
Microsoft defends its right to read your email - gphilip
http://money.cnn.com/2014/03/21/technology/security/microsoft-email/index.html
======
Kerrick
It's terribly ironic, considering the video they "leaked" a couple years ago
lambasting Gmail for reading your email.
[https://www.youtube.com/watch?v=9x4_dozWkq0](https://www.youtube.com/watch?v=9x4_dozWkq0)

------
rlu
(I work for Microsoft, though not for Outlook.com)

Can we stop with the hyperboles and actually be realistic?

Quitting the use of Microsoft services won't really solve anything since, as
has been made clear in other HN threads, the policies of other big players
allow for the same (e.g. Gmail).

Arguing that "oh but Gmail hasn't actually proven they'll use this tactic" is
absolutely absurd. They're saying they can, so nothing stops them from doing
it tomorrow. If they really wouldn't ever do so then that clause would not be
on any terms that users agree to. Ditto for all other major email providers.

Okay, so next we can say "aha! I'll just stand up my own email service!". Two
reality checks...

\--First: if you email anyone using a major email provider then you haven't
really made much progress. Same even if they email you _and you ignore them_.

\--Second: it seems completely unrealistic that this solution would scale to
the entire world. NSA fiasco has proven to me that people value convenience
more than privacy. Otherwise this "stand up your own email/cloud" trend would
have started last summer. None of my friends (even tech friends) have switched
away from gmail or whatever major provider they use.

This situation obviously sucks, but I don't see many reasonable responses to
this. We're smart people here. Let's act like it.

~~~
chaostheory
I feel that the problem is with MS marketing.

[http://www.scroogled.com/mail](http://www.scroogled.com/mail)

~~~
fname
I fail to see how the two are even remotely the same. Google continuously
scans email content to sell ads; while Microsoft does it once and admits it so
they can catch someone stealing trade secrets.

While I agree that the Scroogled campaign does tread slightly into the
hyperbole, I can't agree that this the double-standard that most are making it
out to be.

~~~
chaostheory
It doesn't matter if they're the same. The point of the Scroogled campaign is
to say "the other companies read your emails, while we don't". Like every
other MS marketing campaign, it doesn't take long to unravel.

~~~
basch
Do they read your email? Your parent specifically debunked the point your
trying to make. Microsoft selectively reading one persons mail who was leaking
their activation technology, is not the same as reading their customers
emails.

Hyperbole doesnt make your case stronger. In light of every other privacy
issue happening in the world, this is a non story. I think it would be useful
to prioritize outrage, and direct it to a spy agency or some other countries
military.

~~~
chaostheory
I'm not entirely sure my previous posts were clear enough.

I'm not saying that Outlook / Hotmail is better or worse than competitors in
terms of privacy. I'm saying that an MS Marketing campaign has helped create
an unrealistic perception of MS email services for the public, which after
this PR debacle has created yet another unrealistic perception of MS email
services.

------
eik3_de
_> From the company's point of view, desperate times call for desperate
measures._

So they're saying "the end justifies the means".

I'm saying: _no, stop and don 't_.

Stop using any Microsoft services (don't forget skype) and better yet any of
their products.

~~~
stinos
No they're actually saying "by using Hotmail the client agreed with these
terms of service that in exceptional circumstances yadayadayada and we did
what we were allowed to in this case".

So they shouldn't simply stop doing this (we don't really know how many times
they did of course), they should start by getting rid of terms of service
allowing such constructs - cause technically, they didn't do anything wrong
and their defense seems justified (ianal)

~~~
biff
I suppose it hinges on how intertwined you feel morality is with the law, and
I don't mean to be insulting with this observation because it's a legitimate
difference of opinion.

But "Just because you can doesn't mean you should" is another perspective some
folks take on matters like this.

------
rjzzleep
i'm genuinely curious.

how is that different from gmails privacy policy? do we know anything about
googles behavior with law enforcement wrt gmail? even if gmails eula
technically allows them to "read"/index all you have in your inbox, does that
really legally allow searching for a specific thing? what if there are nlp
based triggers?

also while the article deems this ironic:

> In a move that might be deemed ironic, Microsoft will now add its own
> internal searches to its biannual transparency reports on government
> surveillance. To top of page

i actually think it's a good idea. does google have anything like this? the
real irony is that it reminds me of chinas quarterly human rights report on
the united states.

that said i use gmail in spite of hotmail.

by the way, if you want a simple to setup email server, you can use atmail in
a kvm. there's a whole host of free solutions, but for those who don't want to
fiddle with mail configurations it's worth the 20 bucks

[https://atmail.com/](https://atmail.com/)

~~~
Drakim
I don't know, but Microsoft made a big deal out of saying they were better
than Google with their "Scroogled" campaign.

~~~
kevingadd
What Microsoft did here is different from the Google behavior they criticize
in multiple ways:

Google's ad mechanism reads _all emails_ sent and received by _all gmail
users_ , even in many cases people using paid Google Apps mail unless the
administrator has opted out (I've encountered companies that left gmail ads
enabled). This means that to a degree, the privacy and security of all your
emails is compromised - though we would all hope that Google firewalls that
stuff off carefully and ensures that no traces of the mails remain after
they're scanned for ad keywords.

To say that Microsoft accessing _one account_ based on evidence in order to
gather more evidence for a civil suit - with explicit permission granted by
the user during signup - is equivalent to Google's behavior is just blatantly
wrong.

Both behaviors may be undesirable, but they are very, very different.

~~~
danieldk
_Google 's ad mechanism reads all emails sent and received by all gmail users,
even in many cases people using paid Google Apps mail unless the administrator
has opted out (I've encountered companies that left gmail ads enabled)._

Even when the administrator has switched off ads, e-mails are still mined to
show ads in Google services that are not covered under Google Apps:

[http://safegov.org/2014/1/31/google-admits-data-mining-
stude...](http://safegov.org/2014/1/31/google-admits-data-mining-student-
emails-in-its-free-education-apps)

Since Google Apps for Business uses the same privacy policy, there is little
reason to believe that anything is different when you are paying $5 per user
per month. The privacy policy clearly states that Google can mine your data
for ads. Ads can just be turned off for the services covered by Google Apps
(but not Google+, Google Maps, Youtube, Google Search, etc.).

~~~
magicalist
Just so you're aware, safegov appears to be a Microsoft astrotufing site:
[http://readwrite.com/2013/01/03/googles-ftc-settlement-is-
an...](http://readwrite.com/2013/01/03/googles-ftc-settlement-is-an-epic-fail-
for-microsoft) though you can pretty much tell if you just look at their list
of articles.

In any case, the article is wrong, on a number of fronts, actually. e.g. the
DoubleClick and Google account cookies are never mixed (Google agreed to this
in the wake of concerns over the merger, and it's called out explicitly in the
Google privacy policy), the statement on Enterprise privacy policies and that
testimony about the University of Hawaii don't contradict each other at all,
and it's ridiculous to base a whole article on an entry on the University of
Alaska's email FAQ. The entry is wrong anyway. Check out the "Data Processing
Amendment"[1] that comes with Enterprise/Education accounts, which prohibits
processing data in ways that aren't explicitly enumerated in that document.
Advertising profiling is not included.

[1]
[https://www.google.com/intx/en/enterprise/apps/terms/dpa_ter...](https://www.google.com/intx/en/enterprise/apps/terms/dpa_terms.html)

------
Joeboy
I used to host email for a co-op I'm involved in, and I eventually decided I
didn't want to anymore. I don't recall deliberately reading any, but having my
friends' personal messages sitting on my server in plain text format just
seemed weird and icky and wrong.

I'm sure people will object to this opinion, but I don't think it's reasonable
to send your messages to a third party's server in a _totally_ open,
unobscured format and consider those messages private. I just can't really see
the situation any other way. If you're going to do that, your only reasonable
expectation of "privacy" is hoping that the server's admins aren't
sufficiently interested in your messages to pay any attention to them.

~~~
teacup50
> _I don 't recall deliberately reading any, but having my friends' personal
> messages sitting on my server in plain text format just seemed weird and
> icky and wrong._

It's not icky and wrong, it's part and parcel of the ethics of managing user's
data. I've had access to corporate user's e-mail at various companies for
decades, access to my entire family's e-mail (my wife, parents, siblings -- I
host it for them), access to corporate instant messaging logs, and a whole
slew of other data ...

... and I can definitively state that I've _never_ read _any_ of it without
prior permission, and I've never been remotely tempted.

It's no different than having access to someone's mail, being handed the keys
to a friend's house to house-sit their cats, or having someone hand you their
mobile phone and then step away. As a matter of ethics, courtesy, and decorum,
you simply don't look where you shouldn't.

Even for corporate e-mail, where we have an absolute legal right to look at
e-mail, it's simply not something you do without a legal justification that
outweighs the right to personal privacy -- which is why hosting your
_personal_ e-mail with a third-party _corporation_ is a bad idea if you don't
want them digging through it.

> _I 'm sure people will object to this opinion, but I don't think it's
> reasonable to send your messages to a third party's server in a totally
> open, unobscured format and consider those messages private._

The difference is that a third-party corporation like Microsoft or Google have
very different ideas of ethics, courtesy, and decorum than your friends or
even your employer.

In short, given the _ability_ and even the _legal right_ to engage in privacy-
snooping behavior, everyone is _not_ created equal, and not all relationships
have the sort of constraints that we would (and I posit, should) expect.

~~~
JoeAltmaier
Managing user email as sysadmin is different, in that you can do it with a
total expectation of getting away with it. Not that a moral person would want
to; but since electronic examination of unsecured data leaves no trace when
read, temptation has no buffer.

------
nolok
Managing to make their "Scroogled" anti-google campaign even more awkward than
it already was. Let's be honest, that's impressive.

------
notahacker
So in "exceptional circumstances" \- such as where your email is perceived to
have content which may conflict with Microsoft's commercial interests - they
will read your documents without court approval, and stress that their
standard terms and conditions permit them to do so as your cloud-based email
accounts are "their own property"

I find it hard to believe the commercial value of the IP allegedly being sold
exceeds that of the commercial value of the "cloud" enterprise deals Microsoft
is jeopardising here...

Then again, an article in the sidebar points out that the other big players
also reserve the right to do this:
[http://tech.fortune.cnn.com/2014/03/23/apple-icloud-email-
ki...](http://tech.fortune.cnn.com/2014/03/23/apple-icloud-email-
kibkalo/?iid=s_tech_mid)

------
blisterpeanuts
It seems to me that MS had every right to chase down this pair of nincompoops.
Technically they had the right to scan the unnamed blogger's email, and surely
they had the right and justification to check ex-employee Kibkalo's Skydrive
account for traces of illegally obtained files.

Maybe there should be some kind of more normal procedure such as a court order
rather than merely the "approval of Microsoft's lawyers", but either way they
had justification. The blogger had obtained keys to a new server release and
potentially he or his customers could use it to create highly insecure or
spoofed installations, could they not?

Methinks the world is a safer place now that the leaker was caught.

By the way what's Microsoft doing employing some Russian guy living in
Lebanon, anyway? The whole situation sounds a bit iffy.

~~~
skrebbel
> _By the way what 's Microsoft doing employing some Russian guy living in
> Lebanon, anyway?_

Seriously, what the fuck? Why can't Microsoft, or any company, employ Russian
expats in Lebanon? It's foreign (to you) so it's "iffy"?

~~~
blisterpeanuts
Yes.

------
gphilip
From the article: "Microsoft admitted in federal court documents that it
forced its way into a blogger's Hotmail account to track down and stop a
potentially catastrophic leak of sensitive software. The company says its
decision is justified."

------
snarfy
The telephone company does not have a right to listen to your phone calls. I
know as there are lots of rules for line technicians when someone is on the
line while they are working on it. So why is this true of email? Because of a
EULA? You cannot sign away your rights, EULA or otherwise. That's why they are
called rights.

~~~
quesera
You have no right to privacy in the US. You can't sign it away or have it
violated, because it doesn't exist.

You have a _reasonable expectation_ of privacy, or at least you would if you
hadn't _explicitly_ waived it by agreeing to the ToS.

The phone company is a special case, because the regulations for wire
communications were written in an era when people cared about this sort of
thing, and the zeitgeist wasn't manipulated by the spectre of terror.

I'm not defending Microsoft here. But you'll get no redress from government
(the theoretical defenders of natural rights in a democratic society) in this
case. Obviously.

~~~
msabalau
This is accurate if viewing rights from a US legal perspective.

People who care deeply about privacy could make the case that this is unjust
because there the legal system ought to recognize this as a natural human
right.

Others, of a more philosophical bent, might note that the whole concept of
"rights" is rather silly.

------
DanBC
Email is not secure unless you and the recipient have carefully used
encryption.

This has been true ever since email was invented.

It doesn't matter what the TOS /AUP is - that doesn't stop rogue employees
creeping trough email. It doesn't matter if they advertise it as a secure
sevice or if they use their competitor's advert serving in ads.

We can use words like "wrong", "unethical", "illegal" but that does nothing to
make email more secure.

Stop giving your secrets to a 3rd party and being surprised when they know
your secrets.

~~~
flogic
We hand our info to doctors and lawyers with an expectation of privacy. Full
encryption is nice for some things but in the case of webmail it's a
regressive option. Most of the utility of webmail services relies on trusting
the provider which is fine. A good chunk of what makes modern life work is
being able to trust in reasonable cooperation from others.

------
eiji
These tech companies have to grow up. They are consumer companies now. Just
because you can do something does not mean you do it. The CEO should have made
the call that some tech secrets are not worth the press and upset users. I
understand that it's not that simple, but having this guy shut up was not
worth it. And I want companies to value their customers more than some piece
of code.

------
Tloewald
Perhaps microsoft would be on stronger ground if they had consulted an outside
authority before deciding they had the right to look at their own data.
Instead they simply decided on their own. It's like the police issuing
themselves a search warrant — doesn't matter how correct the reasoning is,
it's procedurally unacceptable.

~~~
kevingadd
They're not the government, they don't need warrants, and they can't sue
themselves or ask the police to investigate something they're going to file a
civil case about.

They had explicit permission to do exactly what they did (you grant that
permission when you sign up for the service). It may be gross that they dug
through someone's email, but they didn't violate any laws or ethical
guidelines. If the people involved didn't want their emails read by Microsoft,
they shouldn't have granted Microsoft permission to read their emails.

~~~
_delirium
Some countries do have an agency to handle these kinds of issues, short of a
court but more than just deciding to read the emails unilaterally. In Denmark
if you as an ISP or a corporation wanted to read the email of your users
and/or employees, you'd file a request with the Data Protection Agency
([http://www.datatilsynet.dk/english/](http://www.datatilsynet.dk/english/))
outlining your case.

It does appear that the U.S. has no such provisions.

------
keule
So let's go back to the pre-electrified area.

You send a letter to a friend with sensible information. The letter is
transported by the post office from door to door. While in transit, the post
office recognizes, from a 3rd party, that a letter exists, that contains
sensible information about the post-office's business. Therefore the CEO of
that company demands a internal investigation, which searches for a letter
with the given senders/recipients address and then opens it.

IANAL, but at least where I come from, there exist laws that acknowledge the
intimacy and privacy of these letters and would sentence this behavior.

So why on earth is everyone talking about policy, terms of service, the lack
of alternatives a.s.o? Nobody sees the desperate need of legislation here?

~~~
jasonlotito
> Nobody sees the desperate need of legislation here?

Why do you feel the need to resort to using legislation to eliminate freedoms
and rights I currently have?

~~~
keule
What? I think you did not understand what I meant by that.

Legislation in this case does not eliminate your freedom, but protects it,
forcing companies to obey to privacy and data protection.

The only freedom that would be eliminated here is the freedom of a company to
abuse data they do not own.

~~~
jasonlotito
> What? I think you did not understand what I meant by that.

I understand exactly what you mean. You don't, however.

> The only freedom that would be eliminated here is the freedom of a company
> to abuse data they do not own.

You would also eliminate my ability to agree to the status quo. These are
rights I have now. Legislation as you suggest would eliminate that freedom
that I have.

You aren't enforcing privacy. You are removing choice and freedom. If
anything, your legislation goes so far as to say I'm not allowed to trade my
data for a service.

So, why do you feel it's okay to legislate away freedoms I have now?

------
ksk
Very few people got upset when email providers started including clauses to
let them do this. There was some mild backlash when gmail started automating
ad delivery via email content but then people went crazy over the 1GB mailbox
and forgot all about it. The lesson being that peoples greed far exceeds any
sense of adherence to privacy principles. Google has used that lesson
effectively to essentially turn Chrome into a key-logger.

If you allow a bomb to be placed in your house its not surprising that once in
a while its going to go off.

To be harsh, _I_ haven't learnt anything either. I use the ms live crap (only
because of office 365) and gmail too.

------
McKittrick
I wonder if this will effect their "gmail man" marketing? you know, the one
where they blast goog for probing in your
email...[https://www.youtube.com/watch?v=iMbQCom7VTY](https://www.youtube.com/watch?v=iMbQCom7VTY)

------
CurtMonash
Microsoft was wrong, and is tacitly admitting it even as they ostensibly claim
the opposite.

That said, their stated justifications probably suffice to get this
categorized as a "forgivable error".

------
dorgo
There should be a technical solution to this problem. Emails should be saved
encrypted on microsoft servers and microsoft should not have the key to
decrypt them.

------
teekert
Gmail man!
[https://www.youtube.com/watch?v=eFCSp23xl40](https://www.youtube.com/watch?v=eFCSp23xl40)

------
lispm
I wonder how stupid companies are that they use Microsoft's cloud service for
email, document exchange, etc...

~~~
JTenerife
I can't believe it either. And it doesn't stop there. Car companies start
putting Android in their cars and really think customer will like it. I
wouldn't even buy an Oracle DB but use Postgres, even if this seems a bit too
paraniod. Everything Open Source and no public services / hosting is the only
answer.

~~~
kllrnohj
Psst, Android is open source. So if you want everything open source, Android-
powered car infotainment should make you very happy.

~~~
JTenerife
Actually, Android is not entirely open source. Some key components are closed
source, that's why project like cyanogenmod exist.

------
danbmil99
TL; DR: idiot ex-MS employee leaks sensitive Microsoft secrets using Hotmail.

~~~
Drakim
Your summary is missing the most vital part of the puzzle, after the leak
happened Microsoft invaded the hotmail account of the journalist who received
the info, not the leaker.

------
jcfrei
it's funny that microsoft aired this ad not long ago:
[https://www.youtube.com/watch?v=63u-RG-31B0](https://www.youtube.com/watch?v=63u-RG-31B0)

