
They're Reading Your Mail: Microsoft's ToS, Windows 8 Leak, and Snooping 206

Posted by timothy
from the learned-it-from-watching-the-nsa dept.
After the recent Windows 8 leak by recently arrested then-Microsoft employee Alex Kibkalo, Microsoft has tweaked its privacy policies, but also defended reading the email of the French blogger to whom Kibkalo sent the software. "The blogger in question, who remains unidentified, happened to use Hotmail—the investigation began in 2012 before Hotmail's Outlook.com transition—as his primary email account. So as part of its investigation, Microsoft peeked into the blogger's email account to read that person's correspondence with Kibkalo. ... Microsoft says it was justified in searching the blogger's email account, because it had probable cause to believe Kibkalo was funneling trade secrets to the blogger. The company also pointed out that even with its justification for searching the account, it would have been impossible to gain a court order." "The legal system wouldn't have let us" seems a strange argument to defend any act of snooping.
  • by mTor (18585) on Saturday March 22, 2014 @04:05PM (#46553195)

    Here's what Michael Arrington, former editor of TechCrunch, says:

    I have first hand knowledge of this. A few years ago, I'm nearly certain that Google accessed my Gmail account after I broke a major story about Google.

    A couple of weeks after the story broke my source, a Google employee, approached me at a party in person in a very inebriated state and said that they (I'm being gender neutral here) had been asked by Google if they were the source. The source denied it, but was then shown an email that proved that they were the source.

    The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account.

    A little while after that my source was no longer employed by Google.

    ABOUT THAT TIME GOOGLE SPIED ON MY GMAIL [uncrunched.com]

    • by sumdumass (711423)

      It's interesting that no one claimed someone else planted the emails there. If they are accessing accounts then I'm not sure how they can claim no one else (including them at another time) accessed the accounts and sent that message in order to escape being discovered. I mean they went behind their backs so why wouldn't they go behind their backs.

    • Sure, the TOS gives Microsoft the right to look at pretty much whatever they want, whenever they want, and it's true that Microsoft could not have got a warrant to search their own email service [because companies don't get issued search warrants, either for themselves or to permit them to search other businesses or individuals].

      What they gloss over is, Microsoft could have avoided this whole mess by getting the police/FBI to run the investigation. The FBI would have no problem getting a search warrant for

    • by stoploss (2842505) on Saturday March 22, 2014 @05:39PM (#46553845)

      All I'm hearing is that these bloggers are incompetent at protecting their sources.

      I mean, WTF? Who the hell would imagine it's safe to use a company's services when collecting insider information? I mean the data is on the company's servers, FFS. I bet real spies don't need to be told not to set up a dead drop inside, say, the Capitol rotunda or the FBI headquarters, either.

      Protip for any planning to publish dirt on Yahoo: don't use Yahoo mail to collect the information. Not that anyone still uses Yahoo mail anymore...

    • Re: (Score:2, Insightful)

      by fermion (181285)
      MS, Google, Yahoo, all free service, I don't think there is an expectation for privacy. I have seen no situations where our information is protected from employees. In the past few years they have apparently set up more guidelines, but I wonder if anyone actually gets fired for browsing the occasional email.

      What is clear is there is no legal recourse. You can't stop paying because you do not pay. I think suing over such a thing would be hard as showing damages would be hard.

      I guess this shows the need for

      • by jc42 (318812)

        MS, Google, Yahoo, all free service, I don't think there is an expectation for privacy.

        Or, more generally, anyone who stores anything on a commercial server and expects privacy is a fool.

        Yes, this is especially true with "free" services, which must be profitable or they won't exist for long. But one should generally assume that any data that's ever been on any company's machines will be saved (at least backed up) and available indefinitely to any company employee or customer who's willing to pay. Anything else just shows a total misunderstanding of how these companies work.

        Actually, so

  • Bad summary (Score:5, Informative)

    by whoever57 (658626) on Saturday March 22, 2014 @04:05PM (#46553205) Journal

    Much as I hate to defend Microsoft, the summary mischaracterises Microsoft's statement. Microsoft is saying that it already had the right to search the mailbox, so a court would not have issued an order. It's like asking a court for permission to search your own house. The court won't issue an order, but that doesn't mean that it would be illegal to do the search.

    I don't know if Microsoft is right in its claim that it would not have been able to get a court order, but let's get the facts straight when criticising Microsoft.

    • Typical corporate behavior - lobby incessantly against regulation but when caught in blatant malfeasance shirk accountability with the excuse "it may be unethical but it is not illegal"
      • Typical corporate behavior - lobby incessantly against regulation but when caught in blatant malfeasance shirk accountability with the excuse "it may be unethical but it is not illegal"

        It's more like, "If we ask, we know that we'll be told it's illegal. Therefore, we won't ask."

        • by Richy_T (111409)

          The phrase used to be "it is easier to seek forgiveness than permission" but I think it should probably be modified to be "It is easier to say 'Screw you, what are you going to do about it?' than seek permission"

    • Yes, that plus the fact a private individual or company will not be given a search warrant for anything.
    • by jonwil (467024)

      Are companies that run private mailbox services allowed to search/read the mail that they handle on behalf of their customers? Are self-storage places allowed to search the lockers of people hiring them?

      In both cases the answer is "not without a warrant/court order". The same should apply to Microsoft in this case.

      • Please read the contract. From work with email systems, I've often needed access to the mail queues in order to verify operation or delivery of email, and the relevant agreements have been very clear that I had the access to do so.

        I've been asked to do monitoring on more than one occasion. I was once asked to replicate all email for a particular user to a manager's mailbox, for a company I was collaborating with, while their core IT administrator was on another project. I carefully did the work, document

    • by donaldm (919619)

      Much as I hate to defend Microsoft, the summary mischaracterises Microsoft's statement. Microsoft is saying that it already had the right to search the mailbox, so a court would not have issued an order.

      This is such a grey area and I would be surprised if there is not some precedent in law that would classify reading someone's mail and private data as a serious offence without the express permission of the owner of that data or a court order requesting such access. Stating that we own the infrastructure therefore we have the right to do what we please is not a valid excuse.

      Consider the following. Say a person owns the building that houses a post office, would they have the right to enter that post office

      • thus why at any job if a manager asks me to do anything gray like this I request some documentation from them telling me to do whatever, so if / when it blows up I at least have something to point to...but in this situation, it all depends on the TOS that you have to agree to so you can set up an email there. If the TOS said somewhere they can search your inbox, and you agree, then what?
    • And I'll bet that MS had also discussed this with their legal team first, who told them all this. Maybe they have a console cowboy who just goes and does stuff like this without telling his management, but I doubt it.
  • by gwstuff (2067112) on Saturday March 22, 2014 @04:08PM (#46553227)

    While this story is crazy, and MS should be spitballed for it... I don't buy that other companies that let you store your data online don't give access to your data to their employees, if only for "debugging and administrative purposes." If you want to store your data online, encrypt it.

    • I came here to say exactly this. All the cloud companies whose internal workings I am familiar with use the data in ways that violate people's privacy, or to actively destroy competition. The sole exception was a company that was too incompetent to find a useful use for the data, otherwise I know they would have as well.
    • I see a few problems with your advice:

      1.) Storing encrypted mail on the server only really works in practice if the sender encrypts the mail he sends to you, but sometimes people send unencrypted mail to you.

      2.) Encryption and data integrity are in natural conflict with each other and most encryption programs do not introduce enough redundancy to improve the latter. Twiddle a bit and your data is gone.

      3.) Technical solutions to social, moral, and legal problems? If the cloud provider was legally allowed to

      • by gwstuff (2067112)

        All good points. Just a quick note about (1): you can encrypt all your email by using a passthrough email address in a domain that you trust. So me@myname.com receives all your email, encrypts it and forwards it to gmail or wherever.

        • and I would even "encrypt" the text inside it too first, so even if they did manage to get into it it wouldn't make any sense. Even just using http://encryption.online-toolz... [online-toolz.com] you could "encrypt" the text, then convert that to hex, then convert that to binary, and send that as the message. The sysadmin may eventually figure it all out, but probably not...
          • by gwstuff (2067112)

            Using an unknown encoding scheme is obfuscation, not encryption. So you're suggesting using obfuscation as a cheap substitute for encryption. That might be fine in some situations but 1) It really is very, very easy to crack - you don't need human intervention - there are tools that let you compute polynomial mappings between two data sets. 2) You can encrypt the data using a powerful algorithm using off the shelf free tools, so why not just go one baby step further and do it so that even in the unlikely ca
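
The distinction drawn in the reply above, shown as an added example that is not part of the original thread: the hex and binary layers proposed earlier carry no key, so a short script recognises and strips them without knowing anything about the sender. The function names and the sample message are constructed for illustration.

```python
import string


def to_hex(text: str) -> str:
    """Encode text as a hex string (an encoding, not a cipher)."""
    return text.encode("utf-8").hex()


def to_binary(text: str) -> str:
    """Encode text as space-separated 8-bit groups."""
    return " ".join(f"{b:08b}" for b in text.encode("utf-8"))


def _try_binary(blob: str):
    bits = "".join(blob.split())
    if bits and len(bits) % 8 == 0 and set(bits) <= {"0", "1"}:
        return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return None


def _try_hex(blob: str):
    digits = "".join(blob.split())
    if digits and len(digits) % 2 == 0 and all(c in string.hexdigits for c in digits):
        return bytes.fromhex(digits)
    return None


def peel(blob: str, max_layers: int = 10):
    """Strip keyless encoding layers; return (remaining text, layers removed)."""
    layers = []
    for _ in range(max_layers):
        # Binary is tried first because "0" and "1" are also valid hex digits.
        for name, decoder in (("binary", _try_binary), ("hex", _try_hex)):
            raw = decoder(blob)
            if raw is None:
                continue
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                continue  # not text underneath, so this guess was wrong
            if not text.isprintable():
                continue
            blob = text
            layers.append(name)
            break
        else:
            break  # no decoder matched: nothing left to peel
    return blob, layers


if __name__ == "__main__":
    # Constructed sample: a message wrapped in hex, then in binary.
    wrapped = to_binary(to_hex("meet at noon"))
    print(peel(wrapped))
```

Whatever remains after peeling is only as strong as the first step: if that step was a keyed cipher, the extra layers added nothing, and if it was not, the message is already readable.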

  • by hsmith (818216) on Saturday March 22, 2014 @04:09PM (#46553235)
    Here is to Microsoft's shit ad campaign "Scroogled" - first they snoop on all Skype communication and now they admit to reading emails LOOKING for things.

    I fully expect the daft ad men at Microsoft to continue their pathetic ad campaign.

    Glass houses and all that.
    • I once went to Microsoft for a meeting and was talking with someone. They had my entire work profile stored in there. I never gave it to them nor did I ever apply for a position in Microsoft. They have a profile database on everyone they have even a tangential connection with.

  • Does ownership of the network override the laws of the country the network is in?

    If they had opened physical mail, this would be a criminal charge. But because it's digital, somehow ownership of the service exempts them from having to obey any kind of privacy laws.

    Dangerous and shows why you should not trust anything online.
    • by raburton (1281780)

      > Does ownership of the network override the laws of the country the network is in?

      It's not a legal question at all. If you use the service you have accepted their terms and so have given them permission to do this.

      > If they had opened physical mail, this would be a criminal charge. But because it's digital, somehow ownership of the service exempts them from having to obey any kind of privacy laws.

      The fact it's digital doesn't make it a special case, if you agreed to let them open your physical mail t

      • Companies can write all the terms they want, they shouldn't be able to override the laws already in place.

      • by tgv (254536) on Saturday March 22, 2014 @04:57PM (#46553585) Journal

        > It's not a legal question at all. If you use the service you have accepted their terms and so have given them permission to do this.
        That *is* a legal question. If the EULA says: we own your first born, is that so just because you checked a box on a web site? Nope. There are laws governing the reading of email, and Microsoft has to obey those rules like everyone else.

        • by raburton (1281780)

          > That *is* a legal question. If the EULA says: we own your first born, is that so just because you checked a box on a web site? Nope. There are laws governing the reading of email, and Microsoft has to obey those rules like everyone else.

          I'll ignore your stupid analogy and stick to the point. Do these laws you reference say that you aren't allowed to give your permission for someone else to read your email? I'd be very surprised (though you haven't stated any specific laws to check), so if you've g

          • by tgv (254536)

            Clicking a check box does not overrule the law. You ignore my "stupid analogy" because you don't have a counter-argument.

            • Which law? And, since you are familiar with the rule of law, which precedent set the case law for a provider checking its own mail? And set the relevant limits on EULA clauses?

              And how does that differ from a warrantless law enforcement request where the provider, who has the data, does not ask for a warrant?

              Is it only a search if the provider is looking for something?

              • by tgv (254536)

                There is a European law that forbids email providers to use knowledge of the contents of email. Anyway, your point was: it isn't a legal question. But anything, and certainly access to personal information, can be ruled by laws, hence it is a legal question.

                Anyway, your profile text speaks volumes. I'll copy it here: "If I seem a little confrontational, it's probably because you are an idiot. I will argue any side of any point if you demonstrate that you haven't put in a little thought or research into what

        • I thought that too, until someone I know had MS show up at their door with an empty baby carriage...
      • EULA does not and never will override legal, law of the land.

        I can put slavery in a EULA, that doesn't make it legal.

        I can put invasion of your privacy, that doesn't make it legal either.

        This is a matter for the courts. A company's documents do not make law.
        • by raburton (1281780)

          > EULA does not and never will override legal, law of the land.
          > I can put slavery in a EULA, that doesn't make it legal.
          > I can put invasion of your privacy, that doesn't make it legal either.

          I think you are missing an important legal distinction. Microsoft / the EULA isn't overriding any law. You can't make slavery illegal by putting it in an EULA because slavery is illegal. Reading email is not inherently illegal. Reading it without the permission of the owner might well be, but Microsoft does h

          • by mrbester (200927)

            If a contract contains a clause that abrogates inalienable rights then that clause can be deemed as unenforceable and should be removed in order that you have a fair contract fully agreed by both parties. If that part cannot be removed then the whole contract is null and void. This is basic contract law.

            Of course this relies on the agreement of a EULA forming a valid contract in the first place due to there being no signatories, other identifying marks or even a verbal agreement noted on it. A click on a bu

  • Fine. Read people's emails. Whenever you think it's necessary. But don't be surprised when people stop trusting you, and, consequently, your profits go down because of it.

    Before it did look inside the blogger's account, however, the company claims it went through a "rigorous process" to justify the snooping.

    Uh huh.

  • by gweihir (88907) on Saturday March 22, 2014 @04:20PM (#46553309)

    I suspect that certain MS managers and system administrators should now refrain from traveling to the EU for the next few years. Under EU law, you may not even look at email of your employees without having gotten a signed waiver on paper or a court order.

    • by Baloroth (2370816)

      I'm neither a lawyer nor intimately familiar with the details of this particular case, but I'm a bit confused how EU law would apply to a US based company running a US-based service (such as an outlook.com email address), regardless of the nationality of the person who signed up for said service.

      • by Teun (17872)
        Microsoft offers these services as a commercial enterprise to nationals of and in other countries, separate jurisdictions from the US.

        The laws of the land where they are doing business are rather relevant, this 'business' was not in the US.
        It would surprise me if their local representative isn't going to be charged for this breach of confidentiality.

    • by SeaFox (739806)

      Even if this is illegal on paper, I don't expect to see anyone who works at Microsoft be arrested for this if they go to the EU.
      There are laws, and then there are laws that actually get enforced on individual people who work for big businesses. This is one of those laws that gets resolved with a fine against the corporation, not by tossing people in jail.

  • When comparing email to snail mail, standard email is like a postcard. Everybody who gets their hands on it can read it.

    If I send a postcard and somebody else reads it, should I be upset? I think not. I should not have written it on a postcard.

  • ..from the company controlling your comms! Jesus Christ these were crappy thieves!

  • Remember kids... (Score:5, Insightful)

    by mwvdlee (775178) on Saturday March 22, 2014 @04:59PM (#46553599) Homepage

    Remember kids...
    Do not store incriminating evidence on the servers of the company you're trying to screw.

  • >The legal system wouldn't have let us

    Using "The French legal system will not let us spy on someone in France about charges in a country that is not France" as a justification makes sense actually. Trying to shield yourself by working with someone in a third country shouldn't shield you from domestic actions, and the French are notoriously bad about doing anything about people in France charged elsewhere, including on very serious crimes. See Roman Polanski.

  • Who receives leaks from Microsoft at an email-account owned by a division of Microsoft?
    That's as if Snowden had contacted Greenwald from his BAH account.

    Insane.

  • Has anyone seen a TOS that does not give the company rights of ownership of you, yours, and all things associated with everything else they can cram into the TOS? I've often wondered why TOS are so wordy. I would simply write, "Do you confirm that you are our bitch and everything yours is now ours?".
