Microsoft has admitted to taking “extraordinary actions based on the specific circumstances” to access a user’s email account.
In a statement, John Frank, deputy general counsel and vice president of legal & corporate affairs at Microsoft, said that while it believes that Outlook and Hotmail email are and should be private, information it received indicated an employee was providing stolen intellectual property to a third party.
According to BBC news, Microsoft was alerted in 2012 to the theft and release of lines of code from the not-yet-released Windows 8 operating system. As part of the investigation, Microsoft looked into the blogger’s accounts to find out the name of the employee.
Microsoft said that the third party “had a history of trafficking for profit in this type of material” and, as part of the investigation, it undertook a limited review of this third party’s Microsoft-operated accounts. The blogger was a former Microsoft employee named Alex Kibkalo, a Russian national who was working in Lebanon.
“While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances,” he said. “We applied a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites.”
Brendan Rizzo, technical director for EMEA at Voltage Security, said: “This story illustrates a fundamental challenge in putting sensitive data under the control of a third party. The safety of that information is now no longer under the control of the actual owner, and becomes subject to whatever prevailing paper policy is in place at the third party.
“For the average email user this is not usually an issue, but for a company this can have serious implications. Ultimately, from a data protection perspective, that information is now at risk. This is one of the main reasons companies have cited for not wanting to make a move to the cloud for their email infrastructure, despite the potential for dramatic cost savings involved. Companies are therefore turning to data-centric encryption to protect the emails themselves in order to still gain the efficiencies that the cloud has to offer.”
A copy of the complaint, hosted by The Register, revealed that the stolen code related to Windows 8 RT software updates and an Activation Server SDK.
Microsoft has now further strengthened its policies to resolve any future situations. These specifically state that it will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available; it will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence, and move forward only if that team concludes that there is evidence of a crime that would be sufficient to justify a court order, if one were applicable.
It also stressed that should a search take place, it is important that it be confined to the matter under investigation and not search for other information. “We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose,” it said. Finally, it will publish the data on the number of these searches that have been conducted and the number of customer accounts that have been affected as part of its bi-annual transparency report.
“The privacy of our customers is incredibly important to us. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency,” Frank said.
Charlie Howe, director, EMEA at Skyhigh Networks, said that similar incidents of cloud service providers accessing our confidential data are far too common. “The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not,” he said.
“For instance, I would guess that most people don’t actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services.”