To Catch A Meaningless Leaker, Microsoft Made It Clear It Has No Concern For Your Privacy
from the cost-benefit dept
Yesterday, we wrote about the bizarre decision by Microsoft to search through a reporter’s Microsoft Hotmail email account, in an attempt to catch the Microsoft employee who had leaked that reporter a copy of Windows 8. While most of the initial stories about this had focused on the arrest of the employee, Alex Kibkalo, and had pushed the email snooping issue to the bottom of the story, it appears that the email snooping is quickly becoming the story. After all, the leak itself was basically meaningless. Some early screenshots of Windows 8 were never a big deal, and Microsoft has struggled to get adoption of Windows 8 not because of any leak, but because a variety of other issues. So capturing the leaker does little of benefit for Microsoft.
However, at the same time, revealing that the company has no problem snooping through users’ email accounts if it feels it is beneficial to Microsoft is hugely damaging to the company. People need to trust their email providers. A well-known venture capitalist I know has spoken repeatedly about how so many people use Gmail, even when doing things like negotiating deals with Google (or competitors!) because they actually trust Google not to abuse their privacy and snoop on those emails. In part, they do this because they know if Google was exposed for snooping on emails that way there would be a mass exodus from Gmail to alternative providers. Yet, Microsoft doesn’t seem to have considered just how astoundingly damaging it is to violate its own users privacy — whether permitted by Microsoft’s terms of service or not.
On a basic cost-benefit analysis it’s difficult to see how anyone at Microsoft thought this was a wise move. Absolutely wipe out any possible trust and privacy for all email users to track down one meaningless leaker? Instead, what this shows is how “piracy obsession” blinds companies. They seem to forget all about cost-benefit analysis and assume that “something must be done” at all costs, even if it basically destroys an entire business line for the company.
Microsoft is now desperately trying to minimize the damage as it’s realizing just how it’s wiped out all of its bogus talk about protecting your privacy. They’ve announced new policies concerning how and when they’ll violate your privacy, but this seems quite clearly to be a case of too little, too late.
Filed Under: copyright, cost benefit, email, leaks, overreaction, privacy, trust
Companies: microsoft
Comments on “To Catch A Meaningless Leaker, Microsoft Made It Clear It Has No Concern For Your Privacy”
Remember this is the same company that requires an always on Knect. Surely they wouldn’t turn on your camera without your consent, no?
Re: Re:
Er, no, that requirement was removed before launch of the Xbox One… you can just unplug the Kinect and the console works fine.
As for the privacy thing… I wonder if anyone read what actually happened?
It’s also something that’s allowed in the ToS, and I’m sure it’s in the Google ToS as well. This was an investigation that led to someone being arrested, so it’s not like someone was bored one day and decided to look at a random user’s email account.
Also, it assumes Google has never done the same thing. Which no one knows. The only reason we know about this instance was because of a prosecutor’s filing, so clearly there was a legal ground for seeking the information… not some random searching.
Re: Re: Re:
Hey, look over there. Google is scary! Ahbogabogaboga!
You’re so transparent.
Re: Re: Re:
Look, a distraction!
Re: Re: Re:
Yeah, because as long as they tell you up front, nobody has any right to complain about their privacy being violated! And because someone was arrested, then obviously it was part of a law enforcement action, right?
Of course! As long as it’s in the TOS, nobody has any right be be upset about Microsoft scroogling you, which last time I checked was exactly what they accuse others of doing.
I wish there was some way to actually verify that. Unfortunately, it’s obviously quite impossible to check. Maybe some sort of “engine” that would let you “search” for things?
Yes, we should be very Fearful of this. I mean there has never been anyone looking, so we should all express Uncertainty that there were no disgruntled employees, and we need to Doubt anything that hasn’t been proven.
Re: Re: Re:
“As for the privacy thing… I wonder if anyone read what actually happened”
I did, and I’ll bet most of the people here did as well.
“This was an investigation that led to someone being arrested, so it’s not like someone was bored one day and decided to look at a random user’s email account.”
You say that as if it makes everything OK, then. It doesn’t. Nor does it make everything OK because it was allowed in the ToS.
“Also, it assumes Google has never done the same thing”
Huh? Outside of the one guy quoted in the article, who is assuming this?
This all underscores why it is really important to avoid using these services. You’re giving up too much control over really sensitive information about you. It doesn’t matter if it’s Microsoft, Yahoo, Google, whoever.
Re: Re:
I remember reading about a patent that MS had filed to count the number of people in the room, watching TV.
Basically, after counting the number of people it sees in the room, it checks to see if you paid for the number of license of the current viewing program. If viewers > # of licenses, off goes the program.
no joke
Neat huh! /s
the new terms may get a little bit of the trust back for Microsoft, but it did more damage with this. this was not the only damage. think about the help that has been given by companies to the NSA before letting go of your trust again.
For a company betting so heavily on providing cloud services, this seems like it was an absolutely horrible thing to do.
Sounds like I’ll be hosting my own email from now on.
Re: Re:
You should. There’s literally no reason not to. You an even do this and still have access to webmail (that you run yourself).
Re: Re: Re:
There’s literally no reason not to.
How do you make your server and network connection as reliable as gmail’s without spending any extra money on them?
Re: Re: Re: Re:
This question always confuses me. I use my regular consumer network connection, and and old 486 computer that otherwise would have been scrapped for my server. Comparing my downtime with gmail shows them to be comparable.
Re: Re: Re:2 Re:
You are more fortunate than I. Now and then I have to reboot my router to restore my connection, and less commonly my ISP has a problem. I have never been unable to get to gmail. Also I’m sure this took more knowledge than what is required to get a webmail account. Those are all reasons not to do it.
Re: Re: Re:
Oh, and without spending any more time than it takes to set up an email account, and without having to know anything additional either.
Re: Re: Re: Re:
You don’t have to have any specialized knowledge anymore — there are a number of easy-to-install setups that do all the hard stuff for you. It will take a little more time, maybe an hour or so.
You’re making a convenience argument, which is fair. Gmail is as convenient as it gets. But you pay a price for that convenience in the form of lack of control and privacy. That may be a price you’re OK with, which is also fair.
But if you’re concerned about these issues, running your own server isn’t a very onerous thing to do.
Re: Re: Re: Re:
So your reason is “Lazy”???
I have run my own mail server for more than 15 years. I have had very few outages, only one that lasted 2+ days (due to a tornado taking down power lines and internet to my home).
Reliability isn’t normally a problem these days. If you have a decent provider, good power… shouldn’t really be an issue.
As far as time, knowledge and money. You can setup an email server in less than 5 minutes using a ready built VM (Virtual Machine); you don’t really need to know all that much about it; You will need to spend $5-10/ year to purchase a domain name.
So the only real reason not to host your own servers, assuming you have an always on internet connection is laziness. It isn’t complicated and only requires a bare minimum of knowledge time and expense. I run mine on an ultra low power server, so it is noiseless and uses very little power.
However, the real question is what good does that really do you? Chances are very high that your email is passing through some major internet backbones and / or is stored on major provider systems as well. So it can still be monitored and scoured by providers.
The answer is it is a little bit harder to ‘get it all’.
The other thing that you can do, which I do for anything of substance is encrypt the communication with GPG. Done properly, it then doesn’t really matter where your email is stored. But then again there is that personal responsibility thing.
The admin always has access
Microsoft, Google, or even your company’s Exchange admin, they all have access to your data.
Only their good behavior keeps them from accessing it.
If you don’t want them to have it, then you have to encrypt it before it gets to them.
Wait a minute. There are actually people out there that think these accounts are secure? Seriously? If so, I will point out a person that has never read a ToS.
Re: Re:
I don’t need that to point out a person that has never read a ToS. I just need to point to a random person and odds are pretty good I’ll be right. Terms of Service are full of legalese that takes immense amounts of time to read, and it’s difficult to pull anything relevant out of them, and easy to miss things even if you do read them. Given they tend to be fairly boiler plate about “we are not liable for etc., we may yada yada” it’s no surprise many people haven’t read them in depth and thought about the full implications.
Re: Re:
I’ll also point out AGAIN that a ToS/EULA/Contract has to also abide by overriding legislation & statutes ie: LAW
Just because a ToS states it can do something or that the company has all these rights to do whatever it thinks it can does not mean it has!
Look go read up on BASIC contract law and look at all the standard elements of ANY contract and then you might have an inkling of understanding about this.
Actually anyone anywhere who ever deals with any sorts of contracts daily (that means EVERYONE ON THE PLANET basically) ggo do a basic FREE course on contract law.. it will help you so much and also allow you to understand what companies can and cannot do.
Scroogled?
What’s the M$ version of being scroogled, screwsoft? They’ve been attacking Google lately for having an algorithm that places ads in your Gmail based on words in your emails. A far cry from someone snooping in your inbox.
Re: Scroogled?
Microsoft’s version of screwgooled is just ‘Microsoft.’
Re: Just Plain Screwed
Re: Scroogled?
I’d say microscrewed, but it’s impolite to make fun of corporations with tiny penises.
Re: Scroogled?
You’ve been Microshafted…
While I am a huge fan of TD, this story is just flat out incorrect.
It wasn’t just an issue of “a couple of screenshots”, the leaker had stolen Windows 8 source code and was trying to help someone set up a fraudulent activation server to use it. That’s a pretty fucking huge deal and it’s simply wrong to present it as “just a couple screenshots”.
In addition, Microsoft has ALWAYS had a clause stating that they will examine your accounts if necessary to protect their intellectual property – which “activation server code” certainly qualifies as. Not only that, but due to the public backlash over this perceived injustice, Microsoft has stated they’re now going to make the whole process much more streamlined.
So, seriously – there’s plenty of real things to be pissed about, can we not embellish nonissues like this quite so much?
Re: Re:
In the previous discussion, somebody said their TOS allowed them access “To protect the rights or property of Microsoft or our customers”.
Almost everyone is an MS customer, and “rights or property” is incredibly vague. If you use Windows and think your neighbor is bringing down the value of your house, MS would be allowed to provide their private data to you. When wouldn’t this allow access?
Re: Re:
Yes, because everyone is tripping over themselves in a mad rush to run Windows 8, which looks pretty much like AOL circa 1996. (Side-by-side comparison here: http://obamapacman.com/wp-content/uploads/2012/05/AOL-1996-vs.-Microsoft-Windows-8.jpg)
So OMG possibly setting up an activation server would impact Microsoft revenue by interrupting the positively enormous flow generated by the stampede to Windows 8 when…oh…wait…
NOBODY, not even M$ fanboys, gives a hot shit about Windows 8. Everyone with the slightest sense knows it’s garbage. Which is why it’s dying in the marketplace. It’s worthless tripe that isn’t even worth stealing, which is why this leak truly is meaningless and M$’s best move would have been to just blow it off and forget about it. (They should have been flattered that someone would actually go through this much trouble to try that vomitous mass of code.)
Re: Re: Re:
What utter bollocks. Whilst it hasn’;t been as successful as MS wanted it to be, it’s still at 10% penetration on all gaming-capable machines. It’s actually pretty smooth once you adjust, and fairly simple.
Some things on it are a nightmare to find if you don’t know exactly where to look. There are definitely criticisms to be made of Windows 8 in the Desktop space, but those are (slowly) being resolved with each iteration.
Re: Re: Re:
Your link sucks. It doesn’t lead where you think it leads.
Re: Re: Re: Re:
It took me to the right thing. But that site has hotlinking blocked, so I had to think to click on the address bar & hit [enter], which then reloaded the page correctly, allowing me to see the pic.
Re: Re: Re:2 Re:
I think cold linking works though.
Re: Re:
“there’s plenty of real things to be pissed about, can we not embellish nonissues like this quite so much?”
Just because you aren’t concerned about it doesn’t mean it’s a nonissue. The primary issue is that people trust these companies far too much, and they are trusting that when the companies store their information, the companies aren’t actually looking at it. This applies to webmail, anything cloud-based, facebook, etc.
Microsoft has done a big favor by underlying the fact that people need to stop trusting companies with their sensitive information.
Telling Example of Microsoft Culture
I worked at Microsoft for many years and, although I wasn’t in the room when Legal and others made this decision, I can easily imagine how the conversation likely went down based on my experience with Microsoft group-think and the typical manager’s posture there.
Microsoft wouldn’t have trawled through a user’s email if they weren’t as big as they are — that’s fact #1. And this proves that they actively throw their weight around even when the ethical standard, regardless of their privacy policy, begs otherwise. They are too big, they should have been broken up, the government dropped the ball on the anti-trust case. The consent decree DID NOTHING to alter behavior, it just forced behaviors into different manifestations, but the big, bad bully culture permeates every team in Redmond… it’s toxic and now it affects the hundreds of millions of users who innately trust them.
They're not the only ones
For example: http://www.theguardian.com/technology/2014/mar/21/yahoo-google-and-apple-claim-right-to-read-user-emails?CMP=twt_gu
This is why outsourcing your email — in any way, shape or form — is suicidal. Running your own email server is EASY if you have even a minimally-competent IT staff. The entire software stack is open-source, there are multiple flavors to choose from, and defenses against threats like spam are extremely well-understood and simple to implement. Programs like Mailman make handling mailing lists of any size tractable, and programs like procmail and fetchmail help with plumbing into/out of such systems.
Anybody who has their email hosted at Microsoft or Yahoo or Gmail or any of others needs to yank it back TODAY, because you can bet that all of them can do, will do, and have done the exact same thing when it suited their purposes.
(Oh, you encrypt it? That’s very nice. But you probably don’t encrypt it very well, you probably facilitate plaintext attacks because of your poor discipline, and besides all that, traffic analysis will yield some highly useful metadata about you.)
Get your email the F*** out of the cloud. It should never have been there.
Why couldn't they get a court order?
In Microsoft’s updated policies release, they are claiming that they had enough evidence for a warrent, but no way to get a court to order a search.
If the evidence was “strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites”, Microsoft could have presented their evidence to the police (or FBI in this case) and have them open an investigation and request the court order.
Spying on customers is easier than getting the law involved. I have 2 old hotmail accounts, one is still periodically used for contract work. I should have retired both accounts long ago – Microsoft has finally convinced me to do it now instead of eventually.
Re: Why couldn't they get a court order?
… apparently because (as MS claims) there is simply no such thing as a court order for a (e-)landlord to search a (e-)tenant:
“Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, there?s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises”
So there. MS didn’t get a court order because court orders don’t even exist for such searches (apparently anywhere in the world). And anyway, it’s silly for people holding the keys to have to ask a court for permission to use them.
It’s the same kind of attitude that prompted many states to pass “tenants’ rights” laws many decades ago to rein-in abusive landlords.
Re: Why couldn't they get a court order?
Microsoft issued a statement that they tried to obtain a search warrant but couldn’t because they already own the email. It’s like you suspect your child stole a dollar from you and hid it in his room from the courts perspective. You don’t need to ask the police for permission to search because you own the house.
Re: Re: Why couldn't they get a court order?
“Microsoft issued a statement that they tried to obtain a search warrant but couldn’t because they already own the email. It’s like you suspect your child stole a dollar from you and hid it in his room from the courts perspective. You don’t need to ask the police for permission to search because you own the house.”
Is it? Maybe it’s more like you have stuff in a safety deposit box at the bank. Since the bank “owns” the safety deposit box, then I suppose they can just go in and search it anytime without a warrant? And that a judge would not issue a warrant for said search because they “are searching themselves”?
I don’t think so…
The email wasn’t Microsoft’s to search. They weren’t “searching themselves”. They looked into someone else’s emails. It wasn’t even an employee on a “corporate” email account.
This incident re-proves what’s already been proven over and over again – you can’t trust these companies with sensitive data. No matter how they try to spin things.
Re: Re: Why couldn't they get a court order?
BS. Do you have a safe deposit box? Are you trying to tell me that bank can just open it, because it is in their building?
Commenting on the article, why have a subject header?
The Windows 8 leaker also was selling server codes on Ebay and sent the blogger the full source code. I don’t have a big problem with Microsoft doing this but publicly exposing that they snooped on the email is stupid. If the leaker (A disgruntled Microsoft employee no less) was foolish enough to email an MSN account, he deserves what comes to him. All that said, I’ll never use Outlook again.
Re: Commenting on the article, why have a subject header?
They would publicly disclose it as soon as they’d go to court.
"Searching yourself"
That MS blog states “Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed.”
Is that actually true? It seems like similar things would have come up long ago, e.g. in trust law. There are lots of circumstances where property is held for another person, and I assume there are legal restrictions on the trustee (which a court order could override).
Re: "Searching yourself"
No it’s not true – it’s total bullshit. Most judges just rubber-stamp whatever search warrant requests are put on their desk, without even asking a single question.
Re: Re: "Searching yourself"
lol. You guys are a riot.
Re: "Searching yourself"
It’s true, though its also in the same breath absolute bullshit..
Reasoning being that if a company suspects that this has occurred they then go through the civil or criminal processes to allow discovery to take place. If criminal the LEO’s will obtain a warrant for the purpose of preservation and investigation since the company is classified as a victim in that instance and will be out of the loop of ANY investigation. In a civil capacity the court will grant a preservation order so that NO ONE can touch it until the court after all due process’s occur for BOTH sides of the matter agree that it is part of discovery..
Microsoft in this instance wanted to play prosecution, judge, jury and executioner mainly because they are egotistic enough to think (like most corporations of their size) that they have enough power, status and political pull not to worry about anything like law, ethics, or what the public might think.
AS I stated in the last article about this, the problem now for microsoft is that the ‘evidence’ they obtained is now highly unreliable since they themselves (a highly biased party with an axe to grind) obtained it by dubious means. The evidence might be a ‘smoking gun’ might be the truth but now reasonable doubt absolutely comes into play of.. well if they went and got it like that what guarantee is their that they haven’t changed it.. See its forensically tainted now.
Not to mention the fact that MS have now royally screwed themselves on a PR basis most likely forever!
Re: Re: G Thompson
“See it’s forensically tainted now” was a hilarious punchline for your fantastic attempt at playing internet lawyer. Good job.
Re: Re: Re: G Thompson
Forensics (especially digital of which I most likely know a LOT more about than you do) is the methodology of acquisition, examination, analysis, and preservation of information of relevance to whatever the matter at hand is. It’s about what is, not what isn’t.
And in the above context it is tainted. There is with MS doing it’s own investigation an absolute problem with reliability of that acquisition of information. The forensic methodology that they would show to the court is absolutely tainted and creates a huge barrier for it to be accepted by any trier of facts.
Re: Re: Re:2 G Thompson
So, Microsoft’s conduct of an investigation is about as competent as their implementation of an operating system, then?
“Microsoft has struggled to get adoption of Windows 8 not because of any leak, but because a variety of other issues.”
That’s a very diplomatic way of putting it. Kudos, Mike.
This is actually a problem with the CFAA that makes your email sitting on a server the companies problem. I guarantee they are correct that there is no way to subpoena emails you legally own. Remember, in US cloud services the provider owns that data because of the antiquated law. Fix it! They shouldn’t, and MS should require a court order to search it.
This is also the company that for over 30 years has not cared about security for users, resulting in billions of dollars wasted on virus scanners and trying to fix compromised machines. They are truly evil greed in the flesh. And if you don’t believe me, just look at a picture of Steve Ballmer. Uncle Fester, is that you? Thankfully they are becoming irrelevant. It cannot happen too fast.
Search warrant
Why didn’t Microsoft just go to the FISC?! They would have provided them a nice rubber stamp search warrant for all users accounts to find the connections.
The irony is that many people complaining about Micro$oft’s lack of privacy… are using Window$.
Drunk too much Google lately ?
… ‘because they actually trust Google not to abuse their privacy and snoop on those emails.’
Could you please cut down on the Google drooling ? This is not reporting stuff, this is plain and simple advertisment on how great Google is; not backed with any fact.