Microsoft tightens email privacy policy after taking fire over Hotmail incident

After revelations that it had inspected a Hotmail customer's email as part of an internal investigation, Microsoft announced new rules last week. This week, following "uncomfortable" criticism of that policy, the company announced new rules: no inspections without a warrant.
Written by Ed Bott, Senior Contributing Editor

Revelations in a Federal criminal complaint that Microsoft accessed the contents of a Hotmail account without a warrant brought a hailstorm of criticism down on the company last week. In response, Microsoft argued it was well within its rights under the terms of service and that the facts of the case were extraordinary. (See What's really behind Microsoft's investigation into software leaks? for details.)

But they also promised not to make one of those inspections again without calling in additional legal help.

Sorry, said the privacy and civil liberties community, that's not good enough. The most blistering critique came from the Electronic Frontier Foundation, which called Microsoft's announcement "Warrants for Windows."

Unfortunately, this new policy just doubles down on ... Microsoft’s indefensible and tone-deaf actions in the Kibkalo case. It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled.

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

This week, in response to the latest wave of criticism, Microsoft General Counsel Brad Smith admitted that the EFF was right and Microsoft was wrong. Here's the new policy, effective immediately:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer's private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

In addition to changing company policy, in the coming months we will incorporate this change in our customer terms of service, so that it's clear to consumers and binding on Microsoft.

Smith acknowledged that the barrage of criticism was "uncomfortable," but also "thought-provoking and even helpful."

Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.

In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We've entered a "post-Snowden era" in which people rightly focus on the ways others use their personal information. As a company we've participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We've advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.

While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.

Hmmm. Where have I heard that "post-Snowden" part before?

But that's certainly a relevant fact. If Microsoft's execs could jump in a time machine and go back to 2012 knowing what Ed Snowden would unleash a few months later, you can bet they'd have handled this situation differently.

The new policy means Microsoft's hands will be deliberately tied during internal investigations. The company can't go to court and demand a warrant to search its own servers, but the FBI and local law enforcement can inspect the evidence and ask a judge for permission to order Microsoft to produce content from a subscriber's email or cloud file storage. They can also decline to get a warrant and tell Microsoft's investigators to find other ways to get what they need.

For practical purposes, this announcement won't have much effect. Presumably any would-be pirates have learned their lesson and will avoid using Microsoft services to traffic in Microsoft's stolen property.

The change is extremely important, however. in the arena of public perceptions, where Microsoft has been absolutely pummeled over behavior that looked awful even if it was technically permitted. And of course there are the casual accusations of hypocrisy given the company's ongoing "Scroogled" ad campaign, which takes dead aim at Google's policy of scanning its customers' email for the purpose of serving ads.

It's unlikely that any large corporate customers will exit the Microsoft fold over this case. But the company might find it needs to work harder to prove that it deserves the trust of those customers.

The EFF responded almost immediately with praise: "We commend Microsoft for its willingness to reconsider its policies, and we think it made the right decision."

Editorial standards