Skip to main content
Advertising

Originally published March 20, 2014 at 8:20 PM | Page modified March 21, 2014 at 11:34 AM

  • Share:
           
  • Comments (33)
  • Print

Microsoft takes heat after snooping in email leak case

Microsoft said Thursday that it did not need a court order to read such content because its own terms of service allow for it under “exceptional circumstances.” Besides, Microsoft said, courts do not issue orders to companies to search themselves.


Seattle Times technology reporter

Most Popular Comments
Hide / Show comments
Ah, yes, the cloud computing revolution. Where you can outsource your privacy, secur... MORE
"I always expect any of my accounts on hotmail/yahoo/gmail/linkedin/fb/twitter/on-... MORE
Whether you think the the ends justified the means in this particular case or not, it... MORE

advertising

Microsoft took flak Thursday for reading emails from a blogger’s Hotmail account in the course of identifying a former employee who is being accused of stealing Microsoft trade secrets and leaking them to the blogger.

That Microsoft did so was revealed in a court complaint filed by federal prosecutors against Alex Kibkalo, a former Microsoft software architect.

Kibkalo, who was arrested Wednesday, is accused of stealing trade secrets related to pre-release software updates for Windows 8 and Microsoft’s “Activation Server Software Development Kit,” and giving that information to an unidentified tech blogger in France.

Microsoft found out about Kibkalo after searching the blogger’s Hotmail account, raising concerns Thursday over when and why Microsoft would be able to look at content from users of its services — Hotmail is a webmail service Microsoft owns that now goes by the name Outlook.com — and what legal processes the company followed in this case.

Microsoft said Thursday that it did not need a court order to read such content because its own terms of service allow for it under “exceptional circumstances.” Besides, Microsoft said, courts do not issue orders to companies to search themselves.

But the company also said Thursday that it was putting into place some new policies, including proceeding with such a search only after an outside attorney who is a former federal judge deems there’s sufficient evidence to justify a court order.

The complaint, filed in U.S. District Court in Western Washington earlier this week, says that on Sept. 3, 2012, an outside source who asked not to be identified contacted Microsoft, saying that he or she had been contacted by the blogger.

The blogger had sent the source the proprietary Microsoft code, asking the source to help the blogger understand it better, the complaint says.

“The source indicated that the blogger contacted the source using a Microsoft Hotmail email address that TWCI [Microsoft’s Trustworthy Computing Investigations department] had previously connected to the blogger,” according to the complaint. “After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account.”

The blogger’s Hotmail content subsequently revealed communication from Kibkalo establishing that Kibkalo had “shared confidential Microsoft information and data with the blogger through Kibkalo’s Windows Live Messenger account.”

Microsoft said in a statement issued Thursday that its investigation was conducted “over many months with law-enforcement agencies in multiple countries” and that the investigation included getting a court order for a search of the blogger’s home. It said the investigation “identified clear evidence that the third party involved intended to sell Microsoft IP [intellectual property] and had done so in the past.

“As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts,” Microsoft’s statement goes on to say.

“While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites.”

Indeed, Microsoft’s terms of service specify that the user agrees Microsoft may access, disclose or preserve users’ personal information and content when the company thinks that doing so is necessary to comply with the law, to prevent loss of life or serious physical injury to anyone, or to protect the rights or property of Microsoft or its customers.

“In this case, it does appear that Microsoft’s terms of service permit the company to have taken the action that it did,” said Nate Cardozo, an attorney with digital civil-liberties organization Electronic Frontier Foundation. “The terms of service is a contract. By opening a Hotmail account, all Hotmail users consent to Microsoft searching their emails for this sort of content.”

But “from our perspective, it was clearly not the right thing for Microsoft to have done this,” Cardozo said of the case. “The proper remedy for Microsoft would have been to have the government get a warrant to search this guy’s email.”

When Microsoft — or other companies such as Yahoo and Google, which have similar stipulations in their terms of service — reserve the right to access users’ content, “what they’re saying is: ‘Trust us. We will only use this right in extraordinary circumstances,’ ” Cardozo said. “That’s not enough because what that means is that any Microsoft account holder is leaving it up to Microsoft to decide when it’s appropriate to search your email.”

Microsoft issued a statement later Thursday outlining the policies it follows and detailing a few new ones.

“It’s not feasible to ask a court to order us to search ourselves,” but the company does not conduct a search of its own email and other customer services “unless the circumstances would justify a court order, if one were available,” John Frank, Microsoft’s deputy general counsel, said in the statement.

The company has a legal team, separate from the internal investigating team, that assesses evidence to see if there’s enough to justify a court order.

From now on, Frank said, the company will also submit any such evidence to an outside attorney who’s also a former federal judge and will move forward with a search only if that attorney agrees there’s sufficient evidence for a court order.

Any such searches will be limited to the matter under investigation and be conducted under supervision by legal counsel.

And the number of such searches will be published in the company’s twice-yearly transparency report on data it discloses to law-enforcement agencies.

Janet I. Tu: 206-464-2272 or jtu@seattletimes.com.



Want unlimited access to seattletimes.com? Subscribe now!

News where, when and how you want it

Email Icon

Meet the winemakers

Meet the winemakers

View video interviews, conducted by The Seattle Times wine writer Andy Perdue, profiling five of our state's top winemakers.

Advertising

Advertising

The Seattle Times photographs

Seattle space needle and mountains

Purchase The Seattle Times images


Advertising
The Seattle Times

The door is closed, but it's not locked.

Take a minute to subscribe and continue to enjoy The Seattle Times for as little as 99 cents a week.

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited seattletimes.com content access is included with most subscriptions.

Subscriber login ►