Kudos: Microsoft Changes Policy, Promises Not To Inspect Customers' Content
from the good-move dept
Last week, we wrote about Microsoft's ridiculous decision to search through a reporter's Hotmail email account after realizing that reporter had an unauthorized copy of Windows 8. The whole thing seemed like a huge overreaction by the company -- in trying to track down an almost meaningless leak that was unlikely to have any real impact on anything, the company effectively alerted the world that you had no real privacy in your email. The move was even more ridiculous since Microsoft has more or less bet its email farm on a marketing campaign about how it respects your privacy more than others. Microsoft's first response to this was exceptionally weak. While it announced a "change" in policies, it was still the same basic policy, which effectively (and misleadingly) claimed that the company could and would continue to search anyone's email if it had evidence that the contents might identify a leaker.

Apparently -- and somewhat surprisingly -- it appears that Microsoft and its legal team took the criticism seriously. Microsoft's General Counsel Brad Smith has now put out a new blog post announcing a complete change in policy, promising that the company will not unilaterally look through any Microsoft user's content in search of "stolen" intellectual property:
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

Furthermore, the company will officially change its terms of service to reflect that change in policy. On top of that, it is starting a (somewhat undefined) project with EFF and CDT to work on "best practices" concerning privacy. Smith's apology is quite heartfelt, which is also rare from a big company:
It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week. Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.

Personally, I wish the announcement and policy change went a bit further -- beyond just "intellectual or physical property" -- to make it clear across the board that, absent a reasonable warrant signed by a judge, Microsoft will not allow anyone to access anyone's content. But perhaps we'll get there some day. In the meantime, Microsoft does deserve some kudos for changing positions. Most large companies would try to just let this issue fade away rather than proactively address it.
In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.
While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.
Filed Under: brad smith, email, policies, privacy
Companies: microsoft
Recheck facts
How they did it is one thing, and you can be against that, but claiming that they did not have a VERY good reason for doing so is intellectually dishonest.
Re: Recheck facts
[Not that I endorse MS Actions in this case]
Re: Recheck facts
Taking the law into one's own hands is frowned upon.
I have a very good reason for breaking into that guy's house, because I promised my mom I would find the guy who let his dog shit in the yard. Sounds silly in that context, doesn't it?
Re: Re: Recheck facts
This is a MAJOR flaw in the US legal system, and Google/Apple/Facebook would be forced to do this the same way in similar circumstances. Except they don't have enterprise customers that they have contracts with to secure their code, so they aren't as worried about this issue and are using it to attack microsoft.
There is a techdirt article from years back of Google doing the same thing (to Gchat messages) when one of their engineers was abusing his access to communicate with minors. They had no issue looking through the mis-accessed accounts to confirm that.
Get your reps to change the CFAA and make information you create, stored at a 3rd party, your own property. Otherwise, cloud storage providers will ALWAYS be forced to use only internal policies to decide these matters.
Re: Re: Re: Recheck facts
Now it is you who should recheck the facts. That was Microsoft's story but it was misleading. What they could have done -- and what they now admit they will do in the future -- is simply hand over the basic info they have to law enforcement. Law enforcement absolutely can go seek a warrant for that information if it has credible evidence that the information will reveal criminal behavior.
Re: Re: Re: Re: Recheck facts
We should continue to applaud positive interactions whilst denigrating those actions which lead to these situations.
Re: Re: Re: Re: Recheck facts
But will Microsoft require a warrant if it's an investigation that they instigated?
Re: Re: Re: Re: Re: Recheck facts
The warrant is handed to the company, but it is actually a warrant to AUTHORISE the acquirement of the evidence by the LEOs, not by the company.
Re: Re: Re: Re: Re: Re: Recheck facts
I really don't understand why this group would rather have cops searching through Hotmail than MS. Seems that every other story about the government searching emails has this site up in arms, but when MS does it you run back to the government. So weird.
Re: Re: Re: Re: Re: Re: Re: Recheck facts
The search was not authorised in any way whatsoever; it wasn't even authorised under MS's own WRITTEN policy and therefore is at minimum forfeiture of contract by themselves.
The reason why people want LEOs searching through things for criminal and civil tort purposes is called due process. It is designed to allow transparency and the use of un-biased parties that have no axe to grind.
Or do you, in your practice as a sys engineer, go searching all logs for pertinent passwords and other identifiers of all clients that use your systems because your feelings might be hurt or you somehow assume that something wrongful might have occurred? If so you should be sacked and criminally prosecuted; if not... well, why are you so aghast at people questioning MS doing nearly exactly the same thing?
Re: Re: Re: Re: Recheck facts
I think a lot of the outrage towards this is because people don't understand how big a deal this is to Microsoft's biggest customers, both OEMs and EAs. They had to do something, and they did, they just didn't have a good solution on hand and guessed wrong.
Re: Re: Recheck facts
Show me a legal US method of subpoenaing information YOU legally own, and I will retract my defense of them. But until you can, you are arguing the wrong point.
Re: Re: Re: Recheck facts
That's what criminal investigations are for. That's why victims and witnesses play no part in investigations other than giving statements and facts that are requested. If they give information at their own behest, then that information, if it is to become evidence, has to be verified as correct. The informant (in this regard the victim) has too much of a bias for this not to occur.
A warrant/subpoena is not just to obtain evidence. It is the procedurally correct way of allowing that evidence to be properly obtained by the appropriate parties for ALL sides. Otherwise anarchy reigns, the rules of evidence go out the window and hearsay is fully allowed in criminal matters.
Civil cases on the other hand are different, though the same problems of bias, relevance, authenticity and probity also crop up with discovery. This is why it is always best practice to allow outside third parties that have no other interests to analyse, obtain, and preserve this sort of volatile data.
Microsoft were trying to enact a criminal investigation internally, being judge, jury and executioner. That's wrong both legally and ethically anywhere.
As for their statement of "While our own search was clearly within our legal rights", that is blatantly false in the context of what they were planning to use that evidence from the search for.
Re: Recheck facts
Your statement suggests that you are relying on the trustworthiness of a company that demonstrated that trust may be misplaced.
Security via obscurity is no security, and allows NSA back-doors to be built in.
Re: Re: Re: Recheck facts
Windows sucks and always has done since 95... I didn't find 3.11 too bad, but I didn't move from DOS for a long time because I didn't like the direction things were going. Since then I've been proven right year after year!
Sheeple
Re: Re: Re: Recheck facts
The other side of that coin is that having access to the source also allow you to discover the nefarious "features" that a self-serving corporation might put into their proprietary code.
I know you are about to explain to me how Linux can do it, but I'm an Enterprise Architect and you aren't, and you're wrong.
It is possible though - just ask the folks over at Ernie Ball.
But I am curious why you claim that open source couldn't replace MS in the enterprise. What's missing?
Re: Re: Re: Re: Recheck facts
Manageability: making environment-wide changes (and confirming they were successful) is very difficult in an enterprise Linux environment, and prone to failure. Getting better every day, but not there yet, and the least of the issues.
Supportability: Not that it's necessarily harder, but it is WAY more expensive to pay a Linux systems analyst to do workstation support than it is to pay a tech support monkey with a HS education. Scale that out to 1000+ IT people, and it's a multi-million dollar problem.
Confirmation/Testing: This is a lot more nuanced, and really only affects the ultra-large enterprises, but having a consistent code base among your 100 000+ computers in a large enterprise has economies of scale when testing new rollouts that are impossible to replicate in a package-based environment. It comes down to man-hours required to test changes under an ITIL/COBIT managed environment. Again, efforts are being made (successfully) to nullify this problem, but it still exists.
Re: Re: Re: Re: Re: Recheck facts
I'll defer to your apparent knowledge on the 1st and 3rd points. Those sound like reasonable concerns.
On the second one concerning supportability though, isn't that really just a matter of developing tools and training for Linux that are equivalent to what the first line guys are using now?
Re: Re: Re: Re: Re: Re: Recheck facts
The U of A where I worked has a large OSS infrastructure, that I helped manage, and it's hard to hire good people to support it. They manage it, but it would be impossible to scale it out to the desktop for 800 end user IT people, 10 000 staff and 45 000 students in the computer labs. In contrast, the EA agreement is only low 7 figures for all their MS licensing.
It's changing, and it will likely be a completely different ballgame in 10 years, but it's not really a contest at my level.
Re: Re: Re: Re: Re: Re: Re: Re: Recheck facts
Remember that Linux was, and still is to a degree, not as user-friendly as Windows to the layperson. You can put a person down in front of Windows (even Windows 8) and talk them through how it works, then leave them to it and get the work done. If something goes wrong, you can call for help from most people relatively easily. For Linux, sadly, not so much.
Re: Re: Re: Re: Re: Recheck facts
Wouldn't the cost of extra training, developing, and whatnot be offset by a huge degree by not having to fork over a fortune in licenses every year for proprietary software?
On the scale you are dealing with, even just the switch from MS Office to LibreOffice would be a significant savings.
Re: Re: Re: Re: Re: Re: Recheck facts
It's complicated, but man hours, power, user hardware, user training and consulting make up the bulk of IT budgets. Training 100 000 users on something new costs WAY more than licensing 100 000 Windows workstations at 60 bucks a pop. And don't get me started on migrating from Office.....
Re: Re: Re: Recheck facts
Appealing to your own authority without evidence, why should anyone believe you?
Re: Re: Re: Recheck facts
Which is how all those exploits used to attack Windows systems have been found!
Almost all exploits are found by calling routines with bad parameters, such as overlong strings, out of range indexes, etc. If the program crashes, they can then try the various ways of using the bug. Very few exploits are found by either access to the source code, or reverse engineering the binaries.
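A concrete illustration of the point made in the comment above (bugs being found by feeding routines overlong strings and out-of-range lengths, then deciding afterwards what the crash is good for), as an added example that is not part of the original post or of any commenter's text: a toy length-prefixed parser that trusts its length byte, the same parser with the missing bounds check, and a small mutation fuzzer that finds the overrun in the buggy one and nothing in the hardened one. The record format, the function names and the seed input are all constructed for this example; Python's IndexError stands in for the out-of-bounds read a native parser would suffer.

```python
import random

# Constructed record format: [len][bytes...][len][bytes...], one-byte length
# followed by that many bytes. parse_record is written the way a careless
# native parser often is: it trusts the length byte.
def parse_record(data: bytes) -> list:
    fields = []
    i = 0
    while i < len(data):
        n = data[i]
        i += 1
        # Bug: no check that i + n <= len(data). Explicit indexing (rather than
        # slicing, which would silently truncate) makes the overrun visible as
        # an IndexError, standing in for an out-of-bounds read in native code.
        fields.append(bytes(data[i + k] for k in range(n)))
        i += n
    return fields

# Hardened version: identical logic plus the bounds check the buggy one lacks.
# Malformed input is rejected with ValueError instead of read past the buffer.
def parse_record_safe(data: bytes) -> list:
    fields = []
    i = 0
    while i < len(data):
        n = data[i]
        i += 1
        if i + n > len(data):
            raise ValueError(f"field length {n} at offset {i - 1} overruns input")
        fields.append(data[i:i + n])
        i += n
    return fields

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, append garbage, or truncate."""
    b = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and b:               # overwrite one byte (may become a bogus length)
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 1:                   # overlong input: append 1..8 random bytes
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    elif b:                         # truncated input: drop a random tail
        del b[rng.randrange(len(b)):]
    return bytes(b)

def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> list:
    """Mutation fuzzer. Returns the distinct inputs that made `parser` raise
    IndexError (the crash being hunted). ValueError is a clean rejection and
    is not counted; inputs the parser accepts are kept as further seeds."""
    rng = random.Random(seed)       # fixed seed so a run is reproducible
    corpus = [seed_input]
    crashes = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except IndexError:
            if candidate not in crashes:
                crashes.append(candidate)
        except ValueError:
            pass                    # hardened parser rejecting bad input is correct
        else:
            if len(corpus) < 64:    # well-formed survivors become new seeds
                corpus.append(candidate)
    return crashes

# Constructed seed input: two well-formed fields, "abc" and "de".
SEED_INPUT = b"\x03abc\x02de"

if __name__ == "__main__":
    print("valid parse:", parse_record(SEED_INPUT))
    found = fuzz(parse_record, SEED_INPUT)
    print(f"buggy parser: {len(found)} crashing inputs, e.g. {found[0]!r}")
    print("hardened parser:", len(fuzz(parse_record_safe, SEED_INPUT)), "crashing inputs")
```

Every input the fuzzer flags against the buggy parser is rejected cleanly by the hardened one at the same offset, which is the practical test of a bounds-check fix: the crash class disappears while valid records still parse identically.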
Re: Recheck facts
We can disagree over that. There is little evidence that there was a significant real threat here. Code gets leaked all the time. The full impact of that leak was minimal.
Re: Re: Recheck facts
It's my job to be VERY aware of what's going on here, and even though I personally hate that they did this, professionally I have to stand with them, and that's why they did it.
Re: Re: Re: Recheck facts
I just have to chime in here, since this is at least the second time you've mentioned how much more qualified you are than everyone else here. First, I doubt that's true -- there are a lot of commenters here that have quite a lot of experience in this exact thing.
Regardless, you are engaging in a logical fallacy -- appeal to authority. It means absolutely nothing, and gains you no credibility. You'd be better off actually explaining the facts and reasoning behind your opinion rather than simply saying "I'm an expert, so everything I say must be true."
But will they ask for a warrant?
MS: Officer, a reporter with a Hotmail account has reported on secret stuff. Will you look in his account for us? We promised we wouldn't.
Officer: Shall I get a warrant?
MS: No need. Here are all her email messages. Would you mind telling us what they say?
If you didn't notice, I was being sarcastic.
Nobody should ever trust Microsoft again because if they were willing to do it once, they are more likely to do so again.
Great, maybe your friends at Google will pay heed.
Re:
Not sure what kind of "gotcha" you think you're making here, but I agree that I hope Google does the same. I hope that all tech companies that offer cloud-like services will make this sort of thing standard, and I think it's ridiculous that they did not do so from the beginning.
Re:
This is changing as Google becomes more attracted to Enterprise revenues (very stable), and MS becomes more consumer focused. As their incentives drift towards each other their behavior will become more similar and Mike will hate on them equally (or cash twice the shill checks as you seem to think)
have to agree with blacktron
There's one other problem that no one has touched so far: business or logistical software. Oftentimes these products are platform-specific, usually Windows, and there *is* no alternative to them.
Whether or not your business IT people 'trust' Microsoft or not is no longer a question in that situation. You lock down as much as you can and hope it's enough to keep out *most* prying eyes.
Is this one of those Terms of Service that they can just change anytime they want (such as how they are doing that here and now)?
If yes, then I would not put too much faith into the fact that this will now be included in those ToS, as they can just modify or take it out later (after this blows over and the dust settles).
Any port in a shit storm
As sincere as the statement sounds, it is still Microsloth and I'm certain that the only thing that has changed is the manner in which they lie to the public.
It's more sincere-sounding now.
But it's still a lie.
MS will always do as it pleases first and attempt PR afterwards, but only if it feels the PR skit might have some chance of successfully fooling the public, or if it thinks it's absolutely necessary - like this time, since they're hoping to prevent a mass customer exodus.
Normally it would just weather this shit storm for the period of consumer memory - a couple weeks - and then pretend it never happened, but the off-hand manner in which they violated their own privacy agreement, as if it simply did not exist, really spooked the public.
Drastic measures were necessary.
In this case Pseudo-Sincerity!
Nothing is free..... except ignorance
Any freemail is open data mining, your data available for sale to the highest bidder.
Privacy costs money. (It costs to keep it and lose it)
Re:
The one exception remains gaming, but even that is getting to be a smaller and smaller exception as time goes by.