Microsoft took a lot of criticism last week after it was revealed that the company looked at the email content of one of its customers in the course of tracking down someone suspected of stealing trade secrets from the company.
Now Microsoft is changing its policy, saying that, in such circumstances, it will call in law enforcement to inspect a customer’s content, rather than doing so itself.
Brad Smith, Microsoft’s general counsel, wrote in a blog post today:
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
In addition to changing company policy, in the coming months we will incorporate this change in our customer terms of service, so that it’s clear to consumers and binding on Microsoft.
The policy change stems from a case in which former Microsoft employee Alex Kibkalo is accused of stealing trade secrets.
Kibkalo, a former Microsoft software architect who worked for the company in Lebanon, was arrested last Wednesday. He is charged with stealing trade secrets related to pre-release software updates for Windows 8 and Microsoft’s “Activation Server Software Development Kit,” and giving that information to an unidentified tech blogger in France.
Microsoft found out about Kibkalo after searching the blogger’s Hotmail account, raising concerns over when and why Microsoft would be able to look at content from users of its services and what legal processes the company followed in order to do so.
The company said last week that it did not need a court order to read such content because its own terms of service allow for it under “exceptional circumstances.” Plus, Microsoft said, courts do not issue orders to companies to search themselves.
It also said last week that it was putting into place some new policies, including proceeding with such searches only after an outside attorney who is a former federal judge deems there’s sufficient evidence to justify a court order.
Today’s policy change goes further in that Microsoft says it now will not conduct such searches itself. Instead, it will refer such cases to law enforcement — something that digital civil rights organizations such as Electronic Frontier Foundation had advocated.
Following the revelations from whistleblower Edward Snowden about the U.S. government’s national surveillance programs and tech companies’ involvement, Microsoft and other companies have been pushing the U.S. government for more transparency and reliance on legal processes to conduct its searches.
Smith said in his blog post today:
We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities. While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us.
In addition, Smith said, the company is taking part in a project that includes groups such as Electronic Frontier Foundation and Center for Democracy to “help us all identify potential best practices from other industries and consider the best solutions for the future of digital services.”