Microsoft says it has the right to read everyone’s Hotmail or Outlook.com emails (without user permission or knowledge)

362494023_af376a35a8_z

An internal investigation conducted by Microsoft into one of their (ex)employees — Alex Kibkalo, who leaked a Microsoft-internal Activation Server SDK as well as pre-release updates for Windows RT — has raised concerns over the privacy of Hotmail/Outlook.com.

After finding out about what Kibkalo was doing from a source who was close to the French blogger that Kibkalo leaked information to, Microsoft made their own investigation into the matter, which was performed by Microsoft’s own Trustworthy Computer Investigations (TWCI).

The French blogger had used a Hotmail account to communicate with Kibkalo, and during their investigation TWCI went into this Hotmail account (without permission of the French blogger) and found incrimination emails that had been sent to the blogger from Kibkalo.

“During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party,” Microsoft wrote in a statement to Ars Technica.

“In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries,” Microsoft added. “This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.

Microsoft went on to essentially claim that they are allowed to look into anyone’s Hotmail/Outlook.com emails without permission:

As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

Microsoft then issued another statement in which they say that despite the fact that their search was was warranted, they will be making changes to their policy to make them more transparent:

We believe that Outlook and Hotmail e-mail are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own e-mail and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.

Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business. And in these cases, the review will be confined to the subject matter of the investigation.

The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency.

Erm. I’m not sure I am OK with Microsoft helping themselves to my email — without a legal warrant or my permission — whenever they see fit, despite whatever “rigorous reviews” that may take place. Meeting “a standard comparable to that required to obtain a legal order to search other sites” is not good enough for me. How about you? Let us know in the comments below!

[via Ars Technica, image via Amit Chattopadhyay]

Share this post

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

4 comments

  1. sl0j0n

    [@JMJ]
    Hello, “JMJ”.
    You wrote:
    “right to the privacy of his/her “papers and effects”, as guaranteed by, for example, the Constitution of the U.S. Can this possibly be legal???”
    The answer is: Yes, it can.
    The Constitution’s ‘guarantees’ are applicable *only* to the ‘government’.
    *NOT* to anyone else, & some courts have decided cases that way, while others have found that the legal restrictions in the Constitution apply to all entities within the U.S.
    The last amendments in the Bill of Rights states:
    “Amendment IX
    The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
    Amendment X
    The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.”
    Some contend that the Ninth and Tenth Amendments allow for other entities to engage in activities that would not be legal for the ‘government’ to engage in.
    *Any* disputation or controversy regarding such actions would need to be decided by a court of law. [In accord w/ applicable state law, and possibly in federal court.]
    The ‘CONgress’ has consistently failed to protect the rights of Americans, as seen in the NSA telephone meta data debacle, and the ‘break the shrink-wrap & agree to the EULA’ fiasco.

    Have a GREAT day, Neighbor!

  2. JMJ

    Wow! The breadth of rights to read our email that Microsoft reserves to itself is breathtaking.

    I have not read Hotmail and Outlook.com Terms of Use to see whether, in using them, I surrendered ownership of my emails to them. It was my *understanding* that, if I accessed those services via their web interfaces, I agreed that my emails may be machine-read to detect keywords that would be used to target ads, for example. I’m reasonably certain that keywords that suggest criminal activity might trigger further, probably human, review. Can you expound on these issues?

    I can understand if Microsoft reserves the right to read emails sent/received by their employees in the course of their work for Microsoft. I can even understand their reading any emails sent/received using their equipment. But, if I read your article correctly, it says they reserve the right to read ANY email that is entrusted to them for delivery to a third party? Am I reading this right?

    The Microsoft internal legal review process seems rigorous and thorough but it seems to occur only AFTER their breaching a user’s right to the privacy of his/her “papers and effects”, as guaranteed by, for example, the Constitution of the U.S. Can this possibly be legal???

  3. stilofilos

    You are not sure you are OK with it ? Well, I am damn sure I would be NOT OK with it at all. Even if they repeat that infantile blablabla a million times, they will never have the moral right to do so. When studying, people sold me for truth that when we exchange a mail (be it snail mail or e-mail) it remains the exclusive property of sender and receiver, no-one elses. If they feel the need for an (maybe justified) investigation into suspect matters, let them follow the ways set out by laws just as everyone else has to do.
    On the other hand, people are free not to use their channels, aren’t they. They also managed to degrade the once so lovely Skype. I decided to not use any of them after I got similar information many years ago. They deserve millions of people would do the same as this information comes to light. But maybe, that’s exactly what they want : get rid of those freeriders and stop spending money for them…
    Anyway, they will not (have to) change their attitude in an environment with a government setting the example, having its own multi-billion offices to do exactly the same, and with courts endlessly being too busy about similarly looking icons and rounded angles on toys.
    Once more they are vividly living up to their name of Evil Empire…