March 21st, 2014, 22:11 PM
Microsoft to review policies after admitting it searched customer email
Microsoft promised to subject itself to a more rigorous process before searching through its customers' email accounts in the future after a recent legal case revealed that the company searched for evidence of theft of its trade secrets in a Hotmail account.
A former Microsoft employee named Alex Kibkalo was arrested Wednesday on charges related to alleged leaking of prerelease Windows RT updates and product activation software to a French blogger in July and August 2012.
Court filings revealed that Microsoft's internal investigation involved searching through the French blogger's Hotmail account where it found emails from Kibkalo. Hotmail has since been rebranded as Outlook.com.
"After confirmation that the data was Microsoft's proprietary trade secret, on September 7, 2012, Microsoft's Office of Legal Compliance (OLC) approved content pull of the blogger's Hotmail account," FBI Special Agent Armando Ramirez wrote in a criminal complaint filed with the U.S. District Court in Seattle.
Microsoft also searched through Kibkalo's instant messaging conversations and his account with SkyDrive, the company's cloud file hosting service that's now called OneDrive.
While it appears that the terms of service for Microsoft's online services allows the company to access users' content "to protect the rights and property of Microsoft," among other things, the incident drew criticism from privacy advocates and other users on social media.
"I can't wait for Microsoft's next Scroogled ad, slamming Google for violating the privacy of Gmail users," Christopher Soghoian, principal technologist at the American Civil Liberties Union, said on Twitter following the revelations. "Microsoft likes to brag that they have more 'trained privacy professionals' than any other company. What were they doing during HotmailGate?" he said in a separate message.
John Frank, Microsoft's deputy general counsel and vice president for legal and corporate affairs, defended the company's actions Thursday in a blog post, saying the company took "extraordinary actions based on the specific circumstances" and it "applied a rigorous process" before reviewing the content.
"Courts do not, however, issue orders authorizing someone to search themselves," Frank said. "So even when we believe we have probable cause, there's not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises."
Microsoft had a dedicated legal team working separately from the internal investigation to review the evidence and meet "a standard comparable to that required to obtain a legal order to search other sites," Frank said, adding that the company's actions were within its policies and applicable law.
While Microsoft hasn't announced any plans to modify its terms of service to disallow this type of internal customer data searches in the future, the company does plan to make some changes to the process that governs this type of investigations.