Hacker News
Microsoft sniffed blogger's Hotmail account to trace leak (cnet.com)
277 points by mglauco on March 20, 2014 | 159 comments



Before anyone else comments that hasn't read the full article, here is the very end:

Legally, Microsoft appears to be protected by its privacy policies. The policy for Outlook.com, formerly Hotmail, states that, "We may access information about you, including the content of your communications...to protect the rights or property of Microsoft."

This is the agreement that every user agreed to when they signed up for Hotmail or Outlook. It's not carte blanche for Microsoft to go through your email, but it seems to allow them to do it for a very particular purpose.


> This is the agreement that every user agreed to when they signed up for Hotmail or Outlook.

No they didn't. Over 99% of them clicked through without reading. Some of them suspected Microsoft might one day read their email, but somehow shrugged it off, then forgot about it.

If people were truly informed, most would not give consent. Make no mistake: using a hotmail or gmail account means giving away a good chunk of your private correspondence. It also affects whoever you're communicating with, even if they have their own private mail server.

We need those Freedom Boxes. Fast.


"If people were truly informed, most would not give consent. "

I strongly disagree. Most would bitch about it, then do it anyway, knowing it may be a shitty deal for them. That is consent.


In the current situation, sure. Because we don't have real alternatives. (I maintain my own web server, but that's impossible for most users.) But if people were informed, that would create a market for privacy.


> But if people were informed, that would create a market for privacy.

If people really cared, then that market would exist today. "Get your $5/mo. much more private email from privateemail.com!!". This notional private email provider would be able to advertise Outlook.com, GMail, etc.'s privacy policies independently of those email providers to ensure that "click through" isn't the only reason people are unaware.


That market does exist today, Fastmail.fm is only one example I can think of off the top of my head (I surely got the ofs and offs wrong). I talk about them so much that I sometimes feel like a marketing goon ...


They're not a viable privacy option. And it has little to do with their ethics: they are still vulnerable to subpoenas, many of their users don't even live in the same country…

The only viable privacy option is to host your mail at home. It doesn't have to be difficult. We "just" need a suitably tailored GNU/Linux distribution in a Sheeva Plug, or Raspberry Pi, that you just plug-in, then use as a web service. (Just one snag: your ISP must allow you to send and receive e-mail: many close off port 25, and some even ban home servers.)

Now to get your email, they need a search warrant and someone to knock on your door, which is inconvenient and costly.


Could you host your mail on a VPN instead? I wouldn't mind doing this except for the fact that I'm 100% certain I'd get something wrong.


This makes you too vulnerable to various DOS attacks though.


I care, but there's no way for me to state that I do not want my correspondence shared with Google/Microsoft ... so the people who don't care continue to drag the rest of us into the void.


I'm sorry, I've heard this argument for 15 years, and it's still as false now as it was then. It's really just staunch privacy advocates thinking that their position is really right, and everyone would see the light if only they could be educated. Everyone likes to think this about their position. It's not limited to privacy contexts.

Your problem is not education. Your problem is your position is just a marginal one. Sad in some ways, but true.

The truth is, people have bigger fish to fry than this, and like a lot of things, they like to talk about some stuff, but when push comes to shove, "privacy" is just nowhere on the list of priorities, educated about it or not. The market would already exist otherwise.


A no-true-Scotsman argument. Not everyone shares your views about where the boundaries of consent should lie or what conditions they consider acceptable in exchange for free service.


I don't care if "not everyone agrees". Their boundary is incredibly low. It is literally a Dark UI Pattern. I bet your own boundary is higher than that.

No-true-Scotsman? I don't care, this one is valid: we're talking about someone who has some distant relatives in Scotland, but never set a foot there, hardly speaks English, and lives in China.

I do get that the proper threshold is not always the same. The threshold of consent for having sex for instance, is very high (or ought to be). Still, some things I say over email are just as private as my dick.


OK, but we're not talking about email here, we're talking about webmail in particular. I mean, it's rather foolish to think that you can trade MS's private IP over MS's free-as-in-beer webmail service when they explicitly tell you they're not willing to tolerate that in the TOS. Now if it were MS hacking into someone else's mailserver in pursuit of their stolen IP, I'd fully agree with you.


Yes, it is foolish, even if like everybody else, you haven't read the TOS. I know the analogy is unfair, but it is also very foolish for young women to dress lightly, then go walk out alone in dark streets. Yet sometimes, circumstances are such that people do it anyway, and it doesn't mean they're "asking for it". Drunk after a party? Used to using "your" webmail for all your communications?

People often do foolish things, it doesn't mean other people have a moral right to take advantage of them. (Alas, they sometimes have the legal right.)

By the way, in this case, it seems Microsoft spied on the blogger's account, to know where the leak came from. The leaker may not have used hotmail at all. While it's easy to notice cloud spying when sending from a webmail, it is a bit less easy when you send to a webmail: you're not even legally expected to have read the TOS. I mean, you still have to be careless to make that blunder, just less so.


It's difficult to fault a company for parsing its own servers to stop corporate espionage against itself.


It isn't. Especially not when they did this first:

http://www.ibtimes.com/microsoft-rips-email-snooping-google-...


From your own link

>“Outlook.com does not go through the contents of your sent and received email messages in order to display targeted ads. ... Outlook.com does not go through the contents of your incoming email from other email service for the purpose of targeting ads. ... Outlook.com does not go through the contents of your entire inbox for the purpose of targeting ads.”

Google does all of the above, are you claiming there is no difference between the two services?

The new lawsuit against Google for building profiles of children using its free Google Apps for Education service has even more info:

http://www.huffingtonpost.com/2014/03/17/google-data-mining-...

>A Google spokeswoman confirmed to Education Week that the company “scans and indexes” the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off--even for Apps for Education customers who elect not to receive ads.


The problem is they criticize google while doing something far more invasive than letting robots look for keywords.


Google has the exact same wording in their EULA:

http://www.google.com/intl/en/policies/privacy/

"protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law."


Well that's bad of google but doesn't improve microsoft's argument. If anything they become more hypocritical because "why isn't microsoft criticizing that part....oh"


They become more hypocritical for not criticising about something they do themselves?


The lowest tier of being hypocritical is criticising all of google's failings when they have related but different failings.

The medium tier is criticising all of google's failings except for what they also do.

The highest tier is criticising google for something they also do.

I thought they were at the low tier, but they're actually at the medium tier. So 'more'.


Sorry but I completely disagree, by not criticising Google for doing something they do themselves they are literally not being hypocritical, by definition. You can still criticise them for the situation, just not with that word. You can still call them hypocritical for the overall situation too, just not by picking out a specific narrow case where they have avoided being hypocritical.


They did not perform the actions google did, but the criticism they made of google's actions could be applied to their actions too. They claimed a high ground on the issue of privacy. They have no such high ground. This is hypocrisy.


I don't think that makes any sense.

If I criticize someone for talking loudly during class, and I haven't talked at all, that wouldn't be hypocritical, even if we were both browsing Facebook or something.


If you criticize them for being too loud with their talking while you were repeatedly slamming books against each other, you're being hypocritical. It's not the same behavior but it's still an inappropriate loud behavior. In the microsoft/google case it's privacy invasion.


There is nothing limiting them from doing so. Just because they behave like this today doesn't mean they will still do so tomorrow. Heck, I wouldn't be surprised if they already did so today. It wouldn't be the first time marketing saying something the technicians don't agree with. :)


False equivalence. Microsoft doesn't snoop every single email hoping to protect their property. This was a very controlled situation.


Wrong. Google hands your email to software agents that select ads you are most likely interested to see. Microsoft hands your email to lawyers who will later sue you.



Did Google management order him to look into that data searching for something Google management wanted? No. Was he fired for that? Yes.


I am not saying it's equivalent. I'm just saying it's hypocritical in the extreme.

When it comes to "automated process goes through my email to decide which soda to offer me" ... I am not pleased, but not very worried. My bank does worse.

When it comes to "people go through my and other people's email to decide who to sue for what without legal oversight" that hits an 11 on the WTF scale.

I will NEVER trust Microsoft with one iota of my data again. They proved here that they will use it against me if it serves their business interest, or just snoop through it if they don't understand how something happened. At least the NSA claims they snoop through my email to "protect America". Microsoft clearly goes through my email to improve Microsoft's bottom line. It wasn't even an employee's email they went through. It was an external hotmail customer that trusted them with this email.

This is akin to your bank going through the documents in your safe then using the found information to wire money to the Bank's CEO. This is way, way over the red line.

If they did this with physical mail, the minimum punishment for whoever in Microsoft did this would include jail time. We should have the same regulation for email.


Maybe. The carte is as blanche as there are ways to interpret "protection of Microsoft's rights or property."

Microsoft has, for example, the right to petition government without fear of reprisal. It could protect this right if Microsoft were to review any email accounts of lawmakers or regulators to ensure that they never express any animus against Microsoft based on past filings or appeals.

Microsoft may wish to protect its property by scanning every hotmail account for discussions of havens for illicit software, like torrents or newsgroups, trying to determine exactly what each user has downloaded and when.

Extreme examples are just for illustration. I don't think Microsoft will jump on those as next steps. But if the question is, "Could these user agreements justify things that would make us a little uncomfortable?" I think the answer is probably yes. Are we there just yet? Maybe, maybe not.


Do they have a similar agreement in the Windows EULA? Because that would scare me.


If you somehow know what version of the Windows EULA applies to your installation (that's not easy), you should go read it.


Please don't spread FUD. I've never tried to find the EULA before, but it appears to be pretty simple.

1) Go to www.microsoft.com 2) Search "windows 8 eula" (http://search.microsoft.com/en-us/results.aspx?form=MSHOME&m...) 3) Click the top link to download the EULA

Same thing worked when I tried "windows 7 eula" (http://www.microsoft.com/en-us/search/results.aspx?form=MSHO...)

These are also top results when I try the same query on Google.

Did you even try to find it?


The Windows EULA is quite scary in many places however the worst thing is the dev tools EULAs.


How is the dev EULA scary? Don't leave us hanging.


The only potentially troubling thing I could find in the VS 2013 EULA relating to privacy is that

Microsoft automatically collects information identifying your installed Microsoft product, the operating system of the device, the CPU architecture of the operating system and data regarding the success or failure of the installation of the software, data identifying the cause of a crash in the product and information about the product license which is in use.

. . . .

Microsoft may use the computer and services information to improve its software and services. Microsoft may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software.

In principle, this could be interpreted quite broadly ("selling detailed information about our installed base to third-party marketing software firms helps us pay for improvements to our software").


I did not see similar language in Google's ToS or Privacy Policy:

https://mail.google.com/mail/help/intl/en/terms.html

However I read very quickly so please correct me if I'm wrong.


This bit maybe?

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

...

protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

[1] http://www.google.com/intl/en/policies/privacy/


It would be interesting to see if Microsoft has or will disclose how often it has leveraged this clause to tap into its customers' personal emails 'to protect the rights or property of Microsoft'. It may be a bigger number than we think


Off topic: The name Office of Legal Compliance immediately made me think of 1984's Ministry naming. Similarly to how the Ministry of Truth's job is to spread propaganda and falsify history in the novel, this Office of Legal Compliance department's job is to ask themselves, "How far can we push the envelope toward being illegal, but still remain within legal boundaries?"

Essentially their job is dealing with things that border on being illegal. Determining how far you can get to illegality, while remaining technically inside legality.

For the first time the notion of "newspeak" in real life has clicked for me. I'd never grokked the idea from the novel, other than as some fear mongering fantasy that Orwell invented for the sake of compelling irony. But now I see, names actually make sense, from a certain angle. They weren't purely ironic devices.

For the record, I'm NOT comparing Microsoft to Big Brother. Just funny to draw that parallel in naming choices.


"How far can we push the envelope toward being illegal, but still remain within legal boundaries?"

This would be better phrased as 'how far can we go in pursuit of our employer's legitimate interests, but still remain within legal boundaries.' As phrased, you're treating illegality as a goal in itself, but this isn't the case. All companies have interests, but the most obvious and efficient means of pursuing those interests may be at odds with any of the many regulations governing corporate activity. Compliance departments specialize in making sure firms stay on the right side of that line, and in a complex economy with complex regulatory regimes that's a full time job.

As far as naming choices go, 'compliance' is the standard term in industry for ensuring that a firm's behavior is lawful, and it doesn't carry any connotation of pushing boundaries or circumventing the law. There's no 'newspeak' here except in your own mind, unless you actually believe that companies aspire to illegal behavior as a matter of course.


Companies like Microsoft leave the legality of their actions to the compliance team. They have interest in pursuing both legal and illegal actions and their compliance department has the task of ensuring even the illegal stuff can be bent into conformance to the letter of the law. It's not aspiring to illegal behavior for the illegality of it. It's only that the closer you get to the edge, the more advantages you squeeze out of the situation.


I think you're pursuing a fantastical notion here. It's more like, "hey we can get a great business deal and corner a market by doing this, this and this - legal team: are we doing anything wrong here?" They aren't cackling in a corner somewhere thinking about opportunities to toe the line. They're legitimately trying to beat the competition and some of those ways might potentially be illegal, so they need to get the okay or not before fucking up publicly and majorly.


More than once I witnessed questions to the effect of "how far can we go before we break the law" be asked. The person who asked had full knowledge his/her plans were illegal. He/She just needed to know where to stop.


This statement is completely nonsensical. If the person had full knowledge that the plans were illegal, why would he/she ask how far they can go before breaking the law? He/she clearly didn't know where the boundaries were.


Huh? A person can have a plan to go from 0-100 miles an hour and ask where the speed limit is. Stories similar in a business environment are reasonably normal. "Compliance" is strictly a legal CYA department (as is anything relating to HR or "Ethics", btw.)


Why is he/she asking if he/she already knows it is illegal? And also why doesn't he/she know his/her own sex?


This conversation between you and you is getting complicated. Maybe he/she (the parent post of my parent post) has credible information about he/she and does not want to expose the he/she's company or who he/she is referencing. I am a he, in case you would like to refer to me in your response. Please let me know your sex too.


> He/She just needed to know where to stop.

Well, that's a good thing right? You're pretty much saying "I knew this person once who wanted to do something, knew it was illegal and so scaled back their plans to fit within the law. What a scumbag."


> "hey we can get a great business deal and corner a market by doing this, this and this - legal team: are we doing anything wrong here?"

Wrong question.

Should be: "are we doing anything illegal here?".

Just because it's legal doesn't mean it's right. That's the whole point here.

If you have an Office of Legal Compliance whose job is strictly to decide whether something is within the law or not, a corporation might easily get the idea they can get away with doing all sorts of wrongs.

Is it legal? Possibly, apparently. But should you nose through somebody's private email without their consent? Is that ever the right thing to do? I'm gonna say no, almost always. There may be a few exceptions in some specific circumstances, but that is not for the Office of Legal Compliance to determine because ethics isn't their job.

(it might be nice if it was, but it's not)


To be honest: Some enterprises can operate fully within the law without ever experiencing a conflict of interest (example: you sew clothes, and sell them). Some enterprises operate completely without regard of the law (example: drug smuggling, extortion, slave trade), and correspondingly have to hide a very large part of their operations from law enforcement. A third category of enterprises has goals that are at least partly in conflict with the goals of laws and regulations. This obviously happens very frequently when said laws and regulations are set up for the protection of employees, farm animals, the environment, customers, market entrants, etc. in their respective role, versus employers in general, mass-production of animal products, exploitation of natural resources, selling of legal stimulants such as alcohol and tobacco. This third kind of company usually only hides part of their operations from law enforcement or the public, because their business model is compatible with compatible goals, but they are often seen (i) suppressing information about certain parts of their business, (ii) practicing aggressive lobbying and (iii) relying heavily on legal counsel in order to stay within the law while pursuing their business activities. Basic economic sense tells you that retaining lobbyists and legal counsel costs money, hence organizations that don't need it would never spend money on either. "Complex regulatory regimes" usually don't happen by themselves, but because the people making laws are driven (by private or public interests) to assume that it is necessary to influence what companies and individuals do.


(from regular Microsoft employee perspective): this article does make them seem like that. Usually, in my interactions with Legal Compliance, they make sure everything we do is 100% legal, and prevent us from even coming close to the border of legality. They assume that we programmers don't think about complicated legal matters, so they go over a lot of the projects we work on and make us adhere to very strict privacy compliance that most of our competitors breeze over.


Thanks for chiming in. I'm sure that's how legal departments work in most companies, and I didn't mean to suggest otherwise. Yes, just in this case TFA is talking about an isolated situation where my comment happens to be pertinent.


I have no experience with Microsoft, but my experiences with equivalent legal departments in other big tech. companies match his view - they play it safe to the point of being insanely anal about it. These guys aren't there to make sure the company can do as much as possible, they're there to make sure there's no way anything can go wrong legally, and given it's their asses on the line if they take too big a risk, they'll always stray way away from the edge.


"Legal" and "compliance" offices are not unusual in large organizations; they do exactly what they sound like they do. Legal is the lawyers. Compliance is the group that audits the organization and ensures all relevant legal and industry regulations are being met.

Alternatively, the "office of Trustworthy Computing" over which Scott Charney[1] presides does sound creepy.

https://www.youtube.com/watch?v=AUfSp5SnKL0


'Legal's' advice tends to be extremely conservative because the cost of court cases is high even if you win.


I think it goes beyond that: internal Legal Offices' advice tends to be even more conservative than that would explain because:

1) If the advice is too conservative, and the company refrains from some action that it could have undertaken safely, then leadership blames the law.

2) If the advice is insufficiently conservative, and the company undertakes some action from which it should have refrained and it blows up in their face, then leadership blames Legal for blessing the action.


Err, that explains being conservative.

My point is being within the law is not quite enough. You want to be so far within the law that you can get most court cases thrown out without actual litigation.

Or as a rich friend of mine put it. I like paying a little extra in taxes every year. Sure, I could take every deduction but I like knowing if I am ever audited I will end up with a nice check.


(Microsoft employee here)

Note that "Trustworthy Computing (TWC)", by name and mission, is intentionally distinct from the "Trusted Computing" initiatives.

It's a subtle but essential distinction between trust meaning "to rely upon another party" and trustworthy meaning basically "reliable". (my own definitions)


> For the record, I'm NOT comparing Microsoft to Big Brother.

I will: Microsoft is a big corporation who spies on its users to protect its interests. Incidentally, there are many other Big Brothers like them: Facebook, Google…

People should read some cyberpunk literature. Read William Gibson's Neuromancer, or play Android Netrunner. We're halfway there.


There's probably quite a few people who are unfamiliar when back in the day, they were working with Prodigy to verify anybody using Prodigy didn't have a counterfeit MS license on their PC.

Nothing ever happened to either company, and you'd be hard pressed to find an article on it, but MS has been snooping on their users for a long, long time.


Orwell was pointing to a very real phenomenon with "newspeak". For the best examples look to how political leaders talk about military conflicts. Language regarding conflict is very well chosen and quite misleading. Terms like "collateral damage", "area denial weaponry", "enhanced interrogation", "enemy combatants" are not exactly ironic, but they do have true meanings and implications very far from what they superficially sound like. Examples of true ironic "newspeak" can also be readily found. You may have heard leaders talk about various military, police, and spying agencies protecting your "freedom", despite the obvious roles they have in restricting your freedom. Talk about freedom often actually means "freedom to do what we want", which is, of course, the opposite of freedom.

To give a common example, an invasion will often be talked about by the invading power as a "liberation". Yet the act of liberation by a foreign power always ends with that foreign power having significant local political influence and access to natural resources (and may involve permanent occupation).

Or take the "war on terror" for example. Superficially, a "war on terror" should make people LESS afraid. Yet, in practise the politicians engaged in the "war on terror" have actively tried to encourage fear (in order to justify granting extraordinary powers). The irony is so blatant it's right there in the name. Being at war makes people more afraid, so declaring war on terror is automatically ironic. It's like having an orgy to promote abstinence.


It depends on how you define terror though


That's kind of the point.


That's nothing! "Microsoft's Trustworthy Computing Investigations department" is quintessentially Orwellian!


Ignoring the rather dodgy legal shenanigans here, it was pretty silly to discuss doing nasty things to Microsoft, on MS controlled systems.


Might I recall that competing with foreign companies using Gmail accounts is silly too, but we still do it, betting they're not organized enough yet to find the information.

On the plus side, it shows that even Microsoft internal enemies love Hotmail.


I liked "Trustworthy Computing Investigations".


There are so many laws and regulations, and the larger a company is the more such applies. A staff is required to constantly review and make sure the law is complied with. Having good intentions is hardly sufficient.


This is not the first time Microsoft had actual employees look through their users' personal accounts. At least Google only mines the data algorithmically, but this is way worse.

http://wmpoweruser.com/watch-what-you-store-on-skydriveyou-m...

This is why I think Microsoft's "privacy attack ads" against Google are done in really poor taste - not necessarily because some or most of them aren't true, but because I know the company doing those ads is just as bad or worse for the very same thing they're accusing Google of. I can't support that.


How do you figure actual employees were trawling through emails in that incident?

Here's Google nailing someone for child porn.

http://sacramento.cbslocal.com/2013/11/21/googles-role-in-wo...

AFAIK almost all online storage services use automatic scanners to screen out items violating the ToS.

>At least Google only mines the data algorithmically, but this is way worse.

Really? How do you even know if the Google CEO read your Gmail today? What recourse do you have? None.

http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...


>Really? How do you even know if the Google CEO read your Gmail today? What recourse do you have? None.

This is simply a risk you take with any company you become a customer of. You willingly give that company certain power over you. Rogue employees will always be able to do things that are harmful.

There are many cases of rogue employees working for Comcast and AT&T who will look up someone's IP address and find their full name and address, and harass them or spread that information. Most of the time, some number of employees need access to information like that, and eventually one of them will end up going rogue or becoming mentally unstable.


This is just on an official level. Years ago, an overseas Hotmail support employee confided that if needed they will snoop in a friend's gf's email account if asked as a favor. Hopefully they instituted controls to halt this behavior since then.


So you might have to make some logical leaps to get to this one with me but. Would you be willing to pay to have an email address provided by the US Postal Service? Based on a reading of the law correspondence "delivered" by the postal service would be federally protected. Maybe it's time for the mail service to go digital.


The USPS was pitching email services like a decade ago. The argument was exactly that -- tampering with their emails would be a federal offense.

I don't understand why in this case, MS couldn't have easily gotten a subpoena, anyways.


You can't get a subpoena issued against yourself any more than you can sue yourself. This should be obvious...


Well, yes you can...one branch of a company could legally compel (and would if there are separate privacy policies) another to give up information as part of an investigation.


Even if the branches aren't distinct legal entities? IANAL, but according to Microsoft Deputy Counsel John Frank, "Courts do not issue orders authorizing someone to search themselves" [1].

[1] http://arstechnica.com/tech-policy/2014/03/arrest-of-secret-...


You're not asking for a search warrant, you're asking to be allowed ('compelled') to look at a specific business record that groupA made but isn't accessible to groupB without permission of record_creater, UserX, or court order. Basically you're asking the court to say it's OK to go around privacy or contractual obligations in order to investigate something.


I would even pay for that.

Heck they could provide a google-for-domains for the Post Service customers, and still have gmail interface.

With federal protection.


I think to meet the legal test it would have to hit servers controlled by the USPS so that it would be considered "delivered by USPS" but yeah pretty much...


I'm pretty sure the contract with Google would include "Google may not inspect the content of email except to insure proper operation of the system, upon penalty of... blablabla US Postal Code...blahblahblah ...fines ...felony... prison... etc..."


Not sure if that would help since they're already logging all physical mail.

http://consumerist.com/2013/07/03/forget-the-nsas-hi-tech-sn...


> Only the outside of the mail is [scanned], as opening mail would require a warrant.


Opening is entirely different from scanning the front and back of every item of mail. The linked article is about scanning the front and back of every mail item, which is done domestically.


Metadata is extremely useful.


Is the protection still in effect if the email is handled by a third party? If the email goes to your ISP I would think it can be looked at there since it hasn't reached the Post Office yet.


Contractors are used all the time to truck/fly postal mail around. They need to be bonded probably.


Yes but isn't that after the Post Office has taken delivery?


And then the NSA would have an easier time reading our email. No thanks.


Why would it be easier for the NSA to monitor the USPS than to monitor a private company?


Because they are both branches of the government. The USPS has no incentive to tell taxpayers the NSA is spying on them. At least with a private company there is a profit motive, and they could lose customers over bad press.


> with a private company there is a profit motive, and they could lose customers over bad press

Which means that companies are only going to want to hide, downplay, and pretend to prevent such spying. This sounds familiar..


Furthermore, a private company can just bill the government.

> In December 2012, for instance, Microsoft emailed DITU a PDF invoice for $145,100, broken down to $100 per request for information, the documents appear to show. In August 2013, Microsoft allegedly emailed a similar invoice, this time for $352,200, at a rate of $200 per request. The latest invoice provided, from November 2013, is for $281,000.

from http://www.dailydot.com/news/microsoft-compliance-emails-fbi...


And yet, RSA didn't come totally clean. Other companies can be served with gag orders preventing them from informing their customers of what's going on behind the scenes.

Furthermore, the NSA reading email is effectively a data breach, and many companies take the view that hiding a data breach is a good thing - no press about data breach means no bad press means no lost customers.


The USPS is answerable to Congress, and that makes it rather more accountable to the public than a firm that's only answerable to its shareholders (who, in the US at least, have virtually no input into the governance of a firm).


The CIA is answerable to your Congress, too. How's that accountability working out for you?


Rather better than it is for the CIA, apparently.


Companies also answer to their customers.


They seem to be having a pretty easy time right now... There are no laws protecting you where Google is concerned, but there are many protecting you where the post office is concerned.


I don't think it would be much easier/harder, but at least it would be obviously constitutionally illegal rather than a grey area as it is now.


I remember looking into Microsoft's Healthvault product a few years ago. I was astonished to find this:

"Microsoft may access and/or disclose your personal information if we believe such action is necessary to: (a) comply with the law or respond to legal process served on Microsoft; or (b) protect the rights or property of Microsoft (including the enforcement of our agreements)."

Note clause (b). I thought it was a little off that they can examine your health records to protect their rights and property. But it looks like they are not afraid to use it!

This ditty is still there. In fact if you go to the home page for Health Vault, it says:

"It's your HealthVault account You decide who can see, use, add, and share info, and which health apps have access to it. HealthVault won't provide your health information to any other app or service without your permission."

So as advertised it looks like you get to decide. You have to read pretty far down in their privacy policy before you find the clause I first mentioned. Now of course there are cases where your private information may be used without your permission, but most people would assume that requires some form of legal process... but not for Microsoft.


"The policy for Outlook.com, formerly Hotmail, states that, "We may access information about you, including the content of your communications...to protect the rights or property of Microsoft.""


Sure, but a policy doesn't change the law. If laws were broken - and I am hoping there were in accessing private communications of one of their users - then the policy is irrelevant.


The way I understand it, this is a story about a reporter who had their personal email hacked in order to uncover the identity of a protected source.


That is correct. From the Microsoft statement: "As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites."

One might rephrase it as: 'The TOS allow us to read your data. We will choose to do so if it is sufficiently important to us. We can make this decision unilaterally.'


I hope he can sue them and win.

What Microsoft should have done is obvious: Get the case before a judge and get a search warrant. Use the search warrant to access the communications.

Just because you own the email servers doesn't mean you get to play judge and jury.


On what grounds? IANAL (and I am a Microsoft employee), but this makes no sense to me. As far as I know, warrants are for government agencies, not companies. And assuming a civil case where they were demanding that the provider turn over the emails, wouldn't their conversation with the judge go something like this?

Microsoft: “Judge, we demand that Microsoft turn over these emails.” Judge: “???”

(that is, can you even procedurally attempt to force discovery against yourself?)

Not to mention that the EULA seems to pretty clearly cover exactly this scenario.


While the EULA may "clearly cover exactly this scenario" do you think it would be as easy to extract the information if it was a google or apple trade secret? I kind of think MS would go to the mat for user privacy in that circumstance.


Well, as I tried to allude to, in those cases Apple or Google would file a motion to compel Microsoft to disclose the info. Is it even possible under the rules of civil procedure for Microsoft to file a motion to compel itself to disclose something? Again, I'm not a lawyer, but my understanding is that a judge isn't going to hear the argument if there's no case, even if Microsoft did want the same level of scrutiny.


Yeah, the general rule is that you can't sue yourself, since you can't collect any damages.


Would you rather have Google mine your emails to display ads without human involvement, or would you rather Microsoft personally read your emails? Don't get scroogled.



"The company's legal department determined that it had the right to go through a private email account, citing a leak of proprietary Microsoft code."

Judicial Mandate: Necessary or Superfluous?


At the time of the search, was he a Microsoft employee? At first glance, it appears that he was. This is Microsoft ordering a search of the email of one of its own employees, on its own servers.

Yes, there may be a distinction between private and company emails. But it seems like the lines are somewhat blurry, here.


Microsoft didn't search their employee's email. They searched the blogger's email, the one who wrote about and published screen shots of Windows 8. This is how they found that their employee had leaked the info; they saw his email with the blogger.


Hotmail is a service offered to the public, and the person was accessing it as such. The hotmail account was his personal email account, not his company-provided email account.

Imagine if Ford motors said: Oh, we can look into the Ford cars that Ford employees have bought with their own money and drive to weekend outings with their families, because we made and service the cars.

I don't think this will fly very far.


Hotmail is a service offered to the public by a private entity, subject to certain terms and conditions - one of which is that the private entity (Microsoft) is allowed to put its own interests ahead of those of the user when those interests are threatened.

Should webmail and similar services be regulated so as to put the interests of consumers ahead of service providers? Perhaps, and in many ways this is the approach taken by European regulators in many industries. On the other hand, it has been argued that the rather onerous data protection regulations in the EU are partly to blame for the lesser competitiveness of European firms in that marketplace, by imposing overly burdensome regulatory regimes on entrepreneurs and thus making the barriers to marketplace entry far higher than in the US.


Actually they checked the blogger's account, so it's more like Ford saying they can look into any Ford car if they think an employee is hiding something in it. Of course in this analogy all Ford buyers claim to agree to that so who really knows.


I'd say investigating corporate trade secret leaks with substantial evidence pointing to an MS owned Hotmail account, to which the leaker agreed could be accessed by MS personnel would be deemed necessary.


I don't think the reason is relevant at all. Just because XY says there's probable cause doesn't make it so. That's why we have the judiciary system.

Microsoft has no legal authority to make that call.


They do...it is in the TOS you agree to when you sign up to use Hotmail.


Scroogled!


I think in the end we just need an entirely different infrastructure for all this stuff. Email should never be stored on servers unencrypted.

I have used PGP/GPG but it's not good enough. It fails the mom test (as in my mom couldn't use it, and by extension, it's not ready for the mass market).

If you designed a system from the ground up to be secure, you could do much better.


For those wondering, this is probably the guy behind the wzor.net site: http://www.computerworld.com/s/article/9247091/Windows_leak_...


Slightly OT: I see a lot of people here talking about EULAs. What about EULAs and European law, EU or national? I don't think they're compatible.


If someone stole from me, and I knew how to find the thief, regardless of the legality of the methods, I'd probably do it.


Other email providers do this as well.


I'm sure his lawyers will pick this apart and the judge/jury will determine its legality.


I can't even fathom how it can be illegal. Those are Microsoft owned servers. Once your data is in someone else's cloud, you have no recourse. That's why it's better to have your business files under your own control with OpenOffice or even MS Office instead of Google Apps or Office Online. If MS patched Office to upload your local files to MS servers, you would have a very strong case against them for "stealing" your files. If you upload them to OneDrive/Google Drive, not so much.

In a similar incident, a Google employee accessed personal information, but Google was never penalized for it.

http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...

As usual, Stallman was right when he called cloud computing "careless computing" and a trap. http://www.theguardian.com/technology/blog/2010/dec/14/chrom...


> I can't even fathom how it can be illegal. Those are Microsoft owned servers.

How would you feel about the postal service opening the letters it transports in a similar scenario? Do you think it's morally a-okay for them to unilaterally decide to read your mail without a court order?

I suspect that most people would say "no", even though it all happens on the postal service's own premises, using their own resources. At the same time, I wouldn't be surprised if most people would think like you expressed when it comes to e-mail.

Clearly, more thought needs to go into this to determine in a reasoned and consistent way whether Microsoft's actions were morally right in this particular instance. Value judgments are going to play a role, too. Still, I think it's fairly clear that the answer must be the same for physical and electronic mail.

Edit: I know you were talking more about legality than morality. However, as the physical mail scenario shows, there is already a legal precedent for an actor being prohibited by law from acting in a way that is analogous to what Microsoft has done; and ultimately, the law should follow moral considerations, so those are the more interesting questions anyway.


I always hate when folks make comparisons like this to the USPS for the simple reason that the USPS has reams of laws, codes, and statutes it is bound to follow, full-stop.

These codes explicitly outline how I should expect my mail to be handled by the USPS. They also explicitly define how 3rd parties are handled when they violate your mail. It's all very clear in black & white.

We have expectations of the USPS because of a codified standard. Breaking those expectations is a totally different scenario than the MS scenario.


In some countries, email also has laws around it. My employer cannot read my email, even the email that sits on their servers in my employer-provided email account, except under specific circumstances dictated by law, with an oversight process dictated by law. YMMV. (There are exceptions for incidental access of email by technical staff for the purpose of making the email itself work, filtering spam, etc., vs. searching the contents and giving your boss a printout.)

There's an interesting intersection-of-laws issue. Our email is actually hosted by Microsoft Office 365. When Microsoft performs searches like this, do they touch multiple email accounts? If they ran the equivalent of a grep across their whole email infrastructure, they might violate Danish law in doing so, if their grep touched our mailboxes. So how they access email inboxes in general is something they ought to be pretty careful of. At the very least I hope they're making sure only to search Americans' inboxes, hosted on American servers.


Earlier in this thread someone said, "Once your data is in someone else's cloud, you have no recourse."

As a more general matter, do you think that's the way it should be? Do you feel that your information no longer being yours once it touches someone else's server is the right way to do things?


I don't think that should be the case, but the solution should be more awareness rather than regulation. People should realize that they're giving up something to get a free service or subsidized products like Chromebooks rather than government interfering. Restricting people from searching their own servers will solve nothing.


It seems like it would solve at least one thing.


> Edit: I know you were talking more about legality than morality. However, as the physical mail scenario shows, there is already a legal precedent for an actor being prohibited by law from acting in a way that is analogous to what Microsoft has done;

You don't enter into a contractual relationship with the USPS when you mail or receive a letter. When you sign up for a webmail account, you're doing so on the providing party's terms, and you can't really complain if said webmail provider chooses to enforce the contract that you signed up to.

> and ultimately, the law should follow moral considerations, so those are the more interesting questions anyway.

Whose moral considerations would these be?


> You don't enter into a contractual relationship with the USPS when you mail or receive a letter.

I would argue that that's a historical accident and in any case subject to change, especially in places where the mail system has been deregulated to allow mail service by private companies. For example, in Germany such companies could potentially have terms similar to a contractual agreement (called AGB) that apply as soon as you post a letter.

The underlying point is really this: the current status quo (good protection for physical mail, no protection for electronic mail) is not something that makes sense if you start reasoning from first principles. It simply developed this way for historical reasons (mainly: webmail providers were created in much more lawyer-happy times, and the rules for physical mail developed over a longer time, during which respect for privacy was valued higher for whatever reason).

I believe that it is a fairly safe bet that, if the internet still exists 100 years from now, most places that will be considered civilized in that future will have laws to protect their citizens' privacy no matter what companies would like to write in their contracts.

> Whose moral considerations would these be?

In a democratic society? Everybody's. Yes, a consensus needs to be found, blah blah. The fact that you even felt the need to ask this question is a bit disturbing.


Physical mail is much simpler than electronic mail. Telegrams are more akin to email than an actual piece of mail.

How do I guarantee I don't look at it when I literally have to look at it to provide the service?

There are services which avoid this by using thinner servers, but they are in the minority.


True. Though the comparison I would make is with postcards, and there is still an expectation of privacy there. If somebody in the postal service were found to be reading postcards on purpose, there would be consequences. Intent matters.


> Do you think it's morally a-okay for [whoever] to [whatever]?

Morality is not legality. As a webmail provider, spying on your users is obviously very wrong. Thanks to a number of technicalities and loopholes however, it is also perfectly legal.


> If MS patched Office to upload your local files to MS servers, you would have a very strong case against them for "stealing" your files. If you upload them to OneDrive/Google Drive, not so much.

At work, we use Exchange. In the webmail settings, there's a list of plugins, many of which provide basic, necessary core features such as meeting invitations. All the Microsoft plugins had a disclaimer along the lines of "This plugin may send your mail and data to a third-party server".

Not saying they're archiving it, but I'm not sure running Microsoft software is a great idea if you're very worried about the security of your data.


You do have recourse, and it certainly can be illegal.

Just because corporations have a Russia-in-Crimea style boots-on-the-ground advantage when it comes to the cloud doesn't mean you have to throw up your hands and give up when someone violates your rights.


What's the basis for this assertion? The privacy policies seem to have clauses that allow this type of access. The user wilfully enters an agreement to utilize Microsoft's email servers and that agreement explicitly allows this. Even if it didn't, I don't know of any body of law that would say "the text you're uploading to another person's server can't be read by the server's owners", but I'm not a lawyer. Telecomms are different because their infrastructure is a means of conveyance, not a destination, so they need to file the paperwork to tap the comms between the source and the destination. But in this case, there is no unannounced party in the transaction.

If we assume there are no external legal modifiers, it seems pretty straightforward that the server owners should be able to search their own disks for any reason.

The entire premise of free modern email is that the provider will be automatically parsing the text of your emails, composing a profile of your behavior and interests from that text, and attempting to sell you products based on that profile. Wouldn't that be illegal if it's not legal to search your own disks? How come you can agree to ToS and privacy policies that allow that but not policies that say "we can also look at it if we suspect that you're trying to screw us over"?


As a society, we put a limit on which kind of contracts are valid and enforceable. To give an extreme example, if you write into a contract that you sell yourself into slavery, that contract would be invalid and not enforced.

Most countries have similar limitations for consumer protection. For example, Germany has a certain minimum warranty that a manufacturer must provide that cannot be waived away no matter what they try to write in the ToS-style contracts that exist for businesses here (AGB).

Contract law is not a physical law. It is shaped over time - ideally in a way that follows a consensus of all citizens in a democratic society. If we feel that morally, webmail providers should not have the right to do targeted investigations in their hosted mailboxes (which is easily distinguished from the kind of algorithmic scanning for marketing purposes), then that can (and should) be turned into law.


You're making a good argument. I hope it will be tested in court.


Your landlord doesn't have the right to snoop in your personal files just because they own where they're stored.

The EULA in this case said they can spy if needed to protect their IP rights, but that doesn't fly in this case. The IP was already stolen, and spying on this journalist doesn't put the horse back in the barn and undo the leak. Catching the thief doesn't protect their rights, because the crime is already done.


It could be illegal, especially if their own ToS doesn't permit them to do that, and promise you stronger privacy.

But it seems they have their bases covered on that, so we'll see.


Doesn't matter. In a criminal prosecution, relevant evidence is only excluded if it was obtained by the government breaking the law -- not a private party. The exclusionary rule's entire justification is to chill over-zealous police, not private persons.

Whether the defendant has a separate civil claim against the violator is a different question, but it has no bearing on the admissibility of the evidence in the criminal prosecution.


What did they smell in there?


GMail Man!

Oh wait.


Excellent cover story. They really pulled out all the tops.


Why would you ever think they wouldn't? One of the many reasons that webmail is for jokers.


How is this related to webmail? That's just a choice regarding email clients. The matter of privacy and access are related to who has access to your email server.


"Webmail" generally implies that a large company owns and administers the server, and messages are stored on it indefinitely - in other words, completely out of your control and subject to the inherent corruption that centralization brings. Remember back in the day when you wouldn't take someone with a @hotmail or @yahoo address seriously? We shouldn't have stopped just because the domain changed to @gmail.



