Despite likely not having to legally, Microsoft has gone the extra mile to protect its employees and customers

Microsoft Corp. (MSFT) raised some eyebrows when it revealed exactly how it had ferreted out a leaker back in 2012.

After being contacted by a French blog asking if a leaked build of Windows 8 was authentic, it turned out it was and that the leaker had used a Hotmail account.  The only problem?  Microsoft owns and operates the Hotmail service (Hotmail was recently replaced by, but the branding is still living on in some regard).  So it performed an internal audit and identified the leaker as Alex Kibkalo, a software architect who was allegedly disgruntled over a poor performance review.

I. Microsoft: Your Email is Safe

In the wake of Mr. Kibkalo's arrest, many have cried foul and complained that Microsoft had no right to search a private email account, even if it belonged to one of their own employees who had committed crimes.  After all, if they would do that to Mr. Kibkalo, what's to stop them from doing it to the next customer?

To clarify, Google Inc. (GOOG), Microsoft, and every other major online service provider do scan message content in an automated manner without asking, as they typically state in their terms of service.  They do that in order to better target you with ads.  That may be annoying, but it's not overly evil; after all, they're offering you a free service and have to make money somehow.

More controversial is whether a company like Microsoft can "search itself", accessing password protected accounts belonging to customers or employees that may have broken company policies or the law.  Many believe allowing such a practice without strict procedures may be legal, but is unethical to employees and invites abuse.

Well, believe it or not, Microsoft actually agrees.

In a statement released this week Microsoft's general counsel, VP John Frank, commented:

We believe that Outlook and Hotmail email are and should be private.  Today there has been coverage about a particular case.  While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.  So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available.  In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward...

He goes on to explain that the company will separate the legal team from the audit team, and that if an employee is suspected of criminal activity on a work account, the auditors will have to justify to legal that a warrant would be issued, were the account with a different company.

II. A Seemingly Progressive Policy

This is pretty incredible as Microsoft has no legal obligation to do this.

Google has a similar policy, which was elaborated by Christopher Nguyen, head of internet apps at Google back in 2012.  He posted to Quora:

A small number of GMail related engineers have access to the servers as a matter of necessity to do their jobs; a very small number of people actually access the contents as a matter of necessity to do their jobs, and even then, almost always only the associated metadata.

The rest have to file a request and justify any access they ever need, which is extremely rare. All have to sign paperwork re users’ privacy at the risk of dismissal & legal action, knowing that whatever they do is discoverable. And ultimately, an internal culture of respecting users’ privacy helps keep one another in check.

To our knowledge Google hasn't as rigidly defined or made public its audit structure for such requests to the extent that Mr. Shaw did, nor did it promise the level of transparency to internal audits as Mr. Shaw has.  Google does a good deal of reporting on external audits, but internal audits have remained cloaked in secrecy to some extent.

Your employer likely has no legal compulsion to give you due process if you use its email accounts; however, Microsoft is going the extra mile with its employees and customers to prevent abuse. [Image Source: The Next Web]

Facebook, Inc. (FB) on the other hand appears to have no such policy.  And again, it has no legal obligation to.

Nolo, an online legal information wiki, summarizes:

Courts [in the U.S.] have found that employers are generally free to read employee email messages, as long as there's a valid business purpose for doing so.

Microsoft had previously operated under a similar policy.  Its terms (which have yet to be amended) state:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public. We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets.

In other words, if you're doing activity that harms Microsoft -- whether you're a college student selling pirated XP licenses out of your account or a Microsoft employee sharing insider secrets because your boss wrote you up -- you were fair game in the past to have your account inspected.  Now it will be a bit harder.

But don't get too cocky.  The policy is designed to prevent abuse.  If Microsoft finds compelling evidence that a crime was committed against it using its messaging services, it can and will get an inspection order approved by its internal auditors.

III. Microsoft Remains a Powerhouse in the World of Email

As an aside, regarding how important this news is or isn't, Hotmail/ currently occupy 6 percent of total email opens, according to marketing firm Litmus:

Email market share

[Image Source: Litmus]

According to that report, in 2013 Apple, Inc. (AAPL) controlled 46 percent of email traffic via its popular mobile products.  Microsoft was in second with roughly 25 percent, while Google was in third with 18 percent. Yahoo! Inc. (YHOO) had 5 percent.

Google is the dominant force in webmail (online clients), while Microsoft's Outlook is the most used installed email client app.  Apple's services, meanwhile, lead the mobile realm in usage.

Those numbers suggest that a slim majority of U.S. users may use Google Inc.'s Android operating system, but many of them also rely on Microsoft products (or Yahoo!) for their email needs.  By contrast Apple keeps its entire customer base tightly corralled.

Oh, and Apple definitely has no compunction with reading employee email.  In fact it's infamous for the lengths it goes to, to hunt down leakers.  So while Microsoft and Google's promises rely on a degree of customer and employee trust, at least they're making an apparent effort, versus the likes of Apple and Facebook.

Source: Microsoft via The Verge

Comments

and you believe them??
By GulWestfale on 3/21/2014 9:11:18 PM , Rating: 4
frankly, i cannot say that i was surprised when i read this:

but hey, someone out there is going to believe them, right?

RE: and you believe them??
By TSS on 3/21/2014 10:03:29 PM , Rating: 3
I'll believe them - as long as i don't involve myself with something as stupid as dealing with stolen code.

I mean it's stupid enough the guy stole something. It's even stupider that he'd use email to send it to somebody. It's even more stupid he'd send it to/from an email owned by the company he was stealing from! I mean cmon now.

I don't know about you guys but if i've got any real secrets to hide i don't email them. I'll talk to people, offline, or use a USB stick to transfer data. In the most extreme case i'd first set up a VPN to then make a one-off email address at a similar service to what Snowden used (similar since that particular one got shutdown). Preferably one where i can delete the account once i'm done with it.

I've got a harder time believing the guy couldn't think of that himself. I mean ya can't be dumb if you're a software architect at Microsoft, poor performance or not.

RE: and you believe them??
By inighthawki on 3/21/2014 10:06:23 PM , Rating: 2
You'd be surprised. Some people really know how to make their resumes look way better than they are, and BS their way through certain types of interviews. Plus some people get hired for very specific talents. Maybe he was really really good at one thing in particular, but maybe not so bright in general.

RE: and you believe them??
By Reclaimer77 on 3/21/14, Rating: -1
RE: and you believe them??
By Camikazi on 3/22/2014 12:11:17 PM , Rating: 2
Only time I have seen that message is if I screwed up and didn't set the BIOS right to boot from USB or I was installing an SP1 or lower version of XP.

RE: and you believe them??
By StevoLincolnite on 3/23/2014 3:49:33 AM , Rating: 1
Just the other day I'm installing Windows from a USB thumb drive and the idiotic installer is asking me for CD/DVD drivers even though none present in the machine. I mean, wtf, that is the definition of "dumb" software architecture.

I've had that appear a few times, mostly because Windows doesn't recognize newer SATA controllers.
Throwing the latest drivers from AMD or Intel onto the flash drive fixes it.

RE: and you believe them??
By Reclaimer77 on 3/23/14, Rating: -1
RE: and you believe them??
By inighthawki on 3/21/2014 10:03:40 PM , Rating: 3
There's absolutely nothing wrong with doing this. Not only are the servers, including the storage and service itself, owned and operated by Microsoft and are part of its property, but the person in question has not only committed a crime, but used that service to commit the crime against Microsoft themselves. Microsoft has every right to search the Hotmail account inbox for evidence.

The only thing that stops any company from reading your personal email when they feel like it is a nice privacy policy that kindly states that they won't. Don't fool yourself into believing that any of your personal information is safe anywhere on "the cloud" or on someone else's servers. I would stand behind any company that did this. Be it Microsoft, Google, Yahoo, etc. They all have this right.

RE: and you believe them??
By futrtrubl on 3/21/2014 10:53:42 PM , Rating: 2
Except they had to look in the email account to see if there was a crime. They suspected there was a crime. If the email was on someone else's server would they have been able to get a court order to look at it? I'm not so sure.

RE: and you believe them??
By Alexvrb on 3/22/2014 11:51:10 PM , Rating: 2
Not quite. The blogger showed the leaks to an MS employee, asking for verification that they were authentic. You've got a guy saying "Hey look at this leaked stuff, is this real?" It was reported, MS looked at it and determined it was real - that's pretty solid proof. Now they just needed to track down the source of the leak so they can be dealt with.

Mind you, suspicion alone would have been good enough. Plus since they own the service they aren't going to a court to check for stolen goods. If they did, as has been mentioned, they'd get tossed out for wasting the court's time.

RE: and you believe them??
By Belegost on 3/22/2014 12:18:39 AM , Rating: 2
I use for my personal email, and I actually feel more secure having this public statement of a rather rigorous policy.

I am quite aware that I am using an MS service that they provide to me in a business relationship; that I do not own the email server, and that the TOS I signed to when I opened the account agreed to these conditions. I am free to not use their services if I am not happy with that. And I am free to not use their services for things I consider too sensitive to risk.

Currently this is a stronger statement of privacy than I have seen from Yahoo, Google, or Apple. So while MS may not actually abide by this (though they would risk the PR nightmare that would come if publicized) the competition has not even given this level of assurance.

As it stands, my business correspondence goes strictly through secure (I hope) corporate servers, the matters I discuss on personal emails are not sensitive enough that I feel they warrant worry, and if at some point in the future I do have such correspondence I would look into operating my own private secure email server that I would have control of.

RE: and you believe them??
By Reclaimer77 on 3/22/14, Rating: -1
RE: and you believe them??
By Belegost on 3/22/2014 2:23:40 PM , Rating: 2
The reason the apartment owner can't go through a mailbox is federal postal laws. But they could (with 24 hours notice where I am) come into an apartment and look around. Ultimately renting an apartment does not give the same protections as owning, and depending on the contract signed and the local laws the owner maintains certain rights over the property. I see nothing unreasonable about that, it's his property, if I don't like that I am free to buy my own property and engage in whatever I want there (provided it is within the law.)

Ultimately MS owns the servers and the service - if I don't like it I can take responsibility for running my own email server. Or find a competing service that will give me a contractual guarantee they won't look at my email without a direct court order.

And what proper channels? If I went to a court and said I think the guy I let use my garage is stealing things and hiding them in the cabinets in my garage, can you please give an order allowing me to search my garage? The judge would laugh me out of the courthouse. Unless I signed a contract with the person stating that he had such privacy on the property I own, then he should have no expectation of such, and I have no obligation to give him it.

I would expect you of all people to support the right of a property owner to control what happens on his own property.

And this certainly is a response to the situation, but seeing as this situation had not arisen before why would they have made such statements? I expect this is a statement resulting from internal review of their policies, discussion with their legal and PR teams on the best way to revise their policy and publicize it. Of course they are acting in their own interest, but that does not mean it's meaningless.

RE: and you believe them??
By GulWestfale on 3/21/2014 10:19:08 PM , Rating: 2
for those of you who have trouble with reading comprehension: MS read the emails of a blogger who posted screenshots of a then-upcoming windows release. they searched his emails merely to find out who leaked the relevant information to him. the blogger himself has not stolen anything, is not a criminal and has not been accused of anything.
and even if he were a criminal, it is not for microsoft to judge that, but for a court of law... oh wait, you're american. patriot act, guantanamo... yeah, the law doesn't mean much there, does it?

RE: and you believe them??
By inighthawki on 3/21/2014 10:35:01 PM , Rating: 2
Actually the possession of stolen goods, materials, or information is a crime, and the leaks themselves are proof of that. Yeah sure, they didn't get an A-OK from a court of law to officially say it was a criminal act, but they also don't need to. They have every right to perform a search on their own property to recover information leading to their own stolen property.

RE: and you believe them??
By Reclaimer77 on 3/22/14, Rating: 0
RE: and you believe them??
By inighthawki on 3/22/2014 2:56:25 PM , Rating: 2
At this point no "crime" had been committed yet. You're innocent until proven guilty in a court of law.

A court of law only decides whether you are guilty of a crime, not whether or not the crime was committed.

If they were doing this to aid a police investigation, hey no problem, but they just decided to do this no warrant no court order no nothing.

You don't need a court order to search your own servers. Just as with Google, the only thing that stops them from looking through your email is them saying "I won't." They have every right to do so for whatever reason they so choose. So does Google. So does Yahoo. And so does any private business for their employee's emails on their own company servers.

RE: and you believe them??
By name99 on 3/22/2014 2:02:12 PM , Rating: 2
Possession of stolen "information" is a crime? Don't be insane.

If that were true, I could put everyone in prison right now. I tell you something that's secret (perhaps even against your will --- I just include it on a web page you see, or shout it at you) and, oops, now you are in possession of "stolen information".

The closest you can get is that there might be some sort of "KNOWING DISSEMINATION of UNLAWFULLY ACQUIRED INFORMATION" but even that is a hell of a stretch.

The way this works in the real world is that if you want to keep something secret, you keep it secret. Once it leaks out, tough --- freedom of speech says that, for the most part, I can damn well repeat what I heard as much as I like.
If you need commercial information of any sort to remain secret you do so through NDAs [which mean you punish the person who LEAKED it, not the person who HEARD it], and which is a civil, not a criminal, matter; or you don't keep it secret but retain control through copyright and patents.

RE: and you believe them??
By Alexvrb on 3/21/2014 11:34:56 PM , Rating: 4
You're leaving some data out. The blogger contacted another source at MS about the leaks, asking for confirmation that they were authentic. This employee reported it to his superiors, and MS verified that the leaks were authentic. Now they had proof of criminal activity, and just needed to track down the source. The blogger was using a Microsoft Hotmail account to communicate with the leaker.

If he/she was using a service owned by a different company, they'd have to get a court order. Such a thing isn't necessary if it's your service and you already have access to the data, as the article above explains. This scenario would play out the same anywhere, but nice hate speech anyway. Plus you're confusing potentially unlawful acts of the government with legal acts of a private company.

RE: and you believe them??
By Solandri on 3/22/2014 12:46:55 PM , Rating: 2
I think the problem is people still think of email in terms of how physical mail works. Even though the mail is stored on MS servers, they still think of it as "their" email. Just like even if your letter is stored at the USPS during transit, it's still "your" mail.

I've been on the Internet since the 1980s, and one of the first things they ground into your head back then was that email wasn't secure. It was more akin to sending a postcard than a letter, so during transit (or now due to the prevalence of webmail, when stored) anyone who looks can read the contents. In fact I vaguely recall some students planning to cheat on a test being busted when the school simply read the emails they'd been sending each other. (Back then all emails were stored on and sent by servers. You had to connect to the server using a terminal to use it. Network cards were too expensive to make it worthwhile for every PC to have one.)

But since the Internet has exploded, the vast majority of people think of email as more like postal mail. They think that the email is "theirs" even though it's being stored at and delivered by third parties. There's an unsubstantiated expectation of privacy, when you really shouldn't expect any. Even if Hotmail, Gmail, and Yahoo institute strong email privacy policies, don't think your mail is safe. Anyone can read your mail while it's in transit. The NSA probably collects network traffic from the major peering sites - where the network trunk lines meet. So even if they can no longer read your email at Gmail or Yahoo or Hotmail, any mail sent between those services is like an open book.

RE: and you believe them??
By HostileEffect on 3/22/2014 1:03:58 PM , Rating: 2
Write your email offline, encrypt and sign with GNUPGP. If you gave the recipient a key in person, then your comms are relatively safe.

This doesn't take into account screen grabbers, key loggers, NSA, CIA, FBI, or any other criminal organizations installing physical devices nor hardware back doors paid for by uncle Sam.

RE: and you believe them??
By name99 on 3/22/2014 2:09:19 PM , Rating: 2
Now they had proof of criminal activity, and just needed to track down the source.

This is not at all clear. What they have evidence of is that someone outside the company knows information that should have remained inside the company. Leaking information like that is usually NOT a criminal matter, it is a civil matter. That's why you sign various NDA agreements when you join a company --- you are engaging in an agreement with the company to not do certain things. You don't sign similar documents saying that while on company premises you agree you won't murder or rape anyone.

This is an important technicality because the claims about "well if we had gone to a court they would easily have given us a court order" are more than a little suspect. Court orders are reasonably easy to get for criminal matters, but not quite as easy to get for civil matters. The courts don't want anyone to be able to claim, on the basis of some minor contract disagreement with anyone else, a right to now be able to trawl through their entire online and offline life.

RE: and you believe them??
By Alexvrb on 3/23/2014 12:06:46 AM , Rating: 2
The original DT article sure made it sound like code was leaked. Is that not the case?

Anyway, they own the service. Mailing confidential MS stuff to someone using an MS mail service is like a Facebook employee posting a leak... on a facebook page. Brilliant! Next time leak it by a more anonymous method... make them work a bit harder before firing your rear.

RE: and you believe them??
By Labotomizer on 3/23/2014 3:58:23 PM , Rating: 3
If you've ever dealt with legal discovery surrounding a civil suit then you would sing a different tune about how difficult it is. The best you can hope to do is when a judge decides that you need to present X keywords in a date range is to show justification that it's cost prohibitive. It's how we've gotten out of it before. Didn't change the fact that the judge had no issue doing it.

I had a client in Houston where a divorce court ruled that the husband's corporate email go through legal discovery. Fortunately the nature of their business dictated this wasn't something they could do for a divorce hearing having nothing to do with the company. However, getting out of it and having the corporate attorney fight it didn't come cheap either.

If you're using a free, public mail server you shouldn't expect privacy. Hell, it's called "Public". Now if MS were searching Office 365 mailboxes this way it would be a different story. If Google got busted searching Google Apps mail accounts that would be a problem too. That's not the case here. It's a free, PUBLIC mail server. I don't expect privacy walking down the street in downtown, why do people expect privacy when using public internet services? Idiots.

By name99 on 3/22/2014 1:31:16 PM , Rating: 2
He goes on to explain that the company will separate the legal team from the audit team, and that if an employee is suspected of criminal activity on a work account, the auditors will have to justify to legal that a warrant would be issued, were the account with a different company.

Since you're so easily impressed, Jason, perhaps you'd like to buy this Chinese wall I have in my possession...

RE: Hmm
By taconite on 3/24/2014 11:05:42 AM , Rating: 2
It's a hologram provided by Goldman Sachs.

By bug77 on 3/22/2014 5:24:46 AM , Rating: 2
Missing the point
By name99 on 3/22/2014 1:45:13 PM , Rating: 2
Oh, and Apple definitely has no compunction with reading employee email.

The complaint here is not that MS read an employee's mail --- no-one expects otherwise for corporate mail in the US, whether or not you like this fact.

The complaint is that MS read the BLOGGER's mail (ie the RECIPIENT from the employee).

Until you have a comparable example where Apple reads a NON-employee's email on its servers, you're simply making unsubstantiated insinuations. (And the example you give in your link is hardly a case of "leaking". Selling business information for private profit is hardly what most people think of when they hear the term leaking...)

By Monkey's Uncle on 3/24/2014 10:50:33 AM , Rating: 2
After being contacted by a French blog asking if a leaked build of Windows 8 was authentic, it turned out it was and that the leaker had used a Hotmail account. The only problem? Microsoft owns and operates the Hotmail service (Hotmail was recently replaced by, but the branding is still living on in some regard). So it performed an internal audit and identified the leaker as Alex Kibkalo, a software architect who was allegedly disgruntled over a poor performance review.

makes you wonder how closely Microsoft looks at the quality of the people it hires to be their software architects. I mean c'mon! Using a hotmail account to leak a bootleg copy of Windows? I hope this guy did not pass stupid genes on to his kids.

Obvious solution
By taconite on 3/24/2014 10:55:40 AM , Rating: 2
In the past, mail was carried by a government division, the U.S. Postal Service, and they had a duty not to read the mail. Now it's in private hands and look what happens. Why can't we go back to the old way?

By jnemesh on 3/24/2014 11:32:01 AM , Rating: 1
IMMEDIATELY after they are caught rummaging through a French blogger's personal email account, without a proper warrant? Sure, they adhered to the letter of the law, and the TOS that the user agreed to, but it's still a violation of privacy. With this latest revelation, in addition to the revelations of NSA complicity, I will NEVER trust MS with anything, give them one RED CENT of my money in the future, or support them in any way, shape or form. They are dead to me.

Copyright 2016 DailyTech LLC.