
Before anyone else comments that hasn't read the full article, here is the very end:

Legally, Microsoft appears to be protected by its privacy policies. The policy for Outlook.com, formerly Hotmail, states that, "We may access information about you, including the content of your communications...to protect the rights or property of Microsoft."

This is the agreement that every user agreed to when they signed up for Hotmail or Outlook. It's not carte blanche for Microsoft to go through your email, but it seems to allow them to do it for a very particular purpose.

> This is the agreement that every user agreed to when they signed up for Hotmail or Outlook.

No they didn't. Over 99% of them clicked through without reading. Some of them suspected Microsoft might one day read their email, but somehow shrugged it off, then forgot about it.

If people were truly informed, most would not give consent. Make no mistake: using a hotmail or gmail account means giving away a good chunk of your private correspondence. It also affects whoever you're communicating with, even if they have their own private mail server.

We need those Freedom Boxes. Fast.

"If people were truly informed, most would not give consent."

I strongly disagree. Most would bitch about it, then do it anyway, knowing it may be a shitty deal for them. That is consent.

In the current situation, sure. Because we don't have real alternatives. (I maintain my own web server, but that's impossible for most users.) But if people were informed, that would create a market for privacy.

> But if people were informed, that would create a market for privacy.

If people really cared, then that market would exist today. "Get your $5/mo. much more private email from privateemail.com!!". This notional private email provider would be able to advertise Outlook.com, GMail, etc.'s privacy policies independently of those email providers to ensure that "click through" isn't the only reason people are unaware.

That market does exist today, Fastmail.fm is only one example I can think of off the top of my head (I surely got the ofs and offs wrong). I talk about them so much that I sometimes feel like a marketing goon ...

They're not a viable privacy option. And it has little to do with their ethics: they are still vulnerable to subpoenas, many of their users don't even live in the same country…

The only viable privacy option is to host your mail at home. It doesn't have to be difficult. We "just" need a suitably tailored GNU/Linux distribution in a Sheeva Plug, or Raspberry Pi, that you just plug in, then use as a web service. (Just one snag: your ISP must allow you to send and receive e-mail: many close off port 25, and some even ban home servers.)

Now to get your email, they need a search warrant and someone to knock on your door, which is inconvenient and costly.

Could you host your mail on a VPN instead? I wouldn't mind doing this except for the fact that I'm 100% certain I'd get something wrong.

This makes you too vulnerable to various DOS attacks though.

I care, but there's no way for me to state that I do not want my correspondence shared with Google/Microsoft ... so the people who don't care continue to drag the rest of us into the void.

I'm sorry, I've heard this argument for 15 years, and it's still as false now as it was then. It's really just staunch privacy advocates thinking that their position is really right, and everyone would see the light if only they could be educated. Everyone likes to think this about their position. It's not limited to privacy contexts.

Your problem is not education. Your problem is your position is just a marginal one. Sad in some ways, but true.

The truth is, people have bigger fish to fry than this, and like a lot of things, they like to talk about some stuff, but when push comes to shove, "privacy" is just nowhere on the list of priorities, educated about it or not. The market would already exist otherwise.

A no-true-Scotsman argument. Not everyone shares your views about where the boundaries of consent should lie or what conditions they consider acceptable in exchange for free service.

I don't care if "not everyone agrees". Their boundary is incredibly low. It is literally a Dark UI Pattern. I bet your own boundary is higher than that.

No-true-Scotsman? I don't care, this one is valid: we're talking about someone who has some distant relatives in Scotland, but never set a foot there, hardly speaks English, and lives in China.

I do get that the proper threshold is not always the same. The threshold of consent for having sex, for instance, is very high (or ought to be). Still, some things I say over email are just as private as my dick.

OK, but we're not talking about email here, we're talking about webmail in particular. I mean, it's rather foolish to think that you can trade MS's private IP over MS's free-as-in-beer webmail service when they explicitly tell you they're not willing to tolerate that in the TOS. Now if it were MS hacking into someone else's mailserver in pursuit of their stolen IP, I'd fully agree with you.

Yes, it is foolish, even if like everybody else, you haven't read the TOS. I know the analogy is unfair, but it is also very foolish for young women to dress lightly, then go walk out alone in dark streets. Yet sometimes, circumstances are such that people do it anyway, and it doesn't mean they're "asking for it". Drunk after a party? Used to using "your" webmail for all your communications?

People often do foolish things, it doesn't mean other people have a moral right to take advantage of them. (Alas, they sometimes have the legal right.)

By the way, in this case, it seems Microsoft spied on the blogger's account, to know where the leak came from. The leaker may not have used hotmail at all. While it's easy to notice cloud spying when sending from a webmail, it is a bit less easy when you send to a webmail: you're not even legally expected to have read the TOS. I mean, you still have to be careless to make that blunder, just less so.

It's difficult to fault a company for parsing its own servers to stop corporate espionage against itself.

It isn't. Especially not when they did this first:


From your own link

>“Outlook.com does not go through the contents of your sent and received email messages in order to display targeted ads. ... Outlook.com does not go through the contents of your incoming email from other email service for the purpose of targeting ads. ... Outlook.com does not go through the contents of your entire inbox for the purpose of targeting ads.”

Google does all of the above, are you claiming there is no difference between the two services?

The new lawsuit against Google for building profiles of children using its free Google Apps for Education service has even more info:


>A Google spokeswoman confirmed to Education Week that the company “scans and indexes” the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off--even for Apps for Education customers who elect not to receive ads.

The problem is they criticize google while doing something far more invasive than letting robots look for keywords.

Google has the exact same wording in their EULA:


"protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law."

Well that's bad of google but doesn't improve microsoft's argument. If anything they become more hypocritical because "why isn't microsoft criticizing that part....oh"

They become more hypocritical for not criticising about something they do themselves?

The lowest tier of being hypocritical is criticising all of google's failings when they have related but different failings.

The medium tier is criticising all of google's failings except for what they also do.

The highest tier is criticising google for something they also do.

I thought they were at the low tier, but they're actually at the medium tier. So 'more'.

Sorry but I completely disagree, by not criticising Google for doing something they do themselves they are literally not being hypocritical, by definition. You can still criticise them for the situation, just not with that word. You can still call them hypocritical for the overall situation too, just not by picking out a specific narrow case where they have avoided being hypocritical.

They did not perform the actions google did, but the criticism they made of google's actions could be applied to their actions too. They claimed a high ground on the issue of privacy. They have no such high ground. This is hypocrisy.

I don't think that makes any sense.

If I criticize someone for talking loudly during class, and I haven't talked at all, that wouldn't be hypocritical, even if we were both browsing Facebook or something.

If you criticize them for being too loud with their talking while you were repeatedly slamming books against each other, you're being hypocritical. It's not the same behavior but it's still an inappropriate loud behavior. In the microsoft/google case it's privacy invasion.

There is nothing limiting them from doing so. Just because they behave like this today doesn't mean they will still do so tomorrow. Heck, I wouldn't be surprised if they already did so today. It wouldn't be the first time marketing saying something the technicians don't agree with. :)

False equivalence. Microsoft doesn't snoop every single email hoping to protect their property. This was a very controlled situation.

Wrong. Google hands your email to software agents that select ads you are most likely interested to see. Microsoft hands your email to lawyers who will later sue you.

Did Google management order him to look into that data searching for something Google management wanted? No. Was he fired for that? Yes.

I am not saying it's equivalent. I'm just saying it's hypocritical in the extreme.

When it comes to "automated process goes through my email to decide which soda to offer me" ... I am not pleased, but not very worried. My bank does worse.

When it comes to "people go through my and other people's email to decide who to sue for what without legal oversight" that hits an 11 on the WTF scale.

I will NEVER trust Microsoft with one iota of my data again. They proved here that they will use it against me if it serves their business interest, or just snoop through it if they don't understand how something happened. At least the NSA claims they snoop through my email to "protect America". Microsoft clearly goes through my email to improve Microsoft's bottom line. It wasn't even an employee's email they went through. It was an external hotmail customer that trusted them with this email.

This is akin to your bank going through the documents in your safe, then using the found information to wire money to the Bank's CEO. This is way, way over the red line.

If they did this with physical mail, the minimum punishment for whoever in Microsoft did this would include jail time. We should have the same regulation for email.

Maybe. The carte is as blanche as there are ways to interpret "protection of Microsoft's rights or property."

Microsoft has, for example, the right to petition government without fear of reprisal. It could protect this right if Microsoft were to review any email accounts of lawmakers or regulators to ensure that they never express any animus against Microsoft based on past filings or appeals.

Microsoft may wish to protect its property by scanning every hotmail account for discussions of havens for illicit software, like torrents or newsgroups, trying to determine exactly what each user has downloaded and when.

Extreme examples are just for illustration. I don't think Microsoft will jump on those as next steps. But if the question is, "Could these user agreements justify things that would make us a little uncomfortable?" I think the answer is probably yes. Are we there just yet? Maybe, maybe not.

Do they have a similar agreement in the Windows EULA? Because that would scare me.

If you somehow know what version of the Windows EULA applies to your installation (that's not easy), you should go read it.

Please don't spread FUD. I've never tried to find the EULA before, but it appears to be pretty simple.

1) Go to www.microsoft.com

2) Search "windows 8 eula" (http://search.microsoft.com/en-us/results.aspx?form=MSHOME&m...)

3) Click the top link to download the EULA

Same thing worked when I tried "windows 7 eula" (http://www.microsoft.com/en-us/search/results.aspx?form=MSHO...)

These are also top results when I try the same query on Google.

Did you even try to find it?

The Windows EULA is quite scary in many places; however, the worst thing is the dev tools EULAs.

How is the dev EULA scary? Don't leave us hanging.

The only potentially troubling thing I could find in the VS 2013 EULA relating to privacy is that

Microsoft automatically collects information identifying your installed Microsoft product, the operating system of the device, the CPU architecture of the operating system and data regarding the success or failure of the installation of the software, data identifying the cause of a crash in the product and information about the product license which is in use.

. . . .

Microsoft may use the computer and services information to improve its software and services. Microsoft may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software.

In principle, this could be interpreted quite broadly ("selling detailed information about our installed base to third-party marketing software firms helps us pay for improvements to our software").

I did not see similar language in Google's ToS or Privacy Policy:


However I read very quickly so please correct me if I'm wrong.

This bit maybe?

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:


protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

[1] http://www.google.com/intl/en/policies/privacy/

It would be interesting to see if Microsoft has or will disclose how often it has leveraged this clause to tap into its customers' personal emails 'to protect the rights or property of Microsoft'. It may be a bigger number than we think.
