Trouble is brewing for Microsoft over a controversy brought to light by the arrest of an ex-Microsoft employee named Alex Kibkalo. According to a criminal complaint sworn in a Seattle federal court, Kibkalo stole proprietary information from Microsoft (including the Activation Server Software Development Kit, or SDK) and passed the code to a French blogger. Kibkalo allegedly committed criminal trade secret theft.
What’s troubling is the FBI’s basis for the arrest. It was an open-ended, warrantless search of a Hotmail user’s account… not by the FBI, but rather conducted by Microsoft itself!
In September 2012, Microsoft’s internal security team received a tip that an anonymous blogger was in possession of the SDK source code. Conveniently for Microsoft, the French blogger, who has not been accused of any crime, communicated with Microsoft’s tipster using Hotmail. Since Microsoft runs Hotmail, it simply searched through the contents of that email account for evidence of the SDK leak. Shocked yet? Even worse, the Kibkalo complaint filed in court last week states that Microsoft’s Office of Legal Compliance approved this… “content pull.”
I’m not sure what that is, but I’m confident the language has been carefully crafted to slither past legal consequences. Microsoft’s unilateral decision to rifle through its user’s emails is a violation of the Electronic Communications Privacy Act (ECPA).
An initial statement by Microsoft explained that its terms of service give clear permission for this type of “content pull.” Sorry, this doesn’t cut it. Microsoft knows it too… so much so that the company’s deputy general counsel subsequently announced a new policy for conducting searches without law enforcement involvement, a warrant or any legal oversight in the future:
Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:
To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
Unfortunately, this new policy just doubles down on Microsoft’s indefensible and tone-deaf actions. It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled. If you use any Microsoft email or service, be advised: this behemoth seems to think your data… emails, photos, contacts & calendar data… everything… is its data.
To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could & should have passed the initial tipster’s information to the FBI like a law-abiding participant in our democratic society. Why didn’t they? If they had… it would have required a warrant signed by a judge to authorize & conduct the search… well within the auspices of the criminal justice system. At least that’s the way the laws are set up in the US. It’s in the Constitution.
Again, warrant protections enshrined in the Constitution were shredded. Microsoft cannot claim the high moral ground, because the legal professionals within Microsoft opted for an internal corporate shadow court of their own creation.
The monumental problem remains: the protections provided by our legal system do not extend to users of Microsoft products & services… in practice… as of this very moment. No matter how fair a process they concoct… approval by an employee paid by Microsoft, no matter how well qualified, is not approval of a “neutral and detached magistrate,” as required by the Fourth Amendment. Similarly, the protections provided to criminal suspects by the Fifth and Sixth Amendments wouldn’t apply to Microsoft’s internal investigation.
Yet another colossal problem with Microsoft’s policy is its potential for abuse. Microsoft’s initial statement explained that the Microsoft Services Agreement (TOS) granted it “permission” to conduct the searches. But a brief check of these terms shows that Microsoft reserves the right to conduct searches in far more scenarios than merely “exceptional circumstances.” That’s because Section 5.2 of the TOS states:
“Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content . . . when Microsoft forms a good faith belief that doing so is necessary . . . . (b) to enforce this agreement or protect the rights or property of Microsoft or our customers[.]”
And according to Section 3.5, one of the ways users can violate the agreement and thus give Microsoft “permission” to access their content is to email content that violates the company’s Code of Conduct. Spoiler alert: the Code of Conduct is ridiculously broad.
A few examples of things that would violate the Code of Conduct and allow search and disclosure of Hotmail email content:
- Emailing “links to external sites that violate this Code of Conduct” such as by “depict[ing] nudity of any sort.” So you’re out of luck if you wanted to send your friend a link to Wikipedia… even a link leading to nothing more innocent than chocolate chip cookies… because, according to the Code of Conduct, since Wikipedia contains a fair number of articles containing nudity, you’d still be in violation even if neither you nor your friend viewed any nudity at all. You couldn’t even link a Peanuts cartoon, because Snoopy is eternally pantsless, and Microsoft specifically prohibits links to “nudity in non-human forms such as cartoons.”
- In the same way… linking to external content that violates the Code by “incit[ing] [or] express[ing] … profanity.” That means no YouTube, because it has, for example, clips of George Carlin’s Seven Dirty Words routine.
- “[P]romoting or otherwise facilitat[ing] the purchase and sale of ammunition or firearms.” Best to unsubscribe from that NRA mailing list.
We can safely assume Microsoft is using these sorts of violations as an excuse to help itself to your data, violating your privacy & essentially stealing your intellectual property. Rifling through users’ emails is wrong. It doesn’t matter how Microsoft slices it, especially when the search relies on permission from its own legal brigade… Microsoft has engineered a defense that it reserves the right to abuse you & your rights.
The search in the Kibkalo case may have revealed criminal activity. This situation, which is unrelated to any Snowden leak of any kind, plainly reveals unlawful, criminal conduct by Microsoft, stemming from its own self-interest. This is an exceedingly dangerous precedent. With the kangaroo court potential of the company taking matters into its own hands to act in place of legitimate courts… Microsoft is playing with fire.