What's really behind Microsoft's investigation into software leaks?

Summary: Microsoft is under fire for allegedly violating the privacy of a "French blogger" in the investigation of a 2012 leak of some of its most valuable trade secrets. Here's the side of the story critics are missing.


Most of the coverage I’ve seen of the indictment of former Microsoft employee Alex A. Kibkalo treats the circumstances of the offense as a curious sidebar, a detail barely worth dwelling on. "Isn’t it stupid that the accused would use Microsoft services to commit this crime?" they ask. That’s followed by hearty laughter and then outrage at Microsoft’s assault on a customer’s privacy.

Those stories are completely missing the point.

The specific facts are all that matters in this case, and the circumstances were truly extraordinary. Microsoft’s lawyers did not order a “content pull” of one suspect’s Hotmail account because they are ethics-challenged snoops or because they were looking for evidence of a crime being committed elsewhere.

They accessed the contents of his Microsoft account because that’s where the crime was happening. And they kept a detailed trail of their actions, precisely because they knew how unusual this action was and how likely it was to end up in a criminal courtroom.

The entire series of events is reminiscent in some ways of that time San Mateo County Sheriffs knocked down a blogger's door and confiscated "three Apple laptops, a Samsung digital camera, a Seagate 500 GB external hard drive, USB flash drives, a HP MediaSmart server, a 32GB Apple iPad, an 16GB iPhone, and an IBM ThinkPad."

Apple had called the cops because they believed (correctly) that the blogger had their property, a prototype iPhone that an engineer had lost in a bar and which Apple considered a "trade secret."

There's one crucial difference between that case and this one, however. Unlike Apple, Microsoft didn't need to get a search warrant, because the stolen property was being stored in a place they owned and controlled.

A crime in progress

Let’s be clear: Stolen Microsoft code, part of the company’s carefully guarded anti-piracy technology, was being stored and accessed by an unauthorized person using Microsoft’s own SkyDrive servers. The person who allegedly stole that code, who was a Microsoft employee at the time, and the person who received the stolen property (identified by the FBI as a “French blogger”) were exchanging those files in real time. They were using Microsoft’s Hotmail and Messenger services to facilitate those transfers when the incidents came to light.

Microsoft's investigators weren't trawling through private email messages as part of a fishing investigation to track down a leaker. They were interrupting a crime in progress. The files being exchanged via SkyDrive were stolen property. The messages themselves were the means of transportation carrying that stolen property across state lines and beyond international borders, making it a genuine Federal case.

This case is not about a run-of-the-mill leak of a pre-release Windows version. Those happen all the time, because there are just too many people, inside and outside Microsoft, who have legitimate access to those early builds. As maddening as those leaks throughout 2011 and the first half of 2012 must have been to Steven Sinofsky and his lieutenants, there is no evidence that anyone even considered using the contents of the French connection’s Hotmail account to identify him.

No, the leaked code that was included in the September 3, 2012 email from the French blogger to a mysterious contact in Redmond (allegedly not a Microsoft employee, but one who knew Sinofsky well enough to forward the hot potato to him) was much more important.

The Microsoft Activation Server is one of Microsoft’s crown jewels, the internal code that validates product keys for activation. A hacker with access to its source could, conceivably, reverse-engineer the algorithms for generating and testing product keys. In the wrong hands, that would undo more than a decade of steady progress in stamping out pirated copies of Microsoft Windows and Office.

The "journalist" distraction

Several commentators have inaccurately characterized the person who received the stolen property as a “journalist.” That’s nonsense, as any actual journalist who covers Microsoft will gladly tell you. Those of us who were working in this space in 2011 and 2012 know the unnamed French blogger and his website all too well. He was not a journalist. Full stop. He was a reasonably skilled software pirate with good connections, a penchant for tweaking authority, and appallingly bad operational security skills.

And anyway, it doesn’t matter. The “journalist” label is a distraction, trotted out to support an agenda, to argue that Microsoft is picking on a critic or gadfly. Using that term allows a commentator to plant the suspicion that the company could easily target other “journalists” for the same treatment. That’s nonsense, too.

This code was leaked for the express purpose of making it easier to crack Microsoft’s product activation technologies. If someone can do that, the potential loss to Microsoft would be measured in billions of dollars. There’s no journalistic justification for leaking the code to a community that has a history of creating key generators and phony activation tools.

And based on the chat transcripts made public by the FBI, there's no question that was the intent of the principals in this criminal case. I've highlighted the relevant parts in the snippet below. (The "hacker friend" referred to in the first line is, presumably, the person who received the email containing samples of the stolen code and forwarded the note to Microsoft's Steven Sinofsky.)


The decision by Microsoft’s top lawyers to approve “content pulls of the blogger’s Hotmail account” was a direct response to a potential crisis. Someone outside Microsoft had access to very sensitive secrets, and they had raised the stakes substantially with this leak. At the time, there was no way of knowing whether this first leak was just the tip of the iceberg. Under those circumstances, there was absolutely reasonable justification for a direct response.

Could this happen to you or me?

Virtually everything I’ve read about this case so far tries to force its facts into one of two narratives:

“Microsoft should have called in the FBI before it poked through this guy’s email.” I think that’s a naïve conclusion. The first response of any for-profit company is to safeguard its most valuable assets. For a multi-billion-dollar global software company, that includes trade secrets like its activation technology. The Federal charges listed in the complaint against Kibkalo confirm that the stolen property was being transferred using Microsoft’s own servers.

“Microsoft was willing to go through this guy’s email. Who’s to say you’re not next?” As far as I can tell, this is the first time in 18 years that Microsoft has “pulled content” from a customer’s Hotmail account without a search warrant. Like its competitors, Microsoft has strict institutional controls in place to prevent a rogue employee from accessing database files without setting off alarms and leaving a record. The fact we are talking about this case is testimony to just how rare the circumstances are.

If, several years ago, you had asked one of Microsoft’s lawyers to describe the set of facts that would allow this sort of extraordinary access, I doubt they would have come up with this chain of events. In fact, if a screenwriter had suggested this as the plot of a movie or TV show, it would have been rejected as totally unrealistic. And yet here we are, with a pair of main actors who look like they stepped out of Dumb and Dumber.

Are there other, less clear-cut examples of unwarranted searches of Microsoft accounts in the past 18 years? I’m eagerly awaiting the whistle-blower within Microsoft who points them out. (Pro tip: send me the details on my Yahoo account, OK?)

Waiting for the other shoe to drop

I think there are several bombshells yet to drop in this case. The original FBI affidavit supporting Kibkalo’s arrest notes, quite pointedly, that it “does not detail each and every fact and circumstance of the investigation or all the information known to the investigative participants.”

In fact, the questions raised by the original complaint could keep a conspiracy theorist going for several years. Here are a few of my questions:

  • Microsoft’s initial statement on this case claims it “conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved.” The French blogger reportedly signed a confidentiality agreement with Microsoft. Was that part of a plea deal? Did that individual voluntarily turn over the contents of his email and online file storage to Microsoft investigators? As part of that deal, was he acting as an informant to avoid being charged himself?
  • Why bring charges now? The alleged leaker, Kibkalo, had left Microsoft’s employ and was presumably no longer able to access sensitive code. Why bring these charges in March 2014, 18 months after the initial events occurred?
  • Microsoft allowed its wayward employee, Kibkalo, to resign in September 2012, after which he relocated to Russia, where extradition is, how you say, awkward. As recently as March 13, 2014, Kibkalo was identifying himself as a Microsoft partner and contributing to Microsoft’s TechNet blog network. What brought him back to Seattle, where he was arrested?
  • The French blogger shut down his website and deleted his most notorious Twitter account in early 2013. That’s not surprising. But my eyebrow hits the ceiling when I note that last month, just before all this madness happened, the same individual stopped posting on his personal Twitter account (one that wasn’t so widely known). On March 18 or 19, shortly after Kibkalo was arrested, he deleted that account completely. Why?

In some respects, this case reminds me of several high-profile investigations involving members of the Anonymous network. Investigators had the opportunity to throw the book at the first few targets they arrested. Instead, they turned those targets into confidential informants who proceeded to help take down the rest of the network.

Is the Windows Underground about to suffer a similar fate?

  • They did not follow proper legal procedures.

    None of the evidence seen so far shows that they followed legal procedures. And not following legal procedures is possibly going to get some or all of their evidence thrown out. By not involving the appropriate authorities, they have contaminated the evidence, at a minimum by not having an independent monitor. This may only affect the criminal aspect of the case, and not a civil case.

    "The messages themselves were the means of transportation carrying that stolen property across state lines and beyond international borders"...

    Sorry, the files are not a means of transportation. They are a means of grouping data for STORAGE. The means of transportation would be the internet...

    “Microsoft should have called in the FBI before it poked through this guy’s email.”

    Yes, Microsoft should have. Even the government calls the FBI when something like this happens on their servers. Been there, helped out - but only after verifying that the FBI was involved (the agent identified himself). Anything else is an improper search - and may violate the law, EVEN THOUGH the agency owned the servers. In one of the cases I was involved with an Email issue - a bounced mail message was forwarded to me as administrator. Since it was an odd bounce and I was supposed to make sure things worked I looked at the message... And promptly reported to the security team. Their contact with the legal department brought in the FBI for consultation (in this case it resulted only in a reprimand).

    "As far as I can tell, this is the first time in 18 years that Microsoft has “pulled content” from a customer’s Hotmail account without a search warrant."

    No it isn't the first time. Any time one of their mail servers is crashed they will do a detailed analysis of that server to determine why it crashed, how, and in the process of doing so, WILL look at any users messages they think might be involved.

    Now "look at" is usually only examining the headers, but if the length of a message is unusual, or something else attracts their attention they will look at the contents of the users mail.
    • They don't have to

      Umm, the last time I checked Microsoft was a corporation, not a law enforcement agency. Only the government (which all law enforcement agencies are considered part of) is bound by any legal requirements to have a warrant before doing a search, and even more to the point, Microsoft was gathering data from their own property. Microsoft (and every other company that keeps information or data about you or on your behalf) is bound only by their own policies to not look at or snoop on your information. They are for the most part not under any legal obligation not to.

      As far as your specific case, I doubt very much that the FBI was consulted, and if you had really broken any law you would have at a minimum been questioned by law enforcement. Companies take their internal privacy policies very seriously because they need to maintain trust with their customers, but they are not under any legal obligation to do so unless the specific data is protected by law such as HIPAA or GLBA.
      • Stolen property

        Yes, if I believe somebody might be using my cellar to store stolen property or for meetings to organize a crime, I don't have to get a court order to go down there and look.

        I can look and if I find any evidence, then I am duty bound to contact the police.

        MS were handed evidence that one email account on their servers was being used to organize a crime and took appropriate action. For me, that they consulted an independent lawyer team to see if it would stand up is their saving grace.

        If they had simply snooped on accounts, or done a general search across their whole email service for keywords, then I would be outraged.
        • Email search is more like searching your apartment.

          Yes, MS owns the device it is stored on, but you also have the right to privacy.

          The owner of the apartment can't search your apartment just because they think you might have stolen something.
          • Good thing there are no "free email privacy laws" then.

            I haven't read anywhere that using free email grants you the right to privacy from the company giving you that email.

            If a company has email, and their employee handbook states they can look through the email they allow you to use, no law will change that, as I don't think the law is there to give criminals the ability to undermine or destroy your company using tools the company owns.

            Renter laws do allow for the owner to enter into a rented property without permission if they have a busted pipe flooding the downstairs apartment, or some other issue that would damage the overall structure or personal property of the other renters or the building itself.

            Sort of like looking through email on a server they own for damaging information being leaked via those emails.
          • this is a stupid blog system

            The crime was committed where the originating email was sent from, which was microsoft.com. Outlook.com was where the email was sent to. A crime was committed in Alabama but the criminal took the stolen goods to Tennessee. Microsoft did not search where the crime was committed. Microsoft searched outlook.com. No crime was committed there. Microsoft violated the public's trust by searching private email accounts of innocent people.
            Tim Jordan
          • William.Farrel converts to being double-scroggled

            Google's algorithm matches ads to content; no eyes see it - W.F screeches.

            Microsoft manually opens, reads and uses email content - W.F is happy.
          • You are good at putting words in people's mouths, Heenan73

            but only for those that aren't quick enough to catch onto that scheme.

            You must Hate that. :(

            Microsoft manually opens, reads and uses email content from those that all indications point out has stolen their code.

            Tell me why you think they looked at mine? That would be waste of time and resources, right?

            What? You can't?

            Too bad for you.

            Heenan73 is not happy. :(
          • Because an apartment is a legal residence and there are laws covering that

            The Microsoft servers are not the residence of anyone. Also, they are the property of Microsoft, which makes it all but impossible for Microsoft to ask for a warrant to search its own property.
          • You forget the "presumption of privacy".

            And that has been present for quite a while with Email.
          • there is no 'presumption of privacy' for email

            especially not in legal terms.
          • Bad Analogy

            In law (at least in Canada) where you live is considered your castle, whether it is a house, an apartment or even a tent. Law enforcement cannot access your "castle" without a warrant, unless there is a risk of a loss of life. This is completely different: the persons in question do not live in the email servers, so that does not apply. Also, if I was the owner of the house that I rented out, I would have a clause stating I will do visits to check on the property. And since MS owns the servers your stuff is on, they cannot get a warrant for their own property.
          • Yes They Can.

            Your landlord has the right to enter the property he owns anytime he wishes, it's his property.
          • No they can't.

            There must be some form of emergency present first. And then they should also have the police present.
          • Not really

            There are plenty of reasons, such as when they feel their property is threatened, that a landlord can just enter the apartment. That's how it works in the US, generally.
            Michael Alan Goff
          • Yes they can, but...

            At least in Canada 24 hour notice must be given. A landlord cannot barge in on a tenant in the middle of the night out of the blue but they are still permitted to enter what is their own property. That's not important. I think this is evidence that there is truth to what Berners-Lee said about creating an internet Magna Carta. I don't necessarily think Microsoft was wrong in doing this, but the ease at which they obtained this data without any (at least known) involvement of law enforcement is frightening. A 'Bill of Rights' for the internet if you will may protect us in the case where an innocent person may get mixed up in a scenario such as this. This would force Microsoft to have to prove their case in front of local DA before using this data as evidence in court.
          • incorrect once again

            Really "jp", stop spouting what you think the system should be and look up what the laws and policies really are.
          • Every lease I have had

            Has stated that the landlord reserves the right to inspect the property at any time with 24 hours notice, or immediately in case of emergencies or suspected criminal activity. No, they cannot walk in unannounced, and if they suspect criminal activity they had better have a solid reason for such, but they do have the right to be certain that their property is not being damaged.
            Iman Oldgeek
          • They don't need the police present, jesse

            but it is a good thing to do when dealing with a structure with physical property present so that the renter can't come back and claim that the landlord took $1,000 out of his sock drawer while looking at the leak, as the officer would be a witness that he didn't.

            This is different because either way, with or without the FBI, MS already said they found the code, and the FBI would just say "yes they did".
          • Sorry, you're wrong. Only under very limited conditions may a

            landlord enter a rented or leased premises without first having the approval of a tenant. And in most cases they first need a signed court order to do so. That's in the Tenancy Laws.
            Deadly Ernest