To Catch A Meaningless Leaker, Microsoft Made It Clear It Has No Concern For Your Privacy

from the cost-benefit dept

Yesterday, we wrote about the bizarre decision by Microsoft to search through a reporter’s Microsoft Hotmail email account, in an attempt to catch the Microsoft employee who had leaked that reporter a copy of Windows 8. While most of the initial stories about this had focused on the arrest of the employee, Alex Kibkalo, and had pushed the email snooping issue to the bottom of the story, it appears that the email snooping is quickly becoming the story. After all, the leak itself was basically meaningless. Some early screenshots of Windows 8 were never a big deal, and Microsoft has struggled to get adoption of Windows 8 not because of any leak, but because of a variety of other issues. So capturing the leaker does little of benefit for Microsoft.

However, at the same time, revealing that the company has no problem snooping through users’ email accounts if it feels it is beneficial to Microsoft is hugely damaging to the company. People need to trust their email providers. A well-known venture capitalist I know has spoken repeatedly about how so many people use Gmail, even when doing things like negotiating deals with Google (or competitors!) because they actually trust Google not to abuse their privacy and snoop on those emails. In part, they do this because they know if Google was exposed for snooping on emails that way there would be a mass exodus from Gmail to alternative providers. Yet, Microsoft doesn’t seem to have considered just how astoundingly damaging it is to violate its own users’ privacy — whether permitted by Microsoft’s terms of service or not.

On a basic cost-benefit analysis it’s difficult to see how anyone at Microsoft thought this was a wise move. Absolutely wipe out any possible trust and privacy for all email users to track down one meaningless leaker? Instead, what this shows is how “piracy obsession” blinds companies. They seem to forget all about cost-benefit analysis and assume that “something must be done” at all costs, even if it basically destroys an entire business line for the company.

Microsoft is now desperately trying to minimize the damage as it’s realizing just how it’s wiped out all of its bogus talk about protecting your privacy. They’ve announced new policies concerning how and when they’ll violate your privacy, but this seems quite clearly to be a case of too little, too late.

Companies: microsoft


Comments on “To Catch A Meaningless Leaker, Microsoft Made It Clear It Has No Concern For Your Privacy”


Re: Re:

Er, no, that requirement was removed before launch of the Xbox One… you can just unplug the Kinect and the console works fine.

As for the privacy thing… I wonder if anyone read what actually happened?

It’s also something that’s allowed in the ToS, and I’m sure it’s in the Google ToS as well. This was an investigation that led to someone being arrested, so it’s not like someone was bored one day and decided to look at a random user’s email account.

Also, it assumes Google has never done the same thing. Which no one knows. The only reason we know about this instance was because of a prosecutor’s filing, so clearly there was a legal ground for seeking the information… not some random searching.


Re: Re: Re: Re:

As for the privacy thing… I wonder if anyone read what actually happened?

Yeah, because as long as they tell you up front, nobody has any right to complain about their privacy being violated! And because someone was arrested, then obviously it was part of a law enforcement action, right?

It’s also something that’s allowed in the ToS

Of course! As long as it’s in the TOS, nobody has any right to be upset about Microsoft scroogling you, which last time I checked was exactly what they accuse others of doing.

and I’m sure it’s in the Google ToS as well.

I wish there was some way to actually verify that. Unfortunately, it’s obviously quite impossible to check. Maybe some sort of “engine” that would let you “search” for things?

it assumes Google has never done the same thing. Which no one knows.

Yes, we should be very Fearful of this. I mean there has never been anyone looking, so we should all express Uncertainty that there were no disgruntled employees, and we need to Doubt anything that hasn’t been proven.

John Fenderson says:

Re: Re: Re: Re:

“As for the privacy thing… I wonder if anyone read what actually happened”

I did, and I’ll bet most of the people here did as well.

“This was an investigation that led to someone being arrested, so it’s not like someone was bored one day and decided to look at a random user’s email account.”

You say that as if it makes everything OK, then. It doesn’t. Nor does it make everything OK because it was allowed in the ToS.

“Also, it assumes Google has never done the same thing”

Huh? Outside of the one guy quoted in the article, who is assuming this?

This all underscores why it is really important to avoid using these services. You’re giving up too much control over really sensitive information about you. It doesn’t matter if it’s Microsoft, Yahoo, Google, whoever.

Baron von Robber says:

Re: Re:

I remember reading about a patent that MS had filed to count the number of people in the room, watching TV.

Basically, after counting the number of people it sees in the room, it checks to see if you paid for the number of licenses of the current viewing program. If viewers > # of licenses, off goes the program.

no joke

Neat huh! /s


Re: Re: Re:2 Re: Re: Re: Re:

You are more fortunate than I. Now and then I have to reboot my router to restore my connection, and less commonly my ISP has a problem. I have never been unable to get to gmail. Also I’m sure this took more knowledge than what is required to get a webmail account. Those are all reasons not to do it.


Re: Re:

Wait a minute. There are actually people out there that think these accounts are secure? Seriously? If so, I will point out a person that has never read a ToS.

I don’t need that to point out a person that has never read a ToS. I just need to point to a random person and odds are pretty good I’ll be right. Terms of Service are full of legalese that takes immense amounts of time to read, and it’s difficult to pull anything relevant out of them, and easy to miss things even if you do read them. Given they tend to be fairly boiler plate about “we are not liable for etc., we may yada yada” it’s no surprise many people haven’t read them in depth and thought about the full implications.

G Thompson says:

Re: Re:

I’ll also point out AGAIN that a ToS/EULA/Contract has to also abide by overriding legislation & statutes ie: LAW

Just because a ToS states it can do something or that the company has all these rights to do whatever it thinks it can does not mean it has!

Look go read up on BASIC contract law and look at all the standard elements of ANY contract and then you might have an inkling of understanding about this.

Actually anyone anywhere who ever deals with any sorts of contracts daily (that means EVERYONE ON THE PLANET basically) go do a basic FREE course on contract law.. it will help you so much and also allow you to understand what companies can and cannot do.


While I am a huge fan of TD, this story is just flat out incorrect.

It wasn’t just an issue of “a couple of screenshots”, the leaker had stolen Windows 8 source code and was trying to help someone set up a fraudulent activation server to use it. That’s a pretty fucking huge deal and it’s simply wrong to present it as “just a couple screenshots”.

In addition, Microsoft has ALWAYS had a clause stating that they will examine your accounts if necessary to protect their intellectual property – which “activation server code” certainly qualifies as. Not only that, but due to the public backlash over this perceived injustice, Microsoft has stated they’re now going to make the whole process much more streamlined.

So, seriously – there’s plenty of real things to be pissed about, can we not embellish nonissues like this quite so much?


Re: Re:

In addition, Microsoft has ALWAYS had a clause stating that they will examine your accounts if necessary to protect their intellectual property

In the previous discussion, somebody said their TOS allowed them access “To protect the rights or property of Microsoft or our customers”.

Almost everyone is an MS customer, and “rights or property” is incredibly vague. If you use Windows and think your neighbor is bringing down the value of your house, MS would be allowed to provide their private data to you. When wouldn’t this allow access?


Re: Re:

Yes, because everyone is tripping over themselves in a mad rush to run Windows 8, which looks pretty much like AOL circa 1996. (Side-by-side comparison here:

So OMG possibly setting up an activation server would impact Microsoft revenue by interrupting the positively enormous flow generated by the stampede to Windows 8 when…oh…wait…

NOBODY, not even M$ fanboys, gives a hot shit about Windows 8. Everyone with the slightest sense knows it’s garbage. Which is why it’s dying in the marketplace. It’s worthless tripe that isn’t even worth stealing, which is why this leak truly is meaningless and M$’s best move would have been to just blow it off and forget about it. (They should have been flattered that someone would actually go through this much trouble to try that vomitous mass of code.)

John Fenderson says:

Re: Re:

“there’s plenty of real things to be pissed about, can we not embellish nonissues like this quite so much?”

Just because you aren’t concerned about it doesn’t mean it’s a nonissue. The primary issue is that people trust these companies far too much, and they are trusting that when the companies store their information, the companies aren’t actually looking at it. This applies to webmail, anything cloud-based, facebook, etc.

Microsoft has done a big favor by underlying the fact that people need to stop trusting companies with their sensitive information.


Telling Example of Microsoft Culture

I worked at Microsoft for many years and, although I wasn’t in the room when Legal and others made this decision, I can easily imagine how the conversation likely went down based on my experience with Microsoft group-think and the typical manager’s posture there.

Microsoft wouldn’t have trawled through a user’s email if they weren’t as big as they are — that’s fact #1. And this proves that they actively throw their weight around even when the ethical standard, regardless of their privacy policy, begs otherwise. They are too big, they should have been broken up, the government dropped the ball on the anti-trust case. The consent decree DID NOTHING to alter behavior, it just forced behaviors into different manifestations, but the big, bad bully culture permeates every team in Redmond… it’s toxic and now it affects the hundreds of millions of users who innately trust them.


They're not the only ones

For example:

This is why outsourcing your email — in any way, shape or form — is suicidal. Running your own email server is EASY if you have even a minimally-competent IT staff. The entire software stack is open-source, there are multiple flavors to choose from, and defenses against threats like spam are extremely well-understood and simple to implement. Programs like Mailman make handling mailing lists of any size tractable, and programs like procmail and fetchmail help with plumbing into/out of such systems.

Anybody who has their email hosted at Microsoft or Yahoo or Gmail or any of the others needs to yank it back TODAY, because you can bet that all of them can do, will do, and have done the exact same thing when it suited their purposes.

(Oh, you encrypt it? That’s very nice. But you probably don’t encrypt it very well, you probably facilitate plaintext attacks because of your poor discipline, and besides all that, traffic analysis will yield some highly useful metadata about you.)

Get your email the F*** out of the cloud. It should never have been there.


Why couldn't they get a court order?

In Microsoft’s updated policies release, they are claiming that they had enough evidence for a warrant, but no way to get a court to order a search.

If the evidence was “strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites”, Microsoft could have presented their evidence to the police (or FBI in this case) and have them open an investigation and request the court order.

Spying on customers is easier than getting the law involved. I have 2 old hotmail accounts, one is still periodically used for contract work. I should have retired both accounts long ago – Microsoft has finally convinced me to do it now instead of eventually.


Re: Re: Why couldn't they get a court order?

… apparently because (as MS claims) there is simply no such thing as a court order for a (e-)landlord to search a (e-)tenant:

“Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises”

So there. MS didn’t get a court order because court orders don’t even exist for such searches (apparently anywhere in the world). And anyway, it’s silly for people holding the keys to have to ask a court for permission to use them.

It’s the same kind of attitude that prompted many states to pass “tenants’ rights” laws many decades ago to rein-in abusive landlords.


Re: Re: Why couldn't they get a court order?

Microsoft issued a statement that they tried to obtain a search warrant but couldn’t because they already own the email. It’s like you suspect your child stole a dollar from you and hid it in his room from the court’s perspective. You don’t need to ask the police for permission to search because you own the house.


Re: Re: Re: Re: Why couldn't they get a court order?

“Microsoft issued a statement that they tried to obtain a search warrant but couldn’t because they already own the email. It’s like you suspect your child stole a dollar from you and hid it in his room from the court’s perspective. You don’t need to ask the police for permission to search because you own the house.”

Is it? Maybe it’s more like you have stuff in a safety deposit box at the bank. Since the bank “owns” the safety deposit box, then I suppose they can just go in and search it anytime without a warrant? And that a judge would not issue a warrant for said search because they “are searching themselves”?

I don’t think so…

The email wasn’t Microsoft’s to search. They weren’t “searching themselves”. They looked into someone else’s emails. It wasn’t even an employee on a “corporate” email account.

This incident re-proves what’s already been proven over and over again – you can’t trust these companies with sensitive data. No matter how they try to spin things.


Commenting on the article, why have a subject header?

The Windows 8 leaker also was selling server codes on Ebay and sent the blogger the full source code. I don’t have a big problem with Microsoft doing this but publicly exposing that they snooped on the email is stupid. If the leaker (A disgruntled Microsoft employee no less) was foolish enough to email an MSN account, he deserves what comes to him. All that said, I’ll never use Outlook again.


"Searching yourself"

That MS blog states “Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed.”

Is that actually true? It seems like similar things would have come up long ago, e.g. in trust law. There are lots of circumstances where property is held for another person, and I assume there are legal restrictions on the trustee (which a court order could override).

G Thompson says:

Re: Re: "Searching yourself"

It’s true, though it’s also in the same breath absolute bullshit..

Reasoning being that if a company suspects that this has occurred they then go through the civil or criminal processes to allow discovery to take place. If criminal the LEOs will obtain a warrant for the purpose of preservation and investigation since the company is classified as a victim in that instance and will be out of the loop of ANY investigation. In a civil capacity the court will grant a preservation order so that NO ONE can touch it until the court after all due processes occur for BOTH sides of the matter agree that it is part of discovery..

Microsoft in this instance wanted to play prosecution, judge, jury and executioner mainly because they are egotistic enough to think (like most corporations of their size) that they have enough power, status and political pull not to worry about anything like law, ethics, or what the public might think.

As I stated in the last article about this, the problem now for Microsoft is that the ‘evidence’ they obtained is now highly unreliable since they themselves (a highly biased party with an axe to grind) obtained it by dubious means. The evidence might be a ‘smoking gun’ might be the truth but now reasonable doubt absolutely comes into play of.. well if they went and got it like that what guarantee is there that they haven’t changed it.. See it’s forensically tainted now.

Not to mention the fact that MS have now royally screwed themselves on a PR basis most likely forever!


This is actually a problem with the CFAA that makes your email sitting on a server the company’s problem. I guarantee they are correct that there is no way to subpoena emails you legally own. Remember, in US cloud services the provider owns that data because of the antiquated law. Fix it! They shouldn’t, and MS should require a court order to search it.


This is also the company that for over 30 years has not cared about security for users, resulting in billions of dollars wasted on virus scanners and trying to fix compromised machines. They are truly evil greed in the flesh. And if you don’t believe me, just look at a picture of Steve Ballmer. Uncle Fester, is that you? Thankfully they are becoming irrelevant. It cannot happen too fast.


Re: Re:

What utter bollocks. Whilst it hasn’t been as successful as MS wanted it to be, it’s still at 10% penetration on all gaming-capable machines. It’s actually pretty smooth once you adjust, and fairly simple.

Some things on it are a nightmare to find if you don’t know exactly where to look. There are definitely criticisms to be made of Windows 8 in the Desktop space, but those are (slowly) being resolved with each iteration.

John Fenderson says:

Re: Re: Re:

You don’t have to have any specialized knowledge anymore — there are a number of easy-to-install setups that do all the hard stuff for you. It will take a little more time, maybe an hour or so.

You’re making a convenience argument, which is fair. Gmail is as convenient as it gets. But you pay a price for that convenience in the form of lack of control and privacy. That may be a price you’re OK with, which is also fair.

But if you’re concerned about these issues, running your own server isn’t a very onerous thing to do.

Mr. Applegate says:

Re: Re: Re:

So your reason is “Lazy”???

I have run my own mail server for more than 15 years. I have had very few outages, only one that lasted 2+ days (due to a tornado taking down power lines and internet to my home).

Reliability isn’t normally a problem these days. If you have a decent provider, good power… shouldn’t really be an issue.

As far as time, knowledge and money. You can set up an email server in less than 5 minutes using a ready built VM (Virtual Machine); you don’t really need to know all that much about it; You will need to spend $5-10/ year to purchase a domain name.

So the only real reason not to host your own servers, assuming you have an always on internet connection is laziness. It isn’t complicated and only requires a bare minimum of knowledge time and expense. I run mine on an ultra low power server, so it is noiseless and uses very little power.

However, the real question is what good does that really do you? Chances are very high that your email is passing through some major internet backbones and / or is stored on major provider systems as well. So it can still be monitored and scoured by providers.

The answer is it is a little bit harder to ‘get it all’.

The other thing that you can do, which I do for anything of substance is encrypt the communication with GPG. Done properly, it then doesn’t really matter where your email is stored. But then again there is that personal responsibility thing.

G Thompson says:

Re: G Thompson

Forensics (especially digital of which I most likely know a LOT more about than you do) is the methodology of acquisition, examination, analysis, and preservation of information of relevance to whatever the matter at hand is. It’s about what is, not what isn’t.

And in the above context it is tainted. There is with MS doing its own investigation an absolute problem with reliability of that acquisition of information. The forensic methodology that they would show to the court is absolutely tainted and creates a huge barrier for it to be accepted by any trier of facts.
