Microsoft has today performed a second volte-face in the Hotmail scanning scandal, and this time it looks serious. There was uproar after the software giant revealed it had rummaged through a blogger's Hotmail inbox to snare an employee who had allegedly leaked pre-release Windows 8 software. Microsoft runs Hotmail as part of …
"We've entered a 'post-Snowden era' in which people rightly focus on the ways others use their personal information ..."
No. Snowden's activity, whether one thinks it good or bad, has nothing to do with this issue. Microsoft's action in this case should, and probably would, have been considered out of bounds 10, 20, or more years ago. If they had a problem with their employee or contractor releasing proprietary information in a way that violated a law they ought to have filed a complaint and let the authorities get whatever warrants or subpoenas might be needed, against services they operate as well as others. They acted like police, but are not, and so earned whatever opprobrium they receive.
However, I expect Mr. Smith expressed his only true concern in the quote at the end of the article: "... companies now recognize this is a market issue for them."
Leaking IP is (generally) not a criminal offence - law enforcement would laugh at any such request. But if an organisation suspects that someone is leaking proprietary information, you can bet they'll be going through their email and other Internet logs - and if they find who it was, said person will very soon be sitting outside the front door holding a cardboard box of their belongings, with a surprised expression on their face. If you don't think that can happen to you, I suggest you read your employment Ts&Cs again.
Most organisations don't host a public email service, so Microsoft have additional PR concerns to worry about. But any such provider is bound to respond to legal requests from the appropriate authorities. You would rightly expect your bank to keep your account transactions private, and if they negligently disclosed them you would be entitled to compensation. But faced with a court order, they will hand them over to the authorities. And that's just as it should be.
The story seems to be that they found Microsoft secret information (that Windows 8.1.1 is still making users cry?) by opening the Hotmail e-mail of the non-employee blogger that it was leaked TO.
To do this, presumably they went through every other Hotmail user's e-mail, as well.
In other news, using Linux is considered to be stealing from Microsoft. Anyone receiving e-mails that mention Linux will henceforth be billed for damages. Welcome to what always was a post-Snowden world, only now you know it. (Which is what post-Snowden really means.)
Company owned and operated email for business purposes is one thing, and the company, as the employer, has the right (confirmed, I think, by court decisions) to examine company supplied email accounts that were established for the conduct of company business. The case in point, however, seems to concern a commercial email service that the company provides to non-employees and employees alike as customers. Microsoft's reported actions went well beyond what an employer is entitled to do: they were equivalent to Microsoft searching the gmail account of an employee or contractor.
@tom dial: I wish I could give you a couple more upvotes. That was a particularly insightful post that cut right through the smoke.
It's a simple matter in the UK
We are talking about a service offered by the company to third parties, and the fact that the 3rd party in question is a member of staff is actually irrelevant. In the UK, Microsoft would have broken the law accessing that account. A company has no right to act as if it's law enforcement (that's one of the main reasons I vehemently disagree with imposing filtering obligations, it's IMHO the thin edge of the wedge), and the only way this could have been investigated is indeed by law enforcement.
Off the top of my head, this would not only be violating privacy (which would be at best a slap with a wet noodle for all the power the Information Commissioner has at the moment), but also a criminal offence under the Computer Misuse Act as it's accessing IT resources without authorisation.
But hey, it's the US. They seem to have pretty much reverted to the Wild West approach of law enforcement, with the man in the street having as much in the way of rights as the former Indian tribes.
Re: It's a simple matter in the UK
> the fact that the 3rd party in question is a member of staff is actually ~~irrelevant~~ relevant if said member of staff has given permission for their email to be accessed in this way as part of their employment contract (and, these days, the vast majority will). I admire your libertarian sentiments as regards web filtering, but if I'm providing an Internet service so you can do your job, I reserve the right to control what can be accessed when. Even if it's just blocking timewaster.com or online betting sites.
15 years ago, we were contacted by the police who had found one of our staff posting stuff on Islamic web sites and chat rooms about killing kafirs. Needless to say, he was shown the door pretty swiftly. Imagine if he'd been storing stuff on our servers.
> the fact that the 3rd party in question is a member of staff is actually relevant
Read again. They accessed the emails of somebody who was not an employee, not a contractor, and who had no relationship at all with Microsoft. He just happened to have information sent to him by a Microsoft ex-employee.
"said person will very soon be sitting outside the front door holding a cardboard box of their belongings"
1 - It was not the employee's email account, it was a blogger's. The employee used a mail.ru account.
2 - The employee didn't end up fired, they somehow ended up locked up in the US.
Apparently the blogger in question was unwise enough to solicit comment on the leak from a Microsoft employee using the very same Hotmail account he had received the illicit materials on. I am not a Microsoft defender by any means, but this suggests that a broad sweep of Hotmail was not necessary.
"presumably they went through every other Hotmail user's e-mail, as well."
No, Microsoft knew who their target was. If you want to be SURE your email company reads your email then you need a GoogleMail account...
"using Linux is considered to be stealing from Microsoft"
Copyright and IP infringement is not theft.
However Linux likely does have lots of third party IP in it. The "free" model bypasses most of those issues as it is hard to demonstrate damages.
> In the UK, Microsoft would have broken the law accessing that account.
You haven't indicated what law you suggest Microsoft would have broken. I think you might have been thinking of either:
* the criminal offence of "unlawful interception" under section 1 of the Regulation of Investigatory Powers Act 2000;
* the civil "duty ... to comply with the data protection principles" under section 4(4) of the Data Protection Act 1998; or
* the equitable doctrine of "breach of confidence"?
By storing Hotmail emails in a form that they can access, Microsoft "intercepted" them; however, the interception was lawful under section 3(3) as Microsoft provide the (Hotmail email) service and the interception was "for purposes connected with the provision or operation of that service". Once lawfully intercepted, RIPA does not restrict what can be done with the data.
Microsoft also complied with the data protection principles, as their actions fell within their terms of service (with which Hotmail users explicitly agreed in signing up to the service). For the same reasons, they would not have breached any confidence.
There may be other relevant laws in England & Wales of which I'm not aware and, given that I know very little indeed about Scots law, Microsoft might well have broken some law up there. If you know the specifics, I would be very interested to learn more!
Re: Shame @Robert
The so-called blogger asked a friend of Steven Sinofsky, then head of Windows, for some help deciphering some of the source code in the MS activation server technology.
The friend passed the email on to Sinofsky, who handed it on to the security team, which then got approval from the legal bods to look at that 1 account to see if they could find out where the leak was coming from...
Re: @Chris Miller @ ratfox
The "ex-"employee was a current employee at the time the offence took place.
Although it was the French blogger's fault that it came to surface, he used his Hotmail account to contact a friend of the head of Windows to ask some questions about the source code for the MS activation server. The friend passed it on to MS...
Time to start hosting my own mail.
It always was that time.
Was there any time not to?
We seem to go through this whole process on a regular cycle.
Way back in the mists of time there were minor outcries when one or two people actually bothered to read the T&Cs of the likes of AOL and Geocities and suddenly realised that AOL and Geocities were pretty much claiming all rights over all data stored on their servers, including mail.
We've seen similar more recently with the likes of photo sharing sites and various "social media" sites making similar claims over user data, including the use of photos of and owned by minors in publicity campaigns.
As has been stated so many times on these august pages, if the service is free, then the user is the resource for sale.
I'm not even sure anyone can claim an "expectation of privacy" since they only have that expectation because they didn't read the T&Cs they agreed to when they signed up.
TANSTAAFL. You always pay, one way or another, just not always with cash.
I always have done. Gets a bit more expensive with the demise of Technet though!
In other words...
...they got caught with their hands in the cookie jar but hey, look at Google! Yeah, over there! They.. uhm... drove around with airodump-ng running! They have bots that fling adverts at you based on keywords! The bastards!
Re: In other words...
What I find interesting about the Scroogled campaign is it reflects (and always has) worse on MS than it has on Google. And now with this, and Scroogled often being mentioned in the same articles, it continues to draw attention to MS.
Now, yesterday was:
"Two people complained about the ad, pointing out that Microsoft scans the content of emails too. But the ASA ruled that, because this scanning was for the purposes of eliminating spam rather than targeting ads, Microsoft wasn't being hypocritical."
Sure, more news companies will draw attention MS probably didn't want. They don't scan for ads, they manually read/snoop on your email.
Re: In other words...
I find it mildly amusing that the guy who got spied on and fired should have gone with Google if he wanted privacy.
Re: In other words...
Read the bloody article. The guy who was spied upon was not a Microsoft employee, and did not get fired. He was a blogger who got sent secret information from an ex-Microsoft employee, and happened to have an email account on Hotmail.
Re: In other words...
@AC: "The guy who was spied upon was not a Microsoft employee, and did not get fired. He was a blogger who got sent secret information from an ex-Microsoft employee, and happened to have an email account on Hotmail."
True enough, but could Microsoft have done to a gmail account what they did with his hotmail account? I do not think so. The earlier comment was incorrect in detail, but the main point certainly was not.
I was hoping they would stick to their guns on this one.
Re: Oh darn
I was hoping they would stick to their guns on this one.
I was hoping they would stick their guns.
Wasn't what Microsoft did illegal?
Mail account hacking is illegal in most parts, why is Microsoft getting away with a change of policy after the fact?
Looks like leaking of Windows 8 info didn't do Microsoft any favors. Took them long enough to bring this to light, long after Windows 8.1 and Surface tablets flopped in the market place. Bringing this up now, and the fact that Microsoft attempted to act the way Apple security acts when Apple loses an iPhone prototype, hasn't helped anyone believe that they can trust Microsoft any more than anyone can trust Facebook to care about user privacy.
I'd have to wonder about the smarts of a leaker...
Who leaked MS' intellectual property to a web services account controlled by MS.
I'm slow to notice things
" ...we started using cloud email in the 1990s ..."
I thought the 'cloud' was a shiny and new thing.
Re: I'm slow to notice things
Only the word is new. Frankly most things called Cloud are all 10 to 20 years old. Those that aren't are 30 to 40 years old.
Yes, why invent something new when you can just rebadge the old stuff with a shiny new name.
Re: I'm slow to notice things
Those that aren't are 30 to 40 years old.
And the rest.
You could argue that Compuserve, initially set up to lease out the spare computational capacity of a very powerful business machine, was one of, if not the first "cloud provider". Sounds very similar to how AWS started, doesn't it?
Let's be clear...
... I still have no reason to believe any company would put the interests of a customer before its own interests.
Mobile phone tapping, wiretapping and reading paper-in-an-envelope mail is illegal*, stalkers can be taken to court; when will personal internet traffic and activities have the same overall protection?
*court orders apart, etc.
Re: Let's be clear...
> when will personal internet traffic and activities have the same overall protection
Clearly never, as there is no public opinion for privacy and all government and corporate entities benefit from the current state of affairs.
That said, the hacker who figured out the password to Sarah Palin's Yahoo mail account was sentenced to one year in prison. I feel whichever Microsoft exec took the decision to hack this guy's account has committed as great, or greater, an intrusion.
"when will personal internet traffic and activities have the same overall protection"
Because it's pretty easy to simply change the goal-posts after being caught red-handed...
Anyone who wants to read my friends' Facebook blurbs, and associated spam, is more than welcome to....
Not me: I use Tor, PGP and air-gapped MS Office
No longer can the cops and Plod demand things ad nauseam; the general public has learned much since World Hero Snowden released his NSA library.
It seems only just that if they want to see my stuff, they have to work their buns off for it. Somewhat of a self-defeating exercise, though.
So, judging by the comments here, despite Microsoft going out of their way to tighten up their privacy, that's still not good enough?
This really is conspiracy theory territory we're in now. Microsoft can't win because despite zero evidence to support the position, people still believe Microsoft are the bad guys. I can only hope that the tin foil hat wearers are still in the minority.
"So, judging by the comments here, despite Microsoft going out of their way to tighten up their privacy, that's still not good enough?"
Microsoft are not going out of their way at all, and they certainly aren't tightening privacy nearly enough. They also are one of the few major technology companies not out there fighting the good fight to the tune of a few billion to ensure that their lobbying might is used to pressure the government into reducing the instances where our mails can be read by busybodies or spooks to as near zero as is realistically possible.
In addition, Microsoft have the technology available to them to decouple their cloudy services from America, but choose not to. They have this "cloudOS" thing: install a private cloud on your own servers, on the servers of service providers, or use the Microsoft Azure public cloud. But they don't offer Office 365 for Service Providers. They don't offer the backend for Hotmail or many of the other "cloudy" services. If you want this stuff your only choice is an American company, and that is completely, utterly and totally unacceptable.
If I am going to shoot my stuff into the cloud it will be with a Canadian (or Swiss) company that hosts in Canada (or Switzerland) and has no American legal presence whatsoever. Zero legal attack surface in the USA is the only acceptable means to obtain privacy. Microsoft can choose to do this tomorrow. Until they do, they absolutely haven't done enough.
"Microsoft can't win because despite zero evidence to support the position, people still believe Microsoft are the bad guys."
Microsoft are the bad guys. Microsoft have repeatedly said "fuck you" to developers, customers and partners. It isn't ever any one thing with them...it's the hundreds and thousands of things over the years that ultimately boil down to their attempt to force the market to conform to their wishes instead of finding out what the market wants and providing that.
I could provide Microsoft with a list of over 100 specific action items that would not only rebuild trust amongst developers, partners and customers, it would increase their profits and ultimately serve their long-term strategic interests. I have to believe that Microsoft, for all its money, has people smarter than me working for them. Thus it is that I am absolutely certain Microsoft chooses not to implement any of the tactical changes required to rebuild trust. From that I deduce that they don't give a bent fuck about developer, partner or customer trust.
We are, to Microsoft, their chattel. We exist to serve them. They have forgotten that in markets where competition exists, the exact opposite is true.
Where is the "Applause" icon when you need it?
A thumbs up will have to do.
Microsoft seem now, on the third try, to have arrived at a reasonably correct position they really ought to have been able to figure out on the first.
Well said, indeed. However, while abandoning the US and US companies may give protection from untrustworthy companies and some protection from legal process, it is unlikely to bring much real protection from the signals intelligence activities of various governments, including yours and mine. Most of the attention has been on the NSA and, somewhat less, the UK GCHQ. However, Canada has the CSEC and its own FISC-like secret courts, and I expect that Australia and New Zealand are not much different. Germany, Iceland, and Switzerland seem like they might offer privacy protection against legal process. No matter where data are stored, however, they are potentially vulnerable to extralegal access - by governments, criminals, administrators (e.g., Edward Snowden), and others. Those connected to the internet are potentially vulnerable from anywhere on earth.
My personal conclusion is that information I wish to keep private is best kept on my premises, on either paper or systems that I maintain, protected by a combination of firewalls that I configure, air gaps, and encryption. And I know that if I become a target much of that may be worthless, whether because I have to choose between giving it up and jail or because someone who wants it badly enough (not necessarily my government or any government) can circumvent my technical protections. I think the same is true for companies.
Re: @Trevor Pott
"However, Canada has the CSEC and its own FISC-like secret courts"
Wrong. We have CSEC, but no secret courts. CSEC still works out in the open, and our Supreme Court has absolutely zero issue with slapping those bastards - or the conservative government - upside the head with a trout if they get out of line.
Besides, even if we did have secret courts, they'd be our secret courts, not American ones. The only laws in play would be those of my own nation. That's a huge difference, especially as regards my legal, moral and ethical obligations to protect the data of my clients.
As for Switzerland, their legal processes regarding privacy are far better than anywhere else. I trust them more than any other country on earth, and far more than I trust America or Americans.
It isn't about keeping the information secret, it's about due diligence. It is about doing everything I can to keep that information away from those who would misuse and abuse it. America has misused information, is misusing information and will misuse information in the future. Neither that country nor her people can be trusted. They conduct economic espionage even against their allies, and they spy on innocent civilians (even amongst their allies) and then hand that data off to people like their bottom-of-the-barrel border patrol. There, power corrupts quickly and absolutely.
So even if Canada's spooks are just as secretive (and I don't believe that for a second), Canadians and Canadian data have a path to address any issues within the framework of Canadian law. We have no rights and no powers to address abuse by Americans...and abusing information is simply what they do down there.
"they don't offer Office 365 for Service Providers"
BT use it for their 'btconnect' email - is that not the same thing?
Re: @Trevor Pott
Canada has "designated judges" who meet in secret (in a bunker, according to the CBC program aired in Utah last Saturday) and issue decisions as secret as those of the US FISC. It appears to me that Canada has pretty much the same types of control on CSEC as we have on the NSA.
and http://www.cbc.ca/day6/popupaudio.html?clipIds=2445314567 for the audio.
The first ~half is about FISA, and the remainder about the Canadian analogue.
Governments will be governments.
Re: @Trevor Pott
So far as I understand, the judges who review national security issues have an extremely limited mandate, and their decisions can be challenged in the Supreme Court. (Though the hearing will be sealed until the court makes a decision.) The laws they implement aren't secret, nor are the legal interpretations they arrive at. What is kept secret (for obvious reasons) are the details of cases involving national security.
What should be pointed out is that these judges don't exist simply to rubber stamp requests for spying. They handle all cases involving national security. In any rational world, it makes perfect sense for such a panel of judges to exist, so long as there exist concepts such as "national security."
I've never had an issue with the concept of a court that handles secret things. I've had all sorts of issues with how those courts are run, specifically, the ability to challenge decisions and the ability to even gain access to the results of past judgements. I.e., are the people expected to be held to the standards of what amount to secret laws?
There are lawyers in this country with security clearance. Even if their clients cannot be party to a suit, they can be represented appropriately.
Have the conservatives done a shitload of damage to our rights and freedoms since taking over? Yes...but the difference between Canada and the US is that we can (and do!) challenge this crap in court...and win. The conservatives try to give sweeping powers to CSEC and CSIS; the Supreme Court kills the laws on constitutional grounds and then makes the government go back to the drawing board and come up with something that's actually constitutional. It doesn't take decades here; it takes only a few years.
More to the point, to my knowledge there is no concept of "you aren't able to sue the government for that because you aren't cleared to see the information about whether or not you have standing." If you believe there's something untoward going on, you can get a lawyer with clearance and the trial can be held, even if you cannot yourself participate. (Bizarre, but there it is.)
And if the government loses one of those...it isn't covered up. If the government does something unconstitutional then it must be declassified. At least, such is the theory. We are currently seeing how this will all play out in practice.
I agree wholeheartedly that governments will be governments, but the separation of powers still exists here in Canada, despite the PMO trying to eliminate it. The government can be as corrupt as it wants, the court will slap them down and the mounties will still haul their asses off to jail one asshole at a time.
Ultimately, there's the difference. I don't believe for a second in the American courts. I don't believe for a second that they will stand up for your rights or freedoms. Your government has gotten away with obliterating the fourth amendment of your constitution without a fight and they are working damn hard at obliterating the first.
My government would like to do the same thing. Our courts repeatedly deny them the option. For now, at least, there's the gap: we are still nominally in control of our government.
It's getting worse. Day by day. Conservative judicial appointment by conservative judicial appointment. But we're a long way from as corrupt as America. A long way.
Re: @Trevor Pott
The description here of the Canadian designated judges' actions is quite different from David Frazier's description on the CBC program I heard, of ex parte hearings, decisions as secret as those of the FISC, and CSEC opinion that it does not need court approval for metadata collection.
As I have no direct knowledge, I shall leave it at that except to note that Mr. Frazier is an attorney specializing in matters relating to the Internet, technology, and privacy.
Re: @Trevor Pott
My understanding of how this works comes from reading Michael Geist's blog (he's a PhD who makes it a business to know about such things) and talks with the OpenMedia.ca folks. (Digital media lobby here in Canada.)
You are 100% correct in that CSEC believes it does not need court approval for metadata collection. This, however, is in violation of our charter of rights and freedoms and is currently winding its way through court. Unlike in the US, we can challenge activities of our spooks, even when they are "secret."
Again: hearings are indeed held in secret when national security is on the table (as is logical), and the only folks in the room are those with security clearances, but the forms and rules of a proper trial are followed. It is not a deliberation by judges nor dictation by fiat.
How secret decisions are allowed to remain is currently under review by both politicians and the judiciary. There is an acknowledged requirement for some decisions to remain secret while national security interests remain active, however, pretty much everything about the rest of our laws says no judicial decisions should ever be private.
The generally agreed upon middle ground is that decisions will be reviewed regularly and declassified as soon as possible instead of kept classified for decades past any possible relevance. Who exactly sits on the review panel and the frequency of reviews are currently the subject of political manoeuvrings, but the government has been warned that the judiciary will brook no US-style "forever secrets" in order to cover up political blunders or breaches of law by the government.
So yes, things are not as open as I would ideally like, but our judges are still pretty firm on the concept that nobody - from spooks to politicians - is above the law. The spooks disagree, and the next two or three years of suits about this will be quite entertaining...but at least we can take the bastards to court here.
What's really interesting is the push from many politicians - and several members of the judiciary - to have foreign data stored within Canada given the same rights and protections as data belonging to Canadian citizens. America barely acknowledges that non-Americans deserve basic human rights; there is basically zero chance that within my lifetime the USA is going to declare that I, a dirty furriner, have the same rights to privacy, due process and so forth as an American citizen.
So yeah, Canada has a ways to go to clean this up, but I think we're on the right track towards a more free and equitable society. Unlike the US, I think the worst of this big brother bullshit is behind us here.
I don't believe that this is being done (from the political side) because of morality and goodwill. I think that politicians are biting on this because they see a real economic advantage to cultivating high privacy standards here in Canada. "Put your data on this side of the border, eh? We're close enough to the yanks that you can suck the money out of 'em, but our laws are ever so slightly less asstastic."
I see that this isn't going to be a popular view but I'm not sure I see where the problem is.
A Microsoft employee used a Microsoft-owned mail service to leak Microsoft-owned IP. Microsoft later found out this now ex-Microsoft employee had done this, so they reached into the Microsoft-owned mail storage to obtain evidence of the leak. Once Microsoft had isolated the mails stored in the Microsoft-owned mail service, they handed them over to law-enforcement for laws to be enforced.
I don't see any need to complicate things here. An employee acting in violation of their employer's policies who uses their employer's resources to do so shouldn't have any expectation that the employer won't use every resource they have ownership of to deal with them.
This isn't about your e-mails to your grandmother. This isn't about you at all. This isn't even about privacy. It's about a moron who used a VoIP provider's VoIP service to phone in death threats to his boss. Even if he was paying for said VoIP service, if his boss recognizes his voice, he should expect the logs to be pulled and (if such a thing were done) recordings to be listened to.