Well, that was quick. Yesterday Google announced its new email security/encryption transparency report, which revealed that Comcast and Verizon were primary offenders, in not using TLS to encrypt emails, making them much more vulnerable to surveillance. And, in less than 24 hours, Comcast quickly said that it is rushing to roll out TLS, with a company spokesperson saying it will be out there "within a matter of weeks" and that the company is being "very aggressive about this." That's good to see. Once again, greater transparency leads to greater protection.
Back in December of 2012, we wrote about (and agreed with) Julian Sanchez's suggestion that Google should do end-to-end encryption of emails, even if it (only slightly) mucked with its advertising business model. The impact on overall security would be great (and this was before the Snowden revelations had even come out). As Sanchez pointed out, not only would this (finally) drive more widespread adoption for email encryption, it would create enormous goodwill among privacy advocates. About six weeks ago, we mentioned this again, when it was rumored that Google was trying to make encrypted email easier, though it was said that it wouldn't go "site-wide" on end-to-end encryption.
A new blog post on the Google blog* has now detailed at least some of Google's plans, including offering a new End-to-End Chrome extension that will make it much easier for anyone to send and receive encrypted email messages. This is a big step forward, and hopefully shows how serious Google is about actually encrypting messages, rather than leaving them open for snooping.
This announcement came along with adding a new section to Google's famed transparency report, entirely focused on email encryption in transit, which will hopefully increase the use of Transport Layer Security (TLS) from other email providers out there. In the initial report, Google notes that 65% of outbound messages on Gmail to other providers use TLS, while 50% of inbound messages use TLS (over the last 30 days). And, more importantly, it highlights who supports TLS... and who doesn't (Comcast seems to be a shameful leader on that front). With some transparency, hopefully it will lead more email providers to adopting TLS.
* For the sake of full disclosure, the author of the blog post on Google's site is an old friend of mine, whom I've known for nearly 20 years (I feel old), since long before he worked at Google. I had no idea he was working on this and actually haven't spoken to him in probably a year or two (because life happens). I didn't find out about it from him, but from people talking about it on Twitter.
Last month, after Lavabit lost its appeal, we noted that the court avoided the major constitutional issues, focusing on how the company and its founder Ladar Levison mucked up procedural stuff early on, effectively barring him from raising the more serious constitutional issues on appeal. We pointed out that this was unfortunate on many levels, but also noted that this shows how important it is to get a good lawyer early on, rather than trying to handle things yourself. Levison has now written a more thorough explanation over at the Guardian, in which he seeks to explain why gag orders and other issues made it almost impossible for him to get good legal help, leading to the procedural issues later on:
In the first two weeks, I was served legal papers a total of seven times and was in contact with the FBI every other day. (This was the period a prosecutor would later characterize as my "period of silence".) It took a week for me to identify an attorney who could adequately represent me, given the complex technological and legal issues involved – and we were in contact for less than a day when agents served me with a summons ordering me to appear in a Virginia courtroom, over 1,000 miles from my home. Two days later, I was served the first subpoena for the encryption keys.
With such short notice, my first attorney was unable to appear alongside me in court. Because the whole case was under seal, I couldn't even admit to anyone who wasn't an attorney that I needed a lawyer, let alone why. In the days before my appearance, I would spend hours repeating the facts of the case to a dozen attorneys, as I sought someone else that was qualified to represent me. I also discovered that as a third party in a federal criminal indictment, I had no right to counsel. After all, only my property was in jeopardy – not my liberty. Finally, I was forced to choose between appearing alone or facing a bench warrant for my arrest.
In Virginia, the government replaced its encryption key subpoena with a search warrant and a new court date. I retained a small, local law firm before I went back to my home state, which was then forced to assemble a legal strategy and file briefs in just a few short days. The court barred them from consulting outside experts about either the statutes or the technology involved in the case. The court didn't even deliver transcripts of my first appearance to my own lawyers for two months, and forced them to proceed without access to the information they needed.
Then, a federal judge entered an order of contempt against me – without even so much as a hearing.
This is, without a doubt, problematic, and shows the kind of massive imbalance that is set up in these situations. The government has the power to force companies to do what it wants, and companies have little ability to push back, especially when they're left scrambling under gag orders and with limited information.
That said, Levison still should shoulder some of the blame. Yes, he had to scramble to find lawyers, but if you're setting up a "private" and "secure" email service, in which you're making certain promises to users that you must know the government won't like, you need to have ready and competent legal help on call from the beginning. In the last year or so, there has been an explosion of new startups and services promising more private and secure messaging. I hope that all of them are reading what happened here and that they all have competent legal representation who understands the underlying issues ready to go now, rather than waiting until the DOJ knocks on their doors. There will still be some issues, depending on the specifics of the request and jurisdiction, but from what Levison is saying, he was starting from scratch at a point when he should have been much more prepared.
Again: if you are offering private or secure services, you need to have a competent and knowledgeable lawyer on call who can pick up your case immediately.
In the end, while the ruling against Lavabit was disappointing, perhaps it's a blessing in disguise. Hopefully, the next time this issue comes up, it comes up with a company that's much more legally prepared to deal with it, and can present a much stronger case.
As we covered recently, a couple of magistrate judges (Judge John Facciola and Judge David Waxse) have started pushing back against the government's broad warrant requests for electronic data. Facciola has now twice sent the government back to rewrite its warrant requests, once in relation to a seized iPhone and another dealing with a person's Gmail account. In the latter, Facciola stated the following:
[T]he government continues to submit overly broad warrants and makes no effort to balance the law enforcement interests against the obvious expectation of privacy e-mail account holders have in their communications.
The government apparently decided that rather than narrow its request, it would just ask another judge. It took this warrant request all the way across the nation to another magistrate judge in California, hoping to get the rubber stamp it couldn't coax out of the Washington, DC court. Judge Paul Grewal of California's Northern District has just joined Facciola in rejecting the request as being overly broad. He attacks the government's "seize first, search later" approach as inappropriate for the securing of data stored by third parties, which face none of the limitations inherent to searching a computer on site.
The court is nevertheless unpersuaded that the particular seize first, search second proposed here is reasonable in the Fourth Amendment sense of the word. On past occasions, the government at least submitted a date restriction. Here, there is no date restriction of any kind. The activity described in the application began in 2010; Gmail has been broadly available since 2007 and in beta release "since 2004." Nor has the government made any kind of commitment to return or destroy evidence that is not relevant to its investigation. This unrestricted right to retain and use every bit Google coughs up undermines the entire effort the application otherwise makes to limit the obvious impact under the plain view doctrine of providing such unfettered government access.
Even though the warrant and all other court documents are sealed, based on what Grewal states here, it's reasonable to assume the government is seeking every email in this account, dating back to the account's creation. This sort of broad seizure meets no reasonable person's definition of "relevant," especially considering the lack of timeframe limitation.
Grewal goes on from there to criticize the government for its attempt to find someone to rubber stamp its haystack-building efforts.
A final point. This is not the first time that the substance of this application has been before a magistrate judge. On March 26, 2014, United States Magistrate Judge John Facciola denied a previous application for a similar warrant in the United States District Court for the District of Columbia.
The judge grants the government points for not attempting to hide its intentions, but doesn't let it off the hook for its unwillingness to narrow its warrant request.
But there is a long-recognized presumption against duplicating court efforts, what some charitably call "judge shopping."
He points out that the government had other options, including modifying its request or seeking a writ of mandamus. Instead, he states, the government made the shadiest and shabbiest choice: taking its business elsewhere. But it didn't work, and the government's warrant request has again been denied. Judge Grewal doesn't even give the government the option of rewriting and resubmitting, meaning it's probably going to have to take another run at this warrant in front of Judge Facciola. Or maybe it will just go on a tour of courthouses until it finds the rubber stamp it wants -- one that doesn't care about the messy paper trail of failure it's leaving behind it.
Adopting a tactic that has been used by officials ranging from Sarah Palin to staffers of New Jersey Gov. Chris Christie, aides to New York Gov. Andrew Cuomo are sending emails from private accounts to conduct official business.
I know because I got one myself. And three other people who interact with the governor's office on policy or media matters told me they have too. None of the others wanted to be named.
The tactic appears to be another item in the toolbox of an administration that, despite Cuomo's early vows of unprecedented transparency, has become known for an obsession with secrecy. Emailing from private accounts can help officials hide communications and discussions that are supposed to be available to the public.
"Government business should never be conducted through private email accounts. Not only does it make it difficult to retrieve what is a government record, but it just invites the suspicion that a government employee is attempting to evade accountability by supervisors and the public," said Christopher Dunn of the New York Civil Liberties Union, a frequent requester of records under the state's Freedom of Information Law.
Emailing from private accounts also may violate state policy. State employees are not to "use a personal email account to conduct State business unless explicitly authorized," according to a policy bearing the governor's name published by the Office of Information Technology Services.
The Cuomo administration declined to comment on whether any employees are authorized to use private accounts.
Back when he was running for governor, Cuomo pledged, "We must use technology to bring more sunlight to the operation of government."
The governor himself uses a Blackberry messaging system that does not save messages to communicate with aides, the Daily News reported in 2012. Under the Freedom of Information Law, those records would typically not have to be released because there is an exemption for internal deliberative material.
But emails with anyone outside of the administration – such as lobbyists, company executives, or reporters – usually have to be made public upon request. It is for those communications, with people outside the administration, that private email accounts have been used.
Last year, I was poking around on a possible story and filed some public records requests that sought emails from Director of State Operations Howard Glaser, a top Cuomo adviser. One day in October, just hours after filing a request with the governor's office, an email appeared in my inbox from Glaser himself.
The email, inquiring what I was working on, was sent from a @glasergroup.net address rather than a government account. The note had a signature line about not using the email address for official business (even though it appeared to be doing just that). My interest was piqued.
So I filed a request under the state's Freedom of Information Law, asking for all records sent to and from Glaser's private account. It is not supposed to matter if an email is sent from an official account or a private one: If it pertains to government business, it typically has to be released.
A couple of months later, the Cuomo administration responded with a terse denial: "Please be advised that the New York State Executive Chamber has conducted a diligent search, but does not possess records responsive to your request."
I appealed, noting that I had in my possession a record responsive to the request – Glaser's email to me – and included it as an attachment.
The administration upheld its original denial, now citing a retention issue.
"[T]he fact that this record is in your possession does not mean that the Chamber failed to produce a responsive record in its possession. Emails and certain other correspondence are not required to be preserved indefinitely," the March letter said.
When I asked about the email this month, Cuomo spokesman Rich Azzopardi took a different tack, now disputing that Glaser was emailing me in his official capacity at all and calling the email "informal." "It would be inaccurate to characterize Howard's email as official business – as he noted, your official business was being handled by the FOIL office, not him," Azzopardi said.
But I have no personal relationship with Glaser, and my Freedom of Information Law requests focused only on his activities as a state official. When I recently asked Glaser about his email practices, he said, "I don't use personal email to conduct official business." He would not say how he defines "official business."
In its letter denying my request for emails from Glaser's private account, the administration cited the general retention policy of the State Archives. That policy says that "many email communications are not records and are therefore suitable for immediate destruction" but also that those emails which are records must be preserved.
So how does one determine which emails are "records"?
The governor's office seems to take a particularly narrow view. The governor's policy says that emails are only "records" if they are formal documents like press releases and nominations. Azzopardi, the Cuomo spokesman, said: "Official email is not required to be retained unless it meets the definition of a particular kind of record (eg – contract), consistent with the State Archives policy."
But the Archives, which Cuomo's office itself cited, takes a more expansive view, even as state law gives the governor leeway to determine which records should be kept.
Quoting the official definition of records, Archives spokeswoman Antonia Valentine said an email is a record if it is created "in connection with the transaction of public business (and provides) … evidence of the organization, functions, policies, decisions, procedures, operations, or other activities (of an agency)."
In practice, Glaser seems to be either eschewing his official email account or promptly deleting messages of substance. When I asked for a 10-day sample of emails from Glaser's official account, I got back little actual communication: 147 pages that are largely filled with newsletters, press releases, and the occasional terse email to set up a phone call.
The use of private accounts can result in even more roadblocks when an official leaves the government. (Glaser is reportedly leaving the administration in June.)
The issue has come up before.
In 2007, executives from the insurance giant AIG filed a public records request with the Office of the Attorney General, seeking, among other things, former Attorney General Eliot Spitzer's communications with the press from the period when he had sued the insurance giant. That request was resisted for years by Spitzer's successor as attorney general: Andrew Cuomo.
While Cuomo's office eventually released emails sent from official accounts, it maintained that Spitzer's use of a private account put any of those emails beyond its reach.
"[T]he reality is that the Office of the Attorney General lacks access to this account and possession of whatever e-mails it may contain, thus rendering them beyond the scope of petitioner's FOIL request both practically and legally," Cuomo's office said in a 2009 court filing.
A judge ruled against the attorney general's office, which has appealed. Seven years since the original request, the case is still in the courts and Spitzer's private email account – which he was known to use in his capacity as a state official – has never been searched for records.
Lawyers for Spitzer joined the case this year, arguing in a March filing that because Spitzer is now a former employee and a private citizen, the Freedom of Information Law doesn't apply.
Beyond the governor's office, the state is reportedly moving toward an email system that would automatically delete emails after 90 days except for those marked by users to save.
It's not clear how that process would work or how the state will ensure that records are not destroyed. The Office of Information and Technology Services declined to provide the memo describing the new policy, requiring that I file a formal public records request to get it.
Transparency advocates have criticized 90 days as too short a period because emails may only become relevant months later after a scandal or other event.
A document on the IT office's website references the possibility in a state email system for "recovery of deleted mailbox contents for the length of the retention period" – another capability that would not exist for officials using private accounts.
Across the river in New Jersey, private email accounts are at the center of the Bridgegate scandal.
The infamous "Time for some traffic problems in Fort Lee" email was sent from a Christie aide's Yahoo account to another official's Gmail account. That tactic held off public access to the email for a time.
In December, the Christie administration claimed it did not have records in response to a request from the Record of Bergen, N.J. The emails became public later, only after the officials were subpoenaed by the state Assembly.
If you have gotten emails from the private account of an official in the governor's office or other state or city agencies, email me at justin@propublica.org.
Reposted from ProPublica via its Creative Commons (BY-NC-ND) license.
About six months before Ed Snowden leaked his documents, we had written a post about why Google should encrypt our email, based on a bit of back-and-forth between Julian Sanchez, arguing why Google should encrypt all email, and Ed Felten, who noted it's not as easy as it sounds (though Julian highlighted how none of the problems Felten raises are insurmountable). There are, of course, already ways that you can add PGP encryption to Gmail, with tools like Mailvelope, but it can be a little kludgy, and not exactly foolproof. Still, many have insisted that Google would never go this route, since it would limit the company's ability to target ads based on the contents of email.
However, VentureBeat is reporting that, partly inspired by all of the Snowden revelations, researchers at Google are looking at ways to make encryption much easier within Gmail. While the report suggests that Gmail won't go site-wide with end-to-end encryption, anything it does to bring real encryption more into the mainstream would be a good thing -- though it might make the NSA and DOJ freak out. But, as we've seen, well-done crypto does work. The problem is that so much crypto is not particularly well implemented, leading to all sorts of leaks. Still, it's encouraging to hear that Google is working on something, and hopefully it releases something that is both user-friendly and open to some sort of audit to ensure that it's safe.
A New York University Law trustee's company wants two students to hand over their personal emails after they circulated a letter criticizing him, according to a subpoena.
The law students, second-year Luke Herrine and first-year Leo Gertner, were targeted after they helped circulate a letter denouncing NYU Law School trustee Daniel Straus, who owns Care One Management, a home health aide and nursing home company embroiled in a labor dispute.
The two students started a petition asking for the removal of Straus from the Board of Trustees, pointing out that a law school should probably be associated with someone who respects the law, something Straus' companies seem to have trouble doing. His two companies, CareOne and HealthBridge Management, have been cited at least 38 times by the National Labor Relations Board for violating federal labor laws. In addition, HealthBridge was held in contempt of court for refusing to allow 600 workers to return to their jobs at their pre-strike pay levels.
CareOne spokesperson Deborah Maxson said the deadline for the requested information is April 25.
“Straus is not a party to the lawsuit and is not managing the litigation,” Maxson said.
Straus may not be a party to this lawsuit, but these are his companies, and there can be very little doubt that Straus would prefer the ongoing criticism of his business efforts be halted. If CareOne wants to use the excuse that Straus isn't a "party" to this lawsuit, then it needs to extend that same courtesy to the two students, who also aren't a "party" to the ongoing legal fight.
Then there's the content sought by the subpoenas. This, too, mentions Straus directly, even as CareOne claims this has nothing to do with him. According to a letter sent by the Board of Trustees to NYU administration, this is what CareOne is hoping to obtain:
“The subpoenas requested information regarding any contact the students may have had with SEIU and any activity they may have engaged in, such as protests or meetings, relating to Mr. Straus or CareOne...”
If Straus isn't "party" to this lawsuit, why does CareOne need information relating to Straus? Beyond that, the information requested bears all the hallmarks of trying to use the power of the court to silence free speech. Protests and meetings, both activities covered by the First Amendment, are mentioned specifically by the subpoena.
For what it's worth, NYU has stepped up and has provided the students with the pro bono help of one of the school's lawyers. It also issued a very carefully-worded defense of the students, no doubt mindful of Straus' $1.25 million annual endowment.
“The Law School is not a party to the litigation between Care One and SEIU, and will remain uninvolved in it," the school wrote in a statement to DNAinfo New York sent Thursday. "We vigorously support the right of our students to express their views and to organize and participate in lawful demonstrations and other protest activity, at the same time that we acknowledge that parties to litigation are permitted, subject to applicable rules and judicial oversight, to gather evidence in support of their case."
Further statements reiterated NYU's support for its students' rights but also noted it considered Straus to be an "upright and honorable person."
That said, it seems that there is a clear -- and somewhat massive -- conflict of interest for Straus to remain on the board of trustees at NYU Law at the same time he's using the legal process to demand the email contents from two of its students.
Forcing students to turn over emails and other private communications in litigation that does not concern them can chill free speech on campus and make students think twice about raising their voice about controversial issues. This is antithetical to NYU's mission of open academic inquiry and commitment to the public interest.
Rather than address these concerns, Straus is allowing (or directing) his company to shut down his critics by seeking personal communications from non-party NYU students. Straus also has additional leverage with the university should this fail to keep future criticism at bay. Of course, there's always a chance NYU will side with the students and decide that Straus' companies don't really reflect the culture it's trying to instill in its students. But until this all plays out, we're just witnessing the sort of tactics deployed by entities who would rather shut people up than address their concerns.
Last week, we wrote about Microsoft's ridiculous decision to search through a reporter's Hotmail email account after realizing that reporter had an unauthorized copy of Windows 8. The whole thing seemed like a huge overreaction by the company -- in trying to track down an almost meaningless leak that was unlikely to have any real impact on anything, the company effectively alerted the world that you had no real privacy in your email. The move was even more ridiculous since Microsoft has more or less bet its email farm on a marketing campaign about how it respects your privacy more than others. Microsoft's first response to this was exceptionally weak. While it announced a "change" in policies, it was still the same basic policy, that effectively (and misleadingly) claimed that it could and would continue to search anyone's email if the company had evidence that you might reveal a leaker.
Apparently -- and somewhat surprisingly -- it appears that Microsoft and its legal team took the criticism seriously. Microsoft's General Counsel Brad Smith has now put out a new blog post announcing a complete change in policy, promising that it will not unilaterally look through any Microsoft user's content in search of "stolen" intellectual property:
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
Furthermore, the company will officially change its terms of service to reflect that change in policy. On top of that, it is starting a (somewhat undefined) project with EFF and CDT to work on "best practices" concerning privacy. Smith's apology is quite heartfelt, which is also rare from a big company:
It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week. Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.
In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.
While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.
Personally, I wish the announcement and policy change went a bit further -- beyond just "intellectual or physical property," but making it clear across the board that, absent a reasonable warrant signed by a judge, Microsoft will not allow anyone to access anyone's content. But, perhaps we'll get there some day. In the meantime, Microsoft does deserve some kudos for changing positions. Most large companies would try to just let this issue fade away rather than proactively address it.
Yesterday, we wrote about the bizarre decision by Microsoft to search through a reporter's Microsoft Hotmail email account, in an attempt to catch the Microsoft employee who had leaked that reporter a copy of Windows 8. While most of the initial stories about this had focused on the arrest of the employee, Alex Kibkalo, and had pushed the email snooping issue to the bottom of the story, it appears that the email snooping is quickly becoming the story. After all, the leak itself was basically meaningless. Some early screenshots of Windows 8 were never a big deal, and Microsoft has struggled to get adoption of Windows 8 not because of any leak, but because of a variety of other issues. So capturing the leaker does little of benefit for Microsoft.
However, at the same time, revealing that the company has no problem snooping through users' email accounts if it feels it is beneficial to Microsoft is hugely damaging to the company. People need to trust their email providers. A well-known venture capitalist I know has spoken repeatedly about how so many people use Gmail, even when doing things like negotiating deals with Google (or competitors!) because they actually trust Google not to abuse their privacy and snoop on those emails. In part, they do this because they know if Google was exposed for snooping on emails that way there would be a mass exodus from Gmail to alternative providers. Yet, Microsoft doesn't seem to have considered just how astoundingly damaging it is to violate its own users' privacy -- whether permitted by Microsoft's terms of service or not.
On a basic cost-benefit analysis it's difficult to see how anyone at Microsoft thought this was a wise move. Absolutely wipe out any possible trust and privacy for all email users to track down one meaningless leaker? Instead, what this shows is how "piracy obsession" blinds companies. They seem to forget all about cost-benefit analysis and assume that "something must be done" at all costs, even if it basically destroys an entire business line for the company.
Microsoft is now desperately trying to minimize the damage as it's realizing just how it's wiped out all of its bogus talk about protecting your privacy. They've announced new policies concerning how and when they'll violate your privacy, but this seems quite clearly to be a case of too little, too late.
Apparently, Microsoft's desire to track down someone who leaked screenshots of Windows 8 is so strong that it's willing to violate its own privacy guidelines and promises to the public -- even if it means undermining Microsoft's main promotional campaign for email services.
A few weeks ago, Microsoft promoted Mark Penn to chief strategy officer. Penn is most famous as a PR man and political pollster who was the driving force behind Hillary Clinton's failed campaign for President in 2008. He's known for his negative attack ads and his claims to do everything based on data -- though, people who have explored some of his techniques say it's a lot more flimflam than actual statistical analysis. His main contribution to Microsoft over the past few years seems to be its ridiculous "Scroogled" campaign, in which Microsoft -- a company not at all known for its privacy protections -- attempts to portray Google as being bad on privacy. The campaign has been a colossal and expensive flop according to most.
Either way, you'd think that a company whose main marketing strategy these days is all about how it protects the privacy of your email account wouldn't then break into a user's email account. But that's exactly what Microsoft apparently did in tracking down the guy who leaked Windows 8 to a reporter. Alex Kibkalo, a software architect for Microsoft, sent a French blogger some Windows 8 code and the way to get around its anti-piracy measures. The French blogger posted screenshots and also emailed Microsoft for comment -- and that's when Microsoft apparently decided to throw its privacy promises out the window:
The engineer was caught after the blogger emailed Microsoft to confirm the authenticity of the leaked Windows 8 code. Investigators at the firm then reportedly looked through the blogger’s hotmail account and instant messenger chats to identify the source of the leak, and found an email from Kibkalo.
Of course, Hotmail today has morphed into Outlook.com, and the current ad campaign about it states: "Outlook.com prioritizes your privacy!" and "Your email is nobody else's business." Oh really? I guess Microsoft considers it their business. It's kind of astounding, first, that Microsoft did this, and second that they appear to openly admit that you have no privacy at all in your email if Microsoft suddenly decides it wants to dig through and dig up something.
Update: And, from the criminal complaint we see, indeed, that Microsoft figured it was fine to violate this journalist's privacy: