

Microsoft sniffed blogger's Hotmail account to trace leak - mglauco
http://news.cnet.com/8301-10805_3-57620658-75/microsoft-sniffed-bloggers-hotmail-account-to-trace-leak/?part=rss&tag=feed&subj=News-Microsoft&utm_source=twitterfeed&utm_medium=twitter
The company&#x27;s legal department determined that it had the right to go through a private email account, citing a leak of proprietary Microsoft code
======
300bps
Before anyone else comments that hasn't read the full article, here is the
very end:

 _Legally, Microsoft appears to be protected by its privacy policies. The
policy for Outlook.com, formerly Hotmail, states that, "We may access
information about you, including the content of your communications...to
protect the rights or property of Microsoft."_

This is the agreement that every user agreed to when they signed up for
Hotmail or Outlook. It's not carte blanche for Microsoft to go through your
email, but it seems to allow them to do it for a very particular purpose.

~~~
loup-vaillant
> _This is the agreement that every user agreed to when they signed up for
> Hotmail or Outlook._

No they didn't. Over 99% of them clicked through without reading. Some of them
suspected Microsoft might one day read their email, but somehow shrugged it
off, then forgot about it.

If people were truly informed, most would not give consent. Make no mistake:
using a hotmail or gmail account means giving away a good chunk of your
private correspondence. It also affects whoever you're communicating with,
even if they have their own private mail server.

We need those Freedom Boxes. Fast.

~~~
DannyBee
"If people were truly informed, most would not give consent. "

I strongly disagree. Most would bitch about it, then do it anyway, knowing it
may be a shitty deal for them. That is consent.

~~~
loup-vaillant
In the current situation, sure. Because we don't have real alternatives. (I
maintain my own web server, but that's impossible for most users.) But if
people were informed, that would create a market for privacy.

~~~
mpyne
> But if people were informed, that would create a market for privacy.

If people really cared, then that market would exist today. "Get your $5/mo.
_much more private_ email from privateemail.com!!". This notional private
email provider would be able to advertise Outlook.com, GMail, etc.'s privacy
policies independently of those email providers to ensure that "click through"
isn't the only reason people are unaware.

~~~
Aoyagi
That market does exist today, Fastmail.fm is only one example I can think of
off the top of my head (I surely got the ofs and offs wrong). I talk about
them so much that I sometimes feel like a marketing goon ...

~~~
loup-vaillant
They're not a viable privacy option. And it has little to do with their
ethics: they are still vulnerable to subpoenas, many of their users don't even
live in the same country…

The only viable privacy option is to host your mail at home. It doesn't have
to be difficult. We "just" need a suitably tailored GNU/Linux distribution in
a Sheeva Plug, or Raspberry Pi, that you just plug-in, then use as a web
service. (Just one snag: your ISP must allow you to send and receive e-mail:
many close off port 25, and some even ban home servers.)

Now to get your email, they need a search warrant and someone to knock on your
door, which is inconvenient and costly.

~~~
bentcorner
Could you host your mail on a VPN instead? I wouldn't mind doing this except
for the fact that I'm 100% certain I'd get something wrong.

------
talklittle
Off topic: The name _Office of Legal Compliance_ immediately made me think of
_1984_ 's Ministry naming. Similarly to how the Ministry of Truth's job is to
spread propaganda and falsify history in the novel, this Office of Legal
Compliance department's job is to ask themselves, "How far can we push the
envelope toward being illegal, but still remain within legal boundaries?"

Essentially their job is dealing with things that border on being illegal.
Determining how far you can get to illegality, while remaining technically
inside legality.

For the first time the notion of "newspeak" in real life has clicked for me.
I'd never grokked the idea from the novel, other than as some fear mongering
fantasy that Orwell invented for the sake of compelling irony. But now I see,
names actually make sense, from a certain angle. They weren't purely ironic
devices.

For the record, I'm NOT comparing Microsoft to Big Brother. Just funny to draw
that parallel in naming choices.

~~~
anigbrowl
_" How far can we push the envelope toward being illegal, but still remain
within legal boundaries?"_

This would be better phrased as 'how far can we go in pursuit of our
employer's legitimate interests, but still remain within legal boundaries.' As
phrased, you're treating illegality as a goal in itself, but this isn't the
case. All companies have interests, but the most obvious and efficient means
of pursuing those interests may be odds with any of the many regulations
governing corporate activity. Compliance departments specialize in making sure
firms stay on the right side of that line, and in a complex economy with
complex regulatory regimes that's a full time job.

As far as naming choices go, 'compliance' is the standard term in industry for
ensuring that a firm's behavior is lawful, and it doesn't carry any
connotation of pushing boundaries or circumventing the law. There's no
'newspeak' here except in your own mind, unless you actually believe that
companies aspire to illegal behavior as a matter of course.

~~~
rbanffy
Companies like Microsoft leave the legality of their actions to the compliance
team. They have interest in pursuing both legal and illegal actions and their
compliance department has the task of ensuring even the illegal stuff can be
bent into comformance to the letter of the law. It's not aspiring to illegal
behavior for the illegality of it. It's only that the closer you get to the
edge, the more advantages you squeeze out of the situation.

~~~
bennyg
I think you're pursuing a fantastical notion here. It's more like, "hey we can
get a great business deal and corner a market by doing this, this and this -
legal team: are we doing anything wrong here?" They aren't cackling in a
corner somewhere thinking about opportunities to toe the line. They're
legitimately trying to beat the competition and some of those ways might
potentially be illegal, so they need to get the okay or not before fucking up
publicly and majorly.

~~~
rbanffy
More than once I witnessed questions to the effect of "how far can we go
before we break the law" be asked. The person who asked had full knowledge
his/her plans were illegal. He/She just needed to know where to stop.

~~~
hueving
This statement is completely nonsensical. If the person had full knowledge
that the plans were illegal, why would he/she ask how far they can go before
breaking the law? He/she clearly didn't know where the boundaries were.

~~~
001sky
Huh? A person can have a plan to go from 0-100 miles an hour and ask where the
speedlimit is. Stories similar in a business environment are reasonably
normal. "Compliance" is strictly a legal CYA department (as is anything
relating to HR or "Ethics", btw.)

------
higherpurpose
This is not the first time Microsoft had _actual employees_ look through their
users' personal accounts. At least Google only mines the data algorithmically,
but this is way worse.

[http://wmpoweruser.com/watch-what-you-store-on-
skydriveyou-m...](http://wmpoweruser.com/watch-what-you-store-on-skydriveyou-
may-lose-your-microsoft-life/)

This is why I think Microsoft's "privacy attack ads" against Google are done
in really poor taste - not necessarily because some or most of them aren't
true, but because I know the company doing those ads is just as bad or _worse_
for the very same thing they're accusing Google of. I can't support that.

~~~
ntakasaki
How do you figure actual employees were trawling through emails in that
incident?

Here's Google nailing someone for child porn.

[http://sacramento.cbslocal.com/2013/11/21/googles-role-in-
wo...](http://sacramento.cbslocal.com/2013/11/21/googles-role-in-woodland-
child-pornography-arrest-raises-privacy-concerns/)

AFAIK almost all online storage services use automatic scanners to screen out
items violating the ToS.

>At least Google only mines the data algorithmically, but this is way worse.

Really? How do you even know if the Google CEO read your Gmail today? What
recourse do you have? None.

[http://gawker.com/5637234/gcreep-google-engineer-stalked-
tee...](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-
on-chats)

~~~
meowface
>Really? How do you even know if the Google CEO read your Gmail today? What
recourse do you have? None.

This is simply a risk you take with any company you become a customer of. You
are willingly give that company certain power over you. Rogue employees will
always be able to do things that are harmful.

There are many cases of rogue employees working for Comcast and AT&T who will
look up someone's IP address and find their full name and address, and harass
them or spread that information. Most of the time, some number of employees
need access to information like that, and eventually one of them will end up
going rogue or becoming mentally unstable.

------
batoure
So you might have to make some logical leaps to get to this one with me but.
Would you be willing to pay to have a email address provided my the US Postal
Service? Based on a reading of the law correspondence "delivered" by the
postal service would be federally protected. Maybe its time for the mail
service to go digital.

~~~
jdreaver
And then the NSA would have an easier time reading our email. No thanks.

~~~
teraflop
Why would it be easier for the NSA to monitor the USPS than to monitor a
private company?

~~~
jdreaver
Because they are both branches of the government. The USPS has no incentive to
tell taxpayers the NSA is spying on them. At least with a private company
there is a profit motive, and they could lose customers over bad press.

~~~
anigbrowl
The USPS is answerable to Congress, and that makes it rather more accountable
to the public than a firm that's only answerable to its shareholders (who, in
the US at least, have virtually no input into the governance of a firm).

~~~
shaggyfrog
The CIA is answerable to your Congress, too. How's _that_ accountability
working out for you?

~~~
anigbrowl
Rather better than it is for the CIA, apparently.

------
jis
I remember looking into Microsoft's Healthvault product a few years ago. I was
astonished to find this:

"Microsoft may access and/or disclose your personal information if we believe
such action is necessary to: (a) comply with the law or respond to legal
process served on Microsoft; or (b) protect the rights or property of
Microsoft (including the enforcement of our agreements)."

Note clause (b). I thought it was a little off that they can examine your
health records to protect their rights and property. But it looks like they
are not afraid to use it!

This ditty is still there. In fact if you go to the home page for Health
Vault, it says:

"It's your HealthVault account You decide who can see, use, add, and share
info, and which health apps have access to it. HealthVault won't provide your
health information to any other app or service without your permission."

So as advertised it looks like you get to decide. You have to read pretty far
down in their privacy policy before you find the clause I first mentioned. Now
of course there are cases where your private information may be used without
your permission, but most people would assume that requires some form of legal
process... but not for Microsoft.

------
jasonlotito
"The policy for Outlook.com, formerly Hotmail, states that, "We may access
information about you, including the content of your communications...to
protect the rights or property of Microsoft.""

~~~
nikster
Sure, but a policy doesn't change the law. If laws were broken - and I am
hoping there were in accessing private communications of one of their users -
then the policy is irrelevant.

------
zaroth
The way I understand it, this is a story about a reporter who had their
personal email hacked in order to uncover the identity of a protected source.

~~~
bainsfather
That is correct. From the Microsoft statement: "As part of the investigation,
we took the step of a limited review of this third party's Microsoft operated
accounts. While Microsoft's terms of service make clear our permission for
this type of review, this happens only in the most exceptional circumstances.
We apply a rigorous process before reviewing such content. In this case, there
was a thorough review by a legal team separate from the investigating team and
strong evidence of a criminal act that met a standard comparable to that
required to obtain a legal order to search other sites."

One might rephrase it as: 'The TOS allow us to read your data. We will choose
to do so if it is sufficiently important to us. We can make this decision
unilaterally.'

------
nikster
I hope he can sue them and win.

What Microsoft should have done is obvious: Get the case before a judge and
get a search warrant. Use the search warrant to access the communications.

Just because you own the email servers doesn't mean you get to play judge and
jury.

~~~
kvb
On what grounds? IANAL (and I am a Microsoft employee), but this makes no
sense to me. As far as I know, warrants are for government agencies, not
companies. And assuming a civil case where they were demanding that the
provider turn over the emails, wouldn't their conversation with the judge go
something like this?

Microsoft: “Judge, we demand that Microsoft turn over these emails.” Judge:
“???”

(that is, can you even procedurally attempt to force discovery against
yourself?)

Not to mention that the EULA seems to pretty clearly cover exactly this
scenario.

~~~
itsdrewmiller
While the EULA may "clearly cover exactly this scenario" do you think it would
be as easy to extract the information if it was a google or apple trade
secret? I kind of think MS would go to the mat for user privacy in that
circumstance.

~~~
kvb
Well, as I tried to allude to, in those cases Apple or Google would file a
motion to compel Microsoft to disclose the info. Is it even possible under the
rules of civil procedure for Microsoft to file a motion to compel _itself_ to
disclose something? Again, I'm not a lawyer, but my understanding is that a
judge isn't going to hear the argument if there's no case, even if Microsoft
did want the same level of scrutiny.

~~~
pionar
Yeah, the general rule is that you can't sue yourself, since you can't collect
any damages.

------
ChrisGaudreau
Would you rather have Google mine your emails to display ads without human
involvement, or would you rather Microsoft personally read your emails? Don't
get scroogled.

------
ABS
existing thread:
[https://news.ycombinator.com/item?id=7434584](https://news.ycombinator.com/item?id=7434584)

------
mglauco
"The company's legal department determined that it had the right to go through
a private email account, citing a leak of proprietary Microsoft code."

Judicial Mandate: Necessary or Superfluous?

~~~
rossjudson
At the time of the search, was he a Microsoft employee? At first glance, it
appears that he was. This is Microsoft ordering a search of the email of one
of its own employees, on its own servers.

Yes, there may be a distinction between private and company emails. But it
seems like the lines are somewhat blurry, here.

~~~
chris_mahan
Hotmail is a service offered to the public, and the person was accessing it as
such. The hotmail account was his personal email account, not his company-
provided email account.

Imagine if Ford motors said: Oh, we can look into the Ford cars that Ford
employees have bought with their own money and drive to weekend outings with
their families, because we made and service the cars.

I don't think this will fly very far.

~~~
anigbrowl
_Hotmail is a service offered to the public_ by a private entity, subject to
certain terms and conditions - one of which is that the private entity
(Microsoft) is allowed to put its own interests ahead of those of the user
when those interests are threatened.

Should webmail and similar services be regulated so as to put the interests of
consumers ahead of service providers? Perhaps, and in many ways this is the
approach taken by European regulators in many industries. On the other hand,
it has been argued that the rather onerous data protection regulations in the
EU are partly to blame for the lesser competitiveness of European firms in
that marketplace, by imposing overly burdensome regulatory regimes on
entrepreneurs and thus making the barriers to marketplace entry far higher
than in the US.

------
aiiane
Scroogled!

------
nikster
I think in the end we just need an entirely different infrastructure for all
this stuff. Email should never be stored on servers unencrypted.

I have used PGP/GPG but it's not good enough. It fails the mom test (as in my
mom couldn't use it, and by extension, it's not ready for the mass market).

If you designed a system from the ground up to be secure, you could do much
better.

------
mikevm
For those wondering, this is probably the guy behind the wzor.net site:
[http://www.computerworld.com/s/article/9247091/Windows_leak_...](http://www.computerworld.com/s/article/9247091/Windows_leak_site_Wzor_goes_dark_a_day_after_feds_arrest_Microsoft_mole)

------
Aoyagi
Slightly OT: I see a lot of people here talking about EULAs. What about EULAs
and Europan law, EU or national? I don't think they're compatible.

------
jgalt212
If someone stole from me, and I knew how to find the thief, regardless, of the
legality of the methods, I'd probably do it.

------
benguild
Other email providers do this as well.

------
dmix
I'm sure his lawyers will pick this apart and the judge/jury will determine
its legality.

~~~
ntakasaki
I can't even fathom how it can be illegal. Those are Microsoft owned servers.
Once your data is in someone else's cloud, you have no recourse. That's why
it's better to have your business files under your own control with OpenOffice
or even MS Office instead of Google Apps or Office Online. If MS patched
Office to upload your local files to MS servers, you would have a very strong
case against them for "stealing" your files. If you upload them to
OneDrive/Google Drive, not so much.

In a similar incident, a Google employee accessed personal information, but
Google was never penalized for it.

[http://gawker.com/5637234/gcreep-google-engineer-stalked-
tee...](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-
on-chats)

As usual, Stallman was right when he called cloud computing "careless
computing" and a trap.
[http://www.theguardian.com/technology/blog/2010/dec/14/chrom...](http://www.theguardian.com/technology/blog/2010/dec/14/chrome-
os-richard-stallman-warning)

~~~
nhaehnle
_I can 't even fathom how it can be illegal. Those are Microsoft owned
servers._

How would you feel about the postal service opening the letters it transports
in a similar scenario? Do you think it's morally a-okay for them to
unilaterally decide to read your mail without a court order?

I suspect that most people would say "no", even though it all happens on the
postal services own premises, using their own resources. At the same time, I
wouldn't be surprised if most people would think like you expressed when it
comes to e-mail.

Clearly, more thought needs to go into this to determine in a reasoned and
consistent way whether Microsoft's action were morally right in this
particular instance. Value judgments are going to play a role, too. Still, I
think it's fairly clear that the answer must be the same for physical and
electronic mail.

Edit: I know you were talking more about legality than morality. However, as
the physical mail scenario shows, there is already a legal precedent for an
actor being prohibited by law from acting in a way that is analogous to what
Microsoft has done; and ultimately, the law should follow moral
considerations, so those are the more interesting questions anyway.

~~~
Domenic_S
I always hate when folks make comparisons like this to the USPS for the simple
reason that _the USPS has reams of laws, codes, and statutes it is bound to
follow, full-stop._

These codes explicitly outline how I should expect my mail to be handled by
the USPS. They also explicitly define how 3rd parties are handled when they
violate your mail. It's all very clear in black & white.

We have expectations of the USPS because of a codified standard. Breaking
those expectations is a totally different scenario than the MS scenario.

~~~
rfrank
Earlier in this thread someone said, "Once your data is in someone else's
cloud, you have no recourse."

As a more general matter, do you think that's the way it should be? Do you
feel that your information no longer being yours once it touches someone
else's server is the right way to do things?

~~~
wetafur
I don't think that should be the case, but the solution should be more
awareness rather than regulation. People should realize that they're giving up
something to get a free service or subsidized products like Chromebooks rather
than government interfering. Restricting people from searching their own
servers will solve nothing.

~~~
esrauch
It seems like it would solve at least one thing.

------
EGreg
What did they smell in there?

------
nullc
GMail Man!

Oh wait.

------
Fasebook
Excellent cover story. They really pulled out all the tops.

------
mindslight
Why would you ever think they wouldn't? One of the many reasons that webmail
is for jokers.

~~~
andybak
How is this related to webmail? That's just a choice regarding email clients.
The matter of privacy and access are related to who has access to your email
server.

~~~
mindslight
"Webmail" generally implies that a large company owns and administers the
server, and messages are stored on it indefinitely - in other words,
completely out of your control and subject to the inherent corruption that
centralization brings. Remember back in the day when you wouldn't take someone
with a @hotmail or @yahoo address seriously? We shouldn't have stopped just
because the domain changed to @gmail.

