Microsoft tightens email privacy policy after taking fire over Hotmail incident

Microsoft tightens email privacy policy after taking fire over Hotmail incident

Summary: After revelations that it had inspected a Hotmail customer's email as part of an internal investigation, Microsoft announced new rules last week. This week, following "uncomfortable" criticism of that policy, the company announced new rules: no inspections without a warrant.


Revelations in a Federal criminal complaint that Microsoft accessed the contents of a Hotmail account without a warrant brought a hailstorm of criticism down on the company last week. In response, Microsoft argued it was well within its rights under the terms of service and that the facts of the case were extraordinary. (See What's really behind Microsoft's investigation into software leaks? for details.)

But they also promised not to make one of those inspections again without calling in additional legal help.

Sorry, said the privacy and civil liberties community, that's not good enough. The most blistering critique came from the Electronic Frontier Foundation, which called Microsoft's announcement "Warrants for Windows."

Unfortunately, this new policy just doubles down on ... Microsoft’s indefensible and tone-deaf actions in the Kibkalo case. It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled.

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

This week, in response to the latest wave of criticism, Microsoft General Counsel Brad Smith admitted that the EFF was right and Microsoft was wrong. Here's the new policy, effective immediately:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer's private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

In addition to changing company policy, in the coming months we will incorporate this change in our customer terms of service, so that it's clear to consumers and binding on Microsoft.

Smith acknowledged that the barrage of criticism was "uncomfortable," but also "thought-provoking and even helpful."

Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.

In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We've entered a "post-Snowden era" in which people rightly focus on the ways others use their personal information. As a company we've participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We've advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.

While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.

Hmmm. Where have I heard that "post-Snowden" part before?

But that's certainly a relevant fact. If Microsoft's execs could jump in a time machine and go back to 2012 knowing what Ed Snowden would unleash a few months later, you can bet they'd have handled this situation differently.

The new policy means Microsoft's hands will be deliberately tied during internal investigations. The company can't go to court and demand a warrant to search its own servers, but the FBI and local law enforcement can inspect the evidence and ask a judge for permission to order Microsoft to produce content from a subscriber's email or cloud file storage. They can also decline to get a warrant and tell Microsoft's investigators to find other ways to get what they need.

For practical purposes, this announcement won't have much effect. Presumably any would-be pirates have learned their lesson and will avoid using Microsoft services to traffic in Microsoft's stolen property.

The change is extremely important, however. in the arena of public perceptions, where Microsoft has been absolutely pummeled over behavior that looked awful even if it was technically permitted. And of course there are the casual accusations of hypocrisy given the company's ongoing "Scroogled" ad campaign, which takes dead aim at Google's policy of scanning its customers' email for the purpose of serving ads.

It's unlikely that any large corporate customers will exit the Microsoft fold over this case. But the company might find it needs to work harder to prove that it deserves the trust of those customers.

The EFF responded almost immediately with praise: "We commend Microsoft for its willingness to reconsider its policies, and we think it made the right decision."

Topics: Cloud, Microsoft, Privacy, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Hmm...

    "if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer's private content ourselves."

    Is "from Microsoft" the key point and limitation of this announcement? Other companies intellectual and physical property is still up for snoops and grabs at any time?

    Why don't they completely remove the "from Microsoft" part of that statement?
    • Rember Thomas Jefferson?

      Microsoft speaks only for Microsoft.
    • Apart from

      banning the account, there probably isn't a lot they can do. It is up to the owner of the IP to contact the authorities and try and get a court order to look at the evidence.

      If MS go to the IP holder, they might be in breach of contract with the user of the service...
  • Scroogle

    Wasn't this the same company that was making fun of Google for reading people's emails and invading their privacy?

    Pot calling the kettle black perhaps??
    • Perhaps there is a difference?

      With Google, it's policy to scan e-mails in order to target e-mail customers with targeted advertising. Microsoft says they don't scan customers' e-mails. So, Google scans many millions of customers' email every day, while MS says they don't do that kind of scan.

      The kind of scan that MS did perform, was on "one" employee's e-mails. Not good anyway one wants to look at it, but, one especially targeted employee is not the same as scanning the entire set of e-mails from MS's e-mail customers.

      The "Scroogled" campaign still has merits.
      • Differences

        google scans is handled by a machine that looks for keywords to present ads.. (which could be encrypted after the automated scan)

        Microsoft had a human go in and check the email.. (which would by bypass any encryption they have in place).

        and microsoft scroogled campaign wants me to believe they google is the bad one ??
        Anthony E
        • google has had employees caught spying on customers emails

          I know people are going to say "well that indifferent", but that is exactly the point. The circumstances for each instance are important.

          Microsoft was involved in a criminal action that could have ended up costing them billions.
          It is google policy to scan their users personal data in order to make their billions.

          It isn't like either company is the NSA, but there is a pretty big difference.
          • Neither are exempt from contempt.

            Spying is one step away from exploitation. They are both quite bad. I am seriously struggling to find a decent email provider. MSN doesn't allow me to use 3rd party apps to get my email anymore. Yahoo Mail has been subject to spam attacks. Now Gmail via Google gets to spy on me just because they've forced a privacy policy that isn't actually private.

            Facebook have done much the same thing, and probably in league with the other two in some form or fashion. Google most certainly. You actually have to put a waiver on your page to deny Facebook the right to use anything on your page, without your permission. Having a 3rd party (like Google) send you targeted ads on Facebook, is a winner for both parties - and a burden on the rest of us.
            Michael Brabant
      • Scroogled speaks of the managment of Microsoft.

        Scrooged is one of the pathological indications from Microsoft that kind of game can backfire. Judge not least ye be judged. Merits? Doing something that was manifestly worse than they criticized Google for? Yea you bet they backpedaled.
      • re: Perhaps there is a difference?

        > Microsoft says they don't scan customers' e-mails.

        Imagine my surprise upon seeing evidence that you are susceptible to propaganda. :)
        none none
        • If going with the facts is the same as being susceptible to propaganda,

          then so be it.

          I prefer the truth to a perception, which can most of the time be false.

          You don't know the difference between facts and perceptions and propaganda. You need to take some classes on simple common sense.
          • re: If going with the facts is the same as being susceptible to propaganda,

            Going with the facts? Like "Microsoft says they don't scan customers' e-mails."?

            That's what you said. It is categorically, demonstrably untrue. Microsoft never said that. Anywhere. However it is the impression they try to leave with the Scroogled propaganda. You fell for it.

            MS does say it scans your email. In fact, MS demands, and you've given it, permission to scan your emails for any reason they can think of. That's a fact. Only a total fool would assume that MS is not scanning emails to monetize them. It's owners would expect it to do.

            I've read all your stupid posts below this, but I won't reply because at this point it feels like I'm picking on you. I hope you are being deliberately obtuse. If you are genuinely intellectually disabled, then I apologize for low regard I have for you.
            none none
      • Customer email

        the email account in question wasn't an employees account, but a so-called blogger in France. He had received information from an MS employee.
    • re: Scroogle

      > making fun of Google for reading people's emails

      Google "reads" people's emails looking for ad keywords in the same way that it "reads" people's emails looking for malware, phishing and spam. Probably in the same pass. I don't see what the big deal is.

      I'm certain that as soon as MS figures it out, Hotmail users will see keyed ads, too.
      none none
      • as soon as MS figures it out, Hotmail users will see keyed ads, too.

        I doubt it, due to the coverage of Google's patent on the process/system (US20040059712 A1).

        It looks like Microsoft has opted to point the finger instead as a PR move with Scroogle. If you don't have the patent, may as well point the finger at the other guy. We see this in political ad campaigns all the time. In fact the guy Microsoft hired to put Scroogle together was a Clinton campaign guy. That's why Scroogle strikes that "political mug sling" campaign feeling.

        Makes sense for Microsoft to not scan for keyword ads while scanning for other things that any mail provided must do today. Both Google and Microsoft do scan/read emails via machines but Google also scans for keyword for ads in order to provide a free service to the consumer.

        So I think it is more about intent, where Google intends to deliver keyword ads based on scans of your email while Microsoft points to that as bad and takes the high road. Either way your emails (in-coming and out-going) are scanned by any responsible email provider.
        • re: as soon as MS figures it out, Hotmail users will see keyed ads, too.

          >I doubt it, due to the coverage of Google's patent on the
          > process/system (US20040059712 A1).

          Thanks for the info. I don't follow MS or Google that closely. My point was MS would do the same thing if it could.
          none none
      • Microsoft does scan your Onedrive

        For er... (cough) nudity.

        Microsoft immediately made a petard for themselves the moment they started the scroogled campaign. It has all the hallmarks of the "Back to Basics" campaign of the British Conservative party of the late 1990s which spectacularly blew up in their faces with all the scandals that followed.
        Alan Smithie
    • Errr.

      You can't compare a SINGLE incident versus what Google has done for years.
  • Where is everyone?

    Where are those people that have been telling us for years now that only Google looks in emails?

    As I have been saying for years, "Read your EULAs" because EULAs from MS, Google, Apple, Sony, etc., all have pretty much the same privacy sections allowing them to do anything they want with any info they can gather.
    Maybe this confirmation straight from MS:

    "Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case"

    will finally allow us to put the whole 'only some companies spy on users' thing out to pasture.
    • Comments

      There will be some bullcrap about MS listening to the needs of their customers, lol.