Kudos: Microsoft Changes Policy, Promises Not To Inspect Customers' Content
from the good-move dept
Last week, we wrote about Microsoft’s ridiculous decision to search through a reporter’s Hotmail email account after realizing that reporter had an unauthorized copy of Windows 8. The whole thing seemed like a huge overreaction by the company — in trying to track down an almost meaningless leak that was unlikely to have any real impact on anything, the company effectively alerted the world that you had no real privacy in your email. The move was even more ridiculous since Microsoft has more or less bet its email farm on a marketing campaign about how it respects your privacy more than others. Microsoft’s first response to this was exceptionally weak. While it announced a “change” in policies, it was still the same basic policy, that effectively (and misleadingly) claimed that it could and would continue to search anyone’s email if the company had evidence that you might reveal a leaker.
Apparently — and somewhat surprisingly — it appears that Microsoft and its legal team took the criticism seriously. Microsoft’s General Counsel Brad Smith has now put out a new blog post announcing a complete change in policy, promising that it will not unilaterally look through any Microsoft user’s content in search of “stolen” intellectual property:
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
Furthermore, the company will officially change its terms of service to reflect that change in policy. On top of that, it is starting a (somewhat undefined) project with EFF and CDT to work on “best practices” concerning privacy. Smith’s apology is quite heartfelt, which is also rare from a big company:
It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week. Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.
In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.
While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.
Personally, I wish the announcement and policy change went a bit further — beyond just “intellectual or physical property,” but making it clear across the board that, absent a reasonable warrant signed by a judge, Microsoft will not allow anyone to access anyone’s content. But, perhaps we’ll get there some day. In the meantime, Microsoft does deserve some kudos for changing positions. Most large companies would try to just let this issue fade away rather than proactively address it.
Filed Under: brad smith, email, policies, privacy
Companies: microsoft
Comments on “Kudos: Microsoft Changes Policy, Promises Not To Inspect Customers' Content”
Recheck facts
Your read on this case, Mike, is a bit off. It had nothing to do with a copy of Windows 8, but source code relating to the Volume Activation mechanics in Windows 8/Server 2012. This is a REALLY BIG DEAL to people like me running open activation systems that would then be exploitable. They made a promise to other customers, paying customers, that they would do everything in their power to keep that code secure.
How they did it is one thing, and you can be against that, but claiming that they did not have a VERY good reason for doing so is intellectually dishonest.
Re: Recheck facts
Thanks for saying that. Past Techdirt posts have claimed the leak was only “screenshots”. Source code is a very different than screenshots.
[Not that I endorse MS Actions in this case]
Re: Recheck facts
If a crime was committed, they had legal options. They threw those options to the wind and went off on their own hunt.
Taking the law into ones own hands is frowned upon.
I have a very good reason for breaking into that guys house, because I promised my mom I would find the guy who let his dog shit in the yard. Sounds silly in that context doesn’t it?
Re: Re: Recheck facts
They had no legal options, they did explore them and described them in detail. Because of the CFAA, email on a server belongs to the company that owns the server, not the user or any 3rd party. You cannot legally subpoena property or information that you yourself own.
This is a MAJOR flaw in the US legal system, and Google/Apple/Facebook would be forced to do this the same way in similar circumstances. Except they don’t have enterprise customers that they have contracts with to secure their code, so they aren’t as worried about this issue and are using it to attack microsoft.
There is a techdirt article from years back of Google doing the same thing (to Gchat messages) when one of their engineers was abusing his access to communicate with minors. They had no issue looking through the mis-accessed accounts to confirm that.
Get your reps to change the CFAA and make information you create, stored at a 3rd party your own property. Otherwise, cloud storage providers will ALWAYS be forced to use only internal policies to decide these matters.
Re: Re: Re: Recheck facts
They had no legal options, they did explore them and described them in detail. Because of the CFAA, email on a server belongs to the company that owns the server, not the user or any 3rd party. You cannot legally subpoena property or information that you yourself own.
Now it is you who should recheck the facts. That was Microsoft’s story but it was misleading. What they could have done — and what they now admit they will do in the future — is simply hand over the basic info they have to law enforcement. Law enforcement absolutely can go seek a warrant for that information if it has credible evidence that the information will reveal criminal behavior.
Re: Re: Re:2 Recheck facts
Actually, for a change, I’m not sure that Microsoft actually intended to mislead on that point. However, at least they have admitted that they screwed up big-time here, and are showing some willingness to change here, which, if I’m honest, has surprised me.
We should continue to applaud positive interactions whilst denigrating those actions which lead to these situations.
Re: Re: Re:2 Recheck facts
Law enforcement absolutely can go seek a warrant for that information if it has credible evidence that the information will reveal criminal behavior.
But will Microsoft require a warrant if its an investigation that they instigated?
Re: Re: Re:3 Recheck facts
Microsoft don’t require the warrant if they send it to law enforcement.. LEO’s require the warrant to comply with all legal and evidential procedure and allow that evidence (if any) to be obtained via legal, unbiased and appropriate means.
The warrant is handed to the company but it is actually a warrant to AUTHORISE the acquirement of the evidence by the LEO’s not by the company.
Re: Re: Re:4 Recheck facts
Companies and people hand over evidence all the time without a warrant, so I’m not sure what your point is. A warrant is for an unauthorized search. This search was already authorized.
I really don’t understand why this group would rather have cops searching through Hotmail than MS. Seems that every other story about the government searching emails has this site up in arms, but when MS does it you run back to the government. So weird.
Re: Re: Re:5 Recheck facts
There is the small matter of probable cause and getting a warrant. This is a quaint old practice that requires whoever wants to carry out a search to explain why they want to carry out a search, what they are looking for, and getting the judge to approve the search.
Re: Re: Re:6 Recheck facts
Do you apply for a warrant before conducting a search of your own hard drive? Because legally that’s what MS did.
Re: Re: Re:7 Recheck facts
Legally maybe, but there is a difference between me searching my own data, and Microsoft searching other peoples data and using it against them. Their email business relies on a degree of trust, and what they did betrays that trust. Most people would accept the handing of the problem over to the LEOs. It is also different from an employer looking at emails sent by an employees using the companies system. That is one option that Microsoft could have exercised, despite it requiring looking at all their employees emails. Further what Microsoft did is different from Google’s algorithmic search of emails to decide what adverts to serve someone.
Re: Re: Re:5 Recheck facts
down below in reply to another of your posts I explained why this is wrongful in both a criminal and civil case.
The search was not authorised in any way whatsoever, it wasn’t even authorised under MS’s own WRITTEN policy and therefore is at minimum forfeiture of contract by themselves.
The reason why people want LEO’s searching through things for criminal and civil tort purposes is called due process. It is designed to allow transparency and the use of un-biased parties that have no axe to grind.
Or do you in your practice as a Sys engineer go searching all logs for pertinent passwords and other identifiers of all clients that use your systems because your feelings might be hurt or you somehow assume that something wrongful might of occurred? If so you should be sacked and criminally prosecuted if not.. well why are you so aghast at people questioning MS doing nearly exactly the same thing.
Re: Re: Re:2 Recheck facts
That’s a fair point, but I’m not 100% sure its a better solution. I think they already hand over too much information to law enforcement. Microsoft at least has an incentive to only look at pertinent information and to scrub it when they’re done. Law enforcement has no such incentive. I think the obvious solution is a neutral 3rd party or a Cloud Services regulatory board to handle sensitive issues like this.
I think a lot of the outrage towards this is because people don’t understand how big a deal this is to Microsoft’s biggest customers, both OEMs and EAs. They had to do something, and they did, they just didn’t have a good solution on hand and guessed wrong.
Re: Re: Recheck facts
I feel like im in the bad position of defending Microsoft, but simply attacking them for what is a VERY nuanced problem is counter-productive to solving the problem.
Show me a legal US method of subpoenaing information YOU legally own, and I will retract my defense of them. But until you can, you are arguing the wrong point.
Re: Re: Re: Recheck facts
If the information is going to be used in a criminal matter where you are classified as the victim then THE ONLY way to do this is to allow LEO’s the ability to run the whole thing.
That’s what criminal investigations are for. That’s why Victims and witness’s play no part in investigations other than giving statements and facts that are requested. If they give information on their own behest then that information if it is to become evidence has to be verified as correct. The informant (in this regard the victim) has too much of a bias for this to not occur.
A warrant/subpoena is not just to obtain evidence. It is the procedural correct way of allowing that evidence to be properly obtained by the appropriate parties for ALL sides. Otherwise anarchy reigns and rules of evidence goes out the window and hearsay is fully allowed in criminal matters.
Civil cases on the other hand are different though the same problems of bias, relevance, authenticity and probity also crop up with discovery. This is why it is always best practice to allow outside third parties that have no other interests in analysing, obtaining, and preserving this sort of volatile data.
Microsoft were trying to enact a criminal investigation internally being judge, jury and executioner. That’s wrong both legally and ethically anywhere.
As for their statement of “While our own search was clearly within our legal rights”, that is blatantly false in the context of what they were planning to use that evidence from the search for.
Re: Recheck facts
You statement suggests that you are relying on the trustworthiness of a company that demonstrated that trust may be misplaced.
Security via obscurity is no security, and allows NSA back-doors to be built in.
Re: Re: Recheck facts
That’s a BS argument. Exploits come from bugs, having access to source allows you to find bugs. Or workarounds. And yes, we are reliant on Microsoft OS’s in the enterprise because there isn’t another option. I know you are about to explain to me how Linux can do it, but I’m an Enterprise Architect and you aren’t, and you’re wrong.
Re: Re: Re: Recheck facts
Lol, you pay a lot for your Microsoft certificates so your just massaging your ego there because you were a fool to go along the ms path as was 90% of the world. If you want secure you use Unix/BSD and not Linux, your right!
Windows sucks and always as done from 95… I didn’t find 3.11 too bad but I didn’t move from dos for a long time because I didn’t like the direction things were going. Since then I’ve been proven tight year after year!
Sheeple
Re: Re: Re: Recheck facts
Exploits come from bugs, having access to source allows you to find bugs. Or workarounds.
The other side of that coin is that having access to the source also allow you to discover the nefarious “features” that a self-serving corporation might put into their proprietary code.
I know you are about to explain to me how Linux can do it, but I’m an Enterprise Architect and you aren’t, and you’re wrong.
It is possible though – just ask the folks over at Ernie Ball.
But I am curious why you claim that open source couldn’t replace MS in the enterprise. What’s missing?
Re: Re: Re:2 Recheck facts
This is a VERY long conversation, but a lot of it comes down to 3 things: Manageability, supportability, and cost to confirm (testing).
Manageability: making environment wide changes (and confirming they were successful) is very difficult in an enterprise linux environment, and prone to failure. Getting better every day, but not there yet and the least of the issues.
Supportability: Not that its necessarily harder, but it is WAY more expensive to pay a Linux systems analyst to do workstation support than it is to pay a tech support monkey with a HS education. Scale that out to 1000+ IT people, and its a multi-million dollar problem.
Confirmation/Testing: This is a lot more nuanced, and really only affects the ultra-large enterprises, but having a consistent code base among your 100 000+ computers in a large enterprise has economies of scale when testing new rollouts that is impossible to replicate in a package-based environment. It comes down to man-hours required to test changes under an ITIL/COBIT managed environment. Again, efforts are being made (successfully) to nullify this problem, but it still exists.
Re: Re: Re:3 Recheck facts
Fair enough.
I’ll defer to your apparent knowledge on the 1st and 3nd points. Those sound like reasonable concerns.
On the second one concerning supportability though, isn’t that really just a matter of developing tools and training for Linux that are equivalent to what the first line guys are using now?
Re: Re: Re:4 Recheck facts
Basically, yes, but its a massive gulf right now. Some organizations can get away with it because of their skillsets, but its hard to sustain and they have trouble hiring.
The U of A where I worked has a large OSS infrastructure, that I helped manage, and its hard to hire good people to support it. They manage it, but it would be impossible to scale it out to the desktop for 800 end user IT people, 10 000 staff and 45 000 students in the computer labs. In contrast, the EA agreement is only low 7 figures for all their MS licensing.
Its changing, and it will likely be a completely different ballgame in 10 years, but its not really a contest at my level.
Re: Re: Re:5 Recheck facts
Ah, you mainly train people on Microsoft products and then wonder why few people know how to maintain other systems.
Re: Re: Re:6 Recheck facts
You missed the point – that, for the longest time, it was far easier, both in economic and in training-hours terms, to train people up for Enterprise Windows solutions. This is changing, to be sure, but it’s not quite at the tipping point.
Remember that Linux was, and still is to a degree, not as user-friendly as Windows to the layperson. You can put a person down in front of Windows (even Windows 8) and talk them through how it works, then leave them to it and get the work done. IF something goes wrong, you can call for help from most people relatively easily. For Linux, sadly, not so much.
Re: Re: Re:3 Recheck facts
One other thought.
Wouldn’t the cost of extra training, developing, and whatnot be offset by a huge degree by not having to fork over a fortune in licenses every year for proprietary software?
On the scale you are dealing with, even just the switch from MS Office to LibreOffice would be a significant savings.
Re: Re: Re:4 Recheck facts
This would be true if software licensing was anything but a drop in the bucket for an organization’s IT budget. Also, Microsoft at least gives a ton of free consulting hours with large EAs. Every organization has a mix of open and closed source stuff but the licensing costs don’t determine what’s most expensive, ease of update is. We get dinged by our auditors if our software isnt up to date, and the ease of transition that closed source stuff usually has (except ERP stuff and Oracle) offsets the cost of the license.
Its complicated, but man hours, power, user hardware, user training and consulting make up the bulk of an IT budgets. Training 100 000 users on something new costs WAY more than licensing 100 000 windows workstations at 60 bucks a pop. And don’t get me started on migrating from Office…..
Re: Re: Re: Recheck facts
Appealing to your own authority without evidence, why should anyone believe you.
Re: Re: Re:2 Recheck facts
My Linkedin is on my profile.
Re: Re: Re:3 Recheck facts
That is not evidence that your opinions are correct.
Re: Re: Re: Recheck facts
Which is how all those exploits used to attack Windows systems have been found!!.
Almost all exploits are found by calling routines with bad parameters, such as overlong strings, out of range indexes etc. If the program crashes, they can then try the various ways of using the bug. Very few exploits are found by either access to the source code, or reverse engineering the binaries.
Re: Recheck facts
How they did it is one thing, and you can be against that, but claiming that they did not have a VERY good reason for doing so is intellectually dishonest.
We can disagree over that. There is little evidence that there was a significant real threat here. Code gets leaked all the time. The full impact of that leak was minimal.
Re: Re: Recheck facts
I have to disagree, and I’m a lot more qualified to make that argument. If VLM code gets into the wild that has MASSIVE implications for all of their biggest customers. I run a 150k user AD environment right now, and we would have had to make large, high impact changes to our activation model if the activation code was under threat.
Its my job to be VERY aware of whats going on here, and even though I personally hate that they did this, professionally i have to stand with them, and thats why they did it.
Re: Re: Re: Recheck facts
” I’m a lot more qualified to make that argument”
I just have to chime in here, since this is at least the second time you’ve mentioned how much more qualified you are than everyone else here. First, I doubt that’s true — there are a lot of commenters here that have quite a lot of experience in this exact thing.
Regardless, you are engaging in a logical fallacy — appeal to authority. It means absolutely nothing, and gains you no credibility. You’d be better off actually explaining the facts and reasoning behind your opinion rather than simply saying “I’m an expert, so everything I say must be true.”
Re: Re: Recheck facts
To further obfuscate, a better solution might be to go back to the honor-system activation model and then this wouldn’t be such a big problem, but that’s a completely separate argument that I think you and I would agree on.
But will they ask for a warrant?
How is this a change if they are still extra-helpful to law enforcement when they are an interested party in a case.
MS : Officer, a reporter with an hotmail account has reported on secret stuff. Will you look in his account for us? We promised we wouldn’t.
Officer : Shall I get a warrant?
MS : No need. Here’s all her email messages. Would you mind telling us what they say?
Anybody who believes that Microsoft will actually change their attitudes about independently searching your email, raise your hand.
If you didn’t notice, I was being sarcastic.
Nobody should ever trust Microsoft again because if they were willing to do it once, they are more likely to do so again.
Kudos: Microsoft Changes Policy, Promises Not To Inspect Customers’ Content
Great, maybe your friends at Google will pay heed.
Re: Re:
Great, maybe your friends at Google will pay heed.
Not sure what kind of “gotcha” you think you’re making here, but I agree that I hope Google does the same. I hope that all tech companies that offer cloud-like services will make this sort of thing standard and think its ridiculous that they did not do so from the beginning.
Re: Re:
After attacking Mike over one thing, I have to step in here and defend him. He is a friend of the general public, not Google. It’s just that in a lot of ways Google has aligned incentives with the public because their business model is public trust (to a large degree). Microsoft’s interests are aligned with their Enterprise customers and OEMs where the bulk of their revenues come from. So it might look like he’s a Google supporter, but really issue by issue he agrees with them more often than MS.
This is changing as Google becomes more attracted to Enterprise revenues (very stable), and MS becomes more consumer focused. As their incentives drift towards each other their behavior will become more similar and Mike will hate on them equally (or cash twice the shill checks as you seem to think)
"Post-Snowden"
Is this the new “post-9/11”?
Once bitten, twice shy
have to agree with blacktron
While it rather pains me to say so. I have to agree with blaktron on the management issue. MS products have a huge support base irregardless of the degree of skill. Alternative systems, yes including Mac, do not have the same pool of workers to choose from. That large pool keeps the salaries lower than skilled Unix and Linux support which has a *much* smaller group to hire from.
There’s one other problem that no one has touched so far, business or logistical software. Often times these products are platform specific, usually Windows, and there *is* no alternative to them.
Whether or not your business IT people ‘trust’ Microsoft or not is no longer a question in that situation. You lock down as much as you can and hope it’s enough to keep out *most* prying eyes.
Re: have to agree with blacktron
There is the problem that staying with Microsoft only lets them increases the lock in they have on your computer systems, and the control that they exercise on the software that you can run. The more they can lock you in to their software in the more they can charge you to allow you to run your business.
Is this one of those Terms of Service that they can just change anytime they want (such as how they are doing that here and now)?
If yes, then I would not put too much faith into the fact that this will now be included in those ToS, as they can just modify or take it out later (after this blows over and the dust settles).
Actions speak louder than words.
Any port in a shit storm
Kudos my ass. This is Microsoft remember….
As sincere as the statement sounds, it is still Microsloth and I’m certain that the only thing that has changed is the manner in which they lie to the public.
Its more sincere sounding now.
But, its still a lie.
MS will always do as it pleases first and attempt PR afterwards, but only if it feels the PR skit might have some chance of successfully fooling the public, or if it thinks its absolutely necessary – like this time, since they’re hoping to prevent a mass customer exodus.
Normally it would just weather this shit storm for the period of consumer memory – a couple weeks – and then pretend it never happened, but the off-hand manner in which they violated their own privacy agreement, as if it simply did not exist, really spooked the public.
Drastic measures were necessary.
In this case Pseudo-Sincerity!
Nothing is free..... except ignorance
if ignorance was expensive, it wouldn’t be spread around.
Any freemail is open data mining, your data available for sale to the highest bidder.
Privacy costs money. (It costs to keep it and lose it)
I don’t believe it. M$ lost its credibility. I’m hoping Linux gets enough momentum so I can ditch Windows completely. There is no trust left.
Re: Re:
I ditched Windows for Linux completely about 10 years ago. The transition period was a little painful then, but once you’ve made the move, there are no issues. Even that transition is much easier now I’ve guided a number of non-techie people away from Windows recently, and nobody had any problem.
The one exception remains gaming, but even that is getting to be a smaller and smaller exception as time goes by.
And in further news Outlook & family’s thirty-day random lockouts will probably be the actual reason Hotmail use drops like a brick (& virally). People will move on to Google or something by then.
SEO Services
That was a illegal decision and it’s wise if they have gone back as it’s the clear interference in the privacy of the users.
SEO gloucester
Given the details of the Electronic Communications Privacy Act, no US company can give you the same rights over your email that you would have if you keep it yourself in your own server. The ECPA does not apply to companies in other countries, but you probably have even less rights with those governments.
Happy to find your blog
This blog is awesome, I like this post. It’s really a great and helpful piece of info. I am glad that you shared this helpful info with us. You can also visit Enterprise Architecture Consulting Services for consulting services.
Really Informative Knowledge you have shared
Really good information Mike Masnick. I am really happy to read your article in significant way. Recently, I was searching for <a href="https://risingmax.com“> IT Consulting Companies in New York</a> and I found the great one. I hope all your reader will like it and trust me you are doing very well. Keep it up Mike. I can believe that you will do something amazing.