After the Windows 8 leak that made international news headlines -- and its privacy controls were called into question as a result -- Microsoft is trying to throw water on burning coals by clarifying when it will and will not search user e-mail.
John Frank, Microsoft Deputy General Counsel & Vice President of Legal & Corporate Affairs, made the announcement on Thursday. Before outlining Redmond's new privacy efforts he offered the backstory of what led up to the brewing privacy storm.
Making a long story short, Frank explained that Microsoft received information about an employee providing stolen intellectual property to a cyber criminal who was selling it for a profit. A lengthy investigation with law enforcement agencies in multiple countries, he explained, confirmed the information.
“As part of the investigation, we undertook a limited review of this third party’s Microsoft operated accounts,” Frank said. “While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We applied a rigorous process before reviewing such content.”
Bringing Clarity to Privacy
On Thursday, Seattle Post-Intelligencer reported that Alex Kibkalo had been accused of leaking Windows RT software code, along with Windows 7 program files and data about the company’s internal anti-piracy system called Activation Server Software Development Kit, to an unnamed tech blogger in France.
“In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites,” Frank said. “In fact, as noted above, such a court order was issued in other aspects of the investigation.”
Still, in the age of National Security Agency (NSA) spying, some are expressing concern, which prompted Microsoft to announce steps it will add to strengthen policies if similar situations arise in the future. For starters, Frank said the company wouldn't search customer e-mail or other services unless it finds, in a layered accountability system, that there is enough evidence to justify a court order.
“Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information,” Frank said. “We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.”
Microsoft also pledged to publish any such searches as part of its bi-annual transparency report, which lately has been revealing requests for user information made by the NSA and other government agencies.
Surprised by Reactions
We caught up with Craig Young, security researcher at security firm Tripwire, to get his take on Microsoft’s moves. He told us he’s surprised by the reactions to Microsoft’s handling of this situation.
“Personally, I think that Microsoft was appropriate in their actions but regardless of the details of this particular case, users should remember that e-mail is not designed to afford privacy,” Young said. “Here’s a very simple rule of thumb -- don’t send anything in e-mail that you wouldn’t want to see as front page news.”
As he sees it, users who are concerned about the privacy of their Hotmail accounts are better off using client-side cryptography such as GnuPG rather than calling foul on Redmond.
Expect to be Searched
Tyler Reguly, manager of security research at TripWire, told us consumers using free services should expect that their accounts may be searched if there is enough evidence of misdoing, especially against the company hosting the account. His view is that this shouldn’t apply to paid accounts because consumers paying for a service should deserve a greater expectation of privacy.
“Microsoft's claim that servers onsite eliminate the possibility of a court order, which seems logical, but can data centers use the same logic?” Reguly asked. “Data center servers are stored on premise, so does that mean data center owners can access them and search them as they please? It sounds awful to give advice to criminals but if you're going to break the law, at least run your own servers.”
Ultimately, he said, this points to a legal grey area: Does virtual ownership matter more than physical ownership? Reguly concludes: “Can we get to the point where legal access is based on virtual ownership? The whole issue is a legal can of worms.”