Microsoft changes policies for snooping on Outlook.com accounts

[techbeck]

Microsoft revealed earlier this week that the company scanned a blogger?s Hotmail account to track down a Windows 8 leaker. An ex-Microsoft employee, who allegedly leaked confidential copies of Windows 8 and anti-piracy software, was subsequently arrested and charged after Microsoft identified the individual from a search of a French blogger?s Hotmail account. Microsoft used a clause in the company?s terms of service for Outlook.com to allow it to scan the account. The move has triggered widespread debate over the practice, and Microsoft tells The Verge that it?s planning to alter its policies in future.

 

While courts don?t issue orders to authorize a company to search its own data, Microsoft?s John Frank, VP and deputy general counsel, admits "even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available." As a result, Microsoft?s policies are being changed so that a legal team, separate from the internal investigations team, will assess any cases to determine whether they would justify a court order. Microsoft says it will also submit the evidence to an outside attorney and only conduct a search if the former judge deems it necessary.

 

Microsoft is also planning to publish a bi-annual transparency report that will detail the number of searches and number of customer accounts affected."The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business," explains Frank. "And in these cases, the review will be confined to the subject matter of the investigation." Microsoft?s full statement is available below:

 

We believe that Outlook and Hotmail email are and should be private.  Today there has been coverage about a particular case.  While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

 

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.  So even when we believe we have probable cause, it?s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available.  In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

• To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge.  We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
  
• Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information.  We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
  
• Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders.  We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.
  

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business.   And in these cases, the review will be confined to the subject matter of the investigation.

 

The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency.

 

John Frank, Vice President & Deputy General Counsel

 

http://www.theverge.com/2014/3/20/5531428/microsoft-changes-outlook-com-email-policies

[Hurmoth]

Do you think Microsoft will add themselves to the Scroogled campaign: "Google [& Microsoft] violates your privacy by reading every single word of every single email sent to and from [your] accounts..." http://www.scroogled.com/email :laugh: 

[techbeck]

Who knows.  But it didnt take long for MS to release a statement.  Damage control apparenlty since it was a hot topic.  Appears to be a postive result tho.

[FloatingFatMan]

Who knows.  But it didnt take long for MS to release a statement.  Damage control apparenlty since it was a hot topic.  Appears to be a postive result tho.

 

Damage control indeed, after getting caught with their hands in the cookie jar.

[Torolol]

Disclaimer: You are Thief!! Unless you allow US (Microsoft) to search you up, to able declare you as non-thief user.

[Max Norris]

Do you think Microsoft will add themselves to the Scroogled campaign: "Google [& Microsoft] violates your privacy by reading every single word of every single email sent to and from [your] accounts..." http://www.scroogled.com/email :laugh:

Kind of a big difference between scanning all mail for ad targeting versus looking at a single account while investigating a crime. 

[FloatingFatMan]

Kind of a big difference between scanning all mail for ad targeting versus looking at a single account while investigating a crime. 

 

Something which, as far as I was aware, required a search warrant and police involvement...

[techbeck]

Kind of a big difference between scanning all mail for ad targeting versus looking at a single account while investigating a crime. 

 

Similar scans are made by all parties to search for malware or spam.  Google makes their money from ads and people seem to forget that and get upset that they are getting more ads.  Dont want to support a company who makes their money from ads, then users need to switch to something different.

[Max Norris]

Something which, as far as I was aware, required a search warrant and police involvement...

They're not the police and they're searching their computers for their stolen property.  If it were police or another government agency doing the search, then yes, they'd need a warrant.. searching their own hardware for their stolen property, not so much. Since people are bringing Google into this, even they say users should have no expectation of a right to privacy.

 

 

Similar scans are made by all parties to search for malware or spam.  Google makes their money from ads and people seem to forget that and get upset that they are getting more ads.  Dont want to support a company who makes their money from ads, then users need to switch to something different.

I'm not dissing GMail, I don't even use it (or Outlook) aside from random forum registrations, got my own ISP's mail server for my real stuff, just commenting on trying to compare Scroogled versus looking at a single account for stolen property.  Apples and oranges just to make a silly jab at big bad Microsoft.

[FloatingFatMan]

They're not the police and they're searching their computers for their stolen property.  If it were police or another government agency doing the search, then yes, they'd need a warrant.. searching their own hardware for their stolen property, not so much. Since people are bringing Google into this, even they say users should have no expectation of a right to privacy.

 

 

MS own the hardware, not the user account. They should have no legal right to access that account without a search warrant, and in the EU at least, certainly wouldn't be allowed to do this.

[techbeck]

 

 

 

I'm not dissing GMail, I don't even use it (or Outlook) aside from random forum registrations,

 

I know.  Just making a comment to yours  :)

[exotoxic]

 

While courts don?t issue orders to authorize a company to search its own data,

 

 

So Microsoft are saying if the data is hosted on their servers then it belongs to them??

[zhangm Supervisor]

So Microsoft are saying if the data is hosted on their servers then it belongs to them??

In this particular case, Microsoft was notified that stolen materials were being shared from the e-mail account in question, and were given access to the stolen materials and (presumably) given permission to read the conversation exchange between the blogger who owned the e-mail account, and the person who ratted out the blogger to Microsoft. This constitutes some pretty damning evidence.

Microsoft is also obligated to investigate when it receives strong evidence that their services are being used to commit a crime. Given these circumstances, I think that they had a strong case for accessing the e-mails. I think many people are getting hooked on the fact that in this case, Microsoft was being self-serving, but they're obligated to pursue any criminal activity as long as they receive evidence that their services are being used to facilitate it.

[techbeck]

So Microsoft are saying if the data is hosted on their servers then it belongs to them??

 

Pretty much.  And they used a loophole in the EULA that pretty much every users is oblivious about to look at the users emails.  Lots of people are not happy with MS right now and is why MS was quick to release new changes their policy and put stricter measures on how/when a users info is viewed.  Tho, along with most companies, this is just an upfront show and the will continue to do what they want regardless I am sure.  Why I keep saying that the user him/herself needs to take their own steps to protect their data and not just trust MS, Apple, Google, or anyone else to do it all themselves.

 

I also have a feeling the Scroogled campaign against Google accusing them of reading emails/stealing email data will be dead soon.

 

Although the move could be perceived as a breach of trust, Microsoft says it's allowed to make such unilateral decisions. It pointed to its terms of service: When you use Microsoft communication products -- Outlook, Hotmail, Windows Live -- you agree to "this type of review ... in the most exceptional circumstances," Frank wrote.

http://money.cnn.com/2014/03/21/technology/security/microsoft-email/index.html?hpt=hp_t2

 

So basically if MS itself suspects any wrong doing, they have the ability to go in and look at what you are doing.  Dont need a warrant or anything like that.

[exotoxic]

Microsoft is also obligated to investigate when it receives strong evidence that their services are being used to commit a crime.

 

...

 

they're obligated to pursue any criminal activity as long as they receive evidence that their services are being used to facilitate it.

 

I am not so sure, i think it should be up to the police to investigate. Microsoft get the tip off then pass it on to the police who get a search warrant to access the data. That way you don't end up with any privacy related issues, if you REALLY cared about your users privacy why would you want to jeopardize it??Microsoft are just too big to really care??