When charges were filed Wednesday against a former Microsoft employee suspected of leaking trade secrets to a blogger, the complaint filed in the case also disclosed that Microsoft looked at the content of the blogger’s Hotmail emails in order to find the identity of that former employee.
That raised privacy concerns over when and why Microsoft would be able to look at content from users of its services, and what legal process the company followed in this case.
Microsoft said today that it did not need a court order to pull such content because its own terms of service allowed for it under “exceptional circumstances.”
Federal prosecutors are accusing Alex A. Kibkalo of stealing trade secrets related to pre-release software updates for Windows 8 and Microsoft’s “Activation Server Software Development Kit,” and giving that information to a tech blogger in France.
Microsoft found out about Kibkalo on Sept. 3, 2012, when an outside source who asked not to be identified contacted Microsoft, saying that he or she had been contacted by the blogger. The blogger had sent the source the proprietary Microsoft code, asking the source to help the blogger understand it better, the complaint says.
“The source indicated that the blogger contacted the source using a Microsoft Hotmail e-mail address that TWCI [Microsoft’s Trustworthy Computing Investigations department] had previously connected to the blogger,” according to the complaint. “After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account.”
The blogger’s Hotmail content revealed email from Kibkalo’s Windows Live Messenger account to the blogger which included the Windows 8 hotfixes, according to the complaint.
Microsoft issued a statement today saying:
As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.
Indeed, Microsoft’s terms of service (in section 5.2) state:
You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as IP address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.
Microsoft’s statement today also says, in regards to a search of the blogger’s home:
During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
“In this case, it does appear that Microsoft’s terms of service permit the company to have taken the action that it did,” said Nate Cardozo, an attorney with digital civil liberties organization Electronic Frontier Foundation. “The terms of service is a contract. By opening a Hotmail account, all Hotmail users consent to Microsoft searching their emails for this sort of content.”
But “from our perspective, it was clearly not the right thing for Microsoft to have done this without the legal process,” Cardozo said. “The proper remedy for Microsoft would have been to have the government get a warrant to search this guy’s email.”
When Microsoft — or other companies such as Yahoo and Google, which have similar stipulations in their terms of service — reserve the right to access users’ content, “what they’re saying is: ‘Trust us. We will only use this right in extraordinary circumstances,’ ” Cardozo said. “That’s not enough because what that means is that any Microsoft account holder is leaving it up to Microsoft to decide when it’s appropriate to search your email.”
Microsoft also issued another statement later today, from John Frank, vice president and deputy general counsel, outlining the policies it follows in such cases and detailing some new ones:
We believe that Outlook and Hotmail email are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.
Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:
• To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
• Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
• Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.
The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business. And in these cases, the review will be confined to the subject matter of the investigation.
The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency.
[Update 3/21: The print story on this issue, running in the March 21 edition of The Seattle Times, is here.]