(I work for Microsoft, though not for Outlook.com)
Can we stop with the hyperboles and actually be realistic?
Quitting the use of Microsoft services won't really solve anything since, as has been made clear in other HN threads, the policies of other big players allow for the same (e.g. Gmail).
Arguing that "oh but Gmail hasn't actually proven they'll use this tactic" is absolutely absurd. They're saying they can, so nothing stops them from doing it tomorrow. If they really wouldn't ever do so then that clause would not be on any terms that users agree to. Ditto for all other major email providers.
Okay, so next we can say "aha! I'll just stand up my own email service!". Two reality checks...
--First: if you email anyone using a major email provider then you haven't really made much progress. Same even if they email you and you ignore them.
--Second: it seems completely unrealistic that this solution would scale to the entire world. NSA fiasco has proven to me that people value convenience more than privacy. Otherwise this "stand up your own email/cloud" trend would have started last summer. None of my friends (even tech friends) have switched away from gmail or whatever major provider they use.
This situation obviously sucks, but I don't see many reasonable responses to this. We're smart people here. Let's act like it.
I can't believe they're still running this crap - I it's been a year and a half now? My opinion of Microsoft took a complete nosedive after seeing this campaign.
I fail to see how the two are even remotely the same. Google continuously scans email content to sell ads; while Microsoft does it once and admits it so they can catch someone stealing trade secrets.
While I agree that the Scroogled campaign does tread slightly into the hyperbole, I can't agree that this the double-standard that most are making it out to be.
It doesn't matter if they're the same. The point of the Scroogled campaign is to say "the other companies read your emails, while we don't". Like every other MS marketing campaign, it doesn't take long to unravel.
Do they read your email? Your parent specifically debunked the point your trying to make. Microsoft selectively reading one persons mail who was leaking their activation technology, is not the same as reading their customers emails.
Hyperbole doesnt make your case stronger. In light of every other privacy issue happening in the world, this is a non story. I think it would be useful to prioritize outrage, and direct it to a spy agency or some other countries military.
I'm not entirely sure my previous posts were clear enough.
I'm not saying that Outlook / Hotmail is better or worse than competitors in terms of privacy. I'm saying that an MS Marketing campaign has helped create an unrealistic perception of MS email services for the public, which after this PR debacle has created yet another unrealistic perception of MS email services.
Fastmail is a pretty major mail provider, I've read their TOS and Privacy Policy, and don't seen any clauses that allow them to read my mail the way Microsoft and Gmail claim to.
> Otherwise this "stand up your own email/cloud" trend would have started last summer.
It did! Understandably, since it's not absolutely-zero-effort, there hasn't been 100% uptake, but Alex Payne started up a project that lets you run you own private cloud with surprisingly little configuration:
I've been using it for a few months now and have been quite happy with it. I'm in agreement with you, though, that it won't scale to the entire world, but I don't think that it needs to.
And use what alternative? Google, Apple, Facebook? Ubuntu cloud? Really? Is our data more save at Ubuntu services? You seem to be under the wrong impression that it's a problem we can solve by avoiding products of one company. As long as we're dealing with companies we're dealing with issues like that regardless of the image these companies try to create.
Use the internet as it was a public place. Remeber you can't even trust ssl connections (see Apple by mistake, NSA by purpose).
No they're actually saying "by using Hotmail the client agreed with these terms of service that in exceptional circumstances yadayadayada and we did what we were allowed to in this case".
So they shouldn't simply stop doing this (we don't really know how many times they did of course), they should start by getting rid of terms of service allowing such constructs - cause technically, they didn't do anything wrong and their defense seems justified (ianal)
I suppose it hinges on how intertwined you feel morality is with the law, and I don't mean to be insulting with this observation because it's a legitimate difference of opinion.
But "Just because you can doesn't mean you should" is another perspective some folks take on matters like this.
Which, btw, isn't this what Gmail has done since it's inception? I remember reading it plainly stated in the 1st paragraph of their EULA when it was beginning the long beta run, I appreciated their candor & also opted not* to use such a service. I assumed all free emails hid the same clause in varying depth inside their EULAs. Did we learn nothing from Excite@Home?
EDIT: *I had hotmail & excite accounts before the mergers and I retained them for years after for online catch-all accounts.
My 17yo hotmail locked me out when I refused to give MS my phone number awhile back. meh.
Agree entirely. In fact we need to stop using proprietary software full stop and stop using SaaS and hosted platforms to save cost and shift liability. They're all the same turd rolled in different coloured glitter.
The current company I'm working for are a little pissed off with this whole Microsoft reading their email thing and have started to plan moving their exchange installation on-site from Office 365.
Right, MS still wins. But for how long? American companies looking at difficult times due all this issues. Why should German or French companies rely on MS or Apple or Intel products when they have to face industrial spying. I don't even want to know the extent of the advantage american companies have gained due to NSA and othera spying.
… because American software is usually very competitive – going national usually results in using sub-par software at higher prices. And your clients usually will not pay for these increased costs – and your competition will mostly still use the best software available, i.e., usually American software.
how is that different from gmails privacy policy? do we know anything about googles behavior with law enforcement wrt gmail? even if gmails eula technically allows them to "read"/index all you have in your inbox, does that really legally allow searching for a specific thing? what if there are nlp based triggers?
also while the article deems this ironic:
> In a move that might be deemed ironic, Microsoft will now add its own internal searches to its biannual transparency reports on government surveillance. To top of page
i actually think it's a good idea. does google have anything like this? the real irony is that it reminds me of chinas quarterly human rights report on the united states.
that said i use gmail in spite of hotmail.
by the way, if you want a simple to setup email server, you can use atmail in a kvm. there's a whole host of free solutions, but for those who don't want to fiddle with mail configurations it's worth the 20 bucks
What Microsoft did here is different from the Google behavior they criticize in multiple ways:
Google's ad mechanism reads all emails sent and received by all gmail users, even in many cases people using paid Google Apps mail unless the administrator has opted out (I've encountered companies that left gmail ads enabled). This means that to a degree, the privacy and security of all your emails is compromised - though we would all hope that Google firewalls that stuff off carefully and ensures that no traces of the mails remain after they're scanned for ad keywords.
To say that Microsoft accessing one account based on evidence in order to gather more evidence for a civil suit - with explicit permission granted by the user during signup - is equivalent to Google's behavior is just blatantly wrong.
Both behaviors may be undesirable, but they are very, very different.
Google's ad mechanism reads all emails sent and received by all gmail users, even in many cases people using paid Google Apps mail unless the administrator has opted out (I've encountered companies that left gmail ads enabled).
Even when the administrator has switched off ads, e-mails are still mined to show ads in Google services that are not covered under Google Apps:
Since Google Apps for Business uses the same privacy policy, there is little reason to believe that anything is different when you are paying $5 per user per month. The privacy policy clearly states that Google can mine your data for ads. Ads can just be turned off for the services covered by Google Apps (but not Google+, Google Maps, Youtube, Google Search, etc.).
In any case, the article is wrong, on a number of fronts, actually. e.g. the DoubleClick and Google account cookies are never mixed (Google agreed to this in the wake of concerns over the merger, and it's called out explicitly in the Google privacy policy), the statement on Enterprise privacy policies and that testimony about the University of Hawaii don't contradict each other at all, and it's ridiculous to base a whole article on an entry on the University of Alaska's email FAQ. The entry is wrong anyway. Check out the "Data Processing Amendment"[1] that comes with Enterprise/Education accounts, which prohibits processing data in ways that aren't explicitly enumerated in that document. Advertising profiling is not included.
I have to add that it's not my intention to bash Google. I actually think their privacy policy is actually readable in comparison to many other services. Also, most other large services don't provide something akin to Google Dashboard.
> Google's ad mechanism reads all emails sent and received by all gmail users,
Exactly like Microsoft, Apple or Yahoo! does.
I don't know where has started that urban legend that only Google scan the emails, every email provider that does anti spam, auto categorizes or does full text search read all the emails.
Of course the emotional appeal that Microsoft was making was that a personified "Google" was poking through your e-mail. It seems very unlikely that they were spending money to make the banal point that the ads one sees on gmail are the result of an algorithm.
In this particular case human beings at Microsoft actually did paw through this individual's e-mail, to his detriment, as was their intent.
At the same time, it seems unlikely that anyone believes that Microsoft was actually advancing a principled criticism in an ad campaign as opposed to merely saying an expedient thing. I doubt that accusations of "hypocrisy" will hurt them, other than making coverage of "scroogled" in the press marginally more disdainful.
It seems very unlikely that they were spending money to make the banal point that the ads one sees on gmail are the result of an algorithm.
There is a fundamental difference. If you promise not to do content-based targeted advertising (as Microsoft claims), you have no interest to collect as much data from a user as possible. If you do content-based advertising, it's in your interest to collect data from as many sources as possible (from e-mails, to locations, to search queries) and combine them.
> If you promise not to do content-based targeted advertising (as Microsoft claims), you have no interest to collect as much data from a user as possible.
False. Microsoft is still hoovering up every scrap of data they can get. They'd be stupid not to, as data is insanely powerful. You don't need much data at all to do targetted advertising, by the way. Seriously, Google uses at most 1% of the data it gets from you for ad-related reasons, if that. No, Google's obsession with data is because data is tremendously powerful at building better products. Microsoft is just shooting themselves in the foot if they aren't doing the exact same thing.
It is clear (from reading HN) that some people exist who do not find this acceptable.
At the same time, the adoption rates for, say, Facebook show that "nearly everyone" are not actually concerned about such things in practice. There are those who might argue that people should be more concerned. I believe you may find that such conversations have occurred.
Regardless, it seems silly to pretend that Microsoft is making a principled claim, as opposed to mouthing what they hope are scary words.
Similarly, Microsoft isn't actually worried about the plight of young women who may be under the impression that they can pawn their chromebooks to fund a trip to LA.
> To say that Microsoft accessing one account based on evidence in order to gather more evidence for a civil suit - with explicit permission granted by the user during signup - is equivalent to Google's behavior is just blatantly wrong.
You are correct that the comparison is blatantly wrong. What Microsoft did is evil and a massive, massive violation of privacy and trust. What Google does can't even be classified as evil. Arguably it's creepy, but that's about the extent of it, and they have been clear about it from the start.
And bullshit on the "explicit permission" part. No where did anybody get a clear "you grant Microsoft the right to read your email whenever they bloody well want to if it suits an internal investigation with zero oversight" checkbox.
> Google's ad mechanism reads all emails sent and received by all gmail users
This is incorrect, as the word "read" requires some amount of comprehension. The automatic indexing algorithm has no comprehension of what it is scanning, ergo there is no "reading" going on.
Neither Google nor Microsoft has outright hurt me with their privacy policies in any way I can personally detect.
When it comes to this discussion, for me it's a matter of principles. The principles are being equally violated here, it doesn't matter if one does it more frequently than the other.
That's the reason anybody remotely cares about this. Given that you aren't hosting your own email servers it's a likely possibility that your privacy won't be respected, however in Microsoft's case they had an entire campaign to scare people away from Google and onto their services.
But the problem in this scenario is law enforcement wasn't involved. I'm unaware of any other email hosting company doing this so far. Not to say they haven't, just it hasn't surfaced.
I used to host email for a co-op I'm involved in, and I eventually decided I didn't want to anymore. I don't recall deliberately reading any, but having my friends' personal messages sitting on my server in plain text format just seemed weird and icky and wrong.
I'm sure people will object to this opinion, but I don't think it's reasonable to send your messages to a third party's server in a totally open, unobscured format and consider those messages private. I just can't really see the situation any other way. If you're going to do that, your only reasonable expectation of "privacy" is hoping that the server's admins aren't sufficiently interested in your messages to pay any attention to them.
> I don't recall deliberately reading any, but having my friends' personal messages sitting on my server in plain text format just seemed weird and icky and wrong.
It's not icky and wrong, it's part and parcel of the ethics of managing user's data. I've had access to corporate user's e-mail at various companies for decades, access to my entire family's e-mail (my wife, parents, siblings -- I host it for them), access to corporate instant messaging logs, and a whole slew of other data ...
... and I can definitively state that I've never read any of it without prior permission, and I've never been remotely tempted.
It's no different than having access to someone's mail, being handed the keys to a friend's house to house-sit their cats, or having someone hand you their mobile phone and then step away. As a matter of ethics, courtesy, and decorum, you simply don't look where you shouldn't.
Even for corporate e-mail, where we have an absolute legal right to look at e-mail, it's simply not something you do without a legal justification that outweighs the right to personal privacy -- which is why hosting your personal e-mail with a third-party corporation is a bad idea if you don't want them digging through it.
> I'm sure people will object to this opinion, but I don't think it's reasonable to send your messages to a third party's server in a totally open, unobscured format and consider those messages private.
The difference is that a third-party corporation like Microsoft or Google have very different ideas of ethics, courtesy, and decorum than your friends or even your employer.
In short, given the ability and even the legal right to engage in privacy-snooping behavior, everyone is not created equal, and not all relationships have the sort of constraints that we would (and I posit, should) expect.
Managing user email as sysadmin is different, in that you can do it with a total expectation of getting away with it. Not that a moral person would want to; but since electronic examination of unsecured data leaves no trace when read, temptation has no buffer.
So in "exceptional circumstances" - such as where your email is perceived to have content which may conflict with Microsoft's commercial interests - they will read your documents without court approval, and stress that their standard terms and conditions permit them to do so as your cloud-based email accounts are "their own property"
I find it hard to believe the commercial value of the IP allegedly being sold exceeds that of the commercial value of the "cloud" enterprise deals Microsoft is jeopardising here...
It seems to me that MS had every right to chase down this pair of nincompoops. Technically they had the right to scan the unnamed blogger's email, and surely they had the right and justification to check ex-employee Kibkalo's Skydrive account for traces of illegally obtained files.
Maybe there should be some kind of more normal procedure such as a court order rather than merely the "approval of Microsoft's lawyers", but either way they had justification. The blogger had obtained keys to a new server release and potentially he or his customers could use it to create highly insecure or spoofed installations, could they not?
Methinks the world is a safer place now that the leaker was caught.
By the way what's Microsoft doing employing some Russian guy living in Lebanon, anyway? The whole situation sounds a bit iffy.
It needs to be stressed that they did not just check the Hotmail of the leaker, but also the Hotmail the one the leaker emailed.
So for my Hotmail account to be opened and read by Microsoft's personnel without a warrant, all I need to be is the willing or unwilling recipient of an email from a person whose activities Microsoft deem to be illegal/bad?
What happens if some well known internet pirate sends me an email with an attachment? Will an justified Microsoft go on a fishing trip in my inbox to find any juicy illegal activities?
One could say that this is what I get for using Hotmail, but no way in hell can Microsoft maintain that "we are the good guys in privacy" that they have in their campaign against Google.
And did Microsoft read the recipients other messages? Do you think maybe they only looked at the ones from the leaker? Do you really think they had a person manually thumb through every one of the journalists messages?
There have always been concerns about the security of "the cloud"...but always in the sense of hackers breaking into the data. None of us ever considered that providers would simply give themselves permission to review our data.
After a story like this, how on earth could any corporation blindly trust a cloud provider with their data?
I know many people simply do not care about their rights and freedoms, but I find this latest development incredibly disturbing.
However, I see this as a great opportunity for a company of good character to make a name for itself by promoting services with the assurance that their databases are encrypted in such a way that even they can't access our data.
After a story like this, how on earth could any corporation blindly trust a cloud provider with their data?
By using an e-mail service that does not have such clauses in their terms of service, or even better, guarantee that they won't read your e-mail. Because if they do, it makes it a lot easier to sue them.
Of course, e-mail is inherently insecure. Even with PGP encryption, the metadata is visible by every SMTP server on a message's route. So, don't expect privacy when using e-mail.
> Maybe there should be some kind of more normal procedure such as a court order rather than merely the "approval of Microsoft's lawyers", but either way they had justification.
IANAL but I suspect that if MS had gone to a court seeking an order against itself, or if MS had set up some other legal entity to sue MS on MS' own behalf, they'd have been thrown out of court for timewasting.
I'm not a lawyer either, but I believe that normal due process procedures in the U.S. include going to the police or FBI who can then obtain a search warrant from the jurisdictional court, and they can then examine the contents of the suspect's account. Apparently, MS didn't do that, but they probably could have. In any event, they did involve the FBI as evidenced by the FBI report linked by the article.
Why should Microsoft have extrajudicial powers that exceed those of the NSA and the Police?
When I worked for BT if say some one in marketing had done that our internal security department would have fucking crucified them - read Bruces resignation letter and note how carefull he is to make nice with SD.
What the hell? Extrajudicial powers? Microsoft isn't a part of the executive branch of the government, and doesn't legally need anyone's permission to look at their own servers. We can have a discussion on whether it's ethical or not, but framing it as a legal matter is bonkers.
From the article: "Microsoft admitted in federal court documents that it forced its way into a blogger's Hotmail account to track down and stop a potentially catastrophic leak of sensitive software. The company says its decision is justified."
The telephone company does not have a right to listen to your phone calls. I know as there are lots of rules for line technicians when someone is on the line while they are working on it. So why is this true of email? Because of a EULA? You cannot sign away your rights, EULA or otherwise. That's why they are called rights.
You have no right to privacy in the US. You can't sign it away or have it violated, because it doesn't exist.
You have a reasonable expectation of privacy, or at least you would if you hadn't explicitly waived it by agreeing to the ToS.
The phone company is a special case, because the regulations for wire communications were written in an era when people cared about this sort of thing, and the zeitgeist wasn't manipulated by the spectre of terror.
I'm not defending Microsoft here. But you'll get no redress from government (the theoretical defenders of natural rights in a democratic society) in this case. Obviously.
This is accurate if viewing rights from a US legal perspective.
People who care deeply about privacy could make the case that this is unjust because there the legal system ought to recognize this as a natural human right.
Others, of a more philosophical bent, might note that the whole concept of "rights" is rather silly.
Email is not secure unless you and the recipient have carefully used encryption.
This has been true ever since email was invented.
It doesn't matter what the TOS /AUP is - that doesn't stop rogue employees creeping trough email. It doesn't matter if they advertise it as a secure sevice or if they use their competitor's advert serving in ads.
We can use words like "wrong", "unethical", "illegal" but that does nothing to make email more secure.
Stop giving your secrets to a 3rd party and being surprised when they know your secrets.
We hand our info to doctors and lawyers with an expectation of privacy. Full encryption is nice for some things but in the case of webmail it's a regressive option. Most of the utility of webmail services relies on trusting the provider which is fine. A good chunk of what makes modern life work is being able to trust in reasonable cooperation from others.
These tech companies have to grow up. They are consumer companies now. Just because you can do something does not mean you do it. The CEO should have made the call that some tech secrets are not worth the press and upset users.
I understand that it's not that simple, but having this guy shut up was not worth it.
And I want companies to value their customers more than some piece of code.
Perhaps microsoft would be on stronger ground if they had consulted an outside authority before deciding they had the right to look at their own data. Instead they simply decided on their own. It's like the police issuing themselves a search warrant — doesn't matter how correct the reasoning is, it's procedurally unacceptable.
They're not the government, they don't need warrants, and they can't sue themselves or ask the police to investigate something they're going to file a civil case about.
They had explicit permission to do exactly what they did (you grant that permission when you sign up for the service). It may be gross that they dug through someone's email, but they didn't violate any laws or ethical guidelines. If the people involved didn't want their emails read by Microsoft, they shouldn't have granted Microsoft permission to read their emails.
Some countries do have an agency to handle these kinds of issues, short of a court but more than just deciding to read the emails unilaterally. In Denmark if you as an ISP or a corporation wanted to read the email of your users and/or employees, you'd file a request with the Data Protection Agency (http://www.datatilsynet.dk/english/) outlining your case.
It does appear that the U.S. has no such provisions.
I'm not sure where this comes? Ed Bott? This is totally insane thinking. They can surely contact authorities to start investigation of the leaks. Police would then get a warrant to search evidence from Hotmail.
You send a letter to a friend with sensible information. The letter is transported by the post office from door to door. While in transit, the post office recognizes, from a 3rd party, that a letter exists, that contains sensible information about the post-office's business. Therefore the CEO of that company demands a internal investigation, which searches for a letter with the given senders/recipients address and then opens it.
IANAL, but at least where I come from, there exist laws that acknowledge the intimacy and privacy of these letters and would sentence this behavior.
So why on earth is everyone talking about policy, terms of service, the lack of alternatives a.s.o? Nobody sees the desperate need of legislation here?
> What? I think you did not understand what I meant by that.
I understand exactly what you mean. You don't, however.
> The only freedom that would be eliminated here is the freedom of a company to abuse data they do not own.
You would also eliminate my ability to agree to the status quo. These are rights I have now. Legislation as you suggest would eliminate that freedom that I have.
You aren't enforcing privacy. You are removing choice and freedom. If anything, your legislation goes so far as to say I'm not allowed to trade my data for a service.
So, why do you feel it's okay to legislate away freedoms I have now?
Very few people got upset when email providers started including clauses to let them do this. There was some mild backlash when gmail started automating ad delivery via email content but then people went crazy over the 1GB mailbox and forgot all about it. The lesson being that peoples greed far exceeds any sense of adherence to privacy principles. Google has used that lesson effectively to essentially turn Chrome into a key-logger.
If you allow a bomb to be placed in your house its not surprising that once in a while its going to go off.
To be harsh, I haven't learnt anything either. I use the ms live crap (only because of office 365) and gmail too.
There should be a technical solution to this problem. Emails should be saved encrypted on microsoft servers and microsoft should not have the key to decrypt them.
I can't believe it either. And it doesn't stop there. Car companies start putting Android in their cars and really think customer will like it. I wouldn't even buy an Oracle DB but use Postgres, even if this seems a bit too paraniod. Everything Open Source and no public services / hosting is the only answer.
Your summary is missing the most vital part of the puzzle, after the leak happened Microsoft invaded the hotmail account of the journalist who received the info, not the leaker.
