back to article Microsoft: Let's be clear, WE won't read your email – but the cops will

Microsoft has today performed a second volte-face in the Hotmail scanning scandal, and this time it looks serious. There was uproar after the software giant revealed it had rummaged through a blogger's Hotmail inbox to snare an employee who had allegedly leaked pre-release Windows 8 software. Microsoft runs Hotmail as part of …

COMMENTS

This topic is closed for new posts.
  1. tom dial Silver badge

    Shame

    "We've entered a 'post-Snowden era' in which people rightly focus on the ways others use their personal information ..."

    No. Snowden's activity, whether one thinks it good or bad, has nothing do with this issue. Microsoft's action in this case should, and probably would, have have been considered out of bounds 10, 20, or more years ago. If they had a problem with their employee or contractor releasing proprietary information in a way that violated a law they ought to have filed a complaint and let the authorities get whatever warrants or subpoenas might be needed, against services they operate as well as others. They acted like police, but are not, and so earned whatever opprobrium they receive.

    However, I expect Mr. Smith expressed his only true concern in the quote at the end of the article: "... companies now recognize this is a market issue for them."

    1. Chris Miller

      Re: Shame

      Leaking IP is (generally) not a criminal offence - law enforcement would laugh at any such request. But if an organisation suspects that someone is leaking proprietary information, you can bet they'll be going through their email and other Internet logs - and if they find who it was, said person will very soon be sitting outside the front door holding a cardboard box of their belongings, with a surprised expression on their face. If you don't think that can happen to you, I suggest you read your employment Ts&Cs again.

      Most organisations don't host a public email service, so Microsoft have additional PR concerns to worry about. But any such provider is bound to respond to legal requests from the appropriate authorities. You would rightly expect your bank to keep your account transactions private, and if they negligently disclosed them you would be entitled to compensation. But faced with a court order, they will hand them over to the authorities. And that's just as it should be.

      1. Robert Carnegie Silver badge

        Re: Shame

        The story seems to be that they found Microsoft secret information (that Windows 8.1.1 is still making users cry?) by opening the Hotmail e-mail of the non-employee blogger that it was leaked TO.

        To do this, presumably they went through every other Hotmail user's e-mail, as well.

        In other news, using Linux is considered to be stealing from Microsoft. Anyone receiving e-mails that mention Linux will henceforth be billed for damages. Welcome to what always was a post-Snowden world, only now you know it. (Which is what post-Snowden really means.)

        1. Mikel

          Re: Shame

          @Robert Carnegie

          Apparently the blogger in question was unwise enough to solicit comment on the leak from a Microsoft employee using the very same Hotmail account he had received the illicit materials on. I am not a Microsoft defender by any means, but this suggests that a broad sweep of Hotmail was not necessary.

        2. Anonymous Coward
          Anonymous Coward

          Re: Shame

          "presumably they went through every other Hotmail user's e-mail, as well."

          No, Microsoft knew who their target was. If you want to be SURE your email company reads your email then you need a GoogleMail account...

          "using Linux is considered to be stealing from Microsoft"

          Copyright and IP infringement is not theft.

          However Linux likely does have lots of third party IP in it. The "free" model bypasses most of those issues as it is hard to demonstrate damages.

        3. big_D Silver badge

          Re: Shame @Robert

          the so-called blogger asked a friend of Steven Sinofsky, then head of Windows, for some help deciphering some of the source code in the MS activation server technology.

          The friend passed the email onto Sinofsky, who handed it onto the security team, which then got approval from the legal bods to look at that 1 account to see if they could find out where the leak was coming from...

      2. tom dial Silver badge

        Re: Shame

        Company owned and operated email for business purposes is one thing, and the company, as the employer, has the right (confirmed, I think, by court decisions) to examine company supplied email accounts that were established for the conduct of company business. The case in point, however, seems to concern a commercial email service that the company provides to non-employees and employees alike as customers. Microsoft's reported actions went well beyond what an employer is entitled to do: they were equivalent to Microsoft searching the gmail account of an employee or contractor.

      3. Tom 35

        Not quite

        "said person will very soon be sitting outside the front door holding a cardboard box of their belongings"

        1- it was not the employees email account, it was a blogger's.the employee used a mail.ru account.

        2- The employee didn't end up fired, they some how ended up locked up in the US.

    2. Ole Juul

      Re: Shame

      @tom dial: I wish I could give you a couple more upvotes. That was a particularly insightful post that cut right through the smoke.

    3. Anonymous Coward
      Anonymous Coward

      It's a simple matter in the UK

      We are talking about a service offered by the company to third parties, and the fact that the 3rd party in question is a member of staff is actually irrelevant. In the UK, Microsoft would have broken the law accessing that account. A company has no right to act as if it's law enforcement (that's one of the main reasons I vehemently disagree with imposing filtering obligations, it's IMHO the thin edge of the wedge), and the only way this could have been investigated is indeed by law enforcement.

      Off the top of my head, this would not only be violating privacy (which would be at best a slap with a wet noodle for all the power the Information Commissioner has at the moment), but also a criminal offence under the Computer Misuse Act as it's accessing IT resources without authorisation.

      But hey, it's the US. They seem to have pretty much reverted to the Wild West approach of law enforcement, with the man in the street having as much in the way of rights as the former Indian tribes.

      /sarcasm

      1. Chris Miller

        Re: It's a simple matter in the UK

        the fact that the 3rd party in question is a member of staff is actually irrelevant relevant if said member of staff has given permission for their email to be accessed in this way as part of their employment contract (and, these days, the vast majority will). I admire your libertarian sentiments as regards web filtering, but if I'm providing an Internet service so you can do your job, I reserve the right to control what can be accessed when. Even if it's just blocking timewaster.com or online betting sites.

        15 years ago, we were contacted by the police who had found one of our staff posting stuff on Islamic web sites and chat rooms about killing kafirs. Needless to say, he was shown the door pretty swiftly. Imagine if he'd been storing stuff on our servers.

        1. ratfox Silver badge
          Stop

          @Chris Miller

          > the fact that the 3rd party in question is a member of staff is actually relevant

          Read again. They accessed the emails of somebody who was not an employee, not a contractor, and who had no relationship at all with Microsoft. He just happened to have information sent to him by a Microsoft ex-employee.

          1. big_D Silver badge

            Re: @Chris Miller @ ratfox

            the "ex-"employee was a current employee at the time the offence took place.

            Although it was the French bloggers fault that it came to surface, he used his Hotmail account to contact a friend of the head of Windows to ask some questions about the source code for the MS activation server. The friend passed it on to MS...

      2. nickety

        @AC #2148573

        > In the UK, Microsoft would have broken the law accessing that account.

        You haven't indicated what law you suggest Microsoft would have broken. I think you might have been thinking of either:

        * the criminal offence of "unlawful interception" under section 1 of the Regulation of Investigatory Powers Act 2000;

        * the civil "duty ... to comply with the data protection principles" under section 4(4) of the Data Protection Act 1998; or

        * the equitable doctrine of "breach of confidence"?

        By storing Hotmail emails in a form that they can access, Microsoft "intercepted" them; however, the interception was lawful under section 3(3) as Microsoft provide the (Hotmail email) service and the interception was "for purposes connected with the provision or operation of that service". Once lawfully intercepted, RIPA does not restrict what can be done with the data.

        Microsoft also complied with the data protection principles, as their actions fell within their terms of service (with which Hotmail users explicitly agreed in signing up to the service). For the same reasons, they would not have breached any confidence.

        There may be other relevant laws in England & Wales of which I'm not aware and, given that I know very little indeed about Scots law, Microsoft might well have broken some law up there. If you know the specifics, I would be very interested to learn more!

  2. Combat Wombat

    *sigh*

    Time to start hosting my own mail.

    1. Anonymous Coward
      Anonymous Coward

      Re: *sigh*

      It always was that time.

    2. Voland's right hand Silver badge

      Re: *sigh*

      Was there any time not to?

    3. John Brown (no body) Silver badge

      Re: *sigh*

      We seem to go through this whole process on a regular cycle.

      Way back in the mists of time there were minor outcries when one or two people actually bothered to read the T&Cs of the like s of AOL and Geocities and suddenly realised that AOL and Geocities were pretty much claiming all rights over all data stored on their servers, including mail.

      We've seen similar more recently with the likes of photos sharing sites and various "social media" sights making similar claims over user data including the use of photos of and owned by minors in publicty campagnes.

      As has been stated so many times on these august pages, if the service is free, then the user is the resource for sale.

      I'm not even sure anyone can claim an "expectation of privacy" since they ony have that expectation because they didn't read the T&Cs they agreed to when the signed up.

      TANSTAAFL. You always pay, one way or another, just not always with cash.

    4. Anonymous Coward
      Anonymous Coward

      Re: *sigh*

      I always have done. Gets a bit more expensive with the demise of Technet though!

  3. M Gale

    In other words...

    ...they got caught with their hands in the cookie jar but hey, look at Google! Yeah, over there! They.. uhm... drove around with airodump-ng running! They have bots that fling adverts at you based on keywords! The bastards!

    Scroogled, indeed.

    1. Jyve

      Re: In other words...

      What I find interesting about the Scroogled campaign is it reflects (and always has) worse on MS than it has on Google. And now with this, and Scroogled often being mentioned in the same articles, it continues to draw attention to MS.

      Now, yesterday was;

      http://www.forbes.com/sites/emmawoollacott/2014/03/27/microsoft-wins-battle-over-scroogled-ad-campaign/

      "Two people complained about the ad, pointing out that Microsoft scans the content of emails too. But the ASA ruled that, because this scanning was for the purposes of eliminating spam rather than targeting ads, Microsoft wasn’t being hypocritcal."

      Sure more news companies will draw attention MS probably didn't want. They don't scan for ads, they manually read/snoop on your email.

      1. M Gale

        Re: In other words...

        I find it mildly amusing that the guy who got spied on and fired should have gone with Google if he wanted privacy.

        1. Anonymous Coward
          Anonymous Coward

          Re: In other words...

          Read the bloody article. The guy who was spied upon was not a Microsoft employee, and did not get fired. He was a blogger who got sent secret information from an ex-Microsoft employee, and happened to have an email account on Hotmail.

          1. tom dial Silver badge

            Re: In other words...

            @AC: "The guy who was spied upon was not a Microsoft employee, and did not get fired. He was a blogger who got sent secret information from an ex-Microsoft employee, and happened to have an email account on Hotmail."

            True enough, but could Microsoft have done to a gmail account what they did with his hotmail account? I do not think so. The earlier comment was incorrect in detail, but the main point certainly was not.

  4. Mikel

    Oh darn

    I was hoping they would stick to their guns on this one.

    1. Mark 85 Silver badge

      Re: Oh darn

      I was hoping they would stick to their guns on this one.

      I was hoping they would stick their guns.

      FTFY

  5. Vociferous

    Wasn't what Microsoft did illegal?

    Mail account hacking is illegal in most parts, why is Microsoft getting away with a change of policy after the fact?

    1. This post has been deleted by its author

  6. Frank N. Stein

    Looks like leaking of Windows 8 info didn't do Microsoft any favors. Took them long enough to bring this to light, long after Windows 8.1 and Surface tablets flopped in the market place. Bringing this up now and the fact that Microsoft attempted to act like Apple security acts, when Apple loses an iPhone prototype. That hasn't helped anyone believe that they can trust Microsoft anymore than anyone can trust Facebook to care about user privacy.

  7. Marketing Hack Silver badge
    Windows

    I'd have to wonder about the smarts of a leaker...

    Who leaked MS' intellectual property to a web services account controlled by MS.

  8. frank ly

    I'm slow to notice things

    " ...we started using cloud email in the 1990s ..."

    I thought the 'cloud' was a shiny and new thing.

    1. Marco van Beek
      Windows

      Re: I'm slow to notice things

      Only the word is new. Frankly most things called Cloud are all 10 to 20 years old. Those that aren't are 30 to 40 years old.

      Yes, why invent something new when you can just rebadge the old stuff with a shiny new name.

      1. M Gale

        Re: I'm slow to notice things

        Those that aren't are 30 to 40 years old.

        And the rest.

        You could argue that Compuserve, initially set up to lease out the spare computational capacity of a very powerful business machine, was one of, if not the first "cloud provider". Sounds very similar to how AWS started, doesn't it?

  9. Uffish

    Let's be clear...

    ... I still have no reason to believe any company would put the interests of a customer before its own interests.

    Mobile phone tapping, wiretapping and reading paper-in-an-envelope mail is illegal*, stalkers can be taken to court; when will personal internet traffic and activities have the same overall protection.

    *court order aparts etc.

    1. Vociferous

      Re: Let's be clear...

      > when will personal internet traffic and activities have the same overall protection

      Clearly never, as there is no public opinion for privacy and all government and corporate entities benefit from the current state of affairs.

      That said, the hacker who figured out the password to Sarah Palin's Yahoo mail account was sentenced to one year in prison. I feel whichever Microsoft exec who took the decision to hack this guys account has committed as great, or greater, intrusion.

  10. malle-herbert

    "when will personal internet traffic and activities have the same overall protection"

    never...

    Because it's pretty easy to simply change the goal-posts

    after being cought red-handed...

  11. Michael Habel Silver badge

    Anyone who wants to read my friends facebook blurbs, and associated spam is more then welcome too....

  12. JaitcH
    FAIL

    Not me: I use Tor, PGP and air-gapped MS Office

    No longer can the cops and Plod demand things ad nauseum, the general public has learned much since World Hero Snowden released his NSA library.

    It seems only just that if they want to see my stuff, they have to work their buns off for it. Somewhat of a self-defeating exercise, though.

  13. Rallicat

    So, judging by the comments here, despite Microsoft going out of their way to tighten up their privacy, that's still not good enough?

    This really is conspiracy theory territory we're in now. Microsoft can't win because despite zero evidence to support the position, people still believe Microsoft are the bad guys. I can only hope that the tin foil hat wearers are still in the minority.

    1. Trevor_Pott Gold badge

      "So, judging by the comments here, despite Microsoft going out of their way to tighten up their privacy, that's still not good enough?"

      Microsoft are not going out of their way at all, and they certainly aren't tightening privacy nearly enough. They also are one of the few major technology companies not out there fighting the good fight to the tune of a few billion to ensure that their lobbying might is used to pressure the government into reducing the instances where our mails can be read by busybodies or spooks to as near zero as is realistically possible.

      In addition, Microsoft have the technology available to them to decouple their cloudy services from America, but choose not to. They have this "cloudOS" thing: install a private cloud on your own servers, on the servers of service providers, or use the Microsoft Azure public cloud. But they don't offer Office 365 for Service Providers. They don't offer the backend for Hotmail or many of the other "cloudy" services. If you want this stuff your only choice is an American company, and that is completely, utterly and totally unacceptable.

      If I am going to shot my stuff int eh cloud it will be with a Canadian (or Swiss) company that hosts in Canada (or Switzerland) and has no American legal presence what soever. Zero legal attack surface in the USA is the only acceptable means to obtain privacy. Microsoft can choose to do this tomorrow. Until they do, they absolutely haven't done enough.

      "Microsoft can't win because despite zero evidence to support the position, people still believe Microsoft are the bad guys."

      Microsoft are the bad guys. Microsoft have repeatedly said "fuck you" to developers, customers and partners. It isn't ever any one thing with them...it's the hundreds and thousands of things over the years that ultimately boil down to their attempt to force the market to conform to their wishes instead of finding out what the market wants and providing that.

      I could provide Microsoft with a list of over 100 specific action items that would not only rebuild trust amongst developers, partners and customers it would increase their profits and ultimately serve their long-term strategic interests. I have to believe that Microsoft, for all it's money, has people smarter than me working for them. Thus it is that I am absolutely Microsoft chooses not to implement any of the tactical changes required to rebuild trust. From that I deduce that they don't give a bent fuck about developer, partner or customer trust.

      We are, to Microsoft, their chattel. We exist to serve them. They have forgotten that in markets where competition exists, the exact opposite is true.

      1. Baskitcaise
        Thumb Up

        Bravo!

        See title.

        Where is the "Applause" icon when you need it?

        A thumbs up will have to do.

      2. tom dial Silver badge

        @Trevor Pott

        Well said, indeed. However, while abandoning the US and US companies may give protection from untrustworthy companies and some protection from legal process, it is unlikely to bring much real protection from the signals intelligence activities of various governments, including yours and mine. Most of the attention has been on the NSA and, somewhat less, the UK GCHQ. However, Canada has the CSEC and its own FISC-like secret courts, and I expect that Australia and New Zealand are not much different. Germany, Iceland, and Switzerland seem like they might offer privacy protection against legal process. No matter where data are stored, however, they are potentially vulnerable to extralegal access - by governments, criminals, administrators (e. g., Edward Snowden), and others. Those connected to the internet are potentially vulnerable from anywhere on earth.

        My personal conclusion is that information I wish to keep private is best kept on my premises, on either paper or systems that I maintain, protected by a combination of firewalls that I configure, air gaps, and encryption. And I know that if I become a target much of that may be worthless, whether because I have to choose between giving it up and jail or because someone who wants it badly enough (not necessarily my government or any government) can circumvent my technical protections. I think the same is true for companies.

        1. Trevor_Pott Gold badge

          Re: @Trevor Pott

          "However, Canada has the CSEC and its own FISC-like secret courts"

          Wrong. We have CSEC, but no secret courts. CSEC still works out in the open, and our Supreme Court has absolutely zero issue with slapping those bastards - or the conservative government - upside the head with a trout if they get out of line.

          Besides, even if we did have secret courts, they'd be our secret courts, not American ones. The only laws in play with be those of my own nation. That's a huge difference, especially as regards my legal, moral and ethical obligations to protect the data of my clients.

          As for Switzerland, their legal processes regarding privacy are far better than anywhere else. I trust them more than any other country on earth, and far more than I trust America or Americans.

          It isn't about keeping the information secret, it's about due diligence. It is about doing everything I can to keep that information away from those who would misuse and abuse it. America has misused information, is misusing information and will misuse information in the future. That country nor her people can be trusted. They conduct economic espionage even against their allies, and they spy on innocent civilians (even amongst their allies) and then hand that data off to people like their bottom-of-the-barrel border patrol. There, power corrupts quickly and absolutely.

          So even if Canada's spooks are just as secretive (and I don't believe that for a second), Canadians and Canadian data have a path to address any issues within the framework of Canadian law. We have no rights and now powers to address abuse by Americans...and abusing information is simply what they do down there.

          1. tom dial Silver badge

            Re: @Trevor Pott

            Canada has "designated judges" who meet in secret (in a bunker, according to the CBC program aired in Utah last Saturday) and issue decisions as secret as those of the US FISC. It appears to me that Canada has pretty much the same types of control on CSEC as we have on the NSA.

            Consider

            http://www.cbc.ca/news/world/secret-surveillance-courts-in-u-s-and-canada-explained-1.2591337

            and http://www.cbc.ca/day6/popupaudio.html?clipIds=2445314567 for the audio.

            The first ~half is about FISA, and the remainder about the Canadian analogue.

            Governments will be governments.

            1. Trevor_Pott Gold badge

              Re: @Trevor Pott

              So far as I understand, the judges who review national security issues have an extremely limited mandate, and their decisions can be challenged in the Supreme Court. (Though the hearing will be sealed until the court makes a decision.) The laws they implement aren't secret, nor are the legal interpretations they arrive at. What is kept secret (for obvious reasons) are the details of cases involving national security.

              What should be pointed out is that these judges don't exist simply to rubber stamp requests for spying. They handle all cases involving national security. In any rational world, it makes perfect sense for such a panel of judges to exist, so long as there exist concepts such as "national security."

              I've never had an issue with the concept of a court that handles secret things. I've had all sorts of issues with how those courts are run, specifically, the ability to challenge decisions and the ability to even gain access to the results of past judgements. I.E. are the people expected to be held to the standards of what amount to secret laws?

              There are lawyers in this country with security clearance. Even if their clients cannot be party to a a suit, they can be represented appropriately.

              Have the conservatives done a shitload of damage to our rights and freedoms since taking over? Yes...but the difference between Canada and the US is that we can (and do!) challenge this crap in court...and win. The conservatives try to give sweeping powers to CESC and CSIS; the Supreme Court kills the laws on constitutional grounds and then makes the government go back to the drawing board and come up with something that's actually constitutional. It doesn't take decades here; it takes only a few years.

              More to the point, to my knowledge there is no concept of "you aren't able to sue the government for that because you aren't clear to see the information about whether or not you have standing." If you believe there's something untowards going on, you can get a lawyer with clearance and the trial can be held, even if you cannot yourself participate. (Bizzare, but there it is.)

              And if the government loses one of those...it isn't covered up. If the government does something unconstitutional then it must be declassified. At least, such is the theory. We are currently seeing how this will all play out in practice.

              I agree wholeheartedly that governments will be governments, but the separation of powers still exists here in Canada, despite the PMO trying to eliminate it. The government can be as corrupt as it wants, the court will slap them down and the mounties will still haul their asses off to jail one asshole at a time.

              Ultimately, there's the difference. I don't believe for a second in the American courts. I don't believe for a second that they will stand up for your rights or freedoms. Your government has gotten away with obliterating the fourth amendment of your constitution without a fight and they are working damn hard at obliterating the first.

              My government would like to do the same thing. Our courts repeatedly deny them the option. For now, at least, there's the gap: we are still nominally in control of our government.

              It's getting worse. Day by day. Conservative judicial appointment by conservative judicial appointment. But we're a long way from as corrupt as America. A long way.

              1. tom dial Silver badge

                Re: @Trevor Pott

                The description here of the Canadian designated judges' actions is quite different from David Frazier's description on the CBC program I heard, of ex parte hearings, decisions as secret as those of the FISC, and CSEC opinion that it does not need court approval for metadata collection.

                As I have no direct knowledge, I shall leave it at that except to note that Mr. Frazier is an attorney specializing in matters relating to the Internet, technology, and privacy.

                1. Trevor_Pott Gold badge

                  Re: @Trevor Pott

                  My understanding of how this works comes from reading Michael Geist's blog (he's a PhD who makes it a business to know about such things) and talks with the OpenMedia.ca folks. (Digital media lobby here in Canada.)

                  You are 100% correct in that CSEC believes it does not need court approval for metadata collection. This, however, is in violation of our charter of rights and freedoms and is currently winding it's way through court. Unlike in the US, we can challenge activities of our spooks, even when they are "secret."

                  Again: hearings are indeed held in secret when national security is on the table, (as is logical) and the only folks in the room as those with security clearances, but the forms and rules of a proper trial are followed. It is not a deliberation by judges nor dictation by fiat.

                  How secret decisions are allowed to remain is currently under review by both politicians and the judiciary. There is an acknowledged requirement for some decisions to remain secret while national security interests remain active, however, pretty much everything about the rest of our laws says no judicial decisions should ever be private.

                  The generally agreed upon middle ground is that decisions will be reviewed regularly and declassified as soon as possible instead of kept classified for decades past any possible relevance. Who exactly sits on the review panel and the frequency of reviews are currently the subject of political manoeuvrings, but the government has been warned that the judiciary will brook no US-style "forever secrets" in order to cover up political blunders or breaches of law by the government.

                  So yes, things are not as open as I would ideally like, but our judges are still pretty firm on the concept that nobody - from spooks to politicians - is above the law. The spooks disagree, and the next two or three years of suits about this will be quite entertaining...but at least we can take the bastards to court here.

                  What's really interesting is the push from many politicians - and several members of the judiciary - to have foreign data stored within Canada given the same rights and protections as data belonging to Canadian citizens. America barely acknowledges that non-Americans deserve basic human rights; There is basically zero chance that within my lifetime the USA is going to declare that I, a dirty furriner, have the same rights to privacy, due process and so forth as an American citizen.

                  So yeah, Canada has a ways to go to clean this up, but I think we're on the right track towards a more free and equitable society. Unlike the US, I think the worst of this big brother bullshit is behind us here.

                  I don't believe that this is being done (from the political side) because of morality and goodwill. I think that politicians are biting on this because they see a real economic advantage to cultivating high privacy standards here in Canada. "Put your data on this side of the border, eh? We're close enough to the yanks that you can suck the money out of 'em, but our laws are ever so slightly less asstastic."

      3. James Pickett

        "they don't offer Office 365 for Service Providers"

        BT use it for their 'btconnect' email - is that not the same thing?

    2. tom dial Silver badge

      Microsoft seem now, on the third try, to have arrived at a reasonably correct position they really ought to have been able to figure out on the first.

  14. Paul S. Gazo
    WTF?

    I see that this isn't going to be a popular view but I'm not sure I see where the problem is.

    A Microsoft employee used a Microsoft-owned mail service to leak Microsoft-owned IP. Microsoft later found out this now ex-Microsoft employee had done this, so they reached into the Microsoft-owned mail storage to obtain evidence of the leak. Once Microsoft had isolated the mails stored in the Microsoft-owned mail service, they handed them over to law-enforcement for laws to be enforced.

    I don't see any need to complicate things here. An employee acting in violation of their employer's policies who uses their employer's resources to do so shouldn't have any expectation that the employer won't use every resource they have ownership of to deal with them.

    This isn't about your e-mails to your grandmother. This isn't about you at all. This isn't even about privacy. It's about a moron who used a VoIP-provider's VoIP service to phone in death-threats to his boss. Even if he was paying for said VoIP service, if his boss recognizes his voice, he should expect the logs to be pulled and (if such a thing were done) recordings to be listened-to.

    1. Yet Another Anonymous coward Silver badge

      An ex-Ford employee is believed to have leaked info - so Ford use a master to key to open all Fords in the UK and search through them for evidence ?

      1. John Brown (no body) Silver badge
        FAIL

        "An ex-Ford employee is believed to have leaked info - so Ford use a master to key to open all Fords in the UK and search through them for evidence ?"

        Not sure why you got so many upvotes for a clearly wrong analogy. Ford DO NOT own those cars. Your analogy would be more akin to MS reading your locally stored emails in an Outlook mailbox. There's also no indication in the story that MS went trawling to find the bloggers mailbox. It's more likely they followed a trail.

        Shit. I can't believe I've now posted three times in here to defend MS. That must be an indication of the level of fuckwittery being posted by "outraged" Hotmail users.

    2. Uffish

      Re: (un)popular view

      If you have a safe deposit box in the local bank for your legal papers, a few gold bricks and your wife's vast jewel collection you would be a bit miffed if you found that the bank had opened a bunch of the boxes without any consultation or court order simply because one of their employees had misappropriated some of the bank's money and given it to someone with a box at the bank.

      It has been a long standing practice for organisations to provide services whilst keeping their noses out of other people's business. Just because internet based services were put together in a rush and legislators are slow to catch up with reality there is no reason whatever to continue with the crap privacy arrangements.

      No one is castigating Microsoft for moving in the right direction, no-one is castigating Google for publishing its 'Do no evil' policy (well, we might laugh at it's childishness, but it was a step in the right direction). But the industry will have to get its house in order before long. Microsoft knows that, Google knows that, Facebook probably thinks they can move fast enough when the time comes.

    3. Peter Gathercole Silver badge

      @Paul S. Gazo

      I don't think you've followed the story.

      I totally agree that Microsoft have the right to scan their employee's work provided mail account.

      But that does not appear to be what they did. They scanned one or more of their customer's mailboxes, and used that to identify which employee was the culprit, and then provided that information to the police. So it appears Microsoft provided the private mail of one of their customers to the law enforcement agency without a warrant. Now, it's not clear whether the mail provided to the police was the mail from the customer's inbox, from the outbound mail transmission log, or the employee's outbox. You would have to look at the headers on the mail the police were given to be sure. If it was from the outbox or the transmission log, then that is within Microsoft's internal domain. If it comes from the customer's inbox, then it is not, even if it is hosted on a Microsoft mail server.

      I agree that you would be stupid to expect that mail travelling through any part of the Internet is particularly safe from prying eyes unless you encrypt it, but you would not expect the mail host to use your (as a customer's) mailbox to as evidence against either you or someone else without the correct legal authorization.

      Reading between the lines, the article suggests that Microsoft may have scanned many of their customers in order to identify who had received the mail. Without a warrant, that may be illegal, but difficult to prove, because an mail service provider must have the right to read their mail server's contents, at least for backup purposes. How different is that to grepping (I know, it's Microsoft, but grep means more than just saying find) a phrase from the mailboxes. Not really any different at all. It's not like anybody is reading and comprehending the mail.

      So nothing that's happened is definitely illegal, but some of it is definitely questionable.

    4. Vociferous

      Well, the problem is simply this: if you own a road, that does not mean you own the cars on it. Microsoft owns Hotmail, but does not own the messages passing through it. Employee X mailed secrets to person Y, and Microsoft (without a warrant) read person Y's mails -- this is a federal crime. Admittedly a misdemeanor, but the person who figured out Sarah Palins mail password and read her mails was sentenced to one year in prison.

      In addition to that, the fact that it was at all possible for Microsoft to read its users mails suggest that the service is badly designed, not to mention unsecure.

      That Microsoft after the fact realized that it had committed a federal crime and changed its policy to preempt being sued, does not exonerate Microsoft, or even reflect well on the company.

  15. Jim 59

    Good Grief

    Surely a deal of naivety on display in this article and the comments. Most jobs I have taken, and internet services I have signed up for, always contain a clause about "all bets are off if you break the law", ie. your data is private but not if you use it to steal, plan a bank job, or whatever, in which case it goes straight to the local police. Would you honestly expect otherwise ?

    On the employee side, would it be reasonable, for example, for a guy to work for Siliconchips.inc, and secretly ship the company's designs to a confederate in Somalia, and then start blubbering when the company gets suspicious, reads their coorporate email and finds out ? WTF ? Employee used company time and property (mail system) to break law (steal designs), threatening the company's future and the livlihoods of everyone who works there. In my view it is fine to snoop the mail in this case and in the Microsoft case, and probably entirely legal but I'm no expert.

    "By going into Hotmail without a warrant and turning over some of the contents to the police they really challenged their users' expectations about what level of privacy they were going to get out of Microsoft," ...Kurt Opsahl told The Register"

    Oh stop it Kurt. Stop it. If anyone has expectations of serious privacy in this area, the expectations are unwarrented and bizarre, the the individuals are in need of some education. In fact they are probably still at school. If you want privacy, do what everybody does: use PGP, TLS and a host of other apps designed for the purpose. A whole industry is waiting to server your privacy needs.

    1. Anonymous Coward
      Anonymous Coward

      Will you read the goddam article?!

      The person whose private email was read had not broken the law. There is no law against receiving email containing secret information about a company you have no relation with.

      I'll explain it more simply so that you will understand: A Microsoft employee sent an email containing secret information to a third-party blogger. Microsoft found out about it, not by looking into the account of the employee, but into the account of the blogger. The rogue employee was apparently clever enough not to use an email service controlled by Microsoft to send the email, so Microsoft found instead the information from the account of the person who received the email. Who was not and had never been a Microsoft employee.

      The privacy of the rogue employee is not the one we are talking about. It is the privacy of the third-party blogger.

      1. Jim 59

        Re: Will you read the goddam article?!

        Thanks for explaining "so I can understand". Just to clarify: the blogger was not just a passivie recipient. Sender and receiver used MSN Messanger to arrange the drop, before using Skydrive to transport the data.

        Even if the blogger was not in prior collusion with the rogue, it wouldn't make any difference. That T&C clause about passing your data to "law enforcement officials... to aid the investigation of a crime" does not say the crime has to be yours.

        I fail to be outraged or surprised by Microsofts actions. Clear text handed off to a third party for delivery has never been secure, not since the invention of writing, not now and never will be. And nor should it.

        The puzzle is why so many serious commentators believe that should be somebody else's unpaid job to keep their secrets. Even when they are not paying the messenger to keep quiet, even when the messanger has said the data will be divulged if the occasion demands, and even - get this - when the message is used to wound the unpaid messanger.

        However I am less happy about the new/future MS policy of just allowing the police direct access. That is a different story.

        1. tom dial Silver badge

          Re: Will you read the goddam article?!

          "... the new/future MS policy of just allowing the police direct access." This is not the policy announced. From Brad Smith's blog:

          "Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required."

          That is, if they think it's a criminal matter they will file a complaint. The police, constrained by the laws, will obtain subpoenas, as necessary to conduct their investigation, for material from Microsoft and other providers.

          I never have thought Microsoft a good ethical example to follow. In this case they stumbled badly and deserved to be criticized, but since have modified their stated practice in ways that make it quite unexceptionable. The only nit to pick here is that they don't say what they will do in case a criminal referral is unnecessary.

  16. BlueGreen
    Megaphone

    We've advocated that governments should rely ...

    ...on formal legal processes and the rule of law for surveillance activities

    Well, fuck me.

    Brave MS. Well done you all. Holding back 1984 all on your lonesome.

    (icon represents your brave stand)

  17. Anonymous Coward
    Anonymous Coward

    Pathetic and hypocrite Microsoft as usual

    Remember that Google-bashing campaign it once run? Gmail Man?

    Oooh Google is the new big bad evil empire who shoves ads into your face.

    Well, Microsoft, you would do the same too, if only your acquisition of aQuantive hadn't flopped.

    Pot, meet kettle. In this case, Microsoft, you're the darker one, no contest.

  18. BillRM

    All you need to do is to encrypted your email using pgp or 7-zip or whatever and why would anyone discussed doing any illegal act without encrypting email?

  19. BillRM

    Encrypted your email with pgp or 7-zip or.......with special note if your are discussing doing anything illegal.

  20. Anonymous Coward
    Anonymous Coward

    Since... "cloud email in the 1990s companies now recognize this is a market issue for them"

    Back in the 90's Microsoft's true interest in its customers was the same as asking a customer service rep if God exists... Both answers summed up in one sentence... "Please stay on the line your call is important to us".. So what's changed? Not much. It was always about the almighty dollar!

  21. s. pam
    FAIL

    Boy I feel so much better now...

    "From now on, Redmond staff won't probe the email inboxes of its customers, but will outsource the job to law enforcement."

    Yeah, so the Gestapo in the USA will now be purposely going through your hotmail just as we'd suspected they were. Take a serious look at their statement for a moment kids. They're NOT saying an outside law firm or their law firm, but law enforcement.

    Yes that's right, the same goons that Snowden exposed.

    End of days for hotmail.

    1. tom dial Silver badge
      FAIL

      Re: Boy I feel so much better now...

      As I stated early on in the comment thread, this has nothing at all to do with the NSA. It has to do with Microsoft quite inappropriately assuming police like authority to conduct searches of data stored on their own service that they would have had to seek court approval for if the data were stored by someone else (like, for example, Google).

      If the release of the Windows stuff was illegal, they could go to the police, who could get a proper subpoena. If the release was a civil matter, they probably could obtain a subpoena as part of a civil lawsuit. Whichever case applies would work on any email provider, although with a good deal more difficulty if the provider was not in the US. They took a brain dead shortcut because it was Hotmail and they could.

      Bad Microsoft. And better Microsoft for confessing error and promising to be better in future.

  22. Bladeforce

    At Microsoft

    We Value Our Privacy

  23. southpacificpom
    Coat

    Perhaps we have ourselves to blame

    If you use online services like email etc, then you should not expect privacy. Just in the same way you should have expected your email addresses to be harvested and onsold to marketing companies about ten years ago when the said online companies told you they weren't.

  24. Anonymous Coward
    Anonymous Coward

    What morons

    Nobody cares about your e-mail unless you are a terrorist or cyber crim. Get real.

    1. tom dial Silver badge

      Re: What morons

      "Nobody cares about your e-mail unless you are a terrorist or cyber crim" or offend the owners or managers of your email provider.

      1. T I M B O

        Re: What morons

        I care about my emails. My thoughts or expressions are my own as well as any business i conduct over the internet. I also think that all these places that snoop weather they be British or American, always have lots of money and you wonder why our healthcare is going to the wall. It seems that every country has no respect for anybody's privacy. Lets have more from snowden.

  25. Anonymous Coward
    Anonymous Coward

    there's a difference between abstractly claiming the right and actually doing it.

    WTF? It's their rule, I signed to it, why should I be indignant that they exercise it? Get a grip people!

    p.s. yes, I value my privacy (very, very much), so I don't use hotmail to say anything which could be used against me.

  26. T I M B O

    All for rubbish

    I agree totally that any employee that works in a secret environment should expect checks on the individual companies computer & email. But snooping or infringing on peoples right to privacy is a big NO NO. Whats more ironic, it was not worth leaking in the 1st place as Win 8 is totally useless. Maybe if people spent more time in making an operating system that they would like other then snooping and then telling tails to the paranoid American snoopers, then life would be more enjoyable.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020