Microsoft sniffed blogger's Hotmail account to trace leak (news.cnet.com)
The company's legal department determined that it had the right to go through a private email account, citing a leak of proprietary Microsoft code
Legally, Microsoft appears to be protected by its privacy policies. The policy for Outlook.com, formerly Hotmail, states that, "We may access information about you, including the content of your communications...to protect the rights or property of Microsoft."
This is the agreement that every user agreed to when they signed up for Hotmail or Outlook. It's not carte blanche for Microsoft to go through your email, but it seems to allow them to do it for a very particular purpose.
No they didn't. Over 99% of them clicked through without reading. Some of them suspected Microsoft might one day read their email, but somehow shrugged it off, then forgot about it.
If people were truly informed, most would not give consent. Make no mistake: using a hotmail or gmail account means giving away a good chunk of your private correspondence. It also affects whoever you're communicating with, even if they have their own private mail server.
We need those Freedom Boxes. Fast.
I strongly disagree. Most would bitch about it, then do it anyway, knowing it may be a shitty deal for them. That is consent.
http://www.ibtimes.com/microsoft-rips-email-snooping-google-...
Microsoft has, for example, the right to petition government without fear of reprisal. It could protect this right if Microsoft were to review any email accounts of lawmakers or regulators to ensure that they never express any animus against Microsoft based on past filings or appeals.
Microsoft may wish to protect its property by scanning every hotmail account for discussions of havens for illicit software, like torrents or newsgroups, trying to determine exactly what each user has downloaded and when.
Extreme examples are just for illustration. I don't think Microsoft will jump on those as next steps. But if the question is, "Could these user agreements justify things that would make us a little uncomfortable?" I think the answer is probably yes. Are we there just yet? Maybe, maybe not.
https://mail.google.com/mail/help/intl/en/terms.html
However I read very quickly so please correct me if I'm wrong.
We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
...
protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.
Essentially their job is dealing with things that border on being illegal. Determining how far you can get to illegality, while remaining technically inside legality.
For the first time the notion of "newspeak" in real life has clicked for me. I'd never grokked the idea from the novel, other than as some fear mongering fantasy that Orwell invented for the sake of compelling irony. But now I see, names actually make sense, from a certain angle. They weren't purely ironic devices.
For the record, I'm NOT comparing Microsoft to Big Brother. Just funny to draw that parallel in naming choices.
http://wmpoweruser.com/watch-what-you-store-on-skydriveyou-m...
This is why I think Microsoft's "privacy attack ads" against Google are done in really poor taste - not necessarily because some or most of them aren't true, but because I know the company doing those ads is just as bad or worse for the very same thing they're accusing Google of. I can't support that.
Here's Google nailing someone for child porn.
http://sacramento.cbslocal.com/2013/11/21/googles-role-in-wo...
AFAIK almost all online storage services use automatic scanners to screen out items violating the ToS.
>At least Google only mines the data algorithmically, but this is way worse.
Really? How do you even know if the Google CEO read your Gmail today? What recourse do you have? None.
http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...
This is simply a risk you take with any company you become a customer of. You willingly give that company certain power over you. Rogue employees will always be able to do things that are harmful.
There are many cases of rogue employees working for Comcast and AT&T who will look up someone's IP address and find their full name and address, and harass them or spread that information. Most of the time, some number of employees need access to information like that, and eventually one of them will end up going rogue or becoming mentally unstable.
I don't understand why in this case, MS couldn't have easily gotten a subpoena, anyways.
Heck they could provide a google-for-domains for the Post Service customers, and still have gmail interface.
With federal protection.
http://consumerist.com/2013/07/03/forget-the-nsas-hi-tech-sn...
"Microsoft may access and/or disclose your personal information if we believe such action is necessary to: (a) comply with the law or respond to legal process served on Microsoft; or (b) protect the rights or property of Microsoft (including the enforcement of our agreements)."
Note clause (b). I thought it was a little off that they can examine your health records to protect their rights and property. But it looks like they are not afraid to use it!
This ditty is still there. In fact if you go to the home page for Health Vault, it says:
"It's your HealthVault account You decide who can see, use, add, and share info, and which health apps have access to it. HealthVault won't provide your health information to any other app or service without your permission."
So as advertised it looks like you get to decide. You have to read pretty far down in their privacy policy before you find the clause I first mentioned. Now of course there are cases where your private information may be used without your permission, but most people would assume that requires some form of legal process... but not for Microsoft.
One might rephrase it as: 'The TOS allow us to read your data. We will choose to do so if it is sufficiently important to us. We can make this decision unilaterally.'
What Microsoft should have done is obvious: Get the case before a judge and get a search warrant. Use the search warrant to access the communications.
Just because you own the email servers doesn't mean you get to play judge and jury.
Microsoft: “Judge, we demand that Microsoft turn over these emails.” Judge: “???”
(that is, can you even procedurally attempt to force discovery against yourself?)
Not to mention that the EULA seems to pretty clearly cover exactly this scenario.
Judicial Mandate: Necessary or Superfluous?
Yes, there may be a distinction between private and company emails. But it seems like the lines are somewhat blurry, here.
Imagine if Ford motors said: Oh, we can look into the Ford cars that Ford employees have bought with their own money and drive to weekend outings with their families, because we made and service the cars.
I don't think this will fly very far.
Microsoft has no legal authority to make that call.
I have used PGP/GPG but it's not good enough. It fails the mom test (as in my mom couldn't use it, and by extension, it's not ready for the mass market).
If you designed a system from the ground up to be secure, you could do much better.
Oh wait.
This would be better phrased as 'how far can we go in pursuit of our employer's legitimate interests, but still remain within legal boundaries.' As phrased, you're treating illegality as a goal in itself, but this isn't the case. All companies have interests, but the most obvious and efficient means of pursuing those interests may be at odds with any of the many regulations governing corporate activity. Compliance departments specialize in making sure firms stay on the right side of that line, and in a complex economy with complex regulatory regimes that's a full time job.
As far as naming choices go, 'compliance' is the standard term in industry for ensuring that a firm's behavior is lawful, and it doesn't carry any connotation of pushing boundaries or circumventing the law. There's no 'newspeak' here except in your own mind, unless you actually believe that companies aspire to illegal behavior as a matter of course.
Alternatively, the "office of Trustworthy Computing" over which Scott Charney[1] presides does sound creepy.
Note that "Trustworthy Computing (TWC)", by name and mission, is intentionally distinct from the "Trusted Computing" initiatives.
It's a subtle but essential distinction between trust meaning "to rely upon another party" and trustworthy meaning basically "reliable". (my own definitions)
I will: Microsoft is a big corporation who spies on its users to protect its interests. Incidentally, there are many other Big Brothers like them: Facebook, Google…
People should read some cyberpunk literature. Read William Gibson's Neuromancer, or play Android Netrunner. We're halfway there.
Nothing ever happened to either company, and you'd be hard pressed to find an article on it, but MS has been snooping on their users for a long, long time.
To give a common example, an invasion will often be talked about by the invading power as a "liberation". Yet the act of liberation by a foreign power always ends with that foreign power having significant local political influence and access to natural resources (and may involve permanent occupation).
Or take the "war on terror" for example. Superficially, a "war on terror" should make people LESS afraid. Yet, in practise the politicians engaged in the "war on terror" have actively tried to encourage fear (in order to justify granting extraordinary powers). The irony is so blatant it's right there in the name. Being at war makes people more afraid, so declaring war on terror is automatically ironic. It's like having an orgy to promote abstinence.
On the plus side, it shows that even Microsoft internal enemies love Hotmail.
In a similar incident, a Google employee accessed personal information, but Google was never penalized for it.
http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...
As usual, Stallman was right when he called cloud computing "careless computing" and a trap. http://www.theguardian.com/technology/blog/2010/dec/14/chrom...
How would you feel about the postal service opening the letters it transports in a similar scenario? Do you think it's morally a-okay for them to unilaterally decide to read your mail without a court order?
I suspect that most people would say "no", even though it all happens on the postal service's own premises, using their own resources. At the same time, I wouldn't be surprised if most people would think like you expressed when it comes to e-mail.
Clearly, more thought needs to go into this to determine in a reasoned and consistent way whether Microsoft's actions were morally right in this particular instance. Value judgments are going to play a role, too. Still, I think it's fairly clear that the answer must be the same for physical and electronic mail.
Edit: I know you were talking more about legality than morality. However, as the physical mail scenario shows, there is already a legal precedent for an actor being prohibited by law from acting in a way that is analogous to what Microsoft has done; and ultimately, the law should follow moral considerations, so those are the more interesting questions anyway.
At work, we use exchange. In the webmail settings, there's a list of plugins, many of which provide basic, necessary core features such as meeting invitations. All the microsoft plugins had a disclaimer along the lines of "This plugin may send your mail and data to a third-party server".
Not saying they're archiving it, but I'm not sure running microsoft software is a great idea if you're very worried about the security of your data.
Just because corporations have a Russia-in-Crimea style boots-on-the-ground advantage when it comes to the cloud doesn't mean you have to throw up your hands and give up when someone violates your rights.
The EULA in this case said they can spy if needed to protect their IP rights, but that doesn't fly in this case. The IP was already stolen, and spying on this journalist doesn't put the horse back in the barn and undo the leak. Catching the thief doesn't protect their rights, because the crime is already done.
But it seems they have their bases covered on that, so we'll see.
Whether the defendant has a separate civil claim against the violator is a different question, but it has no bearing on the admissibility of the evidence in the criminal prosecution.
1) Go to www.microsoft.com
2) Search "windows 8 eula" (http://search.microsoft.com/en-us/results.aspx?form=MSHOME&m...)
3) Click the top link to download the EULA
Same thing worked when I tried "windows 7 eula" (http://www.microsoft.com/en-us/search/results.aspx?form=MSHO...)
These are also top results when I try the same query on Google.
Did you even try to find it?
Should webmail and similar services be regulated so as to put the interests of consumers ahead of service providers? Perhaps, and in many ways this is the approach taken by European regulators in many industries. On the other hand, it has been argued that the rather onerous data protection regulations in the EU are partly to blame for the lesser competitiveness of European firms in that marketplace, by imposing overly burdensome regulatory regimes on entrepreneurs and thus making the barriers to marketplace entry far higher than in the US.
Microsoft automatically collects information identifying your installed Microsoft product, the operating system of the device, the CPU architecture of the operating system and data regarding the success or failure of the installation of the software, data identifying the cause of a crash in the product and information about the product license which is in use.
. . . .
Microsoft may use the computer and services information to improve its software and services. Microsoft may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software.
In principle, this could be interpreted quite broadly ("selling detailed information about our installed base to third-party marketing software firms helps us pay for improvements to our software").
1) If the advice is too conservative, and the company refrains from some action that it could have undertaken safely, then leadership blames the law.
2) If the advice is insufficiently conservative, and the company undertakes some action from which it should have refrained and it blows up in their face, then leadership blames Legal for blessing the action.
My point is being within the law is not quite enough. You want to be so far within the law that you can get most court cases thrown out without actual litigation.
Or as a rich friend of mine put it. I like paying a little extra in taxes every year. Sure, I could take every deduction but I like knowing if I am ever audited I will end up with a nice check.
If we assume there are no external legal modifiers, it seems pretty straightforward that the server owners should be able to search their own disks for any reason.
The entire premise of free modern email is that the provider will be automatically parsing the text of your emails, composing a profile of your behavior and interests from that text, and attempting to sell you products based on that profile. Wouldn't that be illegal if it's not legal to search your own disks? How come you can agree to ToS and privacy policies that allow that but not policies that say "we can also look at it if we suspect that you're trying to screw us over"?
Most countries have similar limitations for consumer protection. For example, Germany has a certain minimum warranty that a manufacturer must provide that cannot be waived away no matter what they try to write in the ToS-style contracts that exist for businesses here (AGB).
Contract law is not a physical law. It is shaped over time - ideally in a way that follows a consensus of all citizens in a democratic society. If we feel that morally, webmail providers should not have the right to do targeted investigations in their hosted mailboxes (which is easily distinguished from the kind of algorithmic scanning for marketing purposes), then that can (and should) be turned into law.
No-true-Scotsman? I don't care, this one is valid: we're talking about someone who has some distant relatives in Scotland, but never set a foot there, hardly speaks English, and lives in China.
I do get that the proper threshold is not always the same. The threshold of consent for having sex for instance, is very high (or ought to be). Still, some things I say over email are just as private as my dick.
People often do foolish things, it doesn't mean other people have a moral right to take advantage of them. (Alas, they sometimes have the legal right.)
By the way, in this case, it seems Microsoft spied on the blogger's account, to know where the leak came from. The leaker may not have used hotmail at all. While it's easy to notice cloud spying when sending from a webmail, it is a bit less easy when you send to a webmail: you're not even legally expected to have read the TOS. I mean, you still have to be careless to make that blunder, just less so.
[1] http://arstechnica.com/tech-policy/2014/03/arrest-of-secret-...
If people really cared, then that market would exist today. "Get your $5/mo. much more private email from privateemail.com!!". This notional private email provider would be able to advertise Outlook.com, GMail, etc.'s privacy policies independently of those email providers to ensure that "click through" isn't the only reason people are unaware.
Your problem is not education. Your problem is your position is just a marginal one. Sad in some ways, but true.
The truth is, people have bigger fish to fry than this, and like a lot of things, they like to talk about some stuff, but when push comes to shove, "privacy" is just nowhere on the list of priorities, educated about it or not. The market would already exist otherwise.
Well, that's a good thing right? You're pretty much saying "I knew this person once who wanted to do something, knew it was illegal and so scaled back their plans to fit within the law. What a scumbag."
Wrong question.
Should be: "are we doing anything illegal here?".
Just because it's legal doesn't mean it's right. That's the whole point here.
If you have an Office of Legal Compliance whose job is strictly to decide whether something is within the law or not, a corporation might easily get the idea they can get away with doing all sorts of wrongs.
Is it legal? Possibly, apparently. But should you nose through somebody's private email without their consent? Is that ever the right thing to do? I'm gonna say no, almost always. There may be a few exceptions in some specific circumstances, but that is not for the Office of Legal Compliance to determine because ethics isn't their job.
(it might be nice if it was, but it's not)
Which means that companies are only going to want to hide, downplay, and pretend to prevent such spying. This sounds familiar..
> In December 2012, for instance, Microsoft emailed DITU a PDF invoice for $145,100, broken down to $100 per request for information, the documents appear to show. In August 2013, Microsoft allegedly emailed a similar invoice, this time for $352,200, at a rate of $200 per request. The latest invoice provided, from November 2013, is for $281,000.
from http://www.dailydot.com/news/microsoft-compliance-emails-fbi...
Furthermore, the NSA reading email is effectively a data breach, and many companies take the view that hiding a data breach is a good thing - no press about data breach means no bad press means no lost customers.
>“Outlook.com does not go through the contents of your sent and received email messages in order to display targeted ads. ... Outlook.com does not go through the contents of your incoming email from other email service for the purpose of targeting ads. ... Outlook.com does not go through the contents of your entire inbox for the purpose of targeting ads.”
Google does all of the above, are you claiming there is no difference between the two services?
The new lawsuit against Google for building profiles of children using its free Google Apps for Education service has even more info:
http://www.huffingtonpost.com/2014/03/17/google-data-mining-...
>A Google spokeswoman confirmed to Education Week that the company “scans and indexes” the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off--even for Apps for Education customers who elect not to receive ads.
http://www.google.com/intl/en/policies/privacy/
"protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law."
When it comes to "automated process goes through my email to decide which soda to offer me" ... I am not pleased, but not very worried. My bank does worse.
When it comes to "people go through my and other people's email to decide who to sue for what without legal oversight" that hits an 11 on the WTF scale.
I will NEVER trust Microsoft with one iota of my data again. They proved here that they will use it against me if it serves their business interest, or just snoop through it if they don't understand how something happened. At least the NSA claims they snoop through my email to "protect America". Microsoft clearly goes through my email to improve Microsoft's bottom line. It wasn't even an employee's email they went through. It was an external hotmail customer that trusted them with this email.
This is akin to your bank going through the documents in your safe then using the found information to wire money to the Bank's CEO. This is way, way over the red line.
If they did this with physical mail, the minimum punishment for whoever in Microsoft did this would include jail time. We should have the same regulation for email.
The only viable privacy option is to host your mail at home. It doesn't have to be difficult. We "just" need a suitably tailored GNU/Linux distribution in a Sheeva Plug, or Raspberry Pi, that you just plug-in, then use as a web service. (Just one snag: your ISP must allow you to send and receive e-mail: many close off port 25, and some even ban home servers.)
Now to get your email, they need a search warrant and someone to knock on your door, which is inconvenient and costly.
These codes explicitly outline how I should expect my mail to be handled by the USPS. They also explicitly define how 3rd parties are handled when they violate your mail. It's all very clear in black & white.
We have expectations of the USPS because of a codified standard. Breaking those expectations is a totally different scenario than the MS scenario.
There's an interesting intersection-of-laws issue. Our email is actually hosted by Microsoft Office 365. When Microsoft performs searches like this, do they touch multiple email accounts? If they ran the equivalent of a grep across their whole email infrastructure, they might violate Danish law in doing so, if their grep touched our mailboxes. So how they access email inboxes in general is something they ought to be pretty careful of. At the very least I hope they're making sure only to search Americans' inboxes, hosted on American servers.
As a more general matter, do you think that's the way it should be? Do you feel that your information no longer being yours once it touches someone else's server is the right way to do things?
You don't enter into a contractual relationship with the USPS when you mail or receive a letter. When you sign up for a webmail account, you're doing so on the providing party's terms, and you can't really complain if said webmail provider chooses to enforce the contract that you signed up to.
> and ultimately, the law should follow moral considerations, so those are the more interesting questions anyway.
Whose moral considerations would these be?
I would argue that that's a historical accident and in any case subject to change, especially in places where the mail system has been deregulated to allow mail service by private companies. For example, in Germany such companies could potentially have terms similar to a contractual agreement (called AGB) that apply as soon as you post a letter.
The underlying point is really this: the current status quo (good protection for physical mail, no protection for electronic mail) is not something that makes sense if you start reasoning from first principles. It simply developed this way for historical reasons (mainly: webmail providers were created in much more lawyer-happy times, and the rules for physical mail developed over a longer time, during which respect for privacy was valued higher for whatever reason).
I believe that it is a fairly safe bet that, if the internet still exists 100 years from now, most places that will be considered civilized in that future will have laws to protect their citizens' privacy no matter what companies would like to write in their contracts.
> Whose moral considerations would these be?
In a democratic society? Everybody's. Yes, a consensus needs to be found, blah blah. The fact that you even felt the need to ask this question is a bit disturbing.
How do I guarantee I don't look at it when I literally have to look at it to provide the service?
There are services which avoid this by using thinner servers, but they are in the minority.
Morality is not legality. As a webmail provider, spying on your users is obviously very wrong. Thanks to a number of technicalities and loopholes however, it is also perfectly legal.
The medium tier is criticising all of google's failings except for what they also do.
The highest tier is criticising google for something they also do.
I thought they were at the low tier, but they're actually at the medium tier. So 'more'.
If I criticize someone for talking loudly during class, and I haven't talked at all, that wouldn't be hypocritical, even if we were both browsing Facebook or something.