To Catch A Meaningless Leaker, Microsoft Made It Clear It Has No Concern For Your Privacy
from the cost-benefit dept
Yesterday, we wrote about the bizarre decision by Microsoft to search through a reporter's Microsoft Hotmail email account, in an attempt to catch the Microsoft employee who had leaked that reporter a copy of Windows 8. While most of the initial stories about this had focused on the arrest of the employee, Alex Kibkalo, and had pushed the email snooping issue to the bottom of the story, it appears that the email snooping is quickly becoming the story. After all, the leak itself was basically meaningless. Some early screenshots of Windows 8 were never a big deal, and Microsoft has struggled to get adoption of Windows 8 not because of any leak, but because a variety of other issues. So capturing the leaker does little of benefit for Microsoft.However, at the same time, revealing that the company has no problem snooping through users' email accounts if it feels it is beneficial to Microsoft is hugely damaging to the company. People need to trust their email providers. A well-known venture capitalist I know has spoken repeatedly about how so many people use Gmail, even when doing things like negotiating deals with Google (or competitors!) because they actually trust Google not to abuse their privacy and snoop on those emails. In part, they do this because they know if Google was exposed for snooping on emails that way there would be a mass exodus from Gmail to alternative providers. Yet, Microsoft doesn't seem to have considered just how astoundingly damaging it is to violate its own users privacy -- whether permitted by Microsoft's terms of service or not.
On a basic cost-benefit analysis it's difficult to see how anyone at Microsoft thought this was a wise move. Absolutely wipe out any possible trust and privacy for all email users to track down one meaningless leaker? Instead, what this shows is how "piracy obsession" blinds companies. They seem to forget all about cost-benefit analysis and assume that "something must be done" at all costs, even if it basically destroys an entire business line for the company.
Microsoft is now desperately trying to minimize the damage as it's realizing just how it's wiped out all of its bogus talk about protecting your privacy. They've announced new policies concerning how and when they'll violate your privacy, but this seems quite clearly to be a case of too little, too late.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyright, cost benefit, email, leaks, overreaction, privacy, trust
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
As for the privacy thing... I wonder if anyone read what actually happened?
It's also something that's allowed in the ToS, and I'm sure it's in the Google ToS as well. This was an investigation that led to someone being arrested, so it's not like someone was bored one day and decided to look at a random user's email account.
Also, it assumes Google has never done the same thing. Which no one knows. The only reason we know about this instance was because of a prosecutor's filing, so clearly there was a legal ground for seeking the information... not some random searching.
[ link to this | view in chronology ]
Re: Re:
You're so transparent.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Of course! As long as it's in the TOS, nobody has any right be be upset about Microsoft scroogling you, which last time I checked was exactly what they accuse others of doing.
I wish there was some way to actually verify that. Unfortunately, it's obviously quite impossible to check. Maybe some sort of "engine" that would let you "search" for things?
Yes, we should be very Fearful of this. I mean there has never been anyone looking, so we should all express Uncertainty that there were no disgruntled employees, and we need to Doubt anything that hasn't been proven.
[ link to this | view in chronology ]
Re: Re:
I did, and I'll bet most of the people here did as well.
"This was an investigation that led to someone being arrested, so it's not like someone was bored one day and decided to look at a random user's email account."
You say that as if it makes everything OK, then. It doesn't. Nor does it make everything OK because it was allowed in the ToS.
"Also, it assumes Google has never done the same thing"
Huh? Outside of the one guy quoted in the article, who is assuming this?
This all underscores why it is really important to avoid using these services. You're giving up too much control over really sensitive information about you. It doesn't matter if it's Microsoft, Yahoo, Google, whoever.
[ link to this | view in chronology ]
Re:
Basically, after counting the number of people it sees in the room, it checks to see if you paid for the number of license of the current viewing program. If viewers > # of licenses, off goes the program.
no joke
Neat huh! /s
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
How do you make your server and network connection as reliable as gmail's without spending any extra money on them?
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
You're making a convenience argument, which is fair. Gmail is as convenient as it gets. But you pay a price for that convenience in the form of lack of control and privacy. That may be a price you're OK with, which is also fair.
But if you're concerned about these issues, running your own server isn't a very onerous thing to do.
[ link to this | view in chronology ]
Re: Re: Re:
I have run my own mail server for more than 15 years. I have had very few outages, only one that lasted 2+ days (due to a tornado taking down power lines and internet to my home).
Reliability isn't normally a problem these days. If you have a decent provider, good power... shouldn't really be an issue.
As far as time, knowledge and money. You can setup an email server in less than 5 minutes using a ready built VM (Virtual Machine); you don't really need to know all that much about it; You will need to spend $5-10/ year to purchase a domain name.
So the only real reason not to host your own servers, assuming you have an always on internet connection is laziness. It isn't complicated and only requires a bare minimum of knowledge time and expense. I run mine on an ultra low power server, so it is noiseless and uses very little power.
However, the real question is what good does that really do you? Chances are very high that your email is passing through some major internet backbones and / or is stored on major provider systems as well. So it can still be monitored and scoured by providers.
The answer is it is a little bit harder to 'get it all'.
The other thing that you can do, which I do for anything of substance is encrypt the communication with GPG. Done properly, it then doesn't really matter where your email is stored. But then again there is that personal responsibility thing.
[ link to this | view in chronology ]
The admin always has access
Only their good behavior keeps them from accessing it.
If you don't want them to have it, then you have to encrypt it before it gets to them.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
I don't need that to point out a person that has never read a ToS. I just need to point to a random person and odds are pretty good I'll be right. Terms of Service are full of legalese that takes immense amounts of time to read, and it's difficult to pull anything relevant out of them, and easy to miss things even if you do read them. Given they tend to be fairly boiler plate about "we are not liable for etc., we may yada yada" it's no surprise many people haven't read them in depth and thought about the full implications.
[ link to this | view in chronology ]
Re:
Just because a ToS states it can do something or that the company has all these rights to do whatever it thinks it can does not mean it has!
Look go read up on BASIC contract law and look at all the standard elements of ANY contract and then you might have an inkling of understanding about this.
Actually anyone anywhere who ever deals with any sorts of contracts daily (that means EVERYONE ON THE PLANET basically) ggo do a basic FREE course on contract law.. it will help you so much and also allow you to understand what companies can and cannot do.
[ link to this | view in chronology ]
Scroogled?
[ link to this | view in chronology ]
Re: Scroogled?
[ link to this | view in chronology ]
Just Plain Screwed
[ link to this | view in chronology ]
Re: Scroogled?
[ link to this | view in chronology ]
Re: Scroogled?
[ link to this | view in chronology ]
It wasn't just an issue of "a couple of screenshots", the leaker had stolen Windows 8 source code and was trying to help someone set up a fraudulent activation server to use it. That's a pretty fucking huge deal and it's simply wrong to present it as "just a couple screenshots".
In addition, Microsoft has ALWAYS had a clause stating that they will examine your accounts if necessary to protect their intellectual property - which "activation server code" certainly qualifies as. Not only that, but due to the public backlash over this perceived injustice, Microsoft has stated they're now going to make the whole process much more streamlined.
So, seriously - there's plenty of real things to be pissed about, can we not embellish nonissues like this quite so much?
[ link to this | view in chronology ]
Re:
In the previous discussion, somebody said their TOS allowed them access "To protect the rights or property of Microsoft or our customers".
Almost everyone is an MS customer, and "rights or property" is incredibly vague. If you use Windows and think your neighbor is bringing down the value of your house, MS would be allowed to provide their private data to you. When wouldn't this allow access?
[ link to this | view in chronology ]
Re:
So OMG possibly setting up an activation server would impact Microsoft revenue by interrupting the positively enormous flow generated by the stampede to Windows 8 when...oh...wait...
NOBODY, not even M$ fanboys, gives a hot shit about Windows 8. Everyone with the slightest sense knows it's garbage. Which is why it's dying in the marketplace. It's worthless tripe that isn't even worth stealing, which is why this leak truly is meaningless and M$'s best move would have been to just blow it off and forget about it. (They should have been flattered that someone would actually go through this much trouble to try that vomitous mass of code.)
[ link to this | view in chronology ]
Re: Re:
Some things on it are a nightmare to find if you don't know exactly where to look. There are definitely criticisms to be made of Windows 8 in the Desktop space, but those are (slowly) being resolved with each iteration.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
Just because you aren't concerned about it doesn't mean it's a nonissue. The primary issue is that people trust these companies far too much, and they are trusting that when the companies store their information, the companies aren't actually looking at it. This applies to webmail, anything cloud-based, facebook, etc.
Microsoft has done a big favor by underlying the fact that people need to stop trusting companies with their sensitive information.
[ link to this | view in chronology ]
Telling Example of Microsoft Culture
Microsoft wouldn't have trawled through a user's email if they weren't as big as they are -- that's fact #1. And this proves that they actively throw their weight around even when the ethical standard, regardless of their privacy policy, begs otherwise. They are too big, they should have been broken up, the government dropped the ball on the anti-trust case. The consent decree DID NOTHING to alter behavior, it just forced behaviors into different manifestations, but the big, bad bully culture permeates every team in Redmond... it's toxic and now it affects the hundreds of millions of users who innately trust them.
[ link to this | view in chronology ]
They're not the only ones
This is why outsourcing your email -- in any way, shape or form -- is suicidal. Running your own email server is EASY if you have even a minimally-competent IT staff. The entire software stack is open-source, there are multiple flavors to choose from, and defenses against threats like spam are extremely well-understood and simple to implement. Programs like Mailman make handling mailing lists of any size tractable, and programs like procmail and fetchmail help with plumbing into/out of such systems.
Anybody who has their email hosted at Microsoft or Yahoo or Gmail or any of others needs to yank it back TODAY, because you can bet that all of them can do, will do, and have done the exact same thing when it suited their purposes.
(Oh, you encrypt it? That's very nice. But you probably don't encrypt it very well, you probably facilitate plaintext attacks because of your poor discipline, and besides all that, traffic analysis will yield some highly useful metadata about you.)
Get your email the F*** out of the cloud. It should never have been there.
[ link to this | view in chronology ]
Why couldn't they get a court order?
If the evidence was "strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites", Microsoft could have presented their evidence to the police (or FBI in this case) and have them open an investigation and request the court order.
Spying on customers is easier than getting the law involved. I have 2 old hotmail accounts, one is still periodically used for contract work. I should have retired both accounts long ago - Microsoft has finally convinced me to do it now instead of eventually.
[ link to this | view in chronology ]
Re: Why couldn't they get a court order?
"Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises"
So there. MS didn't get a court order because court orders don't even exist for such searches (apparently anywhere in the world). And anyway, it's silly for people holding the keys to have to ask a court for permission to use them.
It's the same kind of attitude that prompted many states to pass "tenants' rights" laws many decades ago to rein-in abusive landlords.
[ link to this | view in chronology ]
Re: Why couldn't they get a court order?
[ link to this | view in chronology ]
Re: Re: Why couldn't they get a court order?
Is it? Maybe it's more like you have stuff in a safety deposit box at the bank. Since the bank "owns" the safety deposit box, then I suppose they can just go in and search it anytime without a warrant? And that a judge would not issue a warrant for said search because they "are searching themselves"?
I don't think so...
The email wasn't Microsoft's to search. They weren't "searching themselves". They looked into someone else's emails. It wasn't even an employee on a "corporate" email account.
This incident re-proves what's already been proven over and over again - you can't trust these companies with sensitive data. No matter how they try to spin things.
[ link to this | view in chronology ]
Re: Re: Why couldn't they get a court order?
[ link to this | view in chronology ]
Commenting on the article, why have a subject header?
[ link to this | view in chronology ]
Re: Commenting on the article, why have a subject header?
[ link to this | view in chronology ]
"Searching yourself"
Is that actually true? It seems like similar things would have come up long ago, e.g. in trust law. There are lots of circumstances where property is held for another person, and I assume there are legal restrictions on the trustee (which a court order could override).
[ link to this | view in chronology ]
Re: "Searching yourself"
[ link to this | view in chronology ]
Re: Re: "Searching yourself"
[ link to this | view in chronology ]
Re: "Searching yourself"
Reasoning being that if a company suspects that this has occurred they then go through the civil or criminal processes to allow discovery to take place. If criminal the LEO's will obtain a warrant for the purpose of preservation and investigation since the company is classified as a victim in that instance and will be out of the loop of ANY investigation. In a civil capacity the court will grant a preservation order so that NO ONE can touch it until the court after all due process's occur for BOTH sides of the matter agree that it is part of discovery..
Microsoft in this instance wanted to play prosecution, judge, jury and executioner mainly because they are egotistic enough to think (like most corporations of their size) that they have enough power, status and political pull not to worry about anything like law, ethics, or what the public might think.
AS I stated in the last article about this, the problem now for microsoft is that the 'evidence' they obtained is now highly unreliable since they themselves (a highly biased party with an axe to grind) obtained it by dubious means. The evidence might be a 'smoking gun' might be the truth but now reasonable doubt absolutely comes into play of.. well if they went and got it like that what guarantee is their that they haven't changed it.. See its forensically tainted now.
Not to mention the fact that MS have now royally screwed themselves on a PR basis most likely forever!
[ link to this | view in chronology ]
G Thompson
[ link to this | view in chronology ]
Re: G Thompson
And in the above context it is tainted. There is with MS doing it's own investigation an absolute problem with reliability of that acquisition of information. The forensic methodology that they would show to the court is absolutely tainted and creates a huge barrier for it to be accepted by any trier of facts.
[ link to this | view in chronology ]
Re: Re: G Thompson
[ link to this | view in chronology ]
That's a very diplomatic way of putting it. Kudos, Mike.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Search warrant
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Drunk too much Google lately ?
Could you please cut down on the Google drooling ? This is not reporting stuff, this is plain and simple advertisment on how great Google is; not backed with any fact.
[ link to this | view in chronology ]