Microsoft just exposed email's ugliest secret



If you're hiding something from Microsoft, you'd better not put it on Hotmail.

 

It came out yesterday that the company had read through a user's inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they'd needed one. By all indications, the fallout is just beginning.

 

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it's Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they're providing important services, paying our server bills, and for the most part, we trust them. But this week's Microsoft news has chipped away at that trust, and for many, it's made us realize just how frightening the system is without it.

 

We've known for a while that email providers could look into your inbox, but the assumption was that they wouldn't. Even a giant like Microsoft is likely to sustain lasting damage, simply because there are so many options for free web-based email. Why stick with Microsoft if you trust Apple or Google more? But while companies have created a real marketplace for privacy and trust, you'll find the same structural problems at every major service. Ad-supported email means companies have to scan your inbox for data, so they need access to every corner of your inbox. (That's been the basis of Microsoft's Google-bashing "Scroogled" campaign.) Free email also means someone else is hosting it; they own the servers, and there's no legal or technical safeguard to keep them from looking at what's inside.

 

A close look at company privacy policies only underlines the fact. As Microsoft pointed out in its initial statement, "Microsoft's terms of service make clear our permission for this type of review." Look at the company privacy policy, and you'll see that's true: "We may access or disclose information about you, including the content of your communications, in order to ... protect the rights or property of Microsoft." That's a straightforward description of what happened in the Hotmail case.

 

You'll find similar language in the privacy policies from Yahoo and Google. Yahoo reserves the right to look through your emails to "protect the rights, property, or personal safety of Yahoo, its users and the public." Google's language is nearly identical, saying it will access user data "if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to ... protect against harm to the rights, property or safety of Google." Apple is a little better, but not much, promising to disclose user content "if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate." What counts as public importance, exactly?

 

What's worse, the current laws won't do anything to stop them. For standard law enforcement, it takes a warrant to read a person's email, but there's no such restriction on hosting providers. Peeking into your clients' inbox is bad form, but it's perfectly legal. Even if the rights weren't reserved in the terms of service, it's not clear there are even grounds for a lawsuit. Without stronger privacy laws, all companies have to worry about is bad PR.

 

Microsoft's mole hunt isn't unprecedented either. There have been LOVEINT-style abuses of sysadmin access, as when a Google engineer was fired for spying on friends' chat logs. Last year, Harvard searched its own professors' email accounts as part of a cheating investigation. (The dean behind the search stepped down a few months later.) But those are just the instances we're aware of. In all likelihood, there are dozens of similar incidents that were simply never made public, encouraged by the open nature of third-party hosting. As long as the access is legal and technically feasible, there's no reason to think it will stop.

 

Anyone living a modern and complicated life over email is left in an awkward place. The crypto crowd has an easy answer: use end-to-end encryption, locking up emails with GnuPG and online chats with programs like Cryptocat. You can hold your own keys, making sure no one can decrypt the message but the person you're sending it to, and count on open-source code reviews to expose anyone who tries to slip a backdoor into the code.

 

It's a good system and it works, but for most users, it's still a bunch of extra inconvenience for no obvious benefit. In the end, it's easier to blame Microsoft for violating our trust and move on to the next company, with the same data practices and the same terms of service. With Google, Apple, Yahoo, and countless other free webmail services waiting in the wings, there are plenty of options to choose from. They'd never do a thing like this... right?

 

 

http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy

 

Want to keep your data private? Don't post it online regardless of what service you use and as the article states, Yahoo, Google, MS... and others... can view your info at any time.

Link to comment

Funny that Microsoft pushed the Scroogled campaign so far, only to be hit in the back!

 

Of course, MS are the good guys and anyone else is bad. In reality, they are only the good guys when it suits them. Like anyone else. And I have been saying it for a while, if I have personal data that I want to keep secure and private, I won't post it online regardless of who is hosting it.

  • Like 2
Link to comment

And there's no guarantee that ISPs are any safer in this regard. So if you want correspondence to be truly secure, I guess you need your own email server, probably for both parties.

 

Or snail mail with a wax seal, like in ye olden days.

Link to comment

Funny that Microsoft pushed the Scroogled campaign so far, only to be hit in the back!

Again, what does this have to do with that? Going into someone's inbox for a criminal investigation is not the same thing as data mining people's inboxes for advertising purposes.

 

Stop confusing the two.

Link to comment

Again, what does this have to do with that? Going into someone's inbox for a criminal investigation is not the same thing as data mining people's inboxes for advertising purposes.

 

Stop confusing the two.

 

except that, according to the reports, there was no warranty, therefore it was illegal. Also there is a trust issue in this case.

Link to comment

I don't see what this has to do with Scroogled, but whatever...

Want to keep your data private? Don't post it online regardless of what service you use and as the article states, Yahoo, Google, MS... and others... can view your info at any time.

This I agree with. Any data outside your control should be assumed to be non-private, if not now then eventually. What I find amazing is how so many still become upset when embarrassing private information posted by them on social networks becomes public knowledge. If you're relying solely on some third party elastic privacy controls or someone's conscience to keep your secrets safe then prepare to be disappointed one day or another.

I don't know what can be done about email though. It was never built to be secure and as we've seen with Lavabit, Silent Circle and the rest even encrypted email services aren't the answer.

Link to comment

except that, according to the reports, there was no warranty, therefore it was illegal.

 

Technically, it wasn't illegal. MS had a clause in the TOS that was kinda hidden (who ever reads the whole TOS?) and they used that. Was it right for MS to do that? That is another question.

Link to comment

Again, what does this have to do with that? Going into someone's inbox for a criminal investigation is not the same thing as data mining people's inboxes for advertising purposes.

 

Stop confusing the two.

 

Exactly. At Microsoft, your case has to be escalated to the highest level before your inbox can be accessed.

 

You can be certain that if Google's proprietary search engine ranking algorithm was being stored on a gmail account, they'd nuke it.

 

 

Technically, it wasn't illegal. MS had a clause in the TOS that was kinda hidden (who ever reads the whole TOS?) and they used that. Was it right for MS to do that? That is another question.

Technically... the best kind of legal.

Microsoft isn't the government, and they already have your permission to access your account if you are using Microsoft services to facilitate illegal activity.

 

Link to comment

except that, according to the reports, there was no warranty, therefore it was illegal.

Their own internal investigations unit handled the whole thing. Specialized people trained to deal with these things are the ones that opened the inbox. Microsoft folks aren't idiots. They know what they are doing.

Link to comment

except that, according to the reports, there was no warranty, therefore it was illegal.

Warrant, not warranty.

 

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.

How was it illegal when no laws were broken? Now if you want it to be made illegal, petition for the laws to be changed so that companies will have to seek warrants/court orders before searching their own servers, even if those servers contain user data.

Link to comment

Because, it is buried in the TOS. I don't know about anyone else, but who reads the TOS line for line?

Ignorance of rules/laws isn't a valid justification for breaking them, and if you do so then fully expect to pay the price.

Link to comment

Warrant, not warranty.

 

How was it illegal when no laws were broken? Now if you want it to be made illegal, petition for the laws to be changed so that companies will have to seek warrants/court orders before searching their own servers, even if those servers contain user data.

sorry, my bad (i'm writing in a hurry :D).

 

ok, so it *could* not be illegal, but definitely was unethical and distrustful.

Link to comment

Ignorance of rules/laws isn't a valid justification for breaking them.

 

Did you read what I was replying to? A question was asked how it was a secret. I wasn't justifying breaking or ignoring the rules.

 

MS could legally do what they did because the user gave permission when they agreed to the TOS. Same way and reason why people shouldn't be complaining about Google since they have to agree to certain things as well. Same with Yahoo, Apple, and many other companies. If you don't read the rules, then the only person anyone should be upset at is themselves.

  • Like 1
Link to comment

ok, so it *could* not be illegal, but definitely was unethical and distrustful.

Unethical? In ordinary course of events if they did this to anyone's data then definitely. In this particular case? Not at all. I am actually with you that making any kind of snooping illegal for all these companies would probably be a good thing (though of course they could still do it as long as no-one outside knows, since they control their own servers after all). Whether these sorts of legal changes will ever come about is doubtful though.

 

Did you read what I was replying to? A question was asked how it was a secret. I wasn't justifying anything here.

Ah ok, I was mixing up your response with Praetor's.

Link to comment

Unethical? In ordinary course of events if they did this to anyone's data then definitely. In this particular case? Not at all. I am actually with you that making any kind of snooping illegal for all these companies would probably be a good thing (though of course they could still do it as long as no-one outside knows, since they control their own servers after all). Whether these sorts of legal changes will ever come about is doubtful though.

 

that would be possible if audits by independent entities were made; unfortunately once data is in their servers, no one knows how it's being treated and processed. i'm all for making this sort of thing illegal; it not only gives the consumers reasons to distrust the company that does this kind of snooping but it's a legal privacy violation.

Time to host your own email server.

 

actually everyone is doing the inverse.

Link to comment

I am sure the same thing will be coming on so-called cloud storage as well. Many people these days are buying into the notion of saving all their digital life on someone else's server. There is no guarantee that these corporations or some rogue employee from these corporations won't snoop on your personal data. It kind of amazes me that so many people these days trust someone else to store their digital life rather than themselves on the pretext of convenience and some less probable house burned down. I personally have a NAS which enables me to keep my data with myself and also provides on-demand access remotely if I need some of my data. But that's just me.

Link to comment

Time to host your own email server.

Nope.  Don't use mail.  email is a poorly encrypted service to use, it is slightly better than facebook but it still is bad as far as privacy goes. 

Link to comment

unfortunately once data is in their servers, no one knows how it's being treated and processed

And that is the main problem, isn't it? I doubt even independent audits will help, not to mention how many users will agree to pay for all the extra costs which these companies will likely not be willing to absorb. Ultimately it comes down to either trusting them, or storing your own data and cutting third parties out of the picture as far as possible.

Nope. Don't use mail. email is a poorly encrypted service to use, it is slightly better than facebook but it still is bad as far as privacy goes.

True, it was never built keeping privacy in mind. What do you suggest as an alternative though? Time for the world to come up with new communication protocols with end-to-end security as a focus?

Link to comment

And that is the main problem, isn't it? I doubt even independent audits will help, not to mention how many users will agree to pay for all the extra costs which these companies will likely not be willing to absorb. Ultimately it comes down to either trusting them, or storing your own data and cutting third parties out of the picture as far as possible.

 

actually the company i work for hosts mailboxes for several organizations and it's our own internal policy NOT to snoop into people's emails, even though technically we could do it and no one would ever know; it's a matter of trust and business ethics.

Link to comment

This topic is now closed to further replies.