Electronic Frontier Foundation slams Microsoft for searching a blogger's Hotmail

The controversy over Microsoft searching through a person's Hotmail account in September as part of a company investigation has now gotten the attention of the non-profit Electronic Frontier Foundation. As you might expect, the EFF thinks that Microsoft's actions violate the U.S. Electronic Communications Privacy Act.

Microsoft admitted this week that as part of its actions to find evidence against a person who allegedly leaked Windows 8 files and other code to a third party, it examined some of the Hotmail account content of a French blogger who was in communication with the leaker, now former Microsoft employee Alex Kibkalo. Microsoft's Terms of Service for Hotmail and Outlook.com users state that the company has the right to search through those accounts if such actions are needed to "protect the rights or property of Microsoft or our customers."

The EFF believes, however, that Microsoft should have gotten a warrant to search the Hotmail account. Microsoft's argument is that "courts do not issue orders authorizing someone to search themselves," but according to EFF legal fellow Andrew Crocker it's the content of the emails on those servers created by a third party that is being searched.

Crocker says:

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

Microsoft has said it will be updating its policies on searching email accounts, which will include adding a separate legal team to determine if a search is needed, followed by sending that opinion to an outside attorney who is a former federal judge. That's not good enough, according to Crocker, who says it violates the Fourth Amendment right to have such evidence presented to a "neutral and detached magistrate."

Crocker also thinks that Microsoft's Terms of Service could be abused thanks to the specific wording. He stated, "Combined with the kangaroo court potential of the company’s new internal Warrants for Windows policy, Microsoft is playing with fire." So far, there's no word on whether the EFF plans to launch any legal action against Microsoft.

Source: EFF

119 Comments


exactly.. that's an unfortunate precedent.. their position shows bad intent since it was very simple to get a warrant.. there was nothing extraordinary about that
and what guarantee does anybody have that they are not violating people's privacy on a daily basis?

Besides the fact that software they make constantly leaks out? If they were going through employee e-mail 24/7, he never would have been able to leak anything. Especially something that can be used to destroy their activation system.

Badcat007 said,
and what guarantee does anybody have that they are not violating people's privacy on a daily basis?
So which free mail service are you using with that guarantee? I'm interested too. I'm also interested to know how a guarantee would help if you never come to know that your mails have been read?

Screw EFF and the lot of them.

You don't get to sign up for a FREE service that's hosted using SOMEONE ELSE'S hardware and infrastructure and then start whining about your "rights."

Host your own email if you want control over it, otherwise know what you are agreeing to when you get in bed with someone else.

Lord Method Man said,

Host your own email if you want control over it, otherwise know what you are agreeing to when you get in bed with someone else.

Unless you only use that setup to email yourself you are still not in control of your mail. It'll end in someone else's inbox, subject to third parties' policies.

Shrug.

I have no problem with companies searching through email in extraordinary circumstances -- whether it's something like this, child pornography, or whatever. I think the most amazing thing in this whole story is that this blogger was stupid enough to think that Microsoft couldn't/wouldn't search their Hotmail account. I'd say the same thing if the search algorithms for Google were stored on Google Drive, and the person had evidence of it on their Gmail.

I don't view it as an invasion of my privacy. And, I use Office365 :p

This has just gotten to be a bit crazy, and here is why...

Google and other mail hosting providers open user email accounts all the time, without escalation and without having to go through their legal. If this was Google or 99% of any other ISP that hosts email, they would have pulled and read the user's email. There would be NO STORY, as this stuff happens ALL THE TIME.

The only reason this is a 'story' is that it was NECESSARY to go through Microsoft Legal just for them to get the security key to open the user's account.

So because Microsoft has such a complex process of approval and decryption to gain access to a SINGLE user's email, this has become a story.

So we are being hypercritical of one of the few companies that take user privacy seriously. Really?

I think one of the reasons of why it is a story is due to Microsoft's stance on privacy as you mentioned. This case appeared to go against the grain.

DonC said,
I think one of the reasons of why it is a story is due to Microsoft's stance on privacy as you mentioned. This case appeared to go against the grain.

Microsoft doesn't data mine users' accounts. Just because they value privacy in this regard, doesn't mean they're not able and willing to pull a user account if the situation calls for it.

Dot Matrix said,

Microsoft doesn't data mine users' accounts. Just because they value privacy in this regard, doesn't mean they're not able and willing to pull a user account if the situation calls for it.

Of course MS data mine user accounts, their targeted advertising business doesn't work on magic.

"The information we collect may be combined with information obtained from other Microsoft services and other companies."
"We use cookies and other technologies to keep track of your interactions with our sites and services to offer a personalized experience."
"We use your information to inform you of other products or services offered by Microsoft and its affiliates, and to send you relevant survey invitations related to Microsoft services."
"In order to help provide our services, we occasionally provide information to other companies that work on our behalf."

What they might not do is data mine the contents of your mail, but "MS reserves the right to review materials posted to the Communication Services".

I must say I'm a bit surprised by some Neowin readers being double faced.

For months we were reading about the Scroogled campaign (which was stupid and was bending the truth a bit in my opinion) and people were commenting a lot in favor of MS.
Yet now we can see Microsoft is no better and people still defend MS.

Let me remind you: Google scans emails and matches keywords to ads - it's an automatic process, no one reads it, no ad company sees it or even your email account.
Now we see Microsoft who READS your email, a person, bypasses account security, goes into your account and just reads it.

If that was a normal mail/post, it would break a few laws already - many countries have a law preventing anyone from reading mail not addressed to you.
TOS can be wrong - it's mostly written for the benefit of the company, not their users. No mail company can open a letter and read it when they want, even if it's something connected to that company.

I could understand it if that was an employee email account - although still edgy, employers are, to my knowledge, allowed to check employees' emails, but, from what I see, Microsoft checked the guy's *PRIVATE* account, isn't that right?
That changes everything!
TOS or not, if someone wants to read a private mail or email - get a warrant or GTFO.


The whole case is worrying because we see Microsoft becoming its own police force, defining what's legal and what's not, ignoring reporting the crime to the police and waiting for them to investigate, like it should happen in the first place.
What's next? MS will employ full-time judges to sentence people who committed crimes against Microsoft? Will MS be running prisons as well or everyone gets death sentence?


Seriously people, this is not right, doesn't matter which company does it, but now you not only have proof that Microsoft scroogled you (I think someone has to come with a new word for it then) but they did it way better than Google. (or worse, depending how you look at it)

Remember what Apple did when they were searching for the "lost" iPhone prototype?
When they hired people to pose as officers of the law, and entered a civilian's house and searched it.

This should be an eye opener for all people who care about their privacy to be wary of this recent cloud fad. These days everyone is so eager to hand over their digital life on some big corporate company's server voluntarily. I am sure we will soon be hearing stories about cloud storage snooping as well.

All of them do that and unfortunately you can't do anything about it, because people's desire to use free stuff is more than their desire to keep their privacy. Google started this when they introduced their Gmail service with that ridiculous counter to increase your inbox limit by seconds. Then everybody else, to compete with that, went to unlimited free storage with virus scanner and anti-spam engine. Of course something has to pay for these. Ads infesting, giving up your privacy. Many things...

The_Observer said,
Cool, show me a paid product where they will not jump into your email account, where they protect your rights and not give out any of your details. Thinking the best setup is an email server on your own computer! Mmm, I wonder????

(EDIT) found answer to my own question. http://web.appstorm.net/roundu...email-with-your-own-domain/

Unless a cloud provider offers end-to-end encryption, for which you and only you hold the keys, they will always be tempted to get a sneak peek at your data should the situation warrant itself, despite what their marketing brochure and PR team might insist.

The only way to be absolutely certain is to host your email yourself. If you know what you are doing, any old desktop lying around will do, and it shouldn't cost you over $20 a month over what you already pay for internet. With feature rich software like Zimbra, Kolab, etc available for free, there is absolutely no reason to not do so if privacy is even of the slightest concern to you.

The_Observer said,
Cool, show me a paid product where they will not jump into your email account, where they protect your rights and not give out any of your details. Thinking the best setup is an email server on your own computer! Mmm, I wonder????

(EDIT) found answer to my own question. http://web.appstorm.net/roundu...email-with-your-own-domain/


There are some corp email providers with encryption, but if you really care you can make your own datacenter or rent one and implement an email service with custom high-end encryption.

Isn't it great to see the EFF are not only standing up for the rights of thieves, they're now standing up for the rights of French thieves too.

recursive said,
If by thieves you mean Microsoft, then you are absolutely right.

Oh, it's you again... trolling MS once again?
Microsoft are not thieves, we pay them for products to use.
With this case, I don't see where MS went wrong, they didn't just search a random account, it was proven that the guy (MS employee) stole Win-8 code and passed it on to someone and that email was sent to a Hotmail account, the employee is stupid if he was thinking he could get away with it...

Now, I'm going LOL at the employee, because MS are going to make an example out of him by properly suing the ex-employee and in the USA you get sued, it's not petty cash, it's going to be in the millions... oh well, that guy isn't going to get an IT job anywhere lol

At first blush, Microsoft's unilateral decision to rifle through its user's emails sounds like a violation of the Electronic Communications Privacy Act, ECPA.
"At first blush ... sounds like", then what happened?

To the contrary, if Microsoft's independent legal team concluded that there was probable cause, it could have passed the tipster's information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system.
"could have"? Which means it was optional? If it was absolutely required why not say "should have"? If you're a lawyer you know better than to use ambiguous language.

Come right out and say if it was illegal or not. Not that hard to do instead of beating around the damn bush. Troubling is one thing, illegal entirely another. If the latter then MS may be sued, but if the former then the EFF needs to petition for the law to be changed for all companies, not just MS. This was a very wishy-washy article. Man up and point the finger EFF if you truly believe a crime has been committed by the company, state clearly which laws were broken and file a suit against them immediately.

Romero said,
"At first blush ... sounds like", then what happened?

"could have"? Which means it was optional? If it was absolutely required why not say "should have"? If you're a lawyer you know better than to use ambiguous language.

Come right out and say if it was illegal or not. Not that hard to do instead of beating around the damn bush. Troubling is one thing, illegal entirely another. If the latter then MS may be sued, but if the former then the EFF needs to petition for the law to be changed for all companies, not just MS. This was a very wishy-washy article. Man up and point the finger EFF if you truly believe a crime has been committed by the company, state clearly which laws were broken and file a suit against them immediately.

Probably because it's not clear.

Does Microsoft have the right to investigate in their own property? Sure.
Does investigating mean accessing mails originated on third party services, and hence constitute a violation of the privacy of communication? Well, yes, that too.

So which one prevails here, legally? Not clear, probably the former, but that still makes the "could" not mutually exclusive with the statement about the privacy violation.

ichi said,
Probably because it's not clear.
If it's not clear but the EFF and their lawyers feel so strongly that it was illegal, let them file suit and get the courts to clarify once and for all. It'll be better for everyone instead of letting things remain ambiguous.

Romero said,
If it's not clear but the EFF and their lawyers feel so strongly that it was illegal, let them file suit and get the courts to clarify once and for all. It'll be better for everyone instead of letting things remain ambiguous.

I'm not seeing an explicit qualification of "illegal" in the EFF article. What they state though is that it sets a dangerous precedent, more so when Microsoft's TOS cover a whole lot of more generic reasons than just suspicion of illegal activities.

ichi said,
What they state though is that it sets a dangerous precedent
Right, so where is their appeal to lawmakers to get the laws changed? In between their MS-bashing perhaps they can take some time out to tell us what they're actually doing about it? This state of affairs is hardly specific to a single company after all. I'm also amazed it took them this long to realize that companies can access user data on their servers.

Romero said,
Right, so where is their appeal to lawmakers to get the laws changed? In between their MS-bashing perhaps they can take some time out to tell us what they're actually doing about it? This state of affairs is hardly specific to a single company after all. I'm also amazed it took them this long to realize that companies can access user data on their servers.

Maybe they will appeal, maybe they won't. I don't know.

If you read the original article on the EFF site anyway it stems from their own "who has your back" report, in which they rate companies for their performance on standing for users' privacy. They awarded MS a star on the "requires a warrant for content", and are commenting on the subtleties arising from this event.

Commenting on the collision between the right to access data on your own servers (as agreed on the TOS) and the privacy of communications is hardly MS-bashing in any case.

It's hard to argue that Microsoft wouldn't have saved face had they gone with a warrant, more so when they are so committed to their "scroogled" campaign.

ichi said,
Commenting on the collision between the right to access data on your own servers (as agreed on the TOS) and the privacy of communications is hardly MS-bashing in any case.
It is when they go on and on about this case without noting the problem is far more widespread than just one company's policies, and seem to be doing nothing to address the lacuna in the law. And yeah, this case led to an arrest so the events became public via court documents, but what proof do we have (besides their own word) that other companies (or even the same one) haven't looked at users' data before? Heck, even if the warrant requirement is brought into effect how does that prevent these companies from looking at user data in the first place? Ultimately you have to recognize the fact that without sufficiently strong encryption by users (not the companies themselves) no data stored on third party servers is ever 100% guaranteed safe from snooping. Given that, I don't know on what basis the EFF is handing out those silly stars anyway to any of these companies, as if they mean something when it comes to privacy.

Edited by Romero, Mar 26 2014, 12:47am :

Romero said,
It is when they go on and on about this case without noting the problem is far more widespread than just one company's policies, and seem to be doing nothing to address the lacuna in the law.

They published one single article about this case (which I don't think qualifies as "going on and on") because this case is recent news, but the EFF has also been critical of Gmail's privacy before.

Going on and on in that article; it was lengthy enough without addressing the larger concerns this brings up about privacy of email or cloud storage data in general. As for Gmail, I don't know what they criticized or how much but it clearly shows companies don't care what they have to say because nothing's changed there.

Was it "Wrong" of MS to do this?
Yes, I think it was. Ideally they should have gone through the police and got it all done nice and clean.. but it would have taken more time.

Was it Illegal?
No. You gave them permission when you agreed to the TOS.
It's no one's fault but your own if you don't read and understand the TOS, but choose to accept it anyway.

Hey Mr. Police man, I think we have found the guy who got our trade secrets and is storing it in a Hotmail account. We think he is linked to one of our employees.

So have you found anything?

Well, we haven't found any evidence. We need you to get a warrant to investigate this.

You want me to get warrants to search yourself?!

Note: As part of any criminal/legal investigation, you are free to ask MS/Google etc for any emails on their servers. They can provide them to you if they wish. If they don't, then you get a warrant to make them comply.

So you are saying MS wants to search Hotmail, but MS is not willing to search Hotmail. So MS needs to get a warrant to get MS to comply with the search request (to itself). Makes sense /s

No, what they should have done is give the evidence they had in the first place to the FBI, FBI would begin their investigation, order MS to search the guy's Hotmail, get the name, and go from there. That's the clean route that keeps MS from just freely searching their own mail for whatever they want.

The Investigation should have been carried out by law enforcement, not by the internal division of MS. God knows all the conflicts that could have arisen if someone on the team knew the guy that did it, or any number of other issues. It is Always a safer bet to hand it off to a 3rd party and have them conduct the search.

Ryoken said,
No, what they should have done is give the evidence they had in the first place to the FBI, FBI would begin their investigation, order MS to search the guy's Hotmail, get the name, and go from there. That's the clean route that keeps MS from just freely searching their own mail for whatever they want.

The Investigation should have been carried out by law enforcement, not by the internal division of MS. God knows all the conflicts that could have arisen if someone on the team knew the guy that did it, or any number of other issues. It is Always a safer bet to hand it off to a 3rd party and have them conduct the search.


Yes, companies need to go to police for every internal affair. Maybe call the police next time a coffee mug is missing.

Crimson Rain said,

Yes, companies need to go to police for every internal affair. Maybe call the police next time a coffee mug is missing.

It's not an internal affair. They had information that the information MAY have been leaked by a FORMER employee, to a THIRD Party. It ceased to be an internal issue. Additionally, since they are bringing Criminal Charges, that makes it not internal also.

This isn't a missing coffee mug, this is a leak of IP to a 3rd party leading to criminal charges.

Ryoken said,
It's not an internal affair. They had information that the information MAY have been leaked by a FORMER employee, to a THIRD Party.
Kibkalo was already under suspicion and I believe when he was interviewed on September 24-25, 2012 he was still an employee and was fired subsequently after confessing everything.

Romero said,
Kibkalo was already under suspicion and I believe when he was interviewed on September 24-25, 2012 he was still an employee and was fired subsequently after confessing everything.

But still the account they accessed wasn't Kibkalo's but the one of the French blogger.

ichi said,
But still the account they accessed wasn't Kibkalo's but the one of the French blogger.
Who's denying that? Just as you can't deny that the blogger contacted someone over Hotmail and sent the SDK source over for that someone to create a fake activation server, and that someone in turn contacted Sinofsky. In this case this guy had it coming to him. I have absolutely zero sympathy for either of them. As for the TOS, I've already said it before many times, if the EFF feels so strongly about what MS and Google and Yahoo and other companies' TOS contains, let them get the laws changed so warrants are made mandatory for such cases in future.

Not sure why MS is so scared of leaks that they had to search a blogger's Hotmail! Ever since Sinofsky, builds always display "Microsoft Confidential" all over the place. In the Vista days, you always got CTPs every month. MS even claimed that Vista was the most tested OS in MS history! These days, you only get a few previews but nothing more. But you should be aware that the incident happened while Sinofsky was still Windows president. I hope that the current leakers (WZor, user "leaked" at WinClub.pl) don't get scared off by this. WZor just disappeared from the internet but I hope it's just temporary for now.

WinMetro said,
Not sure why MS is so scared of leaks that they had to search a blogger's Hotmail!

This isn't about leaked iso files or screenshots. This is about stolen information that could be used to bypass activation, or create a product key generator. That's way more valuable.

They wouldn't have done this if it was just over a leaked screenshot or iso file.

I'm sorry but I think it's appalling that organizations like this have powers to be to strike back at Microsoft for them searching an account provided by themselves.

I don't care to hear classic "they are destroying your privacy!" arguments. You made the choice to have an account with them, you should learn to accept the risk. As I said in another thread, Microsoft is providing a charity service and no one forced you to take it on.

This would be different if Microsoft was selling your information or using it in some way for personal gain. In this case, they aren't and everyone really needs to stop riding the popular "stick it to Microsoft" wave.

Exactly!
What people don't realize:
Microsoft - uses your information to protect users and businesses and only does this when legally required to do so.

Google - uses your information for the same PLUS data mining and selling it for advertising to gain them profit.

Big difference, between good and bad. But of course bloggers love to hate on Microsoft for no valid reason.

Zidane said,

Yes I am? Are you paying Microsoft for your outlook email account? No? Sit down :).


I guess Gmail and iCloud are charity services too, then.

CJEric said,

I guess Gmail and iCloud are charity services too, then.

Yes...which we all know this? They are provided free of charge :)

I assume you were trying to make a point with that statement or speaking the obvious.

Because you didn't make a monetary payment doesn't mean it is free. They do inject ads in your content, which generates revenue for them.

What Microsoft is providing is more like the landlord who gives you a free room, barring one nail in it, on which he constantly hangs rotten fish.

Except that if no one suggests that people are unhappy with this practice, companies would not care as much. [Good] companies will try to give the people what they want, and if you make that message clear as a collective, they will listen.

Microsoft of all companies has been keen on listening to the feedback of their users.

Just because you clicked agree on some TOS that most people don't read doesn't mean you can't tell them what you want. The companies do not hold the power here, but are rather empowered by their user base. If people want to get upset, cool! Let them! Perhaps things will change then.

This idea that, "Oh man, you clicked a button, your life is over now. There's nothing you can do," is a bit absurd.

recursive said,
Because you didn't make a monetary payment doesn't mean it is free. They do inject ads in your content, which generates revenue for them.

What Microsoft is providing is more like the landlord who gives you a free room, barring one nail in it, on which he constantly hangs rotten fish.


Except that it is free...you were not sold the software, no monetary transaction occurred between you and Microsoft.

Ads have nothing to do with this. Again, if you have an account with them, you did so of your own free will and agreed to their terms ;).

Zidane said,
I don't care to hear classic "they are destroying your privacy!" arguments. You made the choice to have an account with them, you should learn to accept the risk. As I said in another thread, Microsoft is providing a charity service and no one forced you to take it on.

The issue is that you are not alone in your decision: if you waive your privacy you are also waiving that of everyone who's sending mail your way.

Which is exactly what the EFF is arguing and the reason why a warrant could have been appropriate. MS wasn't searching the mail generated by the user that agreed to the TOS, it was searching the mail received from another user who might or might not be using that same service under those same conditions.

Microsoft had every right to do this. Anyone arguing against that is just ignorant or simply hates Microsoft.

The French blogger notifies Microsoft to see if it's legit. They find out it's an employee and was using THEIR e-mail service to leak software. They then look through his account (allowed by the TOS in cases like this) for the proof needed for their internal investigation, confront the guy and he admits it.

You people make it sound like they do this 24/7. If that were true, he would never have been able to leak anything. It was the blogger that brought it to their attention. If not for him, they wouldn't have had a clue.

They did nothing wrong, but some of you just can't see the truth sitting right in front of you because you're blinded by hate towards Microsoft.

shawnsdada said,
Microsoft had every right to do this. Anyone arguing against that is just ignorant or simply hates Microsoft.

The French blogger notifies Microsoft to see if it's legit. They find out it's an employee and was using THEIR e-mail service to leak software. They then look through his account (allowed by the TOS in cases like this) for the proof needed for their internal investigation, confront the guy and he admits it.

You people make it sound like they do this 24/7. If that were true, he would never have been able to leak anything. It was the blogger that brought it to their attention. If not for him, they wouldn't have had a clue.

They did nothing wrong, but some of you just can't see the truth sitting right in front of you because you're blinded by hate towards Microsoft.


There is one part that you miss! They could have easily gone the legal way, and just submit their cause to the police, get a warrant and do it. Legally! But they did not bother. So you wonder, how many other accounts do they look at, and read, because they can, for their interest?

If they avoid going to the police, even for an obvious theft case?


PS.
I think it is you who is probably more ignorant than me ;)
and I LOVE Microsoft products, I just don't agree with some of the policies.
I certainly do not hate them, so you are wrong on 2 accounts here.

While mostly I agree with you, I do think it's in the interest of everyone for the service provider to have oversight in place.

so if you live in a rental property, that gives the landlord right to search the property if they suspect something illegal going on?

not a valid comparison. in this case you signed over your property to the landlord allowing him to search it if he needs to.

pandorum said,
so if you live in a rental property, that gives the landlord right to search the property if they suspect something illegal going on?

Barring a few special situations that'll be spelled out in your rental agreement, of course not. But unless you've managed some new trick to digitize yourself, you're not living on their servers. Those rights don't apply.

pandorum said,
so if you live in a rental property, that gives the landlord right to search the property if they suspect something illegal going on?

If you want to try going this route make the situation similar first. Your example is nothing similar at all. Try again, buddy ;).

Now, the landlord has you sign a contract (TOS) and it says that he/she is allowed to enter your apartment/home if he/she has evidence you're doing something to hurt his property (assets) and you agree to the contract (TOS) without reading it. Time goes by and you're doing something illegal using his/her property. He/she has enough evidence something is going on and enters the property while you're away (allowed by that contract/TOS you agreed to that you never read) finds evidence you're doing something illegal that can hurt their property and confronts you with that evidence. Not a freaking thing you can do about it because you gave them that right when you agreed to their contract/TOS. Now this is how your poor example should have looked ;)

Some of you people are ignoring the FACT that Microsoft DID NOT access his account until AFTER they had enough EVIDENCE to do so. It was in the TOS that they could do this to protect their assets if necessary BEFORE the guy did it. It wasn't changed after the fact.

To the ones who took my ignorant comment personally. I said some of you are either ignorant or just Microsoft haters. I didn't name a single person. So if you take that personally, you're just showing that you felt you are ignorant of the situation when you reply to me as if I was posting that directly towards you.

Some of you should think before typing. Comes in handy.

shawnsdada said,
Microsoft had every right to do this. Anyone arguing against that is just ignorant or simply hates Microsoft.

The French blogger notifies Microsoft to see if it's legit. They find out it's an employee and was using THEIR e-mail service to leak software. They then look through his account (allowed by the TOS in cases like this) for the proof needed for their internal investigation, confront the guy and he admits it.

The "blogger" used another entity to verify the information, however that entity turned it over to Microsoft. I'm not sure if he was another employee of Microsoft or not.

panacea said,

There is one part that you miss! They could have easily gone the legal way, and just submit their cause to the police, get a warrant and do it. Legally! But they did not bother. So you wonder, how many other accounts do they look at, and read, because they can, for their interest?


No, you are missing something here: You can't get a warrant to search yourself or things that are in your property.

In most states in the US, a written agreement certainly can - and often will, if it is a standard rental agreement, simply to protect the landlord against being dragged into court for complicity or as an accessory. Why else do you think drug-distribution networks NEVER (as in ever) use their own properties to store their illicit goods, for example? They typically use abandoned properties instead - if anything, to further cloud the waters.

Crimson Rain said,

No, you are missing something here: You can't get a warrant to search yourself or things that are in your property.

Why not? MS says you can't, the EFF says you can.

Personally I don't know which is true, but in a hypothetical scenario where searching your property could break third parties' rights I think a warrant could be due.

Sure, Hotmail/Outlook is Microsoft's property, but we are talking about communications here so it gets murky: the Outlook user signed the TOS, but those sending emails to Outlook users didn't. If you are sending mail to a domain address you don't even know what TOS the recipient is subject to.

If Microsoft can break third parties' privacy of communications based on the TOS of the Outlook users without any kind of warrant then I don't see how any company using their service can be trusted. All it takes is some evidence of breach of TOS by any employee.

As an Outlook user you might agree with that (and actually you do when you sign up) but as a user of other service (especially in the case of in-house corporate mail servers) you most likely don't.

Long story short: they weren't legally required to get a warrant, but it would have been in their best interest if they did.

ichi said,

Why not? MS says you can't, the EFF says you can.

Personally I don't know which is true, but in a hypothetical scenario where searching your property could break third parties' rights I think a warrant could be due.

Long story short: they weren't legally required to get a warrant, but it would have been in their best interest if they did.


You gave them the right to search inboxes if they have valid reason to believe you are doing something illegal.

It is either they can or they can not.

Crimson Rain said,

You gave them the right to search inboxes if they have valid reason to believe you are doing something illegal.

It is either they can or they can not.

You are actually giving them the right to search inboxes as they see fit, illegalities involved or not.

And yes, they can do it. The issue is that their right to do so conflicts with the privacy of communications of third parties, ie. those sending the mail that ends up in your inbox.

That's not exactly true.

A privately communicates with B. B does something illegal and gets searched. If B has retained a copy of that communication with A, then it doesn't matter whether A is involved or not.

Crimson Rain said,
A privately communicates with B. B does something illegal and gets searched. If B has retained a copy of that communication with A, then it doesn't matter whether A is involved or not.

Which is the reason why the EFF argues that a warrant would have been appropriate.
"A" might not be involved (with "A" potentially being comprised by any number of different individuals), yet the privacy of his(/their) communications is being violated.

Again I'm not saying that MS didn't have the right to do what they did. What I'm saying is that all things considered they would have been far better off in all respects if they had gone through the hassle of getting a warrant. The EFF sums it up nicely:

"The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground".

I'm with the EFF on this one. There is a clear conflict of interest in MS's idea to get permission from an ex-judge they hire. I'm no lawyer so I don't know if the EFF or MS is right about being able to get a warrant. If you can get a warrant as the EFF suggests then I believe that was the correct route to take. If you can not as MS claims then they need a neutral third party not just another body employed by MS. Heck maybe they can even get the EFF to be that third party. That would go a long way in ensuring people's confidence that their privacy was being protected.

The EFF is correct. A warrant can always be obtained using the legal process... It just requires Microsoft to go to the police first (so the police can request the warrant).

Asmodai said,
I'm no lawyer

Then, please, stop commenting. Microsoft has every right to protect their assets, and they took the right steps in order to do so. Their legal team aren't idiots, they know what they need to do first before opening up someone's inbox.

Edited by Dot Matrix, Mar 22 2014, 11:29pm :

Actually, Microsoft is paying a lot of money for attorneys so they think they can bend the law. They are already adjusting the policies because they are learning that they cannot, legally.

Dot Matrix said,
Then, please, stop commenting.

Do you have to act so rude? Everyone here can comment!
Are you acting so rude because you are covering the fact that you are also incorrect?

Dot Matrix said,

Then, please, stop commenting.

Sorry, I didn't realize being a lawyer was a requirement to comment here.
Dot Matrix said,

Microsoft has every right to protect their assets

Not by any means necessary. The EFF isn't suggesting they should have done nothing. The EFF spelled out what they believe should have been done.
Dot Matrix said,
and they took the right steps in order to do so.

According to who? Them and their lawyers, that's really impartial. You? Are you a lawyer? I mean if I'm not allowed to comment without being a lawyer what entitles you to offer your opinion without being one? Is everyone else commenting here lawyers too? I didn't realize we had so many lawyers at Neowin.
Dot Matrix said,
Their legal team aren't idiots, they know what they need to do first before opening up someone's inbox.

EFF's legal team aren't idiots either. You do realize that two sets of lawyers can disagree about what is or isn't legal right? Everything isn't always so clear cut. Clearly there is room here for reasonable people to disagree.

Privacy issues are a pretty hot button issue right now. I happen to think a vigorous debate about them is warranted and good. Trying to shut people up just because they disagree with you is not. Likewise simply accepting bad behavior because everyone else does it is not good either.

I get that you disagree with me and that's fine. If my posts bother you so much don't read them, no one is forcing you. I do not intend to stop commenting, certainly not because you asked me to.

Asmodai said,
If you can not as MS claims then they need a neutral third party not just another body employed by MS. Heck maybe they can even get the EFF to be that third party. That would go a long way in ensuring people's confidence that their privacy was being protected.
Nope, don't trust some odd EFF rep deputed to look into a case not to be susceptible to influence either. If we need a neutral party, why not the courts? Make it mandatory for a judge to issue a warrant in all such cases. Problem solved.

panacea said,

Do you have to act so rude? Everyone here can comment!
Are you acting so rude because you are covering the fact that you are also incorrect?

Not what I meant. Microsoft took all the right steps in this case. Microsoft isn't the enemy here. Not sure why people make them out to be. The inbox was searched by a team of specialized investigators. Several people have already backed this up, and you'll see plenty more elsewhere, including industry specialists, as well.

Just because someone doesn't agree with what they did, doesn't mean Microsoft is in the wrong. Continuing to disagree with them isn't going to do much. Any online service provider can and does pull human readable user data as part of both internal and external investigations. An employee gave away trade secrets to a third party "blogger" (and I use that term loosely), and they acted to protect their assets. This "blogger" then used Microsoft's own services to store this stolen information. It's like having a room mate steal from you, and then hiding your stolen belongings away in your own house. You're not going to (and shouldn't need to) go to the courts to search your own house to retrieve them. If this stolen code had been stored elsewhere, then yes, they would have certainly needed a warrant almost immediately to search those services to uncover the source of the theft.

Edited by Dot Matrix, Mar 23 2014, 3:31am :

Asmodai said,

Sorry, I didn't realize being a lawyer was a requirement to comment here.
It isn't, but don't say something a lawyer decided is not allowed because you think so, that's bullsh*t. Those people know what they do so if you don't know anything about the subject on a legal matter, don't judge and don't comment, because your comment is probably wrong.

Studio384 said,
It isn't, but don't say something a lawyer decided is not allowed because you think so, that's bullsh*t. Those people know what they do so if you don't know anything about the subject on a legal matter, don't judge and don't comment, because your comment is probably wrong.

No... Just because a lawyer decides something is legal doesn't make it so... This is why there are two lawyers arguing that they are both right at every legal dispute (hint: only one can be right)...

The job of MS' legal team is to protect MS above all else. Their job isn't to ensure they comply with the law, but to assess the risk of breaking it.

Studio384 said,
It isn't, but don't say something a lawyer decided is not allowed because you think so, that's bullsh*t. Those people know what they do so if you don't know anything about the subject on a legal matter, don't judge and don't comment, because your comment is probably wrong.

Did you even read the article? Did you even read my original post? I didn't say anything was not allowed. The EFF (who also has very good lawyers) said MS could have gotten a warrant. Microsoft said they couldn't. I simply stated that not being a lawyer myself I don't know which one is legally correct and then went on to outline my opinion IN BOTH CASES. I did NOT assume the EFF was correct but nor did I assume Microsoft was correct just because they consulted their lawyers. If you just believe everything a company says because their lawyers said it was ok that's great for you but I don't. It isn't MS specific either, that's true with any company. Just because the lawyers they pay say it is ok doesn't mean it is. The NSA's lawyers say their spying is OK too. Heck the majority of people who actually are guilty of something and go all the way to court probably have lawyers that will tell you they did nothing wrong. Why do we even need a justice system if you can just hire a team of lawyers to say what you do is ok? If that doesn't work then you can hire an ex-judge to say what you do is ok and you're golden.

This is the problem in today's world where people are willing to give up their personal liberty and freedom for the sake of some ad infested free service. There is due process involving searching personal record of consumers. Companies should not be allowed to do whatever they want just because they can. If they had some reasonable and probable ground to search blogger's email then they should have applied for the warrant. French blogger should sue MS for breach of privacy.

Auditor said,
French blogger should sue MS for breach of privacy.
I don't think he has a leg to stand on given what he did but yeah, I'd like to see the outcome too. If nothing else maybe the laws will be changed for all companies so a warrant is required, not just leaving it up to them to decide.

It's hard to sue for "breach of privacy," when: A) It's the Internet, there is no privacy here. There is limited right to privacy, and when you sign up for Internet based services, you do agree upon that you can and will be monitored. Also, B) It's Microsoft's own house. If you have a room mate who is stealing from you, giving your belongings to a neighbor, who is then hiding those belongings on your property, then you do not need a warrant to search your own property to recover the stolen belongings. You are also free to set up your own surveillance to monitor the activity going on, and then take your findings to the proper authorities for appropriate legal action.

Had the "blogger" used an external source, instead of Hotmail/SkyDrive, then yes, Microsoft would have needed a warrant to retrieve that information. Microsoft acted well within their boundaries given the circumstances.

Dot Matrix said,
It's hard to sue for "breach of privacy," when: A) It's the Internet, there is no privacy here. There is limited right to privacy, and when you sign up for Internet based services, you do agree upon that you can and will be monitored. Also, B) It's Microsoft's own house. If you have a room mate who is stealing from you, giving your belongings to a neighbor, who is then hiding those belongings on your property, then you do not need a warrant to search your own property to recover the stolen belongings. You are also free to set up your own surveillance to monitor the activity going on, and then take your findings to the proper authorities for appropriate legal action.

Had the "blogger" used an external source, instead of Hotmail/SkyDrive, then yes, Microsoft would have needed a warrant to retrieve that information. Microsoft acted well within their boundaries given the circumstances.

Dude Matrix, you have no idea what you are talking about. Who gave you this idea that you can search your room mate's room without his consent? You have no legal right to search someone else's property even when you have given them consent to live at your place. You can search things around in common room or other stuff but you can't be going inside his bag and try to look for things. The data here is user's property stored on MS server. Your analogy of comparing MS snooping with roommate is hugely flawed and nonsense.

So what you are saying is that there is privacy protection as long as things are stored on someone else's server. Just to give you an example, our health and tax information is saved on government servers but other agencies even government agencies not directly related to same department still need people's consent to release the information. What about this if MS legally put loophole in their OS such as sending your private information back to MS and then claim that you had agreed TOS when you installed their OS. Let's see how that reasoning is going to work out in court. You have provided one of the stupidest defenses in favor of MS.

Auditor said,

Dude Matrix, you have no idea what you are talking about. Who gave you this idea that you can search your room mate's room without his consent? You have no legal right to search someone else's property even when you have given them consent to live at your place. You can search things around in common room or other stuff but you can't be going inside his bag and try to look for things. The data here is user's property stored on MS server. Your analogy of comparing MS snooping with roommate is hugely flawed and nonsense.

So what you are saying is that there is privacy protection as long as things are stored on someone else's server. Just to give you an example, our health and tax information is saved on government servers but other agencies even government agencies not directly related to same department still need people's consent to release the information. What about this if MS legally put loophole in their OS such as sending your private information back to MS and then claim that you had agreed TOS when you installed their OS. Let's see how that reasoning is going to work out in court. You have provided one of the stupidest defenses in favor of MS.

I think you're making this up based on what you want to believe your rights are. You'll never find any documented legal protections for a roommate's personal belongings. If you go into your roommate's bedroom and look through his closet, there's nothing he can do about it. You're welcome to try to prove me wrong, but do more than just type text at me (ex., link to something official).

This whole thing is a lot more like a delivery company reserving the right to search the packages you ship through them, which they can do, at their own discretion, under any circumstance they feel like, and you can't press charges if they do, and it's always been that way.

Auditor said,

Dude Matrix, you have no idea what you are talking about. Who gave you this idea that you can search your room mate's room without his consent? You have no legal right to search someone else's property even when you have given them consent to live at your place. You can search things around in common room or other stuff but you can't be going inside his bag and try to look for things. The data here is user's property stored on MS server. Your analogy of comparing MS snooping with roommate is hugely flawed and nonsense.

So what you are saying is that there is privacy protection as long as things are stored on someone else's server. Just to give you an example, our health and tax information is saved on government servers but other agencies even government agencies not directly related to same department still need people's consent to release the information. What about this if MS legally put loophole in their OS such as sending your private information back to MS and then claim that you had agreed TOS when you installed their OS. Let's see how that reasoning is going to work out in court. You have provided one of the stupidest defenses in favor of MS.

I think you're blurring the lines of our right to privacy from government search and seizure vs the rights of individuals. I'd imagine it is not legal to go through your mates room in your house. If you stole those goods, used them to extort/blackmail them etc. then you'd get into trouble. Outside of that I'd love to see you try and get a roommate arrested for going into your room and finding your diary.

Auditor said,

Dude Matrix, you have no idea what you are talking about. Who gave you this idea that you can search your room mate's room without his consent? You have no legal right to search someone else's property even when you have given them consent to live at your place.

You can when you own the house.

Dot Matrix said,

You can when you own the house.

If there was reason to think he was stealing from you then it would be odd indeed if you could not.
And all the more so when he agreed - before he moved in - that you have "the right to search through [his room] if such actions are needed to "protect the rights or property of [you or your] customers."

"then you do not need a warrant to search your own property" You cannot do that, try it and see if you don't get sued. You cannot go inside of a house that is rented to someone without that person's permission or with the proper authorities.

wahoospa said,
"then you do not need a warrant to search your own property" You cannot do that, try it and see if you don't get sued. You cannot go inside of a house that is rented to someone without that person's permission or with the proper authorities.
Actually, in many cases a landlord can enter a house they own even if it's rented. Different states handle it differently or haven't handled it at all. Your right to privacy if you rent a place is not implicit. In fact, it's a good idea to check your rental agreement which will usually outline the way they can or can't come in. In the end, right to privacy, warrants, search and seizure rules are for governments... not private entities.

MrHumpty said,
Actually, in many cases a landlord can enter a house they own even if it's rented. Different states handle it differently or haven't handled it at all. Your right to privacy if you rent a place is not implicit. In fact, it's a good idea to check your rental agreement which will usually outline the way they can or can't come in. In the end, right to privacy, warrants, search and seizure rules are for governments... not private entities.

24 hours notice for me! ;)

spenser.d said,
How long has their TOS said that and the EFF only makes waves now? :laugh:

As far as the public knows, this is the first incident of Microsoft invading a person's email account.

Ambiance, what you need to know (for your own benefit) are your rights. You clearly don't know them because you give too much credence over a TOS.

Wait... you're wrong Victor. And so are EFF. You are free at any time to not use Microsoft's services. And you know that 40 whatever page long TOS that you agreed to? The one you didn't read? Yea, it says they can do this. Further, given a (former) employee of Microsoft was engaged in a criminal conspiracy to steal trade secrets, why WOULDN'T they scan his emails?

Why isn't anyone saying how utterly, totally, phenomenally stupid these people are? They steal code from Microsoft using their Hotmail accounts? Really? I don't want them driving a car. I don't want them on the streets. They are dangerously stupid. They deserve to go to prison just for being idiots.

Look, you have options if you want your emails to be totally private. Hotmail is not one of them. Nor is Outlook. Nor is Gmail. You have NO expectation of privacy if you use these services. And you are free to not use them at any time. If the legal people at EFF were any good, this is what they would tell you. They would also tell you to ACTUALLY READ the TOS before you click 'Agree'. That's what a competent attorney would advise you to do: Read the contract you are about to agree to. Always.

All this makes me wonder about EFF. They mean well, but they apparently have really bad legal counsel. If someone tells you you have an expectation of privacy in your free email account, while committing a crime, they have given you the worst possible advice.

Like George Bluth once said, "I have the worst fuc*ing lawyers". They probably worked for EFF.

No expectation of privacy is nonsense. Bend over if you will, but I find it absurd to think that you're at the mercy of companies.

It always comes down to people hating MS. They didn't do anything wrong here with what they did, and for anyone else carrying on illegal activities on any online service this should be a warning to you to not be so stupid and stop doing your illegal dealings on these services.

dead.cell said,
No expectation of privacy is nonsense. Bend over if you will, but I find it absurd to think that you're at the mercy of companies.

If you expect certain things, you best read the TOS and then decide if it's right for you. If you don't, it's all on you.

dead.cell said,
No expectation of privacy is nonsense. Bend over if you will, but I find it absurd to think that you're at the mercy of companies.

I don't see how this is all that different from the fact that UPS/FedEx have reserved the right to open/inspect packages for ages.

That's a child-like position. I'm not at the mercy of the companies. I'm free to not use their services. For example, I don't use anything Google.

How can you have an expectation of privacy when you have waived any expectation of privacy in the TOS? What you call nonsense is called a contract by adults. The Provider agrees to give you the service for free, and in return you will allow the Provider access to your data. Why do you think it's free? Do you think Google likes you? Do you think that's why they give you all that cool free stuff? Of course not. To believe that would be stupid.

Google wants to know what you do, who you talk to, and what your interests are. They then sell this information to others, including your email address, for a profit. If you have a Gmail account, you have agreed to this. Tell me this is all new to you. Say you weren't aware of any of this. Wait... you didn't read the TOS, did you?

I've got some bad news for you, sunshine. If you have a free email account, such as Gmail or Outlook, you have agreed to allow the Provider to sell very personal information about yourself to others. Some Providers are worse about this than others. Google is the worst of the lot. By far.

This should be called "Remedial Internet for Home-Schooled Kids". When you open an Outlook.com account, and click "I Agree", you have waived any right to privacy you had concerning communications in that account. It's spelled out in the TOS that you didn't read. Didn't you notice the exponential explosion of junk mail you got when you opened that Gmail account? Did you think that happened by accident?

And you're being condescending towards me?

I don't bend over. I pay for a secure email account. An account where a real cop would need a real warrant to access my data. Where the Provider does not have access to my data. I pay money for that. I have an expectation of privacy, because that's what the TOS calls for. I also have an Outlook account, and a Hotmail account. I use these accounts for the things that Pishaw does. I don't expect any privacy, because I waived the right to such. That's why they give email to me for free. How do you not get this?

Many of the people that comment on sites such as this seem to think they're intelligent. Even to the point of arrogance, like Deadcell has here. Yet Deadcell believes he has an expectation of privacy when the expectation of privacy has been waived in the TOS he agreed to. What would you call that? Stupidity? Naivety? Optimism? A combination of all the above?

In the end it doesn't matter, because they are still selling your data if you have a free email account. I have found that Microsoft is the least of the worst. They do send me admail, but they don't seem to be whoring my stuff out there like Google does. Google is by far the worst.

Deadcell, a better approach might be to ask questions about a given topic before you start talking down to people. You obviously don't understand this whole privacy on the internets thing.

Bottom line: If you want privacy, you HAVE to pay for it. There is no other way.

spenser.d said,
How long has their TOS said that and the EFF only makes waves now? :laugh:
Just because it's in the TOS doesn't mean it's legal. They could put that they have the right to kill you in there, doesn't mean it's legally true.

VictorWho said,

As far as the public knows, this is the first incident of Microsoft invading a person's email account.

Ambiance, what you need to know (for your own benefit) are your rights. You clearly don't know them because you give too much credence over a TOS.


And they had a very good reason to do so. It's dumb to spread that Microsoft searched a user's email, but not saying that that user had stolen source code from Microsoft's software.

Yes if only the EFF could snoop on Microsoft's email like Microsoft could on their customers, they might have found this out a long time ago.

But good for them for standing up for privacy and bringing this evil to light.

Pishaw said,
<an unnecessary novel>

I simply disagree with you. Sorry if you got all upset thinking I'm being condescending to you, but I've heard it all before which is why I didn't quote you directly. I still don't agree with it. You're not right just because you disagree, so you can take your opinion and speak it freely, but it still doesn't come out a fact, just as my opinion is not a fact either.

Sunshine, insinuations of arrogance, stupidity, naivety? Yeah, no thanks bud. You can keep your bait in the tackle box because I'm not interested in name calling contests.

recursive said,
Yes if only the EFF could snoop on Microsoft's email like Microsoft could on their customers, they might have found this out a long time ago.

But good for them for standing up for privacy and bringing this evil to light.

Microsoft freely admitted to doing this. The EFF didn't bring anything to light.

dead.cell said,
No expectation of privacy is nonsense. Bend over if you will, but I find it absurd to think that you're at the mercy of companies.
I agree with you completely. Unless you have agreed to any specific waivers of that privacy expectation (which was the case here) you definitely shouldn't expect that all data on these company servers is subject to random search since nearly all the TOS specifically states what they can and can't do with your data.

"For example, I don't use anything Google". Good points but you cannot escape Google. I bet if you surf the web, chances are you have Google cookies in your browser.

wahoospa said,
"For example, I don't use anything Google". Good points but you cannot escape Google. I bet if you surf the web, chances are you have Google cookies in your browser.
Learn what the hosts file is. It's actually possible to avoid Google completely, unless someone you want to do business with or communicate with requires that you use Google.

I'd block that stuff but I want sites I visit to make money. Otherwise I'd be running privoxy/squidguard on my router so all my devices would be covered, not just ones you have access to the hosts file on.

Geezy said,
I'd block that stuff but I want sites I visit to make money. Otherwise I'd be running privoxy/squidguard on my router so all my devices would be covered, not just ones you have access to the hosts file on.
Yes, but the point is you can. And Google grabs data through all of its services: Ads, Analytics, reCAPTCHA, Fonts, jQuery (and other CDN style hosting) etc. reCAPTCHA is the main one you really can't avoid in some cases.

Hosts is much easier to set up for the average user rather than any specific hardware/software solutions network wide :D

I kind of agree that flashing a new firmware is beyond most users, but it's far from difficult to install. The hardest step is figuring out the exact model of your router. I know this probably doesn't happen often in reality, but whenever I've installed a router for someone I was kind enough to make sure they got something compatible with dd-wrt and made sure to flash a stable version for them and secure it.

Geezy said,
I kind of agree that flashing a new firmware is beyond most users, but it's far from difficult to install. The hardest step is figuring out the exact model of your router. I know this probably doesn't happen often in reality, but whenever I've installed a router for someone I was kind enough to make sure they got something compatible with dd-wrt and made sure to flash a stable version for them and secure it.
I, too, have installed DD-WRT whenever I've helped someone at home or a small business. It's our world though. It's far from the norm. In fact, whenever I tell people what I'm doing their eyes glaze over like I just started reciting Physics formulas or something.

Like many other things in tracking etc. If users all had someone like us looking after them much of what Google and others do to track them would be ineffective :|