Microsoft responds to SkyDrive privacy concerns

We recently reported on a man who claimed that Microsoft had locked him out of his own Microsoft Account after finding disallowed content in a private folder on his SkyDrive. That raised some questions about just how private private SkyDrive folders are, and after a bit of investigation, we've got a response from Microsoft on the issue.

In general, Microsoft says, they don't comment on internal processes, either on how their systems work or about this man's specific case, but they do have 'strict internal policies' in place to limit employees' access to user data. As many of you suspected, this involves Microsoft Research's PhotoDNA project, which is a pretty amazing piece of automated software that helps law enforcement and ISPs track down child pornography. Obviously, Microsoft's rules cover way more than that, too.

Without giving any specific details, a Microsoft spokesperson says that they have "advanced mechanisms to ensure that users abide by [their] Code of Conduct," the implication being that most of this would happen through automated processes.

And since SkyDrive's Code of Conduct involves a lot more than child pornography, it's possible that they're using something similar to PhotoDNA to track down pornography in general, and pirated materials. When that happens, and this is just a hunch, someone probably does look into the account to confirm that the content is in violation of the CoC, and then takes action. That's actually probably a good thing, since it means that they're taking the time to make sure that you really are breaking the rules, and not just banning you willy-nilly.

So, where does this leave SkyDrive privacy? That's a choice that you'll have to make for yourself, but generally speaking your account really should be for your eyes only so long as you're not in violation of Microsoft's rules. We care a lot about our privacy, and we're sure that you do, too, but so long as you play by Redmond's rules while you're on their turf, things should work out pretty well.

Does that mean that Microsoft's privacy practices are perfect? Heck no! There's a lot of speculation going on here, but there's always going to be lots of room for improvement - even they admit that. In the end it all comes down to using common sense about what you're willing to trust someone other than yourself with. With that, we're gonna leave you with Microsoft's full statement, below:

With 60 million SkyDrive customers in more than 100 countries, Microsoft works hard to keep SkyDrive available around the world as the trusted place for people to store personal data. In order to do this, we’ve built SkyDrive to respect the privacy of our users while also ensuring it is not used for illegal activity – such as the distribution of child pornography.

As a general practice, we do not comment on internal processes; however, we have strict internal policies in place to limit access to a user’s data, and we have advanced mechanisms to ensure users abide by our Code of Conduct. For example, we pioneered automated scanning for child pornography through the PhotoDNA project – now used by other industry leaders. 

Any content we find to be in violation of our Code of Conduct is subject to removal – and in rare cases, can lead to temporary or permanent shutdown of an account. 

We understand no system is perfect. That’s why we are constantly improving our ability to ensure the privacy, security and availability of our users’ data around the world.

51 Comments

this is why you should pre-encrypt EVERYTHING BEFORE sending it to ANY cloud service. do you really trust these companies when the government comes waving a subpoena, or worse yet, when they don't even have one?

Which is a silly point since MS wants us to link our personal stuff to their cloud in WP/Win8. Sure I can encrypt, and give up all the cool features that make Skydrive great.

To those who think this only covers the horrors of child porn and piracy:

I lost all my business (contemporary art gallery) documents when Microsoft decided that my press release-- which included something that is acceptable even in my predominantly Muslim country's newspapers (nudity in art)--was reason enough to delete my entire account.

To add insult to injury, it took me over 8 months of correspondence to get all the Live services functional again on my 10+ year account. I'm still not sure everything is working right.

That I do not own my files is plain ludicrous. I will never switch to Skydrive if MS doesn't fix this.

They only suspend your account until you remove the offending content. Once that's done you're good to go again. I had it happen to me with a desktop screenshot that showed a partially nude female; I deleted the original, covered the boobs with a couple of icons and re-uploaded, and all was fine

although anything that's not shared should not be subject to PhotoDNA or any other such scrutiny unless a complaint has been made

To those curious of the suspension process:
I have a photographer friend who had uploaded partially nude photos before on their SkyDrive, and only their SkyDrive account got temporarily disabled (everything else still worked)... they got an automated email with specific folder and filenames that their automated checks found suspicious, and it provided links to delete them or contact them to re-evaluate. They then unblocked his account after reviewing it's for professional purposes and not exploitive or vulgar purposes and he's now able to use it. It sounds perfectly reasonable in my opinion.

Yes: Pics of your cat, dog, goldfish, family outing, work outing, happy hour, happy birthday, road trip, trippy place, house, hallway, art gallery, museum... etc

No: Your amateur porn

Once you put your files to a "cloud storage" these files become NOT YOURS. Cloud service provider can delete them, can use them, they can outsource file processing to 3rd world country and everyone from some dodgy data centre will look at your files etc etc etc. They may fool you about "strict privacy policies", but... you know how things are done there.

If you want your files to stay yours - put them on YOUR device and do not sync them with any cloud storage.

lexp said,
Once you put your files to a "cloud storage" these files become NOT YOURS. Cloud service provider can delete them, can use them, they can outsource file processing to 3rd world country and everyone from some dodgy data centre will look at your files etc etc etc. They may fool you about "strict privacy policies", but... you know how things are done there.

If you want your files to stay yours - put them on YOUR device and do not sync them with any cloud storage.

That is what happens if you're using Google Drive, yes

THolman said,

That is what happens if you're using Google Drive, yes


Haha! And I thought journalists were supposed to be unbiased.

How long until some enterprising business man starts up a PornBox, or PornDrop service where you can access all your pornographic images and videos via the cloud.

and this is just a hunch, someone probably does look in to the account to confirm that the content is in violation of the CoC

Any content subject to 'human' review is provided to the reviewer via automation, they are NOT given access to the account or the data beyond the questionable item/items.

So if you upload something illegal, that item/document is pulled for review by machine automation to be reviewed by a person, the 'human' does not gain access to the account, only the specific item in question.

If there is reason to view an entire account, like a court order, an 'unlock' of the account is machine queued with temporal restrictions and is key encrypted to the court order, which keeps it machine only readable until the authorized authority unlocks the content.

Getting the authorization to machine queue these types of requests is massive, and is not something an employee can do as they do not have the keys necessary to even 'queue' an account unlock on their own. At most an employee could mothball an account which takes 3 months or more to go off-line, and remains encrypted and locked until it is eventually purged.

Microsoft does this for their own protection, in addition to the protection of users, as a court order that demands SkyDrive or Hotmail data could contain sensitive or classified information, which Microsoft does not want the responsibility of exposure nor the liability of employee access to the sensitive data.

**This is a vast contrast to Google, where they have soft policies in place, and an engineer can literally do queries on specific user accounts, or general trend information. So they can literally sample 10 million users to see if people are talking about buying Apple stock, and go home and buy stock. They can also directly open and read through any user's account and any data stored by the user.
(Go look up the pervert fired for using GVoice chat logs to try to solicit sex from a teenager. Google defended the fact that 'employees' could read data claiming it was necessary, which is a lie.)

Machine and automated data systems have been around for a long time, with various key and encryption protections in place so that an IT admin can't be digging through financial data, and still have complete control over the data storage.)


(PS This is how data was handled when I worked with Microsoft's data centers several years ago, and my sources confirmed it is still in place and without adding specifics is even more locked down and encrypted now. As they noted, an employee at Microsoft that wanted to 'read/see' the content of an account would need a good supercomputer and about 12 billion years just to pop the GUID key, and that is only one level of the protection in place.)

Flip the file bytes or do a simple byte-shift and it'll probably no longer work.
Heck maybe even renaming .jpg to .dll might stop them being scanned! XD

Would me having my 1-year-old child pictures having a fun shower, stored in a private folder be considered child pornography? The pictures are just him playing with water/ducks and having fun. Just curious.

WaqasTariq said,
Would me having my 1-year-old child pictures having a fun shower, stored in a private folder be considered child pornography? The pictures are just him playing with water/ducks and having fun. Just curious.

In Canada that has gotten a number of parents in trouble. I think they've corrected that now as Canadians are pretty chill overall.

WaqasTariq said,
Would me having my 1-year-old child pictures having a fun shower, stored in a private folder be considered child pornography? The pictures are just him playing with water/ducks and having fun. Just curious.

Likely nothing to worry about, PhotoDNA tries to match against a database of known illegal material, so any family photos are probably safe.

~Johnny said,

Likely nothing to worry about, PhotoDNA tries to match against a database of known illegal material, so any family photos are probably safe.

I wondered if maybe they were using some sort of special version of the software that had been altered to look for any nudity in general? If you read the last article, there was a photographer who said he was banned for some photographs he himself took.

THolman said,

I wondered if maybe they were using some sort of special version of the software that had been altered to look for any nudity in general? If you read the last article, there was a photographer who said he was banned for some photographs he himself took.


true, but I think that (assuming Microsoft does have humans check over what PhotoDNA finds) the Microsoft checker would see that it's a family photo and leave it alone; if not, @j2006 says you could always ask someone to reevaluate it and explain to them that it's a family photo, and not intended to be child porn.

I honestly see nothing wrong with this process. If you choose to post questionable stuff into the cloud it's on you if you get caught and it's likely you will. If an automated system detects such content and it is then verified by human eyes before the account is locked fair enough.

No-one is holding a gun to your head to use a free service for storing this content so don't use it if you do not agree. There's plenty other options available.

I'm sorry but that's BS. I can't see why many of you are so complacent on this.

For example, I have a WP7 phone set to auto-upload to my SkyDrive roll. This means that if I snap some semi-nekked pics of some honey from my phone I'm in violation and could virtually brick my phone.

Dashel said,
I'm sorry but that's BS. I can't see why many of you are so complacent on this.

For example, I have a WP7 phone set to auto-upload to my SkyDrive roll. This means that if I snap some semi-nekked pics of some honey from my phone I'm in violation and could virtually brick my phone.


until you delete the file. If Microsoft disables your SkyDrive account, just delete the file and your phone'll be unbricked

Matthew_Thepc said,

until you delete the file. If Microsoft disables your SkyDrive account, just delete the file and your phone'll be unbricked

Aaaah... so all is fine right?
Just remove personal files and no harm has been done......... Gimme a break.

GS:mac

Can you confirm that this policy is different for Office365 users since it is supposed to be HIPAA compliant?

The problem is that their CoC is far too broad to apply to private and public content.

Edited by Dashel, Jul 22 2012, 5:39am :

kryten said,
If your account was blocked, how did you remove it?

according to @j2006, they send you an email where you can either choose to delete the file or have Microsoft re-evaluate it

I had a funny picture that someone drew in draw something. It was a large naked man with all private parts censored but my account was blocked until I removed it.

Ad Man Gamer said,
All you need to do is hold all your data in a truecrypt container. Then you don't need to worry about them snooping on you.

please explain how to, and in a way that i don't need to upload a 2-4GIG file every time i add or remove a file.

th3r3turn said,

please explain how to, and in a way that i don't need to upload a 2-4GIG file every time i add or remove a file.


When you use a truecrypt container, it is ONLY uploaded once, and after that it only uploads the parts that change; this is from the Dropbox forums and was a reply by a 'Dropboxer'.
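An added illustration of the exchange above (not code from the commenters, Dropbox or TrueCrypt): a container encrypted sector by sector, as TrueCrypt's XTS mode does, changes only the blocks that were edited, while a file re-encrypted as a whole with a fresh nonce changes everywhere. The SHA-256 keystream is a toy stand-in for the real cipher and is not secure; the sector and sync block sizes, function names and sample data are assumptions.

```python
import hashlib
import os

SECTOR = 512   # assumed container sector size
BLOCK = 4096   # assumed sync-client block size (real clients use larger blocks)

def keystream(key: bytes, tweak: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Stand-in for a real cipher, NOT secure."""
    chunks = []
    for counter in range((n + 31) // 32):
        chunks.append(hashlib.sha256(key + tweak + counter.to_bytes(8, "big")).digest())
    return b"".join(chunks)[:n]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_container(key: bytes, plaintext: bytes) -> bytes:
    """Sector-wise: each sector's ciphertext depends only on the key, the
    sector index and that sector's data, as in a disk-encryption container."""
    out = []
    for off in range(0, len(plaintext), SECTOR):
        sector = plaintext[off:off + SECTOR]
        tweak = b"sector" + (off // SECTOR).to_bytes(8, "big")
        out.append(xor(sector, keystream(key, tweak, len(sector))))
    return b"".join(out)

def encrypt_whole_file(key: bytes, plaintext: bytes) -> bytes:
    """Whole-file: a fresh random nonce per run changes every output byte."""
    nonce = os.urandom(16)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))

def changed_blocks(old: bytes, new: bytes) -> list:
    """Indices of BLOCK-sized chunks a block-level sync client would re-upload."""
    def hashes(d):
        return [hashlib.sha256(d[i:i + BLOCK]).digest() for i in range(0, len(d), BLOCK)]
    a, b = hashes(old), hashes(new)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]

def demo():
    key = b"constructed-demo-key"
    before = bytes(range(256)) * 256                         # constructed 64 KiB "volume"
    after = before[:10000] + b"\xff" * 100 + before[10100:]  # edit 100 bytes in place
    container = changed_blocks(encrypt_container(key, before),
                               encrypt_container(key, after))
    whole = changed_blocks(encrypt_whole_file(key, before),
                           encrypt_whole_file(key, after))
    return container, len(whole)

if __name__ == "__main__":
    blocks, n_whole = demo()
    print("container blocks to re-upload:", blocks)
    print("whole-file blocks to re-upload:", n_whole)
```

The same property that makes the container cheap to sync also lets the storage provider see which regions of it changed between uploads, even though it cannot read them.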

There are a few select services which encrypt your files using a private password. I'll never use any cloud storage service that doesn't give me this option.

SpiderOak, Wuala, and BackBlaze are just a few. There's also 3rd party software which can encrypt files on Dropbox.

Xinok said,
There are a few select services which encrypt your files using a private password. I'll never use any cloud storage service that doesn't give me this option.

SpiderOak, Wuala, and BackBlaze are just a few. There's also 3rd party software which can encrypt files on Dropbox.


I don't have anything illegal uploaded, but before I upload a backup, I always encrypt documents that I don't want others seeing, with a very long password using AES256, that I save in Lastpass. I don't trust the security on the websites.

Without knowing the specific details and what the content in question was we can't really say much about this. I do believe that they run an automated photo check to make sure you're not uploading porn though. That's just something I expect, out of these free services. If you really want privacy then you get your own private server and use that. Though if you're really hosting questionable content on even that then there's not much you can do because at some point the hosting company will get a complaint and take down the server and your files with it (which is why you also have backups of even stuff in the cloud).

I understand why child porn and pirated files may get your account shut down, but why aren't we allowed to have nudity in any form? I feel like the reason is because MS's tools can't tell the difference between child porn, porn, and artwork, so they just refuse all of it.

Omen1393 said,
I understand why child porn and pirated files may get your account shut down, but why aren't we allowed to have nudity in any form? I feel like the reason is because MS's tools can't tell the difference between child porn, porn, and artwork, so they just refuse all of it.

agreed, Microsoft should work on improving their tools to be more accurate but IMO, I'd rather block all porn than be too restraining on their algorithms so that people who encourage & produce child porn get away unscathed, given the two options.

Omen1393 said,
I understand why child porn and pirated files may get your account shut down, but why aren't we allowed to have nudity in any form? I feel like the reason is because MS's tools can't tell the difference between child porn, porn, and artwork, so they just refuse all of it.

Actually, nudity IS allowed as long as it's tastefully done (i.e. a professional photographer stores many photos from various photoshoots). I have a photographer friend who had uploaded partially nude photos and their SkyDrive account got temporarily disabled (everything else still worked)... they got an automated email with specific folder and filenames with a link to delete them or contact them to re-evaluate. They then unblocked his account after reviewing it's for professional purposes and not exploitative or vulgar purposes and he's now able to use it. It sounds perfectly reasonable in my opinion.

j2006 said,

Actually, nudity IS allowed as long as it's tastefully done (i.e. a professional photographer stores many photos from various photoshoots). I have a photographer friend who had uploaded partially nude photos and their SkyDrive account got temporarily disabled (everything else still worked)... they got an automated email with specific folder and filenames with a link to delete them or contact them to re-evaluate. They then unblocked his account after reviewing it's for professional purposes and not exploitative or vulgar purposes and he's now able to use it. It sounds perfectly reasonable in my opinion.

I keep images of paintings with nudity on my SkyDrive and I've never had an issue with Microsoft. But as far as I've read, it's still technically against the EULA, which is something they should change.

Enron said,
So, if you're not breaking the rules, you have nothing to worry about.

That's the excuse governments use to justify internet surveillance and data retention.

excalpius said,

Fascism is the creeping death of privacy and freedom one inch at a time...

Sure, if they just turned around and did this without prior warning then maybe you had a case, but MS has its CoC up and you're free to read them at any time before you use the service. If you didn't then that's partly your own fault.

Every Cloud service has this kind of surveillance of documents and illegal documents, if it's gonna be in the cloud you just need to be careful and know that they will go through your docs sometime....

erikpienk said,
Every Cloud service has this kind of surveillance of documents and illegal documents, if it's gonna be in the cloud you just need to be careful and know that they will go through your docs sometime....

+1, if you're going to put your files on a remote server owned & operated by another company, you just have to understand that you need to be a bit more careful about what kind of files you put up. If you're gonna use someone else's servers, you have to acknowledge that the host might have rules you need to follow by.

Ignoring the fact that he might have had inappropriate content uploaded to his skydrive account, it is still a breach of privacy! I think I might have to remove my documents now.

Biglo said,
Ignoring the fact that he might have had inappropriate content uploaded to his skydrive account, it is still a breach of privacy! I think I might have to remove my documents now.

what's a breach of privacy? that Microsoft uses an automated program to scan your pics and make sure you're not uploading child porn? if you're uploading child porn (and other illegal files), then IMO you deserve to have at the very least your account suspended