The searches proved fruitful for Microsoft, which managed to identify ex-Microsoft employee Alex Kibkalo as the source, leading to his arrest in Seattle.
Kibkalo leaked screenshots and an activation code for Windows 8, which was at the time not yet released. The blogger, whose identity is not yet known, only posted the screenshots that were leaked to him, but Kibkalo has been charged with trying to get the blogger to post the activation code too.
The Guardian reported that Microsoft started the investigation after the blogger contacted the company to check whether or not the code was authentic.
Microsoft then trawled through the blogger’s Hotmail (Outlook.com) account to look for clues. Microsoft has issued a statement saying that its terms of service clearly allow for this type of action, but only in "the most exceptional circumstances".
"Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion," reads the terms of service.
Microsoft has criticised Google in the past for going through customer email accounts to serve targeted ads, but now Microsoft has changed its policy on dealing with such cases.
Microsoft said in a statement:
"During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation."
It then followed this statement up with an in-depth explainer on when exactly it will look through customers’ email accounts:
"We believe that Outlook and Hotmail email are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.
Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:
To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.
The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business. And in these cases, the review will be confined to the subject matter of the investigation.
The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency."
Microsoft’s response does seem to be appropriate; there has to be some failsafe in place for larger companies if this kind of leak is going to happen. But some privacy advocates still feel that Microsoft should not be allowed to carry out this kind of action. "What blogger will use that service now?" said Jennifer Granick to the NY Times. Granick is an attorney and director of civil liberties at the Stanford Center for Internet and Society.
Christian Toon, head of information risk at Iron Mountain, raised the issue of Microsoft’s security in the first place.
"The latest high profile incident of corporate espionage from an ex-Microsoft employee demonstrates just how critical it is to foster a culture of information responsibility within organisations," said Toon.
"This particular incident is a classic example of an employee taking confidential information in revenge for feeling wronged by the company they work for. Having received a poor performance review in 2012, Alex Kibkalo threatened to resign if it was not amended and subsequently passed trade secrets to a blogger. This highlights a particular failing in many information security strategies – where firms underestimate the risks staff pose to company data, especially if that member of staff has a grievance or is leaving their job.
"When it comes to employee behaviour towards information, it’s often a case of heart over minds, with personal feelings of disgruntlement leading to data revenge. Companies need to realise that responsibility for information security goes beyond guidelines and processes; it is also about improved people management and training."
Skyhigh Networks, a cloud visibility company which evaluates the security credentials of services like Hotmail, says that this case is a classic example of the hidden terms and conditions that exist within many cloud providers’ services. Charlie Howe, director, EMEA at Skyhigh Networks, said: "Though described as an ‘extraordinary action’, similar incidents of cloud service providers accessing our confidential data are far too common. The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not. For instance, I would guess that most people don’t actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services.
"A bigger problem arises when these cloud services are used in a business capacity, posing a significant risk in terms of data ownership and confidentiality. Modern CIOs are struggling with a dilemma, as they are faced with requests from employees wanting to use agile and flexible cloud services for work purposes, while trying to manage the associated risk, security and privacy concerns. However, in spite of this, there is a growing trend for employees to take matters into their own hands, downloading and using a variety of user-friendly, intuitive applications which often fly under the radar of CIOs, CISOs and IT teams. This concept of Shadow IT is putting organisations at risk of cyber attack and data loss as organisations often lack the visibility and control required to manage risk, ensure cloud governance and confidently enable cloud services."