Microsoft will no longer access email accounts that steal company IP

It recently became apparent that Microsoft accessed a bloggers email when they found out he was receiving sensitive Microsoft material from a source inside Microsoft. In short, Microsoft got spooked that its intellectual property was walking out the door and took steps to stop these actions.

Microsoft accessed the account without a warrant and as you can imagine, this caused quite a stir in the tech community. In an effort to save face, Microsoft has changed its policy and will not access any information on company owned services and will instead turn the information over to the police.

Microsoft’s new policy is as noted by Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

This is step that will likely appease those who were critical of the company and its practices for investigating such instances. Of course, this policy comes after the fact that these practices were in place but if you are willing to trust Microsoft’s word here, then it will not happen again (without a warrant that is).

Source: Microsoft

Report a problem with article
Previous Story

Facebook confirms plans to offer Internet access via solar-powered air drones

Next Story

Videos shows leaked Windows Phone 8.1 OS running on Lumia 630

76 Comments

Commenting is disabled on this article.

I can't believe the negativity on this towards Microsoft. If it was Google, noone would've made such a fuss and everyone would congratulate Google for capturing such 'criminals'.

But nah, you have MS sourcecode and you use MS services to receive/distribute or whatever... Thats just being retarded. MS isn't in the wrong where there is no need for courts to be involved (waste of tax payers money), the people behind this were total tools for using MS's service.

But yeah, Microsoft, autohate.

As far as I am concerned definitely a PR disaster - Microsoft decided they didn't have to follow the bizarre let-me-call-the-police-to-look-in-my users' content on my servers routine. In reality little changes. They wouldn't have had an issue with getting a court order on this one.

Encryption would be a simple solution across the board, but then companies couldn't scan your data to push ads, report things they deem improper etc. This is especially true of supposed "free" services. So we get to hear things like "MS isn't the only one", which is such a lame argument. As if it somehow excuses it. It's a nice gesture, but you'd be a fool to think alphabet agencies haven't already found a way to circumvent these new "rules". I use my One drive for a lot of stuff, only not a single item is in any way sensitive, therefore it's not worth one cent past free.

Hahaiah said,
Encryption would be a simple solution across the board, but then companies couldn't scan your data to push ads, report things they deem improper etc.
Email is a different matter but when talking about cloud storage you are free to encrypt your own data any way you see fit before uploading. As for "MS isn't the only one", that's the plain truth that everyone should know and indeed there are far worse culprits than them. The alternative is that people blithely think they can use other services without a care because with those their data is supposedly "safe". Ha! As you said, trust none of them with sensitive data, as simple as that.

By the way, these new "rules" have nothing to do with alphabet agencies and official data requests - that's an entirely separate issue altogether (although the effect on the privacy of your data is the same).

Wow....Microsoft easily folded like a cheap tent when it came to this issue. People who defended the company hard, like Ed Bott, must feel like they've been slapped in the face. People like Ed Bott and Paul Thurrott argued that Microsoft had the right to do what they did and now Microsoft is saying "We won't ever do it again."

All in all, like I've said so many times,....people have to know their constitutional rights. People have to know that THOSE rights easily trump the most "legalese" wordings of any agreement, or in this case ToS. What Microsoft did was utterly wrong. Now the question is,...with all the deceitful things that Microsoft has done in the past few years, do they really mean when they say "we will not inspect a customer's private content ourselves. Instead, we will refer the matter to law enforcement if further action is required." NOTE the legal language of the phrase "....if further action is required."

Far less deceitful than other companies IMO, and none of those even make such a commitment because they clearly know they won't be sticking to it any time soon given they do this on a daily basis.

The damage has been done now, I see their "scroogled" campaigns for the hypocritical circle jerks they actually are, and it's about time Neowin's readers did the same thing and stopped piling the excuses on.

As somebody who doesn't use either aside from forum registrations and such (and frankly don't really care either way), I can't see how you could possibly consider automated systematic scanning of all mail for advertising purposes to be the exact same thing as looking at one specific account looking for stolen property. Apples and oranges.

Max Norris said,
As somebody who doesn't use either aside from forum registrations and such (and frankly don't really care either way), I can't see how you could possibly consider automated systematic scanning of all mail for advertising purposes to be the exact same thing as looking at one specific account looking for stolen property. Apples and oranges.

Don't let the details of this being focused on one specific person who stole company IP get in the way of things.

Javik said,
The damage has been done now, I see their "scroogled" campaigns for the hypocritical circle jerks they actually are, and it's about time Neowin's readers did the same thing and stopped piling the excuses on.

This has nothing to do with data mining email for financial gain. This was an IP theft investigation. Two different things.

I really don't care how you rationalised it, it's the same thing. They snooped on a person's private property without a warrant. It's still hypocritical to criticise people offering other services for privacy concerns when you're also prepared to trample over people's privacy as soon as it suits your agenda. And knowing you if it were Google doing it I'm sure you'd be all over it like a rash.

Javik said,
I really don't care how you rationalised it, it's the same thing.

It's really not hard to understand.. one time with probable cause versus all the time for money. Not the same thing, at all. And you really shouldn't expect any sort of "right to privacy" on any third party server. Ever. Even Google will tell you this. You want to steal stuff, that's fine but protip, don't put it on a third party network, especially if it's your employer's network and their stolen property to begin with... they most certainly can and will look at it.

Javik said,
I really don't care how you rationalised it, it's the same thing. They snooped on a person's private property without a warrant. It's still hypocritical to criticise people offering other services for privacy concerns when you're also prepared to trample over people's privacy as soon as it suits your agenda. And knowing you if it were Google doing it I'm sure you'd be all over it like a rash.

It wasn't their private property - In any sense of the definition. Neither the employee, nor the "blogger" owned the services used to commit the crimes.

Javik said,
The damage has been done now, I see their "scroogled" campaigns for the hypocritical circle jerks they actually are, and it's about time Neowin's readers did the same thing and stopped piling the excuses on.

There is no damage done.

No, but the data contained on the service is there property. Which is why almost all modern governments have data protection laws.

Actually it was Microsofts stolen property contained within both users accounts that Microsoft rightly reserved the right to access once the employee admitted wrongdoing

Today they revised that policy, to protect even blatant thieves of their own services and IP, that's something to be applauded in the end. Microsoft put privacy over protecting its own IP assets

Javik said,
No, but the data contained on the service is there property. Which is why almost all modern governments have data protection laws.

Um. No, Microsoft's code is not their property.

Is there an implication in these posts that Google hasn't been doing this for years? Based on Google's EULA, there is little to no privacy assumed by using Gmail whether you work for Google or not.

Personally speaking, I'm not sure there should be any expectation of privacy if I use a company-owned device to access personal accounts and move company IP. Just me, i guess.

Really just statement that people need to take on faith. They still have the ability to view whatever they want as well as any other email provider.

This much is true about any data we store online on any site. There's actually nothing one can do about this short of encrypting one's data, because unless it comes to our notice somehow there's no way we can state for certain that our data has never been accessed without our knowledge.

A stir, that shouldn't have been. Still not sure why Microsoft was made out to be the bad guy here, for an internal investigation involving their own services.

So you think it's OK for a company to sift through your personal property as long as you get accused of wrongdoing by them first?

Dot Matrix said,
A stir, that shouldn't have been. Still not sure why Microsoft was made out to be the bad guy here, for an internal investigation involving their own services.

Because if you agree with it or not people consider email service like mail service. The U.S. Postal service, UPS, FedEx, etc. can't just go reading your letters you send to someone using their service. You're using their service, your letter is in their possession, it's on their truck but they can't just open it up and read it. Very few people read ToS statements and even if they tried many probably wouldn't fully understand them without having a strong legal background.

I don't think the majority of the public had any idea MS could do this and when they found out they didn't like it. Hopefully MS shining a light on this will cause people to put pressure on other providers to do the same (yeah right, one can hope). I've been clear in my opposition to what MS did but I think this is totally the right thing for them to do and am very glad they've made this change.

Javik said,
So you think it's OK for a company to sift through your personal property as long as you get accused of wrongdoing by them first?

Accused? The two of them were more than accused, they were caught in the act.

Javik said,
So you think it's OK for a company to sift through your personal property as long as you get accused of wrongdoing by them first?

If you work for the company in question, I bet it's under their right to scan your work computer and files at the least, be it MS or any other big company out there. I'd like to see some deals that people sign when they go to work for big corporations and just what "rights" they have over work related materials.

Dot Matrix said,
A stir, that shouldn't have been. Still not sure why Microsoft was made out to be the bad guy here, for an internal investigation involving their own services.

Quite simple: 90%, and I am optimistic, of users do not read the TOS; although MS actions have been within what is said in the TOS it was bad publicity therefore they have changed it.

Cosmocronos said,
The fact is that MS went through the emails of the blogger who was not an employee.
That was their PR problem.

He was still (idiotically) using their services.

George P said,

If you work for the company in question, I bet it's under their right to scan your work computer and files at the least, be it MS or any other big company out there. I'd like to see some deals that people sign when they go to work for big corporations and just what "rights" they have over work related materials.

I've been a corporate email admin in my career and the company I worked for at least explicitly spelled it out in the employee handbook that the company email was NOT a private account and they reserved the right to look through it. I actually did have to act on that a few times and go rooting through their email. That said that's not what was at issue here. MS did NOT go through an employees email. They went through a bloggers email who had published leaked information. They had reason to believe he had "trade secrets" that were leaked (in addition to the screenshots and stuff he'd already published) and he happened to have a PERSONAL hotmail account and so they went rooting around in his PERSONAL account to see if they could find evidence. They hit the jackpot and were able to discover who leaked the info to the blogger and turned that evidence over to the FBI who arrested the leaker. Their suspicions were confirmed in this case but they didn't know what they were going to find when they went rooting around in his personal files and people object to them being able to look through any hotmail account just because they suspect wrongdoing.

Asmodai said,

I've been a corporate email admin in my career and the company I worked for at least explicitly spelled it out in the employee handbook that the company email was NOT a private account and they reserved the right to look through it. I actually did have to act on that a few times and go rooting through their email. That said that's not what was at issue here. MS did NOT go through an employees email. They went through a bloggers email who had published leaked information. They had reason to believe he had "trade secrets" that were leaked (in addition to the screenshots and stuff he'd already published) and he happened to have a PERSONAL hotmail account and so they went rooting around in his PERSONAL account to see if they could find evidence. They hit the jackpot and were able to discover who leaked the info to the blogger and turned that evidence over to the FBI who arrested the leaker. Their suspicions were confirmed in this case but they didn't know what they were going to find when they went rooting around in his personal files and people object to them being able to look through any hotmail account just because they suspect wrongdoing.

Right, but I'm just saying as a common practice for work devices this goes on all the time. Now in the future MS will just go to the feds and see where it leads that way instead of proactively doing it on their own. I'm sure they could've worked it the other way and scanned their workers work email to find it but that would've taken longer.

George P said,

Right, but I'm just saying as a common practice for work devices this goes on all the time. Now in the future MS will just go to the feds and see where it leads that way instead of proactively doing it on their own. I'm sure they could've worked it the other way and scanned their workers work email to find it but that would've taken longer.

If they had scanned their workers email (I doubt the employee sent the leaked data from his work account) and/or took their suspicions to the authorities and had them look through the bloggers Hotmail account (assuming their suspicions were well founded enough to get probable cause for a warrant) then this controversy would never have arisen. Apparently they even concede that is doable now as this new policy appears to say that's exactly what they will do in the future, which is great.

Asmodai said,
Their suspicions were confirmed in this case but they didn't know what they were going to find when they went rooting around in his personal files
How many times are you going to repeat this lie? He mailed someone the stolen SDK code from his Hotmail account so they knew very well he was in violation of the TOS and also in possession of trade secrets stolen from them and stored in his account.

Edited by Romero, Mar 28 2014, 11:44pm :

We all know there's only one company and its fans whose agenda it is to try and sling mud here. Too bad, they can shovel all they want but can never crawl out from under the pile they find themselves buried under.

Asmodai said,
Because if you agree with it or not people consider email service like mail service. The U.S. Postal service, UPS, FedEx, etc. can't just go reading your letters you send to someone using their service. You're using their service, your letter is in their possession, it's on their truck but they can't just open it up and read it.
Other than first-class letters or parcels all other classes of mail can and are opened if deemed suspicious by the USPS without any warrant whatsoever. I'm sure UPS etc. have similar rules too. So much for the supposed sanctity of the mail service.

Dot Matrix said,

He was still (idiotically) using their services.

Although we do not know all the facts I find weird that "a partner in crime" would contact MS about what the company employee was doing.
Looking to see what will happen in Court.

Cosmocronos said,
Although we do not know all the facts I find weird that "a partner in crime" would contact MS about what the company employee was doing.
He contacted someone outside the company to make a fake activation server for him so he could sell activation keys online. Whether this person was an MS contract employee or how else he was connected to the company is unknown to us. What we do know is this guy went and informed Sinofsky and things unravelled for the thieves from there.

i don't get it
if they are Microsoft's servers why shouldn't they
be able to look at all information on them
including employee email,
i would have a problem it they weren't their servers they were looking at

Romero said,
He contacted someone outside the company to make a fake activation server for him so he could sell activation keys online. Whether this person was an MS contract employee or how else he was connected to the company is unknown to us. What we do know is this guy went and informed Sinofsky and things unravelled for the thieves from there.

Not exactly, you can check the allegations, not proven facts, here:

http://seattletimes.wpengine.n...14/03/Kibkalo-complaint.pdf

Edited by Cosmocronos, Mar 29 2014, 12:10am :

Romero said,
How many times are you going to repeat this lie? He mailed someone the stolen SDK code from his Hotmail account so they knew very well he was in violation of the TOS and also in possession of trade secrets stolen from them and stored in his account.

He mailed someone at Microsoft a sample of the stolen SDK code that was leaked from his Hotmail account yes. So they knew he was in possession of it but they did not know it was stored in his account. He could have had it anywhere, on his local PC, on another account, and then just copied and pasted or attached or whatever the code to the email he sent (like an idiot) to see if the stuff was legit. The fact he sent them evidence that he had leaked code should have been sufficient for probable cause to get a warrant but instead they took it upon themselves to invade his privacy and rifle through his personal things. Now in this case it turns out they uncovered more evidence but the fact they can just take it upon themselves to look through any users personal account without any oversight has upset many. This new policy is meant to address that.

Asmodai said,

He mailed someone at Microsoft a sample of the stolen SDK code that was leaked from his Hotmail account yes. So they knew he was in possession of it but they did not know it was stored in his account. He could have had it anywhere, on his local PC, on another account, and then just copied and pasted or attached or whatever the code to the email he sent (like an idiot) to see if the stuff was legit. The fact he sent them evidence that he had leaked code should have been sufficient for probable cause to get a warrant but instead they took it upon themselves to invade his privacy and rifle through his personal things. Now in this case it turns out they uncovered more evidence but the fact they can just take it upon themselves to look through any users personal account without any oversight has upset many. This new policy is meant to address that.

Again, a commercial service is not private. You do not own the servers your data is stored on, Microsoft does. You are leasing space from them.

devobtch said,
i don't get it
if they are Microsoft's servers why shouldn't they
be able to look at all information on them
including employee email,
i would have a problem it they weren't their servers they were looking at

They CAN look at employee email. The guy whose email they looked at wasn't an employee. He was just a guy who had a personal Hotmail account. People are upset that MS can just decide to look through their personal Hotmail accounts. This is a big issue especially since MS made it seem like they don't look through users email in the Scroogled campaign. Also MS is trying really hard to get businesses, colleges and such to allow them to host their email (part of their services push). If MS can just look through anything on their servers without any outside oversight then what stops MS from looking through a hosted businesses "trade secrets" or colleges confidential research, etc.

Asmodai said,

They CAN look at employee email. The guy whose email they looked at wasn't an employee. He was just a guy who had a personal Hotmail account. People are upset that MS can just decide to look through their personal Hotmail accounts. This is a big issue especially since MS made it seem like they don't look through users email in the Scroogled campaign. Also MS is trying really hard to get businesses, colleges and such to allow them to host their email (part of their services push). If MS can just look through anything on their servers without any outside oversight then what stops MS from looking through a hosted businesses "trade secrets" or colleges confidential research, etc.

This was an internal investigation, that involved numerous lawyers and higher ups. There's a difference.

Cosmocronos said,
Not exactly, you can check the allegations, not proven facts, here:

http://seattletimes.wpengine.n...14/03/Kibkalo-complaint.pdf
I've read those court docs and various other sources. What in my comment is not borne out by the docs? Also how can you just term them allegations when they've been scrutinized and reviewed and presented to a judge by an FBI agent, and the judge agreed with what the agent stated and the thief has confessed and been arrested?

Asmodai said,
So they knew he was in possession of it but they did not know it was stored in his account.
However much of the code he posted via his Hotmail account was enough to prove his complicity in the crime and he further compounded it by attempting to profit from the stolen data. At that point his account was more than fair game, period.

Asmodai said,
If MS can just look through anything on their servers without any outside oversight then what stops MS from looking through a hosted businesses "trade secrets" or colleges confidential research, etc.
Indeed, why only MS, what stops anyone including Google? And what sort of outside oversight can ever stop any of these companies from "looking through a hosted business' trade secrets or college's confidential research"? Unless their snooping ever comes to light no amount of oversight will help, not unless that oversight involves a whole team of people sitting right there at each company and data center 24x7 and keeping a close watch on what user data is being accessed by the company itself.

Because you are guilty at the end of a trial if the jury find you guilty. The time of Judge Roy Bean are gone.
If you have read the Court docs you should have noted that there is no accusation that the blogger was trying to sell activation keys.... because the stolen software could not generate them.

Cosmocronos said,
Because you are guilty at the end of a trial if the jury find you guilty.
Ok, we'll find out soon enough, trial starts in 4 days.

Cosmocronos said,
If you have read the Court docs you should have noted that there is no accusation that the blogger was trying to sell activation keys.... because the stolen software could not generate them.
The accusation is he had sold keys in the past on eBay and was attempting to set up a generation mechanism for them again. By the way, the blogger is obviously not the primary subject in the court docs for obvious reasons. Only the ex-employee was charged, not the blogger who's a French citizen and resident in France I believe (although he lied and said Quebec). Charges against him aren't going to be filed in a US district court (unless perhaps he comes to the States for some reason like the Russian ex-employee did).

Edited by Romero, Mar 29 2014, 2:46am :

sure no one here is amazed, but at least this show many "people" for one final time that storing your data in the praised "cloud" means the provider of the service will view, modify, erase and sell your data at will and with no regrets and you have zero rights on it if something bad hapens.

Other companies don't have to follow since they are not practicing this method of spying on their employees. Microsoft got caught, not anyone else, don't put the pressure on anyone than Microsoft.

BTW, this is not commitment, this is marketing. If they need to read again someone's email, they will do it if it is important enough. This statement is worth nothing and how they deal with privacy cannot be taken seriously. It should have never happened in the first place.

To be taken seriously, they need to change the way the emails are stored and encrypted so that no one inside the company can read them. This is extremely easy to do but all they come up, is just a simple PR statement. Pathetic. If it wasn't for the bad press, they would not even have delivered this PR statement.

vacs said,
Other companies don't have to follow since they are not practicing this method of spying on their employees.

Oh, I am sure spying is going on elsewhere. It just has not been well known.

vacs said,
Other companies don't have to follow since they are not practicing this method of spying on their employees. Microsoft got caught, not anyone else, don't put the pressure on anyone than Microsoft.

BTW, this is not commitment, this is marketing. If they need to read again someone's email, they will do it if it is important enough. This statement is worth nothing and how they deal with privacy cannot be taken seriously. It should have never happened in the first place.

To be taken seriously, they need to change the way the emails are stored and encrypted so that no one inside the company can read them. This is extremely easy to do but all they come up, is just a simple PR statement. Pathetic. If it wasn't for the bad press, they would not even have delivered this PR statement.

Google has fired numerous employees for reading the email accounts of the ex spouses, friends, lovers, rivals, and even a couple of child perverts.

So if you think Microsoft opening one email is equivalent to Google letting ALL engineer class employees have full account access to ANY user, you are confused.

Don't take my word for it.. Do a freaking Google search, these stories even turn up in their search results. Be sure to at least go back to 2010 where they fired two child perverts for reading emails and GVoice chat logs of minors.

vacs said,
Other companies don't have to follow since they are not practicing this method of spying on their employees. Microsoft got caught, not anyone else, don't put the pressure on anyone than Microsoft.

BTW, this is not commitment, this is marketing. If they need to read again someone's email, they will do it if it is important enough. This statement is worth nothing and how they deal with privacy cannot be taken seriously. It should have never happened in the first place.

To be taken seriously, they need to change the way the emails are stored and encrypted so that no one inside the company can read them. This is extremely easy to do but all they come up, is just a simple PR statement. Pathetic. If it wasn't for the bad press, they would not even have delivered this PR statement.

Bullsh-t. Other companies have shown that they do this as well. This in fact puts Microsoft ahead of the others.

And if you think that any random employee can open up a customer's mailbox and look through you're nuts. I'm sure this was handled at the executive level - you need an extremely strong justification to get the permissions to view customer data. (you cannot be default)

Mobius Enigma said,

Google has fired numerous employees for reading the email accounts of the ex spouses, friends, lovers, rivals, and even a couple of child perverts.

So if you think Microsoft opening one email is equivalent to Google letting ALL engineer class employees have full account access to ANY user, you are confused.

Don't take my word for it.. Do a freaking Google search, these stories even turn up in their search results. Be sure to at least go back to 2010 where they fired two child perverts for reading emails and GVoice chat logs of minors.

The fact that they were able to view the email once, is proof enough that employees have the abilities to do this, and there is nothing stopping them from doing it.

You fail to see that microsoft is guilty of the same thing you are accusing Google of. At least Google had the balls to take corrective action and come clean by firing the employee. The fact that we haven't heard any such story from microsoft, even though employees have the capability simply means such activities are being carried out by their employees unchecked.

Mobius Enigma said,

Google has fired numerous employees for reading the email accounts of the ex spouses, friends, lovers, rivals, and even a couple of child perverts.

So if you think Microsoft opening one email is equivalent to Google letting ALL engineer class employees have full account access to ANY user, you are confused.

Don't take my word for it.. Do a freaking Google search, these stories even turn up in their search results. Be sure to at least go back to 2010 where they fired two child perverts for reading emails and GVoice chat logs of minors.

For all the times you state that would have happened one would thing you'd have came up with at least a couple of different cases instead of talking about the exact same single one you have mentioned three times already.

recursive said,

The fact that they were able to view the email once, is proof enough that employees have the abilities to do this, and there is nothing stopping them from doing it.

No it's not. You really have no clue at all.

Audien said,
I'm sure this was handled at the executive level - you need an extremely strong justification to get the permissions to view customer data. (you cannot be default)
Is that so? Why don't you go read about it before making assumptions? He was a site reliability engineer and had full unrestricted access to user accounts.

ichi said,
For all the times you state that would have happened one would thing you'd have came up with at least a couple of different cases instead of talking about the exact same single one you have mentioned three times already.
He accessed multiple accounts and isn't that enough? Everyone pointing fingers at MS doesn't seem to have a problem repeating this one and only case ad nauseam, and the two don't even compare in terms of motivation involved.

Romero said,
Is that so? Why don't you go read about it before making assumptions? He was a site reliability engineer and had full unrestricted access to user accounts.

I don't see any reference to the person who made the access in the linked article in the source article or the original article on Neowin so could you provide something substantiate that?

I find it *highly* unlikely that it's be possible for an engineer to access customer data without approval from a manager at least two levels up. I don't know how it's done over in the consumer Outlook.com but in O365 they rarely grant CustomerDataAccess permissions. Much work has gone into tooling to avoid having to elevate basic permissions in the datacenter.

Audien said,
I don't see any reference to the person who made the access in the linked article in the source article or the original article on Neowin so could you provide something substantiate that?
Wait, are we talking about MS or Google here? Because I was talking of the latter (SREs having unrestricted access to user accounts and data), but if you were talking of the former then I got mixed up and apologize. I agree with you, in MS at least it's not possible for any odd employee to go rooting through customer data as it is in Google.

Romero said,
Wait, are we talking about MS or Google here? Because I was talking of the latter (SREs having unrestricted access to user accounts and data), but if you were talking of the former then I got mixed up and apologize. I agree with you, in MS at least it's not possible for any odd employee to go rooting through customer data as it is in Google.

I am talking about Microsoft. :)

recursive said,

The fact that they were able to view the email once, is proof enough that employees have the abilities to do this, and there is nothing stopping them from doing it.

You fail to see that microsoft is guilty of the same thing you are accusing Google of. At least Google had the balls to take corrective action and come clean by firing the employee. The fact that we haven't heard any such story from microsoft, even though employees have the capability simply means such activities are being carried out by their employees unchecked.

No it isn't the same...

I have worked at the MSN data centers directly with MS employees as content contributor.


Here is why it is vastly different...

At Microsoft, an employee has to trigger a machine queue, that is time based, and flags people above them. And this is just for simple things that DO NOT GIVE THEM ACCESS to the content.

When a content request is issued, final authorization has to pass through MS legal and STILL goes through a machine request, that gets flagged and must obtain secondary approval.

There is NO WAY an employee at Microsoft can see inside a user's account.

There are some really good papers/books on data privacy and encryption models, that explain how an organization can retain information with a server based system that logs and seeks approval before releasing or unlocking the information to abstract the data from the IT people that have direct access to the servers. (An IT person at the CIA can't read top secret information, an IT person at the Pentagon can't read top secret information stored on the servers they manage.)

These types of systems are commonly used in the government, banking, and other organization where there is highly confidential and classified information.


Let me give you a specific example of when I was working with MSN. I ran into a migration issue that needed to 'release' (aka delete) five of my personal MS Passport accounts so they could be reassigned to a Microsoft domain.

This process took over 60 days, as all I or any MS employee could do was issue the request to the servers, wait for approval, and then wait for the request time allocation to pass.

It was actually a problematic mess, as we needed to migrate the account sooner, and we tried to get the 'time based' lock lifted through MS Legal, and it was rejected each time.


So NO, Microsoft does not store your information in a way that anyone can just pull it up and read it.


You don't understand security or encryption or handling classified data, so you should not be offering your hypothetical assumptions.


Romero said,

He accessed multiple accounts and isn't that enough? Everyone pointing fingers at MS doesn't seem to have a problem repeating this one and only case ad nauseam, and the two don't even compare in terms of motivation involved.

Enough to be concerned about your privacy on Google? Sure it is, I'm not arguing that.

What I'm saying is that if someone's talking about multiple repeated instances like that one and employees being fired left and right he sure should be able to provide other examples besides that one.

Romero said,
Wonder if other companies will follow suit and make a similar commitment?

I don't think it matters. If leaks are to happen, it'll be via PGP. I'm somewhat surprised they didn't use encrypted email to leak something as important as that, but more so that they used Microsoft's own service to do it. I'd not be surprised it it wasn't also hosted on skydrive too...

Romero said,
Wonder if other companies will follow suit and make a similar commitment?

Microsoft is the only company to have taken this approach and is therefore the only company that needs to make such a commitment. The company should have know the negative backlash it would generate, especially when it is still running its Scroogled campaign.

theyarecomingforyou said,

Microsoft is the only company to have taken this approach and is therefore the only company that needs to make such a commitment. The company should have know the negative backlash it would generate, especially when it is still running its Scroogled campaign.

Just dealing with pure fact, no, you are completely incorrect.

theyarecomingforyou said,
Microsoft is the only company to have taken this approach and is therefore the only company that needs to make such a commitment.

A lot of the discussion/news around what happened with MS also commented other email providers. Really everyone should make the same comment and change their policies to match.

theyarecomingforyou said,

Microsoft is the only company to have taken this approach and is therefore the only company that needs to make such a commitment. The company should have know the negative backlash it would generate, especially when it is still running its Scroogled campaign.

I was thinking the same thing. Microsoft was the one that went sifting through user emails, no one else. It sets a disturbing precedent.

That being said, I'm also not entirely surprised considering MS' invasive scanning of its cloud services. I wouldn't trust them with my data, that's for sure.

theyarecomingforyou said,

Microsoft is the only company to have taken this approach and is therefore the only company that needs to make such a commitment.

To be fair a more accurate statement probably would be they were the only company to take this approach *and* have it disclosed publically in court documents. There is no guarantee other companies have not done the same.

theyarecomingforyou said,
Microsoft is the only company to have taken this approach and is therefore the only company that needs to make such a commitment.
Nope, everyone does. What makes you think all others are oh so innocent or will never go down this path?

simplezz said,
Microsoft was the one that went sifting through user emails, no one else.
Yeah, keep plugging your ears and turning a blind eye to Google's misdeeds. Then again you clearly think spying on and harassing kids is perfectly all right compared to catching thieves.

Edited by Romero, Mar 28 2014, 10:11pm :

anothercookie said,
do yahoo and aol have secrets worth selling? :p

Obviously Yahoo does just look at how many times in the last 12 months they've been hacked