Electronic Frontier Foundation slams Microsoft for searching a blogger's Hotmail

The controversy over Microsoft searching through a person's Hotmail account in September as part of a company investigation has now gotten the attention of the non-profit Electronic Frontier Foundation. As you might expect, the EFF thinks that Microsoft's actions violate the U.S. Electronic Communications Privacy Act.

Microsoft admitted this week that as part of its actions to find evidence against a person who allegedly leaked Windows 8 files and other code to a third party, it examined some of the Hotmail account content of a French blogger who was in communication with the leaker, now former Microsoft employee Alex Kibkalo. Microsoft's Terms of Service for Hotmail and Outlook.com users state that the company has the right to search through those accounts if such actions are needed to "protect the rights or property of Microsoft or our customers."

The EFF believes, however, that Microsoft should have gotten a warrant to search the Hotmail account. Microsoft's argument is that "courts do not issue orders authorizing someone to search themselves," but according to EFF legal fellow Andrew Crocker it's the content of the emails on those servers created by a third party that is being searched.

Crocker says:

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

Microsoft has said it will be updating its policies on searching email accounts, which will include adding a separate legal team to determine if a search is needed, followed by sending that opinion to an outside attorney who is a former federal judge. That's not good enough, according to Crocker, who says it violates the Fourth Amendment right to have such evidence presented to a "neutral and detached magistrate."

Crocker also thinks that Microsoft's Terms of Service could be abused thanks to the specific wording. He stated, "Combined with the kangaroo court potential of the company’s new internal Warrants for Windows policy, Microsoft is playing with fire." So far, there's no word on whether the EFF plans to launch any legal action against Microsoft.

Source: EFF | Image via Microsoft

119 Comments

ichi said,
Commenting on the collision between the right to access data on your own servers (as agreed on the TOS) and the privacy of communications is hardly MS-bashing in any case.
It is when they go on and on about this case without noting the problem is far more widespread than just one company's policies, and seem to be doing nothing to address the lacuna in the law. And yeah, this case led to an arrest so the events became public via court documents, but what proof do we have (besides their own word) that other companies (or even the same one) haven't looked at users' data before? Heck, even if the warrant requirement is brought into effect how does that prevent these companies from looking at user data in the first place? Ultimately you have to recognize the fact that without sufficiently strong encryption by users (not the companies themselves) no data stored on third party servers is ever 100% guaranteed safe from snooping. Given that, I don't know on what basis the EFF is handing out those silly stars anyway to any of these companies, as if they mean something when it comes to privacy.

Edited by Romero, Mar 26 2014, 12:47am :

Romero said,
It is when they go on and on about this case without noting the problem is far more widespread than just one company's policies, and seem to be doing nothing to address the lacuna in the law.

They published one single article about this case (which I don't think qualifies as "going on and on") because this case is recent news, but the EFF has also been critical of Gmail's privacy before.

Going on and on in that article; it was lengthy enough without addressing the larger concerns this brings up about privacy of email or cloud storage data in general. As for Gmail, I don't know what they criticized or how much but it clearly shows companies don't care what they have to say because nothing's changed there.

Isn't it great to see the EFF are not only standing up for the rights of thieves, they're now standing up for the rights of French thieves too.

recursive said,
If by thieves you mean microsoft, then you are absolutely right.

Oh, it's you again... trolling MS once again?
Microsoft are not thieves, we pay them for products to use.
With this case, I don't see where MS went wrong, they didn't just search a random account, it was proven that the guy (MS employee) stole Win-8 code and passed it on to someone and that email was sent to a Hotmail account, the employee is stupid if he was thinking he could get away with it...

Now, I'm going LOL at the employee, because MS are going to make an example out of him by properly suing the ex-employee and in the USA you get sued, it's not petty cash, it's going to be in the millions... oh well, that guy isn't going to get an IT job anywhere lol

This should be an eye opener for all people who care about their privacy to be wary of this recent cloud fad. These days everyone is so eager to hand over their digital life on some big corporate company's server voluntarily. I am sure we will soon be hearing stories about cloud storage snooping as well.

All of them do that and unfortunately you can't do anything about it, because people's desire to use free stuff is more than their desire to keep their privacy. Google started this when they introduced their Gmail service with that ridiculous counter to increase your inbox limit by seconds. Then everybody else, to compete with that, went to unlimited free storage with virus scanner and anti-spam engine. Of course something has to pay for these: ads infesting, giving up your privacy, many things...

The_Observer said,
Cool, show me a paid product where they will not jump into your email account, where they protect your rights and not give out any of your details. Thinking the best setup is an email server on your own computer! Mmm, I wonder????

(EDIT) found answer to my own question. http://web.appstorm.net/roundu...email-with-your-own-domain/

Unless a cloud provider offers end-to-end encryption, for which you and only you hold the keys, they will always be tempted to get a sneak peek at your data should the situation warrant itself, despite what their marketing brochure and PR team might insist.

The only way to be absolutely certain is to host your email yourself. If you know what you are doing, any old desktop lying around will do, and it shouldn't cost you over $20 a month over what you already pay for internet. With feature rich software like Zimbra, Kolab, etc available for free, there is absolutely no reason to not do so if privacy is even of the slightest concern to you.

The_Observer said,
Cool, show me a paid product where they will not jump into your email account, where they protect your rights and not give out any of your details. Thinking the best setup is an email server on your own computer! Mmm, I wonder????

(EDIT) found answer to my own question. http://web.appstorm.net/roundu...email-with-your-own-domain/


There are some corp email providers with encryption, but if you really care you can make your own datacenter or rent one and implement an email service with custom high-end encryption.

Remember what Apple did when they were searching for the "lost" iPhone prototype?
When they hired people to pose as officers of the law, and entered a civilian's house and searched it.

I must say I'm a bit surprised by some Neowin readers being double-faced.

For months we were reading about scroogled campaign (which was stupid and was bending the truth a bit in my opinion) and people were commenting a lot in favor of MS.
Yet now we can see Microsoft is no better and people still defend MS.

Let me remind you: Google scans emails and matches keywords to ads - it's an automatic process, no one reads it, no ad company sees it or even your email account.
Now we see Microsoft who READS your email, a person, bypasses account security, goes into your account and just reads it.

If that was a normal mail/post, it would break a few laws already - many countries have a law preventing anyone from reading mail not addressed to you.
TOS can be wrong - it's mostly written for the benefit of the company, not their users. No mail company can open a letter and read it when they want, even if it's something connected to that company.

I could understand it if that was an employee email account - although still edgy, employers are, to my knowledge, allowed to check employees' emails, but from what I see Microsoft checked the guy's *PRIVATE* account, isn't that right?
That changes everything!
TOS or not, if someone wants to read a private mail or email - get a warrant or GTFO.


The whole case is worrying because we see Microsoft becoming its own police force, defining what's legal and what's not, ignoring reporting the crime to the police and waiting for them to investigate, like it should happen in the first place.
What's next? MS will employ full-time judges to sentence people who committed crimes against Microsoft? Will MS be running prisons as well or everyone gets death sentence?


Seriously people, this is not right, doesn't matter which company does it, but now you not only have proof that Microsoft scroogled you (I think someone has to come up with a new word for it then) but they did it way better than Google. (or worse, depending how you look at it)

This has just gotten to be a bit crazy, and here is why...

Google and other mail hosting providers open user email accounts all the time, without escalation and without having to go through their legal. If this was Google or 99% of any other ISP that hosts email, they would have pulled and read the user's email. There would be NO STORY, as this stuff happens ALL THE TIME.

The only reason this is a 'story' is that it was NECESSARY to go through Microsoft Legal just for them to get the security key to open the user's account.

So because Microsoft has such a complex process of approval and decryption to gain access to a SINGLE user's email, this has become a story.

So we are being hypercritical of one of the few companies that take user privacy seriously. Really?

I think one of the reasons of why it is a story is due to Microsoft's stance on privacy as you mentioned. This case appeared to go against the grain.

DonC said,
I think one of the reasons of why it is a story is due to Microsoft's stance on privacy as you mentioned. This case appeared to go against the grain.

Microsoft doesn't data mine user's accounts. Just because they value privacy in this regard, doesn't mean they're not able and willing to pull a user account if the situation calls for it.

Dot Matrix said,

Microsoft doesn't data mine user's accounts. Just because they value privacy in this regard, doesn't mean they're not able and willing to pull a user account if the situation calls for it.

Of course MS data mine user accounts, their targeted advertising business doesn't work on magic.

"The information we collect may be combined with information obtained from other Microsoft services and other companies."
"We use cookies and other technologies to keep track of your interactions with our sites and services to offer a personalized experience."
"We use your information to inform you of other products or services offered by Microsoft and its affiliates, and to send you relevant survey invitations related to Microsoft services."
"In order to help provide our services, we occasionally provide information to other companies that work on our behalf."

What they might not do is data mine the contents of your mail, but "MS reserves the right to review materials posted to the Communication Services".

Shrug.

I have no problem with companies searching through email in extraordinary circumstances -- whether it's something like this, child pornography, or whatever. I think the most amazing thing in this whole story is that this blogger was stupid enough to think that Microsoft couldn't/wouldn't search their Hotmail account. I'd say the same thing if the search algorithms for Google were stored on Google Drive, and the person had evidence of it on their Gmail.

I don't view it as an invasion of my privacy. And, I use Office365 :p

Screw EFF and the lot of them.

You don't get to sign up for a FREE service that's hosted using SOMEONE ELSE'S hardware and infrastructure and then start whining about your "rights."

Host your own email if you want control over it, otherwise know what you are agreeing to when you get in bed with someone else.

Lord Method Man said,

Host your own email if you want control over it, otherwise know what you are agreeing to when you get in bed with someone else.

Unless you only use that setup to email yourself you are still not in control of your mail. It'll end in someone else's inbox, subject to third parties' policies.

Exactly... that's an unfortunate precedent... their position shows bad intent since it was very simple to get a warrant... there was nothing extraordinary about that
and what guarantee does anybody have that they are not violating people's privacy on a daily basis

Besides the fact that software they make constantly leaks out? If they were going through employee e-mail 24/7, he never would have been able to leak anything. Especially something that can be used to destroy their activation system.

Badcat007 said,
and what guarantee does anybody have that they are not violating people's privacy on a daily basis
So which free mail service are you using with that guarantee? I'm interested too. I'm also interested to know how a guarantee would help if you never come to know that your mails have been read?
