They're Reading Your Mail: Microsoft's ToS, Windows 8 Leak, and Snooping

After the recent Windows 8 leak by recently arrrested then-Microsoft employee Alex Kibkalo, Microsoft has tweaked its privacy policies, but also defended reading the email of the French blogger to whom Kibkalo sent the software. "The blogger in question, who remains unidentified, happened to use Hotmail—the investigation began in 2012 before Hotmail's Outlook.com transition—as his primary email account. So as part of its investigation, Microsoft peeked into the blogger's email account to read that person's correspondence with Kibkalo. ... Microsoft says it was justified in searching the blogger's email account, because it had probable cause to believe Kibkalo was funneling trade secrets to the blogger.The company also pointed out that even with its justification for searching the account, it would have been impossible to gain a court order." "The legal system wouldn't have let us" seems a strange argument to defend any act of snooping.

According to Arrington, Google reads it too

[mTor]

Here's what Michael Arrington, former editor of TechCrunch, says:

I have first hand knowledge of this. A few years ago, Iâ(TM)m nearly certain that Google accessed my Gmail account after I broke a major story about Google.

A couple of weeks after the story broke my source, a Google employee, approached me at a party in person in a very inebriated state and said that they (Iâ(TM)m being gender neutral here) had been asked by Google if they were the source. The source denied it, but was then shown an email that proved that they were the source.

The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account.

A little while after that my source was no longer employed by Google.

ABOUT THAT TIME GOOGLE SPIED ON MY GMAIL [uncrunched.com]

Re:

[sumdumass]

Its interesting that no one claimed someone else planted the emails there. If they are accessing accounts then i'm not sure how they can claim no one else (including them at another time) accessedthe accounrs and sent that message in order to escape being discovered. I mean they went behind their backs so why wouldn't they go behind their backs.

Re:

[davester666]

Sure, the TOS gives Microsoft the right to look at pretty much whatever they want, whenever they want, and it's true that Microsoft could not have got a warrant to search their own email service [because companies don't get issued search warrants, either for themselves or to permit them to search other businesses or individuals].

What they gloss over is, Microsoft could have avoided this whole mess by getting the police/FBI to run the investigation. The FBI would have no problem getting a search warrant for

Re:According to Arrington, Google reads it too

[stoploss]

All I'm hearing is that these bloggers are incompetent at protecting their sources.

I mean, WTF? Who the hell would imagine it's safe to use a company's services when collecting insider information? I mean the data is on the company's servers, FFS. I bet real spies don't need to be told not to set up a dead drop inside, say, the Capitol rotunda or the FBI headquarters, either.

Protip for any planning to publish dirt on Yahoo: don't use Yahoo mail to collect the information. Not that anyone still uses Yahoo mail anymore...

Re:

[amiga3D]

You would be far safer using snail mail. It's way too easy to have a computer sift through millions of e-mails whereas someone has to get off their dead-ass and work to go through real mail. The labor alone makes it cost prohibitive. Using PO boxes and fake names and you are probably worlds ahead of e-mail for safety. At least your deniability goes up.

Re:

[fermion]

MS, Google, Yahoo, all free service, I don't think there is an expectation for privacy. I have seen no situations where our information is protected from employees. In the past few years they have apparently set up more guidelines, but I wonder anyone actually get fired for browsing the occasional email.

What is clear is there no legal recourse. You can't stop paying because you do not pay. I think suing over such a thing would be hard as showing damages would be hard.

I guess this shows the need for

Re:

[jc42]

MS, Google, Yahoo, all free service, I don't think there is an expectation for privacy.

Or, more generally, anyone who stores anything on a commercial server and expects privacy is a fool.

Yes, this is especially true with "free" services, which must be profitable or they won't exist for long. But one should generally assume that any data that's ever been on any company's machines will be saved (at least backed up) and available indefinitely to any company employee or customer who's willing to pay. Anything else just shows a total misunderstanding of how these companies work.

Actually, so

Re:According to Arrington, Google reads it too

[K. S. Kyosuke]

Wow, you suck at reading comprehension.

Re:

[1s44c]

Uhm, so Google read the email of one of its employees? Gosh!

Google read the email of a third party that that one their employees sent an email to. Google have the ability to, and willingness to, read private email of people who use gmail who are not otherwise connected to google. Gmail isn't to be trusted.

Re:

[mysidia]

Google read the email of a third party that that one their employees sent an email to.

No... we have a hearsay claim that Google must have read the email of a third party.

They assumed because the recipient account was a gmail account; they must have gotten the message by opening his mailbox.

There might be some other way(s) they could have gotten ahold of the message, such as internet traffic monitoring of the employee's computer.

Re:

[DexterIsADog]

There might be some other way(s) they could have gotten ahold of the message, such as internet traffic monitoring of the employee's computer.

Or just, you know, search the outgoing email of every Google employee. Why is this not obvious?

Re:

[mysidia]

Or just, you know, search the outgoing email of every Google employee. Why is this not obvious?

Well... they say the employee was not using a Google e-mail account. What they don't tell us... is whether or not the employee was on a computer connected to Google's network at the time, or using a Google laptop, or other computer with Google-provided software, in order to send the e-mail.

We also can't rule out the possibility that the person's Ex logged into the employee's non-Google e-mail account, saw t

Re:

[DexterIsADog]

Uhm, so Google read the email of one of its employees? Gosh!

Google read the email of a third party that that one their employees sent an email to. Google have the ability to, and willingness to, read private email of people who use gmail who are not otherwise connected to google. Gmail isn't to be trusted.

Do you actually know this, or are you guessing? If I were Google (though I'm not really evil), if I suspected a Google source for a journalist's story, I'd look at the SENT email from all employees, for any emails going to the journalist.

Come on, it's friggin' Google, that search would probably take a second. Also, they'd find every source within Google, and it would all be legal; no reading of a non-Google employee required.

Re:

[sjames]

No. Google read the email of a person who corresponded with a Google employee. The mailbox they found the mail in was not that of a Google employee.

Re:

[gnasher719]

No. Google read the email of a person who corresponded with a Google employee. The mailbox they found the mail in was not that of a Google employee.

An email can be read at the sender, in transit, or at the receiver. The receiver was a google employee, and the content was apparently Google's business. If I give my employer permission to read emails that I receive, they are allowed to read emails that _you_ sent to me.

There was a case a while ago that some people thought protected journalistic sources, but where in reality a judge totally destroyed the safety of any sources: Some information leaked from Apple to some website, Apple naturally tried to

Re:

[sjames]

No, read carefully. The *SENDER* was a Google employee using a non-google mail account (for obvious reasons). The *RECIPIENT* was not a Google employee but was using a gmail account.

At least that is the allegation.

Bad summary

[whoever57]

Much as I hate to defend Microsoft, the summary mischaracterises Microsoft's statement. Microsoft is saying that it already had the right to search the mailbox, so a court would not have issued an order. It's like asking a court for permission to search your own house. The court won't issue an order, but that doesn't mean that it would be illegal to do the search.

I don't know if Microsoft is right in its claim that it would not have been able to get a court order, but let's get the facts straight when criticising Microsoft.

Re: Bad summary

[nickmalthus]

Typical corporate behavior - lobby incessantly against regulation but when caught in blatant malfeasance shirk accountability with the excuse "it may be unethical but it is not illegal"

Re:

[Zontar The Mindless]

Typical corporate behavior - lobby incessantly against regulation but when caught in blatant malfeasance shirk accountability with the excuse "it may be unethical but it is not illegal"

It's more like, "If we ask, we know that we'll be told it's illegal. Therefore, we won't ask."

Re:

[Richy_T]

The phrase used to be "it is easier to seek forgiveness than permission" but I think it should probably be modified to be "It is easier to say 'Screw you, what are you going to do about it?' than seek permission"

Re:

[TapeCutter]

Yes, that plus the fact a private individual or company will not be given a search warrant for anything.

Re:

[jonwil]

Are companies that run private mailbox services allowed to search/read the mail that they handle on behalf of their customers? Are self-storage places allowed to search the lockers of people hiring them?

In both cases the answer is "not without a warrant/court order". The same should apply to Microsoft in this case.

Re:

[Antique Geekmeister]

Please read the contract. From work with email systems, I've often needed access to the mail queues in order to verify operation or delivery of email, and the relevant agreements have been very clear that I had the access to do so.

I've been asked to do monitoring on more than one occasion. I was once asked to to replicate all email for a particular user to a manager's mailbox, for a company I was collaborating with, while their core IT administrator was on another project. I carefully did the work, document

Re:

[donaldm]

Much as I hate to defend Microsoft, the summary mischaracterises Microsoft's statement. Microsoft is saying that it already had the right to search the mailbox, so a court would not have issued an order.

This is such a grey area and I would be surprised if there is not some precedent in law that would classify reading someone's mail and private data as a serious offence without the express permission of the owner of that data or a court order requesting such access. Stating that we own the infrastructure therefore we have the right to do what we please is not a valid excuse.

Consider the following. Say a person owns the building that houses a post office, would they have the right to enter that post office

Re:

[l0n3s0m3phr34k]

thus why at any job if a manager asks me to do anything gray like this I request some documentation from them telling me to do whatever, so if / when it blows up I at least have something to point to...but in this situation, it all depends on the TOS that you have to agree to so you can set up an email there. If the TOS said somewhere they can search your inbox, and you agree, then what?

Re:

[l0n3s0m3phr34k]

And I'll bet that MS had also discussed this with their legal team first, who told them all this. Maybe they have a console cowboy who just goes and does stuff like this without telling his management, but I doubt it.

Re:

[Albanach]

Tl;dr : You must be batshit crazy to think that was legitimate without a court order. But hey, MS said so. Must be true then. Facepalm

So, you say they can't do it without a court order, but don't seem to address their statement that they cannot get a court order.

So what exactly is your proposal in these circumstances?

Re:

[l0n3s0m3phr34k]

I'm sure that buried in MS's TOS for hotmail it specifically says (in complex legalese no normal human can comprehend) that they can do whatever they want with their own service.

Re: Bad summary

[Anonymous Coward]

That is not a universal law. In Europe your landlord can not enter the flat without the tenants permission. It is expressly forbidden.

Re:

[gnasher719]

That is not a universal law. In Europe your landlord can not enter the flat without the tenants permission. It is expressly forbidden.

There are conflicting interests: The right of the tenant to use the rented space, including the right to privacy and the right to secure their property from theft (landlord could easily pick up any cash or valuables lying around), and the right of the landlord to protect his property or the right and duty to keep the public safe, including the tenant.

Assume you are on a long holiday, and there's a major water leak in your flat. Would you insist that the landlord can't get in and fix the leak, and instead

Re:

[l0n3s0m3phr34k]

It all comes down to the rental agreement really. Very few people read the whole thing, but almost all of them state they can enter for maintenance, pest control, etc.

Re:

[bipbop]

True in California. Landlords can't just decide to issue 24 hours notice and enter an apartment because they want to, no matter what the rental agreement says. That said, I've never had a rental agreement or a landlord that respected the law.

Re:

[Cochonou]

You'd probably lose your dollars. For instance, under French law, there are two exceptions to this rule.
- When there are maintenance or urgent works to be done (and actually not for just any work)
- When you have noticed of your intention to leave, to allow for visits
In these cases, the schedule of the visits must be agreed by both parties. They cannot exceed two hours or occur during weekends. In any other instance, there is no right of access. Of course, the landlord can ask (like any other person), an

Re:

[mjwx]

If the landlord needs to upgrade the piping in the building, you can't prevent him. And I'd bet you bottom dollar the same is true in Europe or anywhere else. Any other rule is patently stupid.

How much do you want to bet. In Australia a landlord or representative requires permission to enter, may not enter the premises without the landlord (or their representative) being present or providing their express permission if they are unable to be present. I believe we inherited this from Europe. Above this, a landlord must provide 7 days notice in writing.

Where can I collect on this bet.

Re: Bad summary

[sribe]

A landlord can go into your apartment without your permission also.

Wrong. Except in cases of emergency, he needs your permission. Unlike what some people think, you do get a few rights when you pay for the use of the apartment...

Re:

[guruevi]

You could've sued and gotten your rent back for every day that something was claimed to be out of order (if your furnace doesn't work for 3 days, you technically don't have to pay rent for 3 days).

Re:

[l0n3s0m3phr34k]

your apartment provided fire extinguishers? I've found the best security system is a big dog, but that usually doesn't work well in an apartment! But I too have set up a web cam now...mostly to record my cats flying around chasing each other, but if someone did come in I'd have the evidence now.

Re:

[Runaway1956]

Castle doctrine, anyone?

Jingle jingle - creeeeaak - BANG BANG BANG BANG BANG BANG!

Officer: "Ma'am, why did you shoot the landlord six times?"

Tenant: "I ran out of bullets, officer!"

Re:

[Anonymous Brave Guy]

A landlord can go into your apartment without your permission also.

Not in my country, he can't, other than under quite strictly defined conditions such as to effect repairs in an emergency.

What you say might be true in the US, but Europe typically has stronger privacy safeguards.

Re:

[Antique Geekmeister]

Do read the rental agreement. Many in the US,and overseas, do include clauses to address precisely this sort of thing, and a clearly written contract can help prevent many confusing "edge" cases.

Re:

[Anonymous Brave Guy]

They can include whatever clauses they like, but they still won't override statute law.

Under the law in my country, a landlord can't just turn up and let himself into a property you're renting from him, other than under certain specific conditions that are typically emergencies. At a minimum, there are normally some basic requirements for giving notice and visiting at a reasonable time in other cases, even where there normal landlord's rights such as being able to inspect the property to check its current c

Re: Bad summary

[sjames]

But he absolutely cannot open your mailbox or paw through your personal papers. Generally, landlords who enter without permission are limited to actions necessary to protect the property from damage (fire, leaking pipe, etc).

Re: Bad summary

[Zontar The Mindless]

Intruder is saying he already had the right to break into the house. No need to ask for permission.

That's right. He owns the house. And guess what. A landlord can go into your apartment without your permission also.

That's not quite how it has worked in in my experience as a renter in the US, Australia, and Sweden.

Re:

[l0n3s0m3phr34k]

the BEST emergency maintenance was when I was dying some clothes red in my sink...apparently there was a leak into the apartment below...the maintenance guy said it really freaked the people downstairs out, looked like blood or something leaking from the walls! It had been leaking for awhile, but they hadn't really noticed until their ceiling started bleeding.

Re:

[camperdave]

Around here, they need to give you written 24 hrs notice except in an emergency.

Re:

[Zedrick]

> That's right. He owns the house. And guess what. A landlord can go into your apartment without your permission also.

Perhaps in Somalia and North Korea, it doesn't work like that in most other countries.

Re:

[l0n3s0m3phr34k]

Thus why the first thing I do in a new apartment is change the locks. If they leave a note telling me they need to come in, I call the leasing office to find out when they will be there so I'm there too...I have way too much $$$ in equipment to trust a maintenance guy, it would be far too easy for them to walk out with something I might not even notice is gone for awhile, and it's happened to me before, and all the leasing office would do is say "we'll look into it". That, and they let me "break my lease"

Re:

[Imagix]

Thus why the first thing I do in a new apartment is change the locks.

In certain jurisdictions this is illegal without a court order.

Re:

[mysidia]

I know someone who owns a house that his ex wife has been staying in. When they divorced it also resulted in a restraining order being taken out by her against him. It is his house though. So he is in the position of being unable to approach the house or her to collect rent on the house or to evict her.

Simple solution to this. Pay an agent to serve the notice for eviction.

These actions can still be done on his behalf by a paid employee or contractor.

Re:

[l0n3s0m3phr34k]

it's his house, set it on fire! lol

Re:

[mysidia]

it's his house, set it on fire! lol

Until all the requirements are met for lawful eviction: a tenant occupying has a legal right to continue living there, undisturbed.

This right takes priority, even over the landlord's ownership claim to the property.

Attempting to disturb the tenant -- such as through harassment, turning off critical services, pumping in noxious gasses, taking other actions to make the place unlivable, setting the building on fire, would all be acts of unlawful eviction; possible crim

Re:

[Stormy Dragon]

He doesn't even have to hire someone. In most parts of the US, his municipal government will have already hired someone who's job includes serving eviction notices:

http://en.wikipedia.org/wiki/S... [wikipedia.org]

Re:

[mysidia]

(such as repairs, inspections or to show prospecting buyers).

Not unless you signed a lease that says they can enter and disturb you to show to prospecting buyers.

Of course if they disturb your right to quiet enjoyment of the property, you might be inclined to move out early, and terminate the rental, resulting in financial loss for the landlord.

Don't store unencrypted email online

[gwstuff]

While this story is crazy, and MS should be spitballed for it... I don't buy that other companies that let your store your data online don't give access to your data to their employee, if only for "debugging and administrative purposes." If you want to store your data online encrypt it.

Re:

[phantomfive]

I came here to say exactly this. All the cloud companies whose internal workings I am familiar with use the data in ways that violates people's privacy, or to actively destroy competition. The sole exception was a company that was too incompetent to find a useful use for the data, otherwise I know they would have as well.

Re:

[aaaaaaargh!]

I see a few problems with your advice:

1.) Storing encrypted mail on the server only really works in practice if the sender encrypts the mail he sends to you, but sometimes people send unencrypted mail to you.

2.) Encryption and data integrity are in natural conflict with each other and most encryption programs do not introduce enough redundancy to improve the latter. Twiddle a bit and your data is gone.

3.) Technical solutions to social, moral, and legal problems? If the cloud provider was legally allowed to

Re:

[gwstuff]

All good points. Just a quick note about (1): you can encrypt all your email by using a passthrough email address in a domain that you trust. So me@myname.com received all your email, encrypts it and forwards it to gmail or wherever.

Re:

[l0n3s0m3phr34k]

and I would even "encrypt" the text inside it too first, so even if they did manage to get into it it wouldn't make any sense. Even just using http://encryption.online-toolz... [online-toolz.com] you could "encrypt" the text, then convert that to hex, then convert that to binary, and send that as the message. The sysadmin may eventually figure it all out, but probably not...

Re:

[gwstuff]

Using an unknown encoding scheme is obfuscation, not encryption. So you're suggesting using obfuscation as a cheap substitute for encryption. That might be fine in some situations but 1) It really is very, very easy to crack - you don't need human intervention - there are tools that let you compute polynomial mappings between two data sets. 2) You can encrypt the data using a powerful algorithm using off the shelf free tools, so why not just go one baby step further and do it so that even in the unlikely ca

Re:

[Dutch Gun]

Unless you're using a one time pad, don't bother... You're only slowing down the script kiddies.

Funny, I wasn't aware that PGP, TwoFish, AES, and ECC have all been broken by script kiddies. Thank God we still have the ole one-time pad to fall back on!

In all seriousness, no matter how smart the hacker or how well funded the organization, modern encryption standards, implemented correctly, are essentially unbreakable. Please don't discourage people from encrypting their data online, as it's absolutely essential for properly protecting your data. If you encrypt your data locally with a well-vetted sta

Scroogled by Microsoft!

[hsmith]

Here is to Microsofts shit ad campaign "Scroogled" - first they snoop on all Skype communication and now they admit to reading emails LOOKING for things.

I fully expect the daft ad men at Microsoft to continue their pathetic ad campaign.

Glass houses and all that.

Re:

[cheesybagel]

I once went to Microsoft for a meeting and was talking with someone. They had my entire work profile stored in there. I never gave it to them nor did I ever apply for a position in Microsoft. They have a profile database on everyone they have even a tangential connection with.

Re:

[cheesybagel]

LinkedIn did not even exist back then. They have their own internal database for stuff like that.

They checked without a warrant

[assemblerex]

Does ownership of the network override the laws of the country the network is in?

If they had opened physical mail, this would be a criminal charge. But because it's digital, somehow ownership of the service exempts them from having to obey any kind of privacy laws.

Dangerous and shows why you should not trust anything online.

Re:

[raburton]

> Does ownership of the network override the laws of the country the network is in?

It's not a legal question at all. If you use the service you have accepted their terms and so have given them permission to do this.

> If they had opened physical mail, this would be a criminal charge. But because it's digital, somehow ownership of the service exempts them from having to obey any kind of privacy laws.

The fact it's digital doesn't make it a special case, if you agreed to let them open your physical mail t

Re:

[ArcadeMan]

Companies can write all the terms they want, they shouldn't be able to override the laws already in place.

Re:They checked without a warrant

[tgv]

> It's not a legal question at all. If you use the service you have accepted their terms and so have given them permission to do this.
That *is* a legal question. If the EULA says: we own your first born, is that so just because you checked a box on a web site? Nope. There are laws governing the reading of email, and Microsoft has to obey those rules like everyone else.

Re:

[raburton]

> That *is* a legal question. If the EULA says: we own your first born, is that so just because you checked a box on a web site? Nope. There are laws governing the reading of email, and Microsoft has to obey those rules like everyone else.

I'll ignore your stupid analogy and stick to the point. Do these laws you reference say that that you aren't allowed to give your permission for someone else to read your email? I'd be very surprised (though you haven't stated any specific laws to check), so if you've g

Re:

[tgv]

Clicking a check box does not overrule the law. You ignore my "stupid analogy" because you don't have a counter-argument.

Re:

[Bite The Pillow]

Which law? And, since you are familiar with the rule of law, which precedent set the case law for a provider checking its own mail? And set the relevant limits on EULA clauses?

And how does that differ from a warrantless law enforcement request where the provider, who has the data, does not ask for a warrant?

Is it only a search if the provider is looking for something?

Re:

[tgv]

There is a European law that forbids email providers to use knowledge of the contents of email. Anyway, your point was: it isn't a legal question. But anything, and certainly access to personal information, can be ruled by laws, hence it is a legal question.

Anyway, your profile text speaks volumes. I'll copy it here: "If I seem a little confrontational, it's probably because you are an idiot. I will argue any side of any point if you demonstrate that you haven't put in a little thought or research into what

Re:

[l0n3s0m3phr34k]

I thought that too, until someone I know had MS show up at there door with an empty baby carriage...

Re:

[assemblerex]

EULA does not and never will override legal, law of the land.

I can put slavery in a EULA, that doesn't make it legal.

I can put invasion of your privacy, that doesn't make it legal either.

This is a matter for the courts. A company documents does not make law.

Re:

[raburton]

> EULA does not and never will override legal, law of the land.
> I can put slavery in a EULA, that doesn't make it legal.
> I can put invasion of your privacy, that doesn't make it legal either.

I think you are missing an important legal distinction. Microsoft / the EULA isn't overriding any law. You can't make slavery illegal by putting it in an EULA because slavery is illegal. Reading email is not inherently illegal. Reading it without the permission of the owner might well be, but microsoft does h

Re:

[mrbester]

If a contract contains a clause that abrogates inalienable rights then that clause can be deemed as unenforceable and should be removed in order that you have a fair contract fully agreed by both parties. If that part cannot be removed then the whole contract is null and void. This is basic contract law.

Of course this relies on the agreement of a EULA forming a valid contract in the first place due to there being no signatories, other identifying marks or even a verbal agreement noted on it. A click on a bu

Dear Microsoft,

[LookIntoTheFuture]

Fine. Read peoples' emails. Whenever you think it's necessary. But don't be surprised when people stop trusting you, and, consequently, your profits go down because of it.

Before it did look inside the blogger's account, however, the company claims it went through a "rigorous process" to justify the snooping.

Uh huh.

Personal criminal liability applies

[gweihir]

I suspect that certain MS managers and system administrators should now refrain from traveling to the EU for the next few years. Under EU law, you may not even look at email of your employees without having gotten a signed waiver on paper or a court order.

Re:

[Baloroth]

I'm neither a lawyer nor intimately familiar with the details of this particular case, but I'm a bit confused how EU law would apply to a US based company running a US-based service (such as an outlook.com email address), regardless of the nationality of the person who signed up for said service.

Re:

[Teun]

Microsoft offers these services as a commercial enterprise to nationals of and in other countries, separate jurisdictions from the US.

The laws of the land where they are doing business is rather relevant, this 'business' was not in the US.
It would surprise me if their local representative isn't going to be charged for this breach of confidentiality.

Re:

[SeaFox]

Even if this is illegal on paper, I don't expect to see anyone who works at Microsoft be arrested for this if they go to the EU.
There are laws, and then there are laws that actually get enforced on individual people who work for big businesses. This is one of those laws that gets resolved with a fine against the corporation, not by tossing people in jail.

Re:

[account_deleted]

Comment removed based on user account deletion

Don't steal stuff..

[KliX]

..from the company controlling your comms! Jesus Christ these were crappy thieves!

Remember kids...

[mwvdlee]

Remember kids...
Do not store incriminating evidence on the servers of the company you're trying to screw.

The legal system wouldn't have let us

[Sir_Sri]

>The legal system wouldn't have let us

Using "The French legal system will not let us spy on someone in France about charges in a country that is not France' as a justification makes sense actually. Trying to shield yourself by working with someone in a third country shouldn't shield you from domestic actions, and the French are notoriously bad about doing anything about people in france charged elsewhere, including on very serious crimes. See Roman Polanski.

That blogger is an airhead

[rainer_d]

Who receives leaks from Microsoft at an email-account owned by a division of Microsoft?
That's as if Snowden had contacted Greenwald from his BAH account.

Insane.

What TOS are you reading?

[sgt scrub]

Has anyone seen a TOS that does not give the company rights of ownership of you, yours, and all things associated with everything else they can cram into the TOS? I've often wondered why TOS are so wordy. I would simply write, "Do you confirm that you are our bitch and everything yours is now ours?".

Re:I want to be shocked, but honestly I'm not

[pushing-robot]

Not to defend Microsoft's actions, but this does seem like exceptionally poor judgement on the part of the leaker, on par with robbing a bank and having them put the money in your safe deposit box.

Re:

[techno-vampire]

My thought exactly. If you're going to leak information about your company to a blogger, don't use either your company email account or an account with a service your company owns. Best, of course, is to find a way to get the data home and send it from there using an email address they neither know about nor have access to.

Re:

[NoKaOi]

Not to defend Microsoft's actions, but this does seem like exceptionally poor judgement on the part of the leaker, on par with robbing a bank and having them put the money in your safe deposit box.

That's true. And in your analogy, the bank couldn't just open up your safety deposit box. In that case, law enforcement would have to obtain a warrant in order to open your safe deposit box. The question is not wether the leaker made a bad call by sending it to the blogger's hotmail account, it wether Microsoft had the right to search the blogger's (it wasn't even the employee's account) emails.

"Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed," Microsoft Deputy General Counsel John Frank explained in the blog post. "So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one."

Preventing this situation is exactly why private entities aren't allowed to get court order for searches...beca

Re:

[l0n3s0m3phr34k]

or just do it the old fashion way, mail it via USPS. Then there is no electronic record to read from. Sometimes the simplest solution is the best.

Re:

[Virtucon]

Where's Groklaw when we need it?

In the US, under the CFAA [digitaltrends.com] you can be prosecuted for violating a ToS.

If a prosecutor so chooses, she can use the CFAA to argue that anyone who violates a Terms of Service is committing a felony. That means every 12-year-old who uses Google Search (or Facebook, for that matter) could technically be targeted under CFAA.

It's not a great law by any means and I don't support it but until it's repealed it can ruin anybody's life.

Re:

[russotto]

I believe that reading of the CFAA -- that violating the TOS is a felony -- was struck down by the 9th Circuit in the Lori Drew case. Which doesn't mean they can't try to prosecute you for it, it just means it's an uphill battle (especially in the area of the 9th circuit).

Re:

[Virtucon]

Good point on the Drew case but still the CFAA is very dangerous legislation especially in the hands of prosecutors who feel that they're going to pursue a case at whatever the cost.

Re:

[QuasiSteve]

So, when they try to justify trespassing on someone's email account

Which is a service provided by them. Hosted on their servers. Stored on their servers. Wait, which part of this was trespassing?

stealing their email

Reading. Unless they somehow actually moved the bits of the e-mail out of the person's account, and into theirs. Even if they made a copy, it's not stealing.

by saying that they had "probable cause to believe" whatever, it doesn't fly

Why doesn't it, though? And in what sense? A moral sense,

Re:

[1s44c]

Microsoft have the strong advantage that they are no good at it. You have no privacy if you give your email to either of these companies.

The traditional slashdot approach was to run your own mail server. I don't know how common that is any more but I still do it.

Re:

[1s44c]

All multinationals are hypocrites. All advertising is an attempt at making people believe things that are at best only part true.

If you give your data away you don't have it anymore. Don't give Google, Microsoft, or anyone else all your private email.

Re:

[the eric conspiracy]

> private email

There is no such thing as private email.There never has been, and unless there are some big changes there never will be.

Re:

[Richy_T]

End-to-end encryption has been available in several of the clients for a while now. Of course, third parties can still see who is sending to who but the content can be protected.

Re:

[dbIII]

US Government officials would be still forbidden from "taking bribes from foreign government officials"

Are they forbidden? Nobody took Ford to task for accepting (in person) a donation to the Republican Party from the Indonesian President in Jakarta on 7 December 1975. That's just one example from something that came up on a different story yesterday. The technicality is such things are a "gift", theoretically with no strings attached and they are not to the person directly. A foreign company (technica

Re:

[flyneye]

I wasnt quite that overcome, but did have a ROFLMAO thinking that I use hotmail as my spamcatcher email for those inconvenient software installs,membership applications, product inquiries and everything else that gets you on a mailing list. Its a horrible cesspit of ads , offers, spam, shit and brimstone. I ENCOURAGE MICROSOFT TO READ IT ALL THOROUGHLY (as well as any NSA,CIA,NBC,CBS,NAACP,NFL or equally stodgy agencies who have their nose in my asscrack)
YEah Baby! Lick my rigid shimmering throbbing column