After last week's uproar over Microsoft's 2012 snooping in a blogger's Hotmail account, the company says it will no longer perform its own email snooping in criminal cases. In an official blog post today, Microsoft Executive Vice President Brad Smith said that, effective immediately, when investigations occur, "we will not inspect a customer's private content ourselves. Instead, we will refer the matter to law enforcement if further action is required." Which sounds like what should've been protocol in the first place.
An indictment filed in federal court today reveals that Microsoft snooped through a blogger's Hotmail account trying to plug an internal leak of pre-release Windows 8 software. That sounds like an outrageous violation of privacy because that's exactly what it is. Microsoft claims they had the legal right under its terms of service.
BI reports that that federal prosecutors filed papers agains former Microsoft employee Alex Kibkalo today, alleging that he illegally transferred company secrets to an unnamed blogger. According to the indictment, the blogger came to Microsoft in September 2012, claiming it had inside information. The information was of particular interest because the blogger's email address had already been associated with leaks by Microsoft's private security company. After clearing its plan with its legal department, Microsoft dove in, and found an email implicating Kibkalo in leaks.
That Microsoft would go poking around anyone's email without a court order is pretty infuriating, especially since Microsoft has made a big hubub about how it keeps your information private and how Google is scraping your email for advertising purposes.
But don't worry, Microsoft has a lame legal justification. Here's the statement the company provided to Business Insider. Emphasis mine.
During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.
In other words, Microsoft thinks that because the security of its product, and therefore its users, had been compromised, it had the right to unilaterally decide it could go in. Not because it was the right thing to do, but because its legal department determined it was justifiable under Hotmail's Terms of Service.
Can Microsoft legally justify snooping through a reporter's email? Sure. That doesn't change the fact that its a reprehensible violation of the trust we put in the company. It's a good reminder that we're all a little stupid for trusting big tech powerhouses with our data. If you're not a little wary about what you say in your email—maybe you should be.
Following the dust-up over Microsoft's snooping, the company posted an update to its policies. In short, Microsoft is not admitting it did anything wrong, but it promises to take exhaustive steps to ensure it doesn't cross the line in the future.