Microsoft to add new policies that will limit internal Hotmail-Outlook.com searches

Earlier today, it was revealed that Microsoft accessed the email of an unnamed blogger's Hotmail account to find the source of Windows 8 code leaks. The revelation raised questions about the privacy of all Hotmail or Outlook.com emails, even though Microsoft's own Terms of Service state flat out that the company does have the right to search those accounts if it feels such actions will be needed to "protect the rights or property of Microsoft or our customers."

That certainly seems to be the case in this particular instance, but now Microsoft has sent the Re/code website a statement from its Deputy General Counsel John Frank on this matter. Frank says the company will now be adding a couple of extra steps in its policies to make sure that the rights of its Hotmail and Outlook.com customers are protected.

Frank's statement said, in part:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Frank says that email searches for information related to company property will not expand to other matters, and such investigations will be supervised by counsel to make sure this rule is followed. Finally, Microsoft will add the number of those particular kinds of searches as part of its bi-annual data transparency report from now on. His statement added, "The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward."

Source: Re/code

50 Comments


using hotmail/outlook as a PRIMARY email service, thinking MS wouldn't be data mining, would be about as stupid as thinking Google doesn't data mine gmail.

jasondefaoite said,
MS pokes fun of Google "reading" emails in ads (scroogled)

MS actually reads customers' emails.

Definitely damage control

How so? They read his emails as part of an internal investigation into criminal activity. There is a difference.

Exactly. An internal investigation. No external oversight. No warrant to access the account. Who do they think they are, the NSA?

If this was an investigation into criminal activity, one wonders why the police/courts weren't involved? I guess because MS didn't need them to be.

They obviously recognise some potential PR concerns here, hence the changes they are implementing. They still won't go so far as getting a court order. But now they ping a retired judge for the go ahead instead. Fair enough, an improvement over the current practise, but why not go the whole way and actually involve the courts and get a court order.

Speaking about Outlook ads vs Gmail ads. With Google, I know all the ads I see from them are about things I am interested in. With Microsoft,......on Outlook, I get an ad about Allstate Drivers Insurance. I don't care about that! When I refresh the screen, the next ad is about Vonage! Who cares?! Next one is about Office 365,....which I could care less for. Guys, I don't want to setup these ads for these freemium services. I have better things to do.

VictorWho said,
Speaking about Outlook ads vs Gmail ads. With Google, I know all the ads I see from them are about things I am interested in. With Microsoft,......on Outlook, I get an ad about Allstate Drivers Insurance. I don't care about that! When I refresh the screen, the next ad is about Vonage! Who cares?! Next one is about Office 365,....which I could care less for. Guys, I don't want to setup these ads for these freemium services. I have better things to do.

Maybe if you use Outlook.com just a bit more, you will decide you want to get Vonage and buy Allstate Drivers Insurance. ;)

Complaining that you 'as a consumer' are not being 'manipulated by marketing' as well, is a bit strange.

All the things you stated are precisely what I like about non-targeted Outlook ads vs targeted Gmail ads. I don't care for either but lacking an option for a completely ad-free experience I'll go for the former any day.

How about simply using Adblock Plus on either Chrome or Firefox? (or even Adaway on 'droid)

MS, Yahoo! and Gmail can target me with ads all they like - I don't see ANY of them........

The ToS is termed very loosely.

Anyway, this is very hypocritical of Microsoft, referring to the Scroogled campaign.

With Google, they at least use complex Algorithms to target search terms in order to drive advertising according to the user's interest. With Microsoft, this is flat out invasion of privacy.
If Microsoft has to do something like this, I would feel much better if a judicial court order were to be obtained rather than the company just going into someone's account. Like I said the ToS is termed too loosely.

I love how the only thing that you and Asmodai care about is the Scroogled campaign :rolleyes:

Because you know, marketing is always 100% factual and truthful. Just like how Google claims they do no evil. How Apple claims they make some revolutionary every year. How Samsung claims their products are vastly superior to competitors.

VictorWho said,
The ToS is termed very loosely.

Anyway, this is very hypocritical of Microsoft, referring to the Scroogled campaign.

With Google, they at least use complex Algorithms to target search terms in order to drive advertising according to the user's interest. With Microsoft, this is flat out invasion of privacy.
If Microsoft has to do something like this, I would feel much better if a judicial court order were to be obtained rather than the company just going into someone's account. Like I said the ToS is termed too loosely.

Again, something that is being lost...

Even if Microsoft 'goes into your account', there is already quite an elaborate process that ends with your GUID being released by a server. That is then used to open the account in an atypical way.

Your data isn't sitting 'viewable, or human readable' on their servers.

In contrast, at Google, any Engineer level employee can open and read yours and 50 other users' email at any time, and query them.

There is a great deal of difference in user privacy/security between Microsoft and how most companies operate.

How about you show us where Google's TOS is so much better in this regard? As for scroogled, seems people who can't really refute it are desperate to "pull one back" because the events of this case and that campaign are connected only in their minds.

VictorWho said,
The ToS is termed very loosely.

Anyway, this is very hypocritical of Microsoft, referring to the Scroogled campaign.

With Google, they at least use complex Algorithms to target search terms in order to drive advertising according to the user's interest. With Microsoft, this is flat out invasion of privacy.
If Microsoft has to do something like this, I would feel much better if a judicial court order were to be obtained rather than the company just going into someone's account. Like I said the ToS is termed too loosely.

This is 100% different from scroogled. This is a single instance of a single mailbox being looked at AFTER multiple court orders were granted for searches outside of MS control (apartments etc.) and there was comparable evidence to suggest that evidence would be found on their own outlook service for this particular user.

They can't get a court order to search their own servers, so the absolute most they can do is thoroughly review the situation and make sure they are following stringent guidelines before the search is authorised.

You compare this to a situation where all email is data mined using an automated algorithm for all mailboxes on the system, it makes my brain hurt, the level of dumb here.

The only comparison of any merit would be if Google had a similar situation of data theft that started with legal investigations and court ordered searches and led to Google being in a position where they were almost certain that evidence would be held in a user's Gmail account and then and only then you could compare the actions of both companies.

I'm not sure what Google would do, as I'm not Google, but what choices would you have in this situation? You can't get a court order, you are certain you will find evidence on this mailbox, you have exhausted legal routes and have followed due diligence and the only thing left is to decide to look at the mailbox or not.

Brony said,
It is amazing how some people defend MS. Just STOP the nonsense!.

Everything they said makes perfect sense and the only thing to be defended against would be speculated foul play.

Again, it's impossible to get a court order to search your own servers, so are you suggesting that even given the mountain of evidence MS had along with the previously granted court orders of house searches and the legal process between them and the FBI, they simply shouldn't have accessed the account at all? Leave it at that, no matter what?

I'm happy. I'm aware that Microsoft can read my emails, anytime, for any reason, and generally don't, but can. Knowing that they're going to try to keep it within certain legal boundaries is a good move by Microsoft, and helps ease fears that I had - after all, they call the team that investigates if someone yells "Fag" too many times on XBL an "investigative team" too.

neonspark said,
Read the TOS. Stop bitching

Nobody reads the TOS, especially since they are anything but clear and they change at whim.

I'm not sure what this is supposed to solve. Either you trust MS or you don't. If you trust them to only read your email if necessary then these extra steps are redundant and unnecessary. If you don't trust them then how is setting up a different group of MS employees going to ease your mind at all? They would need to actually get a court order not just have someone on their payroll say that they think they have enough evidence to get one... even if it is an ex-judge.

For people who have a concern over privacy, I don't see why they'd trust any company regardless of what they might say. If it's unencrypted, consider it a postcard.

zhangm said,
For people who have a concern over privacy, I don't see why they'd trust any company regardless of what they might say. If it's unencrypted, consider it a postcard.

Put it this way... Whether you use Microsoft, Google, Yahoo, or any other online services provider, one thing is certain, and that's each and every one of those providers can, and will access that data if the case warrants it.

Not sure why so many are claiming this to be a case of pot meets kettle, but this is in no, way, shape, or form related to the "Scroogled" marketing campaign. There is a difference between accessing user data for a criminal investigation, and data mining for commercial gain.

No one here should be under any assumption that they have a right to anonymity, or privacy in this regard.

Dot Matrix said,

Put it this way... Whether you use Microsoft, Google, Yahoo, or any other online services provider, one thing is certain, and that's each and every one of those providers can, and does access that data if the case warrants it.

Not sure why so many are claiming this to be a case of pot meets kettle, but this is in no, way, shape, or form related to the "Scroogled" marketing campaign. There is a difference between accessing user data for a criminal investigation, and data mining for commercial gain.

No one here should be under any assumption that they have a right to anonymity, or privacy in this regard.


The issue is who decides "if the case warrants it". I don't believe anyone has an issue with MS accessing an account if a legal warrant is issued for them to do so. The problem is with a company deciding on its own that the case warrants looking at users private data.

Asmodai said,

The issue is who decides "if the case warrants it". I don't believe anyone has an issue with MS accessing an account if a legal warrant is issued for them to do so. The problem is with a company deciding on its own that the case warrants looking at users private data.

A company as big as MSFT isn't going to be rifling through user's data without the proper authorizations and cause. The fact that they have their own checks and balances assures this.

Dot Matrix said,

Put it this way... Whether you use Microsoft, Google, Yahoo, or any other online services provider, one thing is certain, and that's each and every one of those providers can, and will access that data if the case warrants it.

Not sure why so many are claiming this to be a case of pot meets kettle, but this is in no, way, shape, or form related to the "Scroogled" marketing campaign. There is a difference between accessing user data for a criminal investigation, and data mining for commercial gain.

No one here should be under any assumption that they have a right to anonymity, or privacy in this regard.

Correct. This is why I have always hosted my own email and data storage and will never use anyone's cloud services.

The only way to protect your data is to keep it under your control.

Sadly, most users online aren't capable of making a choice in this area.

Asmodai said,

The issue is who decides "if the case warrants it". I don't believe anyone has an issue with MS accessing an account if a legal warrant is issued for them to do so. The problem is with a company deciding on its own that the case warrants looking at users private data.

The problem is that they can't get a warrant to look at data on their own servers.
That's why they now will do their own investigation. If they feel they want to look at data they will present their findings to an outside company. If they also find a judge would issue a warrant in that case, then and only then MS will look at the content of the emails.

Seems like a nice and fair thing to do

Stoffel said,

The problem is that they can't get a warrant to look at data on their own servers.
That's why they now will do their own investigation. If they feel they want to look at data they will present their findings to an outside company. If they also find a judge would issue a warrant in that case, then and only then MS will look at the content of the emails.

Seems like a nice and fair thing to do

This is a mockery of the legal system it is claiming to replicate...

I get that I am far more privacy conscious than most... But the whole reason we require warrants is to have a neutral party review the information and make an unbiased decision to violate someone's rights.

Since everyone in this works for Microsoft there is no independence. There is no additional safety earned for the users in this.

But I agree that users shouldn't expect privacy on these services. Sadly, they are land locked.

Information is the most important asset people have and they are forced to give it up like candy with no ability to relinquish that control. A very sad reality for the average user.

LogicalApex said,

This is a mockery of the legal system it is claiming to replicate...

I get that I am far more privacy conscious than most... But the whole reason we require warrants is to have a neutral party review the information and make an unbiased decision to violate someone's rights.

Since everyone in this works for Microsoft there is no independence. There is no additional safety earned for the users in this.

But I agree that users shouldn't expect privacy on these services. Sadly, they are land locked.

Information is the most important asset people have and they are forced to give it up like candy with no ability to relinquish that control. A very sad reality for the average user.

But how can MS ever ask for a warrant to look at data that is stored on their own servers? They just can't.

The way I understand it is that they will present their findings to an outside attorney.
Only if that person also finds that he as a former judge would issue a warrant. Then MS would access your personal data.

What more could they do to make it more fair?

Dot Matrix said,

Put it this way... Whether you use Microsoft, Google, Yahoo, or any other online services provider, one thing is certain, and that's each and every one of those providers can, and will access that data if the case warrants it.

Not sure why so many are claiming this to be a case of pot meets kettle, but this is in no, way, shape, or form related to the "Scroogled" marketing campaign. There is a difference between accessing user data for a criminal investigation, and data mining for commercial gain.

No one here should be under any assumption that they have a right to anonymity, or privacy in this regard.

NO. This is a privacy issue. If you rent an apartment and the owner suspects that you are doing something illegal in your space, does that owner have the right to freely walk into your apartment and investigate without a warrant?

What Google does with email in regards to data mining isn't a bad thing, simply because they use an algorithm to target ads to the user's interest. For me, I don't mind seeing ads about tech stuff, because it interests me. If I see ads about kitty litter or trips to the Bahamas, then that will annoy me. This is how Google pays their bills to offer freemium services. If Microsoft is serious about offering free Windows (as it is rumored) they will have to do the same thing,....because it makes sense.

People have the right to assume privacy if email is considered to be a socially standard norm. Email should be considered private. If Microsoft were to invade one of their user's email account, it would be much better if the courts disallowed that action unless authorized with a "warrant." Think about it, I could just write Microsoft and say that "Dot Matrix is a plotting terrorist" and fabricate an authentic but disingenuous "truth" to lure Microsoft to invade your privacy.

Let me give you a little advice: Know your rights.

NO. This is a privacy issue. If you rent an apartment and the owner suspects that you are doing something illegal in your space, does that owner have the right to freely walk into your apartment and investigate without a warrant?

Actually yes they can. He just has to let you know that he's doing it, your permission and you being there aren't required by law.

Stoffel said,

But how can MS ever ask for a warrant to look at data that is stored on their own servers? They just can't.

The way I understand it is that they will present their findings to an outside attorney.
Only if that person also finds that he as a former judge would issue a warrant. Then MS would access your personal data.

What more could they do to make it more fair?

Involving a truly neutral party would have helped...

That being said, Microsoft is always able to relay its concerns to police who can obtain a warrant for Microsoft servers.

VictorWho said,
NO. This is a privacy issue. If you rent an apartment and the owner suspects that you are doing something illegal in your space, does that owner have the right to freely walk into your apartment and investigate without a warrant?

"Apartment" gives too strong an impression of your whole private life.
If you change the example from "Apartment" to "P.O. Box", will the impression of violation still be as strong?

VictorWho said,
NO. This is a privacy issue. If you rent an apartment and the owner suspects that you are doing something illegal in your space, does that owner have the right to freely walk into your apartment and investigate without a warrant?

A little advice. Know the difference between a dwelling and a free mail service. Laws protecting a renter's rights don't exactly apply to a computer... that makes zero sense why you think they would. (Should also check your lease, they sure as hell can under certain conditions.) Also, fourth amendment rights typically apply to the police and government agencies, not private entities.

LogicalApex said,

Correct. This is why I have always hosted my own email and data storage and will never use anyone's cloud services.

Can I get an @frazell.net email account?

And why is your site blocked by my workplace...

Dot Matrix said,

A company as big as MSFT isn't going to be rifling through user's data without the proper authorizations and cause. The fact that they have their own checks and balances assures this.

Right, just like a government as big as the U.S. isn't going to be rifling through your emails and yahoo video chats and phone call records without the proper authorizations and causes. The NSA had its own checks and balances too, that's worked out great! They aren't checks and balances if it's all within one organization. You can't trust any organization (government or corporate) to police themselves. That's why you need a neutral third party.

Stoffel said,

The problem is that they can't get a warrant to look at data on their own servers.

I'm not sure that's true. I'm not a lawyer but I imagine say a storage company could get a warrant to search one of its rented storage units. Even if they can't though then it doesn't have to be the government specifically but it does need to be a neutral third party. Having someone you are paying validate what you are doing is not going to reassure anyone. Either you don't care and the validation is pointless to begin with or you do and you're not going to trust a validator paid by the person being validated. Maybe they could get a trusted privacy non-profit or something to sign off on search requests if warrants really are impossible.

Lord Method Man said,

Can I get an @frazell.net email account?

And why is your site blocked by my workplace...

Not sure why my site is blocked. It isn't anything all that exciting really...

My email is on @thinkist.net ;) Frazell.NET is just my blog...

And no, I don't host others. If I were to host your email I would have similar access to read the stored copies as Microsoft or Google would. If you care about your privacy the solution is for you to host yourself in some fashion (either renting a box or throwing one in your basement or something similar).

All I know is, I pay for my hotmail.com account have done for years and it's become a joke.

Whilst reading emails, the page refreshes.

Or I drag emails to certain folders, log off few hours later check via hotmail my messages

and they have returned to the inbox the messages I dropped into folders.

I have had my hotmail account before MS acquired hotmail and I like my email address.

I don't wish to make my outlook account the default and lose my hotmail account.

I wish they would sort it out.

The page refreshes probably because you have tracking protection lists active. The work-around is, IIRC, disable them, go to your email, load the page yadayada, then re-enable.

leesmithg said,
All I know is, I pay for my hotmail.com account have done for years and it's become a joke.

Whilst reading emails, the page refreshes.

Or I drag emails to certain folders, log off few hours later check via hotmail my messages

and they have returned to the inbox the messages I dropped into folders.

I have had my hotmail account before MS acquired hotmail and I like my email address.

I don't wish to make my outlook account the default and lose my hotmail account.

I wish they would sort it out.

I also had the folder display an email that I had moved earlier when I was logged in over an intermittent 3G connection.

The issues you are describing sound exactly like a connectivity issue between you and Microsoft. Although the tracking protection suggestion above may also be the problem, try disabling tracking protection on the outlook.com page (in IE11 click the 'no' symbol in the address bar).

If you are sure your connection is rock solid, and it isn't some other software or issue, you need to contact them, the issues aren't normal.

Mobius Enigma said,

I also had the folder display an email that I had moved earlier when I was logged in over an intermittent 3G connection.

The issues you are describing sound exactly like a connectivity issue between you and Microsoft. Although the tracking protection suggestion above may also be the problem, try disabling tracking protection on the outlook.com page (in IE11 click the 'no' symbol in the address bar).

If you are sure your connection is rock solid, and it isn't some other software or issue, you need to contact them, the issues aren't normal.

Thanks, I will try that, hopefully it will rid the problem away!.

dingl_ said,
anyone making Microsoft out to be the bad guys here is touched

Ahem, MS IS STILL a bad guy.


so .. if somebody kill you, police shouldn't be able to look for evidences at somebody's home ... makes sense

Why to wait the police?, just go inside and find for evidences. And if you don't find any then plant one.

Emiliano Magliocca said,

so .. if somebody kill you, police shouldn't be able to look for evidences at somebody's home ... makes sense

<sigh>

Here's a better analogy, hopefully you'll get it:

Employee says "I killed someone and their body is in that office with the closed door."
Company security says "We better not go in there; we'll just wait until the police arrive."

Is that really what you are advocating?