryption was removed and added back - giving plaintext (if you are referring to Google). If you remember, after the Snowden exposures related to this hacking there was an industry-wide call to encrypt data in transit - this very thing implies it was not the case before.
> The data-gifting is a figment of your imagination. Nobody will go out of their way to make their own data accessible to a third party for free, and these Internet companies in particular wouldn't share it with anybody.
Please familiarize yourself with the associated stored communication and service provider laws and data sharing programs.
No, but they're a funnel to many. Simply by them collecting or holding the data, it becomes available to numerous agencies from numerous governments, and also to hacking groups.
Isn't Google part of it too? If you scrape out Google and Bing, what other good alternatives are you left with that wouldn't comply if requested?
Isn't it better to have some prevention against random MITM, especially on mobile devices where your choices are fixed? Like preventing tracking injections from your ISP (namely Verizon or Comcast)?
Outside of the privacy/security win for users and the PR win for Microsoft, it is likely to provide a business advantage depending on how they incorporate this data in Bing Ads.
Right now, you can get Bing organic query data in Google Analytics and other web analytics tools. This is invaluable to marketers, and even more so now that Google's organic data only shows up as "not provided."
If the Bing Ads team provides organic data within the Bing Ads platform like Google AdWords does, that is a reason to get people using their ad platform.
Not sure offhand if that data will exist in some form via Bing Webmaster Tools as well, but right now in Google land, the only two places you can get organic query data are AdWords and Webmaster Tools.
It pressures destinations to move to HTTPS if they want referer info (although Google also shimmed in a redirect to protect privacy / analytics premium... I don't know if it's Bing or one of my add-ons that's leaving direct links.)
Google SERP links are different in Chrome especially. Hover the link and you see one address, but copy the link URL and you'll see a number of parameters in addition to just the site URL. AFAIK, GA Premium is $150k/year and the sales rep I spoke with didn't allude to any solution to not provided.
Don't get too comfortable if you're on the paid side, either. AdWords disabled exact match keywords a few months back. They now include 'similar' keywords, but that is just another black box similar to the QS system that they have always used to manipulate CPCs.
Encryption doesn't just protect your message in transit. It also positively identifies you as a sender.
This way, the feds not only get the contents of your searches, but they can positively prove that you are the one that initiated the search, so they can lock up "subversives" that much more easily.
Amazing that so much attention is given to the NSA here... To me a more interesting question is how will this impact keyword data that's passed through the referring URL? Will we be losing bing.com as a referrer on iOS similar to google.com?
> Amazing that so much attention is given to the NSA here...
Well, the topic of default encryption is related to a mass global surveillance network supported by data collection capabilities built into the internet backbone - and HN is concerned about what these technical capabilities could mean for a runaway government or in the hands of adversarial entities/governments/groups. It's an incredibly important topic, so I'm glad there's some chat about it.
> To me a more interesting question is how will this impact keyword data that's passed through the referring URL?
Doesn't Google have a redirect mechanism that allows referrer information to pass through when a 'blue link' is clicked?
And yet on their blog post announcing it, they use insecure resources and blogs.bing.com is only https if you manually specify the https, so it's basically not SSL'd.