Microsoft snooped through blogger's email to find source of Windows 8 leaks

The story of how much of the Windows 8 information was leaked a few years back is coming into clarity after the individual responsible for leaking much of the content has been arrested. Alex Kibkalo is stated to have leaked the goods to a blogger who is widely believed to be the French blogger Canouna, and it was this person who accidentally tipped off Microsoft after emailing the company to determine if the code was legitimate, at which point Microsoft accessed the blogger's email and found the source of the leaks.

It seems a bit obvious that if you are dealing with leaked content that you got directly from a source, you should not try to verify its authenticity with Microsoft using an account on a service that Microsoft owns.

Of course, Microsoft snooping through the email account of the blogger does raise a few questions about privacy but at this point, when using a company’s service, it’s hard not to anticipate that they have the ability to read all of your emails/messages no matter the vendor. Especially when it comes to their own IP being leaked, you can bet that they will go to any measure to make sure their code is protected.

The court documents detail that Microsoft was not all that upset about the screenshots of Windows 8 being leaked; what upset it was Kibkalo obtaining information relating to the activation of Windows and wanting to find a way to bypass authentication. In short, he was helping to create a keygen for Windows 8 and that’s what Microsoft feared most.

Not surprising, really. Sure, they would love to keep Windows 8 features a secret, but the leaks, while certainly not loved by Microsoft, do not directly harm the bottom line of the company’s income statement. It’s the keygen that Microsoft feared, as a working keygen can be expensive to patch and could result in millions in lost revenue.

Further, Neowin is able to confirm that at the time Microsoft was going through Canouna's email accounts, he became aware of their actions. In conversations with Neowin during this timeframe, he became increasingly paranoid that Microsoft would uncover his source.

We reached out to the blogger to see if he would like to tell his side of the story and will follow up if he wants to comment, but he simply stated "no comment" on the above information.

View: Court Documents

163 Comments

Long story short, don't look to Canouna for info on Windows 9 :D

I don't have an issue with this honestly. I use outlook.com as my primary email and this doesn't change my opinion of it at all. If they felt they had to do this to protect their I.P. (and more than just a hunch, they were right) then whatever.

Notice this required a massive 'escalation', just like if Microsoft had to respond to an external warrant; which is why it had to go all the way through Microsoft legal to issue the security encryption keys.

This is not a story about Microsoft going through a random user's email.

Exactly, and as for the usual suspects complaining, I have no doubt if their favorite company had done the same in a similar situation (an act I'd also have approved of) they wouldn't be protesting so much.

Edited by Romero, Mar 21 2014, 5:34am :

A lot of people here are in denial. It's quite obvious to people who work with data that linkages can be made through quite abstract means and that where the data can warrant it an investigation can be appropriate.

As a basic example, cross reference DOB, address, email address etc with company records and you can get a hit which is "very likely".
It's not rocket science that a company with analysts can detect this sort of stuff without invading the privacy of other people.
I should add that I am no supporter of NSA type activity, but as a competitive company I would exercise powers over analysing bulk data for leaks if potential is there.

And to also add into this debate, MS did it to themselves with forced ranking... you are asking for retribution when you are targeting people for the sake of a chart compliance.

londan said,
And to also add into this debate, MS did it to themselves with forced ranking... you are asking for retribution when you are targeting people for the sake of a chart compliance.
There's nothing good to be said about stack ranking, but that in no way condones theft. And who's to say this guy didn't absolutely deserve his negative review? I find it extremely likely. I'm sure other people were truly unfortunate to have been made targets but they didn't first threaten to resign if their reviews weren't amended and subsequently compromise their ethics and morals and resort to outright theft to "get back" at the company.

Well that's the thing if you work for a large company and work with items that are deemed secret, private etc then you really have no expectation of privacy whatsoever. Any manager can snoop on your work, browser history etc. to make sure you are following their own rules.

It's becoming apparent that Microsoft are clamping down on 'leakers' and as such leaks could be a thing of the past but Microsoft need to look at more ways to protect their IP even from those who work for them.

Robbie Ride said,
Microsoft need to look at more ways to protect their IP even from those who work for them.
This is not a problem specific to Microsoft of course and there's only so much they can do. Some employees have to be trusted with access to the source and the company can't make security protocols so tight that it affects their normal work. It's a fine line and I suppose a sufficiently determined and resourceful thief can always succeed.

So don't do anything illegal!

Microsoft's Windows source code is a trade secret. MS does not go after screenshots posting.

If they did the leakers who talk to Paul Thurrott and Mary Jo Foley would be in jail.

mmjm said,
So don't do anything illegal!

The blogger didn't do anything illegal. The employee who stole the source code did. MS read through an innocent person's email to try to catch a criminal. So if I emailed you some "trade secrets" it's ok for MS to go read through your personal email? The sender is the criminal not the recipient.

Their legal team says otherwise and I'm sure if they're wrong they'll be held accountable for it just like anybody else. It's just generating all sorts of rage because it's Microsoft, if this were Google going after somebody who ripped them off you'd be f'ing delusional to think they wouldn't do the exact same thing. Never mind receiving stolen property pretty much knocks "innocent" into the trash can. Illegal you know.

Max Norris said,
Never mind receiving stolen property pretty much knocks "innocent" into the trash can. Illegal you know.
Exactly what I think he'll be charged with. It's not as if he can act all wide-eyed and innocent. "Oh, all this data and source code was stolen? Really your Honor, I had no idea." Especially considering that he was explicitly told by the thief that he snuck inside a building at the company's Redmond, Washington campus to copy the files. Also considering he himself told the thief that the leaks would be “pretty illegal” and Kibkalo responded “I know :)”

Edited by Romero, Mar 21 2014, 12:50am :

Asmodai said,

The blogger didn't do anything illegal. The employee who stole the source code did. MS read through an innocent person's email to try to catch a criminal. So if I emailed you some "trade secrets" it's ok for MS to go read through your personal email? The sender is the criminal not the recipient.

Wat? If you received those trade secrets then yes you are held accountable for the crime too.

-Razorfold said,

Wat? If you received those trade secrets then yes you are held accountable for the crime too.

So why isn't the blogger whose account they read the data from being charged with any crime? Why aren't the reporters for the various news agencies being charged for publishing the NSA's "trade secrets". That's even a far more serious crime yet they are not being charged because reporting leaked data is not illegal, only leaking it is.

Asmodai said,

So why isn't the blogger whose account they read the data from being charged with any crime?
How about because it takes time to navigate another country's legal system, provide their law enforcement with evidence, have them file charges and so on?

Here is the thing ...you do nothing illegal with your email or cloud account, no person will snoop into your account other than an occasional software scan to see if you are compliant. Do something wrong, then someone will look into it. It is simple as that. If there are illegal activities, then expect legal proceedings.

Microsoft were well within their rights as they were dealing with their intellectual property being sent via their network. That is theft which is against their TOS. From LiveSide http://www.liveside.net/2014/0...ont-use-hotmailoutlook-com/ "After confirmation that the data was Microsoft's proprietary trade secret" so they acted appropriately.

Sorry MS-hating google lovers but this is a world away from google scanning your email to sell your data for ads.

efjay said,
Sorry MS-hating google lovers but this is a world away from google scanning your email to sell your data for ads.
+1

I state this without reading it, but I don't feel like I'm really going out on a limb here-- I am sure that buried somewhere in the Terms of Service that you click "Agree" to use the service, that you have given Microsoft express permission to do this, if they feel in good faith that unlawful acts are being committed. It just so happens to be their own interests at issue in this case. This is very convenient for them in this case, but nevertheless, the law was being broken so I don't really see much of a fuss here.

bitslasher said,
I state this without reading it, but I don't feel like I'm really going out on a limb here-- I am sure that buried somewhere in the Terms of Service that you click "Agree" to use the service, that you have given Microsoft express permission to do this, if they feel in good faith that unlawful acts are being committed. It just so happens to be their own interests at issue in this case. This is very convenient for them in this case, but nevertheless, the law was being broken so I don't really see much of a fuss here.

If that's the case it kind of makes the whole Scroogled campaign a bit hypocritical then doesn't it?

mmjm said,
no it was because the source code, which is a trade secret, was compromised

Yes, which is illegal. The blogger emailed to confirm the leak with Microsoft, which gave them reasonable suspicion of illegal activity.

Asmodai said,

If that's the case it kind of makes the whole Scroogled campaign a bit hypocritical then doesn't it?

Microsoft wasn't data mining. They've always had, and always will have access to their services. Don't confuse the two.

Dot Matrix said,

Microsoft wasn't data mining. They've always had, and always will have access to their services. Don't confuse the two.

Their commercials don't restrict their jokes to data mining. They have ones where a mailman is opening a letter to the recipient. Not EVERY letter, not data mining, just a single letter and the recipient gets upset that the mailman is reading it. They mock google because google reads emails and imply that they don't. In this case they are EXACTLY like the mailman in their anti-google example. They happen to own the service so they are reading a private customer's mail. It's not even to catch THAT customer it's just to get information to catch someone else. The blogger isn't charged with anything in this case, just the former employee who leaked the code to him.

Asmodai said,

The blogger isn't charged with anything in this case, just the former employee who leaked the code to him.

They could, though, depending on what the blogger did with the trade secrets.

You claim to have been an email admin and yet have no knowledge of TOS for such services? Go read up section 3.5 of the Microsoft Services Agreement or their Online Privacy Statement which all users agree to. Google has similar terms, as does pretty much every provider.

As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.
Do tell us all again how your legal knowledge surpasses that of MS' legal team with your repeated allegations of illegal conduct.

Regarding the blogger not being charged, I wouldn't be so sure.

The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
While it's unclear why this employee would engage in such an activity, he schemed with the blogger to open a "fake" activation server in a virtual machine (VM) that the two could control and use to sell illegal Windows 8 activation codes online. (The blogger in question had previously engaged in a similar but less sophisticated scheme to sell such codes on eBay.)
Steven Sinofsky was tipped off by an anonymous source. That source had been approached by the blogger to help use the SDK code to create a fake activation server, but he balked and emailed Mr. Sinofsky
The blogger allegedly admitted in an interview to “knowingly obtaining confidential and proprietary Microsoft IP from Kibkalo, and selling Windows Server activation keys on eBay,” according to the complaint, which also says computer files found in the blogger's home showed the blogger trying to get Kibkalo to find pre-release software, attempting to use Kibkalo's corporate network access to access Microsoft servers, and discussing Kibkalo leaking data.
Prior knowledge of crime, instigation of crime, accessory to crime, concealment of crime, possession of stolen property, possible attempt to profit from sale of stolen property... Sources say there's a real possibility that more charges will be filed, perhaps in France. So much for your claims that he's just an "innocent" 3rd party who somehow got caught in the cross-fire.

You can go on trying to make the case that what MS did was illegal, or that this one incident is the same as what Google does every single day (albeit in an automated manner), but none of it holds up to scrutiny.

Edited by Romero, Mar 21 2014, 5:09am :

rfirth said,

They could, though, depending on what the blogger did with the trade secrets.

We agree on that. My point is just a blogger receiving a leak (be it from an ex-MS employee or Snowden) has not broken a law simply in receiving it and does not deserve having their privacy violated just because they did. Nor should publishing this data (be it MS's source or NSA data files) void their privacy rights. HOWEVER if instead of publishing they attempt to blackmail the organization the data was stolen from, or they attempt to sell the data to competitors, or other such things then absolutely they are THEN breaking the law. They then go from reporting on a leak to becoming a party in a crime. Likewise if they paid or conspired with the leaker to get the data then that is also a crime. Furthermore I'm not arguing against searching emails with a valid warrant. If you have enough evidence to get a warrant then of course they can search the account.

Romero said,
You claim to have been an email admin and yet have no knowledge of TOS for such services?

I was the email admin for a company. I administered the internal mail servers and I was very familiar with the TOS of that company at that time (although we didn't call it TOS, the rules were just outlined in the employee handbook). The point I was making in bringing that up is because people keep getting confused and thinking that the email being read was the leaker's employee email account and MS has a right to read that.
Romero said,

Go read up section 3.5 of the Microsoft Services Agreement or their Online Privacy Statement which all users agree to. Google has similar terms, as does pretty much every provider.

Well then maybe they should stop making misleading ads about mailmen reading letters at other providers but not theirs when they are doing it too.
Romero said,

Do tell us all again how your legal knowledge surpasses that of MS' legal team with your repeated allegations of illegal conduct.

I don't claim my legal knowledge surpasses that of MS. I'm saying MS is acting hypocritically from their scroogled messaging. I'm saying they invaded a user's privacy (which apparently is not illegal). And I'm saying that I don't believe simply receiving and/or publishing a leak is illegal.
Romero said,

Regarding the blogger not being charged, I wouldn't be so sure.

Not being charged for receiving and/or publishing the leak. I'm not saying I'm sure the blogger didn't do any other illegal activity. I have no idea who the blogger is and what else they've done I'm just saying that the act of receiving and publishing leaks goes on all the time and is not wrong. It's the leaking that is wrong and the leaker HAS been charged.

Romero said,

Prior knowledge of crime, instigation of crime, accessory to crime, concealment of crime, possession of stolen property, possible attempt to profit from sale of stolen property... Sources say there's a real possibility that more charges will be filed, perhaps in France. So much for your claims that he's just an "innocent" 3rd party who somehow got caught in the cross-fire.

Again simply receiving and publishing a leak I don't believe is wrong. What you quote there are a whole bunch of different issues. If the blogger encouraged the leaker to steal data then that is wrong, it makes the blogger an accessory to the crime. If the blogger did indeed attempt to profit from the sale of the stolen data then that is wrong. The act of receiving an unsolicited leak and then posting said leak publicly is not wrong. It happens all the time with things as mild as screenshots and as serious as NSA national security data. You're also using the benefit of hindsight. The really disturbing thing is that MS learned this by reading someone's email who they didn't know had done any of it until after they read it. What if they were wrong? The disturbing thing is that MS can unilaterally decide (oh but it's a different team inside Microsoft! Give me a break) that it's ok for them to read your email... while at the same time running ads where a postman reads a recipient's letter and claiming their competitors do that and they don't so use their service instead. Again I'm cool with them reading emails when they are presented with a warrant. I'm even cool with them being honest and saying hey, yeah all us cloud providers reserve the right to read through your emails... it's just a price you pay for cloud email. But it's pretty sketchy of them to have an ad campaign against a competitor calling out that the competitor reads through your email and they don't when they do it too. The ads don't differentiate between automated or not, or every message or one, they imply MS as the postman doesn't read mail they are delivering while Google does. This is apparently a very deceptive ad for Joe Public to watch.

I don't claim my legal knowledge surpasses that of MS. I'm saying MS is acting hypocritically from their scroogled messaging. I'm saying they invaded a user's privacy (which apparently is not illegal). And I'm saying that I don't believe simply receiving and/or publishing a leak is illegal.

Oh you now think that isn't illegal? Wow only 100 posts of facts before you changed your mind :rolleyes:

And we've already told you, STOP BELIEVING MARKETING.

Again simply receiving and publishing a leak I don't believe is wrong. What you quote there are a whole bunch of different issues. If the blogger encouraged the leaker to steal data then that is wrong, it makes the blogger an accessory to the crime. If the blogger did indeed attempt to profit from the sale of the stolen data then that is wrong. The act of receiving an unsolicited leak and then posting said leak publicly is not wrong. It happens all the time with things as mild as screenshots and as serious as NSA national security data.

Actually it's still JUST AS ILLEGAL. The US government may not go after and jail the reporters because it would be an international shitshow that the Government, right now, doesn't want to deal with...especially after all the Snowden revelations.

But you bet your damn ass that they're monitoring those reporters' emails, phones etc in great detail to find out as much information they can.

The disturbing thing is that MS can unilaterally decide (oh but it's a different team inside Microsoft! Give me a break) that it's ok for them to read your email... while at the same time running ads where a postman reads a recipient's letter and claiming their competitors do that and they don't so use their service instead.

And would you be cool if Google did the same thing? Oh you probably would :rolleyes:

Again I'm cool with them reading emails when they are presented with a warrant. I'm even cool with them being honest and saying hey, yeah all us cloud providers reserve the right to read through your emails... it's just a price you pay for cloud email.

Yet again you don't need a warrant to search through your own property. Just like you posted on the other thread "oh a landlord can't just walk into a renters house", yes he can. He just has to tell you that he's doing it. Your permission, your presence and a warrant isn't required by law.

And they do tell you that they reserve the right to do it, it's in their ToS. Every company has pretty much a similar ToS. "What you do on our service, belongs to us and we can do what we want with it when we see fit". Stop judging your reality based on stupid marketing because here's a fact for you, marketing isn't truthful. It never has been, it never will be.

Asmodai said,
Well then maybe they should stop making misleading ads about mailmen reading letters at other providers but not theirs when they are doing it too.
Are they doing it to every user's mail, especially if the user has not violated their TOS? Are they doing it using automated algorithms like Google does? You can try your best to equate the two but any intelligent person can see the difference.

Asmodai said,
I'm just saying that the act of receiving and publishing leaks goes on all the time and is not wrong.
So what makes you so convinced that he was investigated solely because he published some innocuous screenshots? I've mentioned all the things he did above to which he has confessed. Putting him on the same pedestal as an investigative reporter covered by freedom of press and First Amendment freedom of speech rights is downright disgusting.

Asmodai said,
If the blogger encouraged the leaker to steal data then that is wrong, it makes the blogger an accessory to the crime. If the blogger did indeed attempt to profit from the sale of the stolen data then that is wrong. The act of receiving an unsolicited leak and then posting said leak publicly is not wrong.
So at least you are admitting he's not as innocent as you were claiming so far. He was not receiving an unsolicited leak, again you're classifying him with ethical investigative journalists. I bet publishing/distributing stolen trade secrets isn't covered under freedom of press either. Even if he was completely ignorant and received the stolen source code by mistake, publishing it instead of informing MS would definitely make him liable for prosecution. This isn't a "greater good" scenario that he can hide behind.

As far as journalists reporting on NSA's activities go, there are lots of cases where they can and are muzzled, even legally (you can disagree with the overly-broad anti-terrorism laws but they still remain laws till repealed). Read up on David Miranda and others. If you think they're free to report all they know you're living in a fantasy world.

Asmodai said,
The really disturbing thing is that MS learned this by reading someone's email who they didn't know had done any of it until after they read it. What if they were wrong?
Again with the distortion and lies. Did you read my comment above fully? The blogger himself contacted someone and asked that someone to help use the stolen source code to create a fake licensing server for Win8 using which keys could be sold. He initiated contact and made a clear attempt to profit from stolen trade secrets. That source then informed Sinofsky and subsequently MS' investigative team got into the act. So the blogger pretty much informed MS he was either a thief or collaborating with a thief/thieves. It's clear MS' legal team knew the blogger was far from innocent when they launched an investigation against him. When he had already broken Hotmail's TOS by using it to transfer stolen code to someone asking for a fake licensing server to be made, how does that leave any doubt and how is it illegal for MS to then search that very Hotmail account for more evidence? You can go on being intellectually dishonest and keep claiming what MS did was illegal but the evidence is very much against you. But obviously you'll go right on believing what you want despite any and all evidence to the contrary.

Asmodai said,
The disturbing thing is that MS can unilaterally decide (oh but it's a different team inside Microsoft! Give me a break) that it's ok for them to read your email...
So can Google, Yahoo or any other mail provider. As per MS' counsel:

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.
If you're so concerned about what Google, MS, Yahoo and co. can do with your mail then write to your Congressman or Senator and ask them to change the law, demanding warrants be required for companies to search their own servers when it comes to user data. Until the law is changed all of them can and will go rummaging through your data if the situation warrants it, and especially when (as in this case) you are clearly known to be violating the TOS and in possession of stolen trade secrets stored on their own servers. Obviously though if the data is stored elsewhere they would need a warrant already per existing laws.

Asmodai said,
The ads don't differentiate between automated or not, or every message or one, they imply MS as the postman doesn't read mail they are delivering while Google does. This is apparently a very deceptive ad for Joe Public to watch.
You seem to be obsessed with ads and how true they are. Fine, they can continue the ads with a small disclaimer added below. "We will never* read your mail. *As long as you don't steal from us and violate our TOS and store the stolen data on our servers." I mean, this should be obvious but apparently isn't to some so I'm ok with that; the rest is perfectly accurate.

-Razorfold said,
STOP BELIEVING MARKETING.

We agree then, Microsoft's (and any major corporation for that matter...) isn't trustworthy despite their claims otherwise.
-Razorfold said,

And would you be cool if Google did the same thing? Oh you probably would :rolleyes:

Nope, I'm not pro-google on privacy. I think in many ways Google is worse than Microsoft on privacy in general which is why my cloud email of choice is hotmail and not gmail. That being said they aren't running ads mocking their competition about reading emails and acting like they don't.
-Razorfold said,

Yet again you don't need a warrant to search through your own property. Just like you posted on the other thread "oh a landlord can't just walk into a renters house", yes he can. He just has to tell you that he's doing it. Your permission, your presence and a warrant isn't required by law.

For the record the landlord/renter analogy was not mine.
-Razorfold said,

And they do tell you that they reserve the right to do it, it's in their ToS. Every company has pretty much a similar ToS. "What you do on our service, belongs to us and we can do what we want with it when we see fit". Stop judging your reality based on stupid marketing because here's a fact for you, marketing isn't truthful. It never has been, it never will be.

I doubt anyone reads the ToS and companies change them from time to time even if you do. The point is exactly what you say that the marketing isn't truthful. The scroogle campaign is misleading and hypocritical because they do the same thing. That's what I'm arguing, I thought the people who were arguing against me were saying that wasn't the case and defending MS but if you agree that they are misleading the public then we are in fact on the same page.

As for me personally I know not to trust them. I do use hotmail and I know not to expect they won't look at things but that doesn't mean I can't call them out on their misleading marketing. As consumers I think we should point out when marketing is misleading for those who are less informed not just say "oh, all marketing isn't truthful" and just give them a pass. I'm not saying charges should be filed against MS or anything like that, but I do hope they take a PR hit from this that is strong enough to make them consider being a little less misleading to the public in future marketing campaigns. Hotmail is a great product and has lots of things they could promote in marketing without resorting to giving false impressions of privacy. And again I don't think google respects your privacy any more than MS does, probably even less, but they aren't promoting privacy as a benefit over their competitors either. I think google just tries to talk about privacy as little as possible because there really isn't much they can say that would possibly come off good in how they act.

Asmodai said,

We agree then, Microsoft's (and any major corporation for that matter...) isn't trustworthy despite their claims otherwise.

Nope, I'm not pro-google on privacy. I think in many ways Google is worse than Microsoft on privacy in general which is why my cloud email of choice is hotmail and not gmail. That being said they aren't running ads mocking their competition about reading emails and acting like they don't.

For the record the landlord/renter analogy was not mine.

I doubt anyone reads the ToS and companies change them from time to time even if you do. The point is exactly what you say that the marketing isn't truthful. The scroogle campaign is misleading and hypocritical because they do the same thing. That's what I'm arguing, I thought the people who were arguing against me were saying that wasn't the case and defending MS but if you agree that they are misleading the public then we are in fact on the same page.

As for me personally I know not to trust them. I do use hotmail and I know not to expect they won't look at things but that doesn't mean I can't call them out on their misleading marketing. As consumers I think we should point out when marketing is misleading for those who are less informed not just say "oh, all marketing isn't truthful" and just give them a pass. I'm not saying charges should be filed against MS or anything like that, but I do hope they take a PR hit from this that is strong enough to make them consider being a little less misleading to the public in future marketing campaigns. Hotmail is a great product and has lots of things they could promote in marketing without resorting to giving false impressions of privacy. And again I don't think google respects your privacy any more than MS does, probably even less, but they aren't promoting privacy as a benefit over their competitors either. I think google just tries to talk about privacy as little as possible because there really isn't much they can say that would possibly come off good in how they act.

The Scroogled campaign is in no way hypocritical. THEY ARE TWO DIFFERENT THINGS.

Dot Matrix said,
The Scroogled campaign is in no way hypocritical. THEY ARE TWO DIFFERENT THINGS.
I don't think anything can be done about deliberate denial of this fact.

It was within their legal right to physically look in to the email account. Criminal activity would be a reason that would allow this. Not sure how some aren't understanding this.

Yeah, but Scroogle fanboys somehow think this is a great opportunity to get back at Microsoft. What an insane world-view they have where thieves can cry privacy violation when they've clearly stolen trade secrets. If they think Google wouldn't go to the same lengths in a similar situation then I'd like to have some of what they're smoking.

rippleman said,
It was within their legal right to physically look in to the email account. Criminal activity would be a reason that would allow this. Not sure how some aren't understanding this.

First of all MS doesn't determine what is criminal activity. To make that determination they need a warrant. Second the person whose account they were reading emails from isn't the one who is even suspected of doing criminal activity. They read the blogger's account NOT the leaker's. The leaker is the criminal not the blogger. Not sure how some aren't understanding this.

Asmodai said,

First of all MS doesn't determine what is criminal activity. To make that determination they need a warrant. Second the person whose account they were reading emails from isn't the one who is even suspected of doing criminal activity. They read the blogger's account NOT the leaker's. The leaker is the criminal not the blogger. Not sure how some aren't understanding this.

MSFT doesn't need a warrant to look into your email buddy. you agreed to the TOS giving them permission to do as they wish. sorry.

neonspark said,

MSFT doesn't need a warrant to look into your email buddy. you agreed to the TOS giving them permission to do as they wish. sorry.

Then their whole Scroogled campaign certainly looks hypocritical now. If they can read any of your email just because they decided they want to then they are no better than google who at least admits they do it. They come off looking even worse by mocking google for doing it then turning around and doing it themselves. I personally don't care, to me putting crap in the cloud means I'm pretty sure the cloud provider can look at it but again MS has a whole ad campaign making it seem like they don't and making fun of google for doing it. I think it's silly to trust any major corporation to not do something just because they said they wouldn't. We won't turn on your Xbox One camera, trust us. RIIIIGHT.

How does it look hypocritical, the blogger is also a criminal. Or is it just okay to use illegally obtained material for your own gain? Why are you defending him?

Also a few years ago there was a lot of fuss about Google employees being able to read user emails unencrypted at any time they please.

This shows nothing. Microsoft took action against criminal activity. Or them going through onedrive to find child porn is a big problem for you as well? (IIRC Google has such a project too, or had)
A random MS employee will not just access my email I hosted on their services without going through their legal department and bureaucratic pathways.
There will be a paper trail. And as in my country, email falls under posted mail laws. They can't just access my mail UNLESS I'm suspected for criminal intent.

As it should be.

Asmodai said,

Then their whole Scroogled campaign certainly looks hypocritical now. If they can read any of your email just because they decided they want to then they are no better than google who at least admits they do it. They come off looking even worse by mocking google for doing it then turning around and doing it themselves. I personally don't care, to me putting crap in the cloud means I'm pretty sure the cloud provider can look at it but again MS has a whole ad campaign making it seem like they don't and making fun of google for doing it. I think it's silly to trust any major corporation to not do something just because they said they wouldn't. We won't turn on your Xbox One camera, trust us. RIIIIGHT.

wait, you wanted a marketing campaign to be honest HA HA HA HA.

SMH. Some people here are trying so damn hard to defend criminals and desperately equating one-off response to this crime with regular parsing of mail data.

Asmodai said,

Then their whole Scroogled campaign certainly looks hypocritical now. If they can read any of your email just because they decided they want to then they are no better than google who at least admits they do it. They come off looking even worse by mocking google for doing it then turning around and doing it themselves. I personally don't care, to me putting crap in the cloud means I'm pretty sure the cloud provider can look at it but again MS has a whole ad campaign making it seem like they don't and making fun of google for doing it. I think it's silly to trust any major corporation to not do something just because they said they wouldn't. We won't turn on your Xbox One camera, trust us. RIIIIGHT.

No it does not. Plenty of people have explained this to you so quit your trolling.

He somehow obtained leaked code related to Microsoft and used an email service given by, wait for it, Microsoft. MS is well within its right to look through that user's email, it's not like they opened 300 million email accounts and went through it.

Your boss can look through your company email account too if he suspects something and feels like he needed to. Don't need a warrant for that.

Edited by -Razorfold, Mar 21 2014, 12:14am :

-Razorfold said,

No it does not. Plenty of people have explained this to you so quit your trolling.

Well you still seem to have it wrong.
-Razorfold said,

He somehow obtained leaked code related to Microsoft and used an email service given by, wait for it, Microsoft. MS is well within its right to look through that user's email, it's not like they opened 300 million email accounts and went through it.

Wrong. He's a blogger that just happens to have a personal Hotmail account. He didn't somehow receive it. As a blogger a source leaked information to him, the source is who broke the law. The source is who worked for Microsoft and Microsoft has every right to look through the SOURCE'S employee email but not the blogger. Especially if they have a whole campaign talking about how they do NOT read your email and google does.
-Razorfold said,

Your boss can look through your company email account too if he suspects something and feels like he needed to. Don't need a warrant for that.

Right, I've been an email admin and I've had to look through employees email accounts. Again Microsoft has every right to look through the company email accounts of their employees, in this case the leaker (not the blogger). If they are providing a public email service and they are advertising how they don't read your email and a competitor does then their customer (not employee) has a reasonable expectation of privacy. They shouldn't just read through private (non company) emails of their customers because they suspect they might get information that will lead them to someone else.

Well you still seem to have it wrong.

Nope, you still do.

Wrong. He's a blogger that just happens to have a personal Hotmail account. He didn't somehow receive it. As a blogger a source leaked information to him, the source is who broke the law.

I'm going to repeat it again. POSSESSION OF STOLEN PROPERTY IS STILL A CRIME.

If they are providing a public email service and they are advertising how they don't read your email and a competitor does then their customer (not employee) has a reasonable expectation of privacy. They shouldn't just read through private (non company) emails of their customers because they suspect they might get information that will lead them to someone else.

Er yes that's what they'll do. The blogger had a copy of the source code, now either he stole it or he knew someone who stole it.

People don't just email MS every day going "hey is this source code from Windows 8" and then include a legit copy of the source.

MS had a part of Windows 2000 source code leaked way back in the day and they went after it pretty ####ing brutally too.

Shadowzz said,
How does it look hypocritical, the blogger is also a criminal. Or is it just okay to use illegally obtained material for your own gain? Why are you defending him?

And how do they know the blogger is a criminal? they had to snoop into his email first, right?
So they had a suspicion, broke their own laws about not snooping user's email accounts, and only after that they "confirmed" him as a criminal.

The thing is that if they did not have a warrant BEFORE snooping on that blogger's email, then they are the ones breaking the law.

gonchuki said,
And how do they know the blogger is a criminal? they had to snoop into his email first, right?
He contacted someone using his Hotmail account to help use the stolen code to create a fake activation server, and that person informed Sinofsky. So much for being innocent. MS' investigative team didn't simply go on a blind fishing expedition, he led them to his own door (i.e. mail account on their own servers which they knew contained stolen trade secrets). Check out my comment below for what else he did: http://www.neowin.net/news/mic...ows-8-leaks#comment-2536721

gonchuki said,
broke their own laws about not snooping user's email accounts
Their own TOS has exceptions, as does the TOS of every mail provider. If you think thieves can claim privacy protection in such a case then dream on.

gonchuki said,
The thing is that if they did not have a warrant BEFORE snooping on that blogger's email, then they are the ones breaking the law.
As per MS' counsel:
Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.
You seem to know much more about the law than MS' legal team and the FBI. Perhaps you're interested in representing this blogger in court, or in suing MS on his behalf and on behalf of all their other users for their "illegal" activities?

Edited by Romero, Mar 21 2014, 7:15pm :

OMG.....Microsoft did that?! I don't ever recall Google doing anything like this. For Google it has always been about the smart algorithms to determine ads that might interest the user. However, with Microsoft....this is flat out invasion of personal privacy.

When Microsoft discovered this leak, the only thing they had to do was find out through this employees account to find out to who he leaked the code, and they are allowed to do that with their own employees.

@VictorWho, go and read Google's terms of service. They reserve the right to go through your data to protect the interest of Google as well.

Studio384 said,
When Microsoft discovered this leak, the only thing they had to do was find out through this employees account to find out to who he leaked the code, and they are allowed to do that with their own employees.

That is not at all what this says. When Microsoft discovered this leak they invaded the privacy of the person the leaked data was given to (the blogger) in order to find out which employee was responsible for the leak. It MAY be legal for them to do so but their PR keeps saying they don't do it and in fact they call out Google for looking for using algorithms on gmail to target ads which now looks totally hypocritical.

The blogger did nothing wrong. Just like the newspapers that publish the leaked Snowden documents aren't doing anything wrong. The person at fault is the leaker not those that report the leak so MS had no right to violate the blogger's privacy. Turns out the blogger was stupid for trusting MS at its word that it doesn't look through its users' email. Moral of the story is don't blindly trust MS (or Google, or any other big company for that matter).

Asmodai said,
It MAY be legal for them to do so but their PR keeps saying they don't do it and in fact they call out Google for looking for using algorithms on gmail to target ads which now looks totally hypocritical.
They don't do it as a matter of course with every mail. Clearly the situation demanded it (I'm positive Google has similar caveats in its EULA for dealing with similar situations) and as you yourself admit, I'm sure MS' legal department approved this after ensuring its legality. Even Google is not going to rely on automated algorithms to ferret out proof from a Gmail account - they will go in manually.

Romero said,
They don't do it as a matter of course with every mail.

I don't know about you but a real person reading through SOME of my emails is worse than an algorithm reading through ALL of them. I'm not saying either is GOOD though but at least Google is up front about it while MS has a whole ad campaign that gives the impression they don't and makes fun of Google for doing it. (I actually find the ad campaign amusing, if hypocritical now)

Romero said,
Clearly the situation demanded it

I beg to differ. The blogger did nothing wrong and did not deserve having their privacy violated. If Employee A for a company leaks confidential/secret data to person B which person B then publishes (via blog, newspaper, etc), person A has committed a crime but person B has not. This is why for example the Washington Post can publish government leaks. The leaker (Employee A) is the criminal NOT the reporter (person B). MS had every right to search through their own internal email if the leaker was dumb enough to leak the data from their work account for example. They shouldn't have the right to go rummaging through a blogger/reporters personal email account just because they suspect it might lead them to someone else who has committed a criminal act. To do something like that should require a Warrant.

Romero said,
(I'm positive Google has similar caveats in its EULA for dealing with similar situations)

The difference is Google is up front about going through your mail. It's something MS mocks them about implying that they don't when clearly they do too.
Romero said,
and as you yourself admit, I'm sure MS' legal department approved this after ensuring its legality.

Microsoft should not be able to violate your privacy because their legal department says they can. They should have to have a warrant. Otherwise they should probably stop putting out the ads about how they don't look through your email because it's pretty darn misleading. It's not even that they suspected the person was doing something wrong, like when they catch child porn people, in this case the person whose email they read didn't do anything wrong they could just lead them to someone who could. What if there was a bunch of really personal information or even trade secrets for the bloggers company in that account? MS just violated their privacy even though they did nothing wrong just to catch SOMEONE ELSE.

The blogger did nothing wrong.

Microsoft's investigation of the blogger began when they obtained evidence that the blogger was revealing and distributing confidential intellectual property via his Hotmail account.

VictorWho said,
OMG.....Microsoft did that?! I don't ever recall Google doing anything like this. For Google it has always been about the smart algorithms to determine ads that might interest the user. However, with Microsoft....this is flat out invasion of personal privacy.

I'm going to assume you're sarcastic because google is mr creepy.

zhangm said,

Microsoft's investigation of the blogger began when they obtained evidence that the blogger was revealing and distributing confidential intellectual property via his Hotmail account.

Revealing and distributing confidential intellectual property isn't illegal. Unless the blogger hacked the MS system or something then the act of hacking is illegal. Instead the "confidential intellectual property" was given to the blogger. The criminal is the guy that got arrested, the leaker. If it was illegal to publish confidential information then everyone publishing the Snowden leaks would be criminals. Snowden and Kibkalo (the leaker in this case) are criminals. The French blogger is not (at least not for this, maybe he did something else).

Revealing and distributing confidential intellectual property isn't illegal.

I would venture to guess that the blogger would be charged with a violation of Title 18, United States Code, Section 1832, Theft of Trade Secrets:

[...]receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization...

zhangm said,

I would venture to guess that the blogger would be charged with a violation of Title 18, United States Code, Section 1832, Theft of Trade Secrets:

[...]receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization...


And you believe that MS has the sole right to determine this? If MS demonstrated probable cause to the FBI and obtained a warrant to search the blogger's email I'm totally cool with that. MS shouldn't just, of its own accord, get to root through your email though. If their terms of service says they can then they should probably not have an entire ad campaign making fun of google for reading your email and saying they don't.

And you believe that MS has the sole right to determine this?

Well, this is why the persons are being charged and will go through the court system, as opposed to being thrown in Microsoft jail. It's not like Microsoft is the final word on guilty vs innocent and if the courts find that evidence was illegally obtained, then these folks should go free.

Asmodai said,

I don't know about you but a real person reading through SOME of my emails is worse than an algorithm reading through ALL of them.

What are you saying? They only pulled his emails as a result of the investigations. There is no one at Microsoft reading your mails, otherwise. Microsoft has better things to do.

Asmodai said,
I don't know about you but a real person reading through SOME of my emails is worse than an algorithm reading through ALL of them. I'm not saying either is GOOD though but at least Google is up front about it while MS has a whole ad campaign that gives the impression they don't and makes fun of Google for doing it. (I actually find the ad campaign amusing, if hypocritical now)

Dot Matrix said,
What are you saying? They only pulled his emails as a result of the investigations. There is no one at Microsoft reading your mails, otherwise. Microsoft has better things to do.

This. Try and exaggerate and spin this all you want but no real person at either company is sitting and reading your or anyone else's mails in normal course of events. But yeah, if you pull a stunt like this and their legal team okays it you can bet your *** both companies will go after you with everything they've got. MS' ad campaign doesn't magically become hypocritical because of this incident. I'll repeat, just because they don't have automated algos like Google sifting through your mails doesn't mean there's no TOS and no legal recourse for them when stolen trade secrets are present in someone's account on their servers.

As for what the blogger will or will not be charged with, zhangm has addressed already. Ultimately the courts will decide, and if data was illegally pulled then that evidence will be discarded for sure.

Asmodai said,

And you believe that MS has the sole right to determine this? If MS demonstrated probable cause to the FBI and obtained a warrant to search the blogger's email I'm totally cool with that. MS shouldn't just, of its own accord, get to root through your email though. If their terms of service says they can then they should probably not have an entire ad campaign making fun of google for reading your email and saying they don't.

What? MS has the sole right to determine this? Yes they do, it was their source code that appeared on that bloggers account.

Source codes don't magically just appear, he got it somehow and MS' security team will investigate. Massive companies spend a ton of money protecting their trade secrets and they will go to the ends of the earth to find out who stole it and who has it.

If google did this, I'd say good he deserves it. If Apple did it, same thing. If Bob's Laundry Services? Same thing.

-Razorfold said,

What? MS has the sole right to determine this? Yes they do, it was their source code that appeared on that bloggers account.

They didn't know their source code was in that blogger's account before they looked. They knew the data was leaked to the blogger because the blogger posted some of the information that was leaked on their blog. MS found out the blogger had a Hotmail account and they went fishing for more information by browsing through the blogger's email account. It just so happens that they got a catch but they didn't KNOW they were going to find that. It's pretty F'd up if they can just go browsing through anyone's email whenever they want because they think maybe they might find some information about criminal activity (of someone else no less). More importantly this is in complete contradiction to their commercials where they point out that google reads your mail and they don't.
-Razorfold said,

Source codes don't magically just appear, he got it somehow and MS'

No it was leaked by the criminal ex-employee, not the blogger whose email they read.
-Razorfold said,

security team will investigate. Massive companies spend a ton of money protecting their trade secrets and they will go to the ends of the earth to find out who stole it and who has it.

Security team should absolutely investigate but they shouldn't go so far to read a private individuals personal email because they think they might find something. The U.S. spends a lot more money protecting their national secrets they don't get to search through the personal files of everyone who reports the Snowden leaks.

They didn't know their source code was in that bloggers account before they looked. They knew the data was leaked to the blogger because the blogger posted some of the information that was leaked on their blog.

Er yes they did, the guy emailed MS using his hotmail account asking if the source code he has was legit. I'm going to assume it included an excerpt of that source code.

No it was leaked by the criminal ex-employee, not the blogger whose email they read.

Did I say he leaked it? If I stole something and gave it to you, the police can still arrest you for possession of stolen goods.

Security team should absolutely investigate but they shouldn't go so far to read a private individuals personal email because they think they might find something. The U.S. spends a lot more money protecting their national secrets they don't get to search through the personal files of everyone who reports the Snowden leaks.

You really don't think that they're doing that?

Er yes they did, the guy emailed MS using his hotmail account asking if the source code he has was legit. I'm going to assume it included an excerpt of that source code.

I don't want to go too far with assumptions, but just to add to this, if the person who ratted out the blogger was compliant enough to grant MS access to the e-mail contents that included exchange of the stolen source code, then I expect that MS legal took that to be sufficient evidence that an MS service was being used to commit a crime - sufficient for them to access the blogger's e-mail account.

zhangm said,
I expect that MS legal took that to be sufficient evidence that an MS service was being used to commit a crime - sufficient for them to access the blogger's e-mail account.
Obviously all the internal details of the investigation are unlikely to make it into the public domain, but unlike the guy above (vehemently protesting the blogger's absolute innocence) I'm guessing MS Legal had all the necessary and sufficient evidence to do what they did, and none of their actions violated their own TOS or local laws. Given the various crimes the blogger reportedly committed and the fact that he confessed to his actions too, I'm also guessing he's not going to get away scot free. Regardless of how he ends up though I don't see how he'd be in a position to sue Microsoft any time soon for illegally violating his privacy.

Asmodai said,

I don't know about you but a real person reading through SOME of my emails is worse than an algorithm reading through ALL of them. I'm not saying either is GOOD though but at least Google is up front about it while MS has a whole ad campaign that gives the impression they don't and makes fun of Google for doing it. (I actually find the ad campaign amusing, if hypocritical now)


I beg to differ. The blogger did nothing wrong and did not deserve having their privacy violated. If Employee A for a company leaks confidential/secret data to person B which person B then publishes (via blog, newspaper, etc), person A has committed a crime but person B has not. This is why for example the Washington Post can publish government leaks. The leaker (Employee A) is the criminal NOT the reporter (person B). MS had every right to search through their own internal email if the leaker was dumb enough to leak the data from their work account for example. They shouldn't have the right to go rummaging through a blogger/reporters personal email account just because they suspect it might lead them to someone else who has committed a criminal act. To do something like that should require a Warrant.


The difference is Google is up front about going through your mail. It's something MS mocks them about implying that they don't when clearly they do too.

Microsoft should not be able to violate your privacy because their legal department says they can. They should have to have a warrant. Otherwise they should probably stop putting out the ads about how they don't look through your email because it's pretty darn misleading. It's not even that they suspected the person was doing something wrong, like when they catch child porn people, in this case the person whose email they read didn't do anything wrong they could just lead them to someone who could. What if there was a bunch of really personal information or even trade secrets for the bloggers company in that account? MS just violated their privacy even though they did nothing wrong just to catch SOMEONE ELSE.

The blogger accepted stolen IP. That is illegal.

Dot Matrix said,

The blogger accepted stolen IP. That is illegal.

The New York Times, Washington Post, Guardian, etc. accepted data they know was stolen from the NSA by Snowden. They've knowingly published it even though the U.S. government considers it a National Security risk which is FAR more serious than some companies' "trade secrets". According to you then all the reporters, all the news agencies that publish any Snowden leaked files is breaking the law and the government has a right, without a warrant to go looking through those reporters and agencies private data. Also if it's so illegal... why is the blogger not charged with anything? The only person who has been charged is the ex-employee who actually leaked the data (who I believe we all agree is a criminal).

According to you then all the reporters, all the news agencies that publish any Snowden leaked files is breaking the law and the government has a right, without a warrant to go looking through those reporters and agencies private data.

And like I already told you, they probably did that.

The CIA spied on the very same senate committee that were investigating them.

So "the blogger" gets confidential Microsoft code from a Microsoft employee and then emails Microsoft from his Microsoft account to ask if it's legit?

It reads like one of those dumb criminal stories.

Was the keygen actually made? I associate keygens with the warez era, I didn't know they were possible anymore. I thought they were made obsolete, especially with something as big as an OS.

xankazo said,
Was the keygen actually made? I associate keygens with the warez era, I didn't know they were possible anymore. I thought they were made obsolete, especially with something as big as an OS.

wzor posted screenshots of their keygen about 1 month ago and said it worked. I posted a topic about this but the mods deleted it. Wzor never uploaded it so there was no reason to delete my topic, but that's life.

xankazo said,
Was the keygen actually made? I associate keygens with the warez era, I didn't know they were possible anymore. I thought they were made obsolete, especially with something as big as an OS.

key generators are fairly simple once you understand the basic principles haven't changed. what is difficult is bypassing the activation servers which is why very often you're asked to activate what is otherwise an invalid key using a fake server which lets any key activate just fine.

you always go after the weakest link.

Translation: don't use Microsoft email services when you are working together with a criminal who's leaking closed source source code from a Microsoft project.

Fixed that for you.

Oh right, well as long as they allege criminal activity (completely unproven I might add) that makes it perfectly OK to snoop on people's private property without a warrant.

Javik said,
Oh right, well as long as they allege criminal activity (completely unproven I might add) that makes it perfectly OK to snoop on people's private property without a warrant.
Unproven? When the leaker has actually confessed to the FBI? Are you crazy enough to still claim these guys are innocent?

Since it was approved by their legal department, apparently it is, especially since it was for investigating theft and not just "snooping on people's private property", which happened to be stored on their servers mind you.

In an ideal world, one shouldn't use an external email provider for exactly this reason, regardless of whether it be Google, Microsoft, Yahoo or anyone else. You want secure email, either find a company with zero-knowledge encryption (i.e. they don't have the keys to see your email), or, even better, host it yourself locally.

We like to give Google a lot of crap for "scanning emails" and stuff like that, and people cry foul about it calling for nonsense like "scroogled", yet we're all happy uploading all the most important of our emails onto their servers.

Bottom line, if you don't want people to look at your email, don't give it to companies like Microsoft or Google, because stuff like this will happen.

Majesticmerc said,
Bottom line, if you don't want people to look at your email, don't give it to companies like Microsoft or Google, because stuff like this will happen
... if you do something illegal. They may use automated algorithms to scan mails but neither will approve of a manual sifting through a user's data unless it's a serious enough matter, and they're sure to get their legal departments to sign off on it first.

Romero said,
Unproven? When the leaker has actually confessed to the FBI? Are you crazy enough to still claim these guys are innocent?

Are you aware that any evidence obtained in a manner not complying with the law will be discarded in Court?

Romero said,
Unproven? When the leaker has actually confessed to the FBI? Are you crazy enough to still claim these guys are innocent?

he probably confessed after the emails. Illegally obtaining evidence is inadmissible in court. If they didn't have the emails he would probably have denied it.

torrentthief said,

he probably confessed after the emails. Illegally obtaining evidence is inadmissible in court. If they didn't have the emails he would probably have denied it.

It's all part of the "discovery" legal process. Microsoft's legal team is very good. They wouldn't have messed this up like that.

Javik said,
Oh right, well as long as they allege criminal activity (completely unproven I might add) that makes it perfectly OK to snoop on people's private property without a warrant.

Actually, the government does need a warrant, but MSFT is a private company and you agreed to the EULA. MSFT is not held to any warrant standards as they are not a law enforcement agency. I don't know what freaking planet you're living on, but a private corporation like MSFT, Google or Apple can look in its own servers any time it wants to.

Cosmocronos said,

Are you aware that any evidence obtained in a manner not complying with the law will be discarded in Court?

And given we don't have all the facts, we can't say if the evidence was obtained illegally. However, if MSFT snooped its own mail servers, this is in their TOS which the blogger agreed to, therefore making it not just lawful, but perfectly admissible in court as it should be.

Right, I mean it's not like there are data protection laws for private companies handling third party data or anything.

Javik said,
Right, I mean it's not like there are data protection laws for private companies handling third party data or anything.

These laws are not all-inclusive, and certainly do not include your email when you agree to the TOS giving them permission to do this. The laws you mention have been created to handle things like medical and financial data. MSFT email servers aren't built to those standards nor are their services limited by those restrictions.

Oh, did I mention email travels UNENCRYPTED on the web? What sort of freaking privacy do you expect when using email? This is why the first thing your lawyer tells you is: DON'T USE EMAIL. It doesn't matter if it comes from Google, FB, whatever. It is all fair game when you clicked that "I AGREE" button.

#dealwithit

Cosmocronos said,
Are you aware that any evidence obtained in a manner not complying with the law will be discarded in Court?
Of course, but what proof does anyone here pointing fingers have that MS' Office of Legal Compliance is so incompetent as to have f'ed up and made them liable to be sued, or for precious evidence to be discarded?

torrentthief said,
He probably confessed after the emails. Illegally obtaining evidence is inadmissible in court. If they didn't have the emails he would probably have denied it.
Proof that it was illegally obtained? And there's also the small issue of the blogger asking MS itself to validate the stolen data...

Edited by Romero, Mar 20 2014, 11:34pm :

I'm confused. Is that snippet of text supposed to show that they snooped through the blogger's email? It doesn't really say how they got the communication between the employee and the blogger, but I'd imagine it is more likely they got it from the employee...

The Guardian article says "Investigators at the firm then reportedly looked through the blogger's hotmail account" but doesn't say who made that report or provide any facts to back it up.

Not saying it's NOT true. Just neither of these articles presents the actual evidence that it happened.

Microsoft has no obligation to monitor the Communication Services. However, Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion. Microsoft reserves the right to terminate your access to any or all of the Communication Services at any time, without notice, for any reason whatsoever.
Microsoft reserves the right at all times to disclose any information as Microsoft deems necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in Microsoft's sole discretion.

They don't, but when they find out some blogger is working together with a developer at Microsoft itself to leak source code that can cost Microsoft millions of dollars, it seems legit if they do so.

Studio384 said,
They don't, but when they find out some blogger is working together with a developer at Microsoft itself to leak source code that can cost Microsoft millions of dollars, it seems legit if they do so.

Yup. Employers always reserve the right to look at emails.

techbeck said,

Yup. Employers always reserve the right to look at emails.

They do, but the blogger wasn't employed by Microsoft... It said MS went through the blogger's emails to determine the connection. Not the other way around.

techbeck said,
Ah, I would think that would require a warrant or some kind of court order to do that then.
I doubt that, one of the agreements you have to sign when joining Microsoft might look like this:

"Microsoft is permitted to access your email, and the email of those you've been in contact with when leaks point in your direction."

Or something very similar, and hey, no reason to blame them, it's their right.

Yup. Employers always reserve the right to look at emails.

The blogger was a user, not an employee. If either of them believes that the communications pull in this case was not legal, they could successfully sue and have this evidence tossed out. I think folks who have paid attention to tech news over the last several years should be aware that Microsoft does take action against users who conduct illegal activities while using their services. They need to do this in order to avoid being legally culpable for such activities, and their means have historically included looking through user files (when hosted on Microsoft's servers) when there exists significant evidence that illegal activity is taking place.

Anyone who is concerned about privacy will already employ a local means to encrypt data before uploading to a third-party host. Clearly the people involved here were careless to use non-encrypted communications services hosted by the company that they were stealing from in the first place.

LogicalApex said,

They do, but the blogger wasn't employed by Microsoft... It said MS went through the blogger's emails to determine the connection. Not the other way around.

I think MS went through his email for the period that he worked for them and found out who he was working with. I must have missed it, did the article say it was his personal account?

I think MS went through his email for the period that he worked for them and found out who he was working with. I must have missed it, did the article say it was his personal account?

Regarding the blogger:

On September 3, 2012, an outside source who requested that Microsoft not reveal the source's identity, contacted Steven Sinofsky, the former President of the Windows Division of Microsoft, and indicated that the source had been contacted by the blogger who sent the source proprietary Microsoft code. [...] A subsequent interview of the source by TWCI and an examination of the code determined that the code transmitted to the source by the blogger was the Microsoft Server SDK sample code.

Since by that point, Microsoft was aware that confidential information had been publicly disclosed, they were obligated to pursue the leak through any available means, or risk the confidential status of the disclosed materials (see the court docs for all the evidence that Microsoft had to present to prove that the material was protected and secured to such a degree that no reasonable person might presume that it was publicly viewable).

uxo22 said,

I think MS went through his email for the period that he worked for them and found out who he was working with. I must have missed it, did the article say it was his personal account?

You have it wrong. Person A works for Microsoft and illegally steals intellectual property. Person A is a criminal. Person A sends the stolen information to person B, a blogger. Person B is a blogger and publishes the information, they have done nothing wrong. Microsoft doesn't know who Person A is, so they read person B's email in order to find out who gave them the information. So they read through an innocent person's personal account to find out the identity of a criminal. I don't think anyone disagrees that Person A is a criminal. The disagreement is if MS has a right to read through person B's personal mail in order to try to catch him.

LogicalApex said,

They do, but the blogger wasn't employed by Microsoft... It said MS went through the blogger's emails to determine the connection. Not the other way around.

The blogger with evidence of criminal activity with strict terms of service from MS.

Asmodai said,

You have it wrong. Person A works for Microsoft and illegally steals intellectual property. Person A is a criminal. Person A sends the stolen information to person B, a blogger. Person B is a blogger and publishes the information, they have done nothing wrong. Microsoft doesn't know who Person A is, so they read person B's email in order to find out who gave them the information. So they read through an innocent person's personal account to find out the identity of a criminal. I don't think anyone disagrees that Person A is a criminal. The disagreement is if MS has a right to read through person B's personal mail in order to try to catch him.

Thanks for clarifying that for me. I don't know that's how it went down. However, both people are criminals in your explanation. Person B is also guilty of breaking the law for accepting known illegal property.

If I give you a bag of dope to deliver to a friend and you take the delivery and get caught with it, you're not getting off scot-free simply because you claim that you were only delivering the dope. You're going down for possession of an illegal substance; depending on how much, they may even pin intent to sell on you.

The receiver of this information knew it was stolen property, and he accepted it, and then distributed it; which actually made the entire scenario even worse.

Asmodai said,

Person B is a blogger and publishes the information, they have done nothing wrong.

I'm afraid you've got this one totally wrong. Person B is knowingly receiving stolen goods and is aware they are stolen. This itself is a crime in most jurisdictions. Publishing them is a further crime. Even if published by a "blogger" the act of publishing is legally regarded as a "sale". The blogger exchanged the stolen goods for "goodwill".

Regardless of how you feel about yumin rites, both of these are criminals - thieves. Worse, both might also be personally liable for civil damages in the millions of dollars.

uxo22 said,
The receiver of this information knew it was stolen property, and he accepted it, and then distributed it; which actually made the entire scenario even worse.

So every reporter, every news agency, every blog that reports the contents of the Snowden leaks is breaking the law? They know the Snowden documents are stolen property, they accepted it, and then distributed it.

Asmodai said,

So every reporter, every news agency, every blog that reports the contents of the Snowden leaks is breaking the law? They know the Snowden documents are stolen property, they accepted it, and then distributed it.

Let's not get the press confused with the general public. The average person also can't flash their ID card and gain access to crime scenes either. There's also this thing that you should know about called "Freedom of the Press" which provides the press with protections for disclosing things like the Snowden leak. This way, no one can be considered above the law.

What you are arguing are the principles of what is interpreted as right or wrong. But if you don't believe it, go out and buy something in public that you know is stolen and see how much water your argument holds.

Just Saying...

uxo22 said,

Let's not get the press confused with the general public. The average person also can't flash their ID card and gain access to crime scenes either. There's also this thing that you should know about called "Freedom of the Press" which provides the press with protections for disclosing things like the Snowden leak. This way, no one can be considered above the law.

What you are arguing are the principles of what is interpreted as right or wrong. But if you don't believe it, go out and buy something in public that you know is stolen and see how much water your argument holds.

Just Saying...


I guess it depends on what you consider the media then. I consider a blogger media. This is the 21st century and papers are dying. Even CNN and major news outlets often get their stories from blogs. There is a heated debate in the U.S. about if bloggers get reporters' rights or not, I happen to believe they should. In this particular case though the blogger was from France and I admittedly don't know much about French law. It is my understanding though that the E.U. actually has MORE strict privacy laws than the U.S., not less.

Also flashing a press ID doesn't magically get you into any crime scene. When that does happen it's because a relationship has been established between that particular media outlet and law enforcement agency. The law enforcement agency could establish a similar relationship with anyone else too. The law enforcement agency can easily just say no we aren't going to let reporters in and while it may hurt their relationship with the news agency it's not like the news agency has some RIGHT to access the crime scene.

Okay...well I'm done with this pointless debate. It is what it is. BTW, my son's a blogger and he is by no means a reporter nor does he have a press ID.

gonchuki said,
I hope Google was waiting for the perfect time for a strike back. This is it.
You don't think Google would have done the same if a Google employee was leaking data using a Gmail account?

If all the legal documentation is in place, any company is within their right to protect their trade secrets through whatever means accessible to them. Whether the little people (us) like their methods or not doesn't matter.

If this was done without the necessary legal documentation, then grab your popcorn because this is going to be entertaining!

Kalint said,
Google isn't going to stoop down to Microsoft's level. They'll do nothing.

Spit the Kool-Aid out before you make a fool of yourself.

Kalint said,
Google isn't going to stoop down to Microsoft's level. They'll do nothing.

They have been pretty quiet. Which is fine by me. Don't need any more trash talk in the tech world.

Kalint said,
Google isn't going to stoop down to Microsoft's level. They'll do nothing.
Ha, they wish they were at Microsoft's level. Google was the one who fired some poor chap who was happy about the 10% raise everyone was gonna get and let outsiders know, even though the memo was something that projected the company in a positive light. Real classy. Even Microsoft isn't so vindictive. And anyway Google can't say anything because if it was them facing this sort of situation they'd have done the exact same thing.

The Google employee released an internal memo marked for internal use only to the public and was fired. He didn't follow the rules, period. Doesn't matter if it showed the company in a good light or not. Most companies these days have a no tolerance policy as well.

techbeck said,
He didn't follow the rules, period.
Neither did this blogger, so I don't see what all this nonsensical talk about Google "striking back" entails.

I'm also sure if MS started aggressively going after and firing everyone who leaks screenshots of internal builds or even the compiled builds themselves there'd be a huge hue and cry about it everywhere about what tyrants they are and so forth (even though they'd be far more justified than Google was in the case above). Different standards for different companies.

Edited by Romero, Mar 22 2014, 2:14am :

Romero said,
Neither did this blogger, so I don't see what all this nonsensical talk about Google "striking back" entails.

I'm also sure if MS started aggressively going after and firing everyone who leaks screenshots of internal builds or even the compiled builds themselves there'd be a huge hue and cry about it everywhere. Different standards for different companies.

I am not denying what the blogger did or condemning MS for their actions. Users agreed to the TOS so really they have no recourse.

techbeck said,
I am not denying what the blogger did or condemning MS for their actions.
You aren't but lots of others here are, especially Google fans who seem to be deluded about what its own TOS contains, or what its response would have been had it found itself in the same situation. If anything I'm sure they'd have been far more aggressive in protecting their IP.

Romero said,
You aren't but lots of others here are, especially Google fans who seem to be deluded about what its own TOS contains, or what its response would have been had it found itself in the same situation. If anything I'm sure they'd have been far more aggressive in protecting their IP.

Damn right, we'd kill the family dog.

Dot Matrix said,
What?

Did I stutter? I made a statement/question that I thought MS didn't have the ability to look through users' emails.

techbeck said,
Wait. Thought MS didn't have the ability to do this.

What made you think Microsoft *can't* do this? Because they said your privacy is so important to them? Trust me it really isn't! That is just a marketing line. They can read every single thing you do on Skype, Outlook.com, etc. Hell I wouldn't be surprised if they could read just what you are typing and not even sending. Facebook was accused of doing exactly this a few months ago.

ditoax said,
What made you think Microsoft *can't* do this?

I thought it was mentioned at one time. Why I asked the question. If I am mistaken, then fine.

What would make you think they *CAN'T*? Maybe they said they WON'T, but can't? When has Hotmail ever claimed to be encrypted?

techbeck said,

I thought it was mentioned at one time. Why I asked the question. If I am mistaken, then fine.

They always could, they just said they won't. (Unless the Government comes with a valid warrant)

McKay said,

They always could, they just said they won't. (Unless the Government comes with a valid warrant)

Ahh, ok. Thanks. My mistake. Thanks for actually answering my question.

McKay said,

They always could, they just said they won't. (Unless the Government comes with a valid warrant)

That is what makes this troubling. They didn't say a warrant was obtained here. They said that MS' internal team of investigators decided to dig into the email... They probably contacted the FBI after this.

But none of this is a shocker. It has been what privacy advocates have been saying since the early days. That accessing the emails of the user is trivial on these services.

The best response to that would be to insert all your comments personally attacking others about being paranoid, creating things to be worried about to slander Google, it not being an issue, not having anything to hide, that you can disable this (even though Microsoft's competition claims you can, but then ignore your setting), and so on.

Besides, this article and the linked one were devoid of any real information. It states that Kibkalo acknowledged that laws were being broken. Information about the leak was then relayed to Microsoft. Did Microsoft obtain a court order? The article does not confirm nor deny, and if they were real news sources they would investigate (OK, real investigative journalism does not exist today) but instead they would rather spread the belief that Microsoft is snooping on everything we do, from Kinect to Hotmail to give fodder to people like yourself to attack Microsoft and defend Google from doing the same and worse.

WhatTheSchmidt said,
The best response to that would be to insert all your comments personally attacking others about being paranoid, creating things to be worried about to slander Google, it not being an issue, not having anything to hide, that you can disable this (even though Microsoft's competition claims you can, but then ignore your setting), and so on.

Besides, this article and the linked one were devoid of any real information. It states that Kibkalo acknowledged that laws were being broken. Information about the leak was then relayed to Microsoft. Did Microsoft obtain a court order? The article does not confirm nor deny, and if they were real news sources they would investigate (OK, real investigative journalism does not exist today) but instead they would rather spread the belief that Microsoft is snooping on everything we do, from Kinect to Hotmail to give fodder to people like yourself to attack Microsoft and defend Google from doing the same and worse.

Why don't you read the article:
"Microsoft Office of Legal Compliance (OLC) approved content pulls of the blogger's Hotmail account"

Cosmocronos said,

Why don't you read the article:
"Microsoft Office of Legal Compliance (OLC) approved content pulls of the blogger's Hotmail account"

Doesn't mean that OLC didn't get a court approval first. Also that bit about OLC was not in this article when I made my comment, the article was amended after.

WhatTheSchmidt said,

Doesn't mean that OLC didn't get a court approval first. Also that bit about OLC was not in this article when I made my comment, the article was amended after.

Courts do not approve, Courts issue orders and the receiving subjects comply with them.
Fair enough about the second part of your statement; articles are edited quite often here.

LogicalApex said,

That is what makes this troubling. They didn't say a warrant was obtained here. They said that MS' internal team of investigators decided to dig into the email... They probably contacted the FBI after this.

But none of this is a shocker. It has been what privacy advocates have been saying since the early days. That accessing the emails of the user is trivial on these services.

Why is that troubling? Why would an internal investigation need one?

Dot Matrix said,

Why is that troubling? An internal investigation doesn't need a warrant, especially, when it involved Microsoft's own services.

Are you aware that there are Countries which consider emails as any other form of private correspondence and as such protected by law?

The OLC probably justified it as a TOS violation... at the very least, they were using their Outlook account to violate the DMCA and other applicable international copyright law.

Cosmocronos said,

Courts do not approve, Courts issue orders and the receiving subjects comply with them.
Fair enough about the second part of your statement; articles are edited quite often here.

Court approval == issuing a warrant to search. This has been investigated by the FBI, and they wouldn't look into data unless they have a warrant.

ditoax said,

What made you think Microsoft *can't* do this? Because they said your privacy is so important to them? Trust me it really isn't! That is just a marketing line. They can read every single thing you do on Skype, Outlook.com, etc. Hell I wouldn't be surprised if they could read just what you are typing and not even sending. Facebook was accused of doing exactly this a few months ago.

Wasn't this guy a Microsoft employee at one point? If so, they have the right to look at any employee's email as long as it is company email that was assigned to them for work.

There is no assumption of privacy within a company's email infrastructure.

WhatTheSchmidt said,

Court approval == issuing a warrant to search. This has been investigated by the FBI, and they wouldn't look into data unless they have a warrant.

Based on the article it seems that MS and not the FBI pulled the emails, big difference.

Cosmocronos said,

Are you aware that there are Countries which consider emails as any other form of private correspondence and as such protected by law?

Right, but this occurred using Microsoft's own services, while he was employed there.

wernercd said,
What would make you think they *CAN'T*? Maybe they said they WON'T, but can't? When has Hotmail ever claimed to be encrypted?

There was a quite lengthy and technical post some time ago by thenetavenger explaining how all your data was encrypted on Microsoft servers with absolutely no way to be read by anyone other than you.

I guess it's safe to assume now that it was a load of bull.

Dot Matrix said,

Right, but this occurred using Microsoft's own services, while he was employed there.


Check the article: MS pulled the blogger's emails, not its employee's, and, if I remember correctly, the blogger lives in France.

Cosmocronos said,

Check the article: MS pulled the blogger's emails, not its employee's, and, if I remember correctly, the blogger lives in France.

Ahh, I see it now. It still doesn't sound like they're doing anything wrong. I would assume if the blogger was using an outside service - say GMail - they then would have had to take extra steps to procure those emails.

Edited by Dot Matrix, Mar 20 2014, 9:24pm :

ichi said,
There was a quite lengthy and technical post some time ago by thenetavenger explaining how all your data was encrypted on Microsoft servers with absolutely no way to be read by anyone other than you.

I guess it's safe to assume now that it was a load of bull.

I'd find that hard to believe this side of the mail being encrypted so *no* one else can read it but you.

When have you ever needed a Public/Private key? That MS doesn't have? If you can open your email without providing that... then MS has full access. I know I've never provided anything but a password.

Now... it could all be encrypted such that someone who has access to the server/database won't be able to read the email. The main issue is that Google and MS mine the emails for ad profiles.

How can they do that without being able to read your emails?

"It's the keygen that Microsoft feared as a working keygen can be expensive to patch and could result in millions in lost revenue."

Mhm, share the screenies, but don't mess with the code.