In March 2014, Microsoft filed a court case accusing ex-employee Alex Kibkalo of stealing trade secrets, namely Windows 8 RT code and the Microsoft Activation Server SDK, uploading them to his SkyDrive (now called OneDrive) account and leaking the code to a blogger. The blogger then sold activation keys for Windows Server software on eBay. The case is less notable for the crime than it is for how Microsoft acquired its evidence. The company admitted in its court briefing it read the blogger’s email messages and spied on instant messages (IM) sent using his Hotmail account.
Microsoft didn’t do anything illegal. Its actions are covered by its terms and conditions, and they fall in the boundaries of the Electronic Communications Privacy Act. Some observers say by disclosing its spying in court, Microsoft may drive customers toward other email providers. Unfortunately, customers don’t get more privacy when using Gmail or Yahoo Mail. Most email users have no idea how much information their providers skim from their online interactions.
Microsoft’s Prying Eyes
Microsoft has changed its business model to emphasize cloud services after seeing PC sales plummet. It has focused on cloud-based business services, like Office 365, and on cloud storage products like OneDrive. Many Outlook users (the name of the service formerly known as Hotmail) use OneDrive to upload large files and to share them without creating large email attachments. However, along with questions about cloud security, Microsoft customers now have concerns about email privacy.
The Hotmail incident isn’t the only run-in Microsoft has experienced with privacy and security advocates. Last summer, Microsoft’s Xbox came under fire for its Kinect One camera, which theoretically could provide Microsoft with a 1080p view of users’ living rooms — plus views of whatever users choose to do in their living rooms — every moment the camera is connected to the Internet. Another Microsoft product, Skype, has been implicated as a tool for the National Security Agency’s (NSA) PRISM spying program.
Everyone’s Doing It
Microsoft isn’t the only company that has intrusive information collection practices. Google currently faces a class action lawsuit from Gmail users who argue that Google’s mining of every Gmail message violates federal wiretapping laws. Google argues it needs to read all Gmail messages to offer targeted advertising to its customers. Google also claims no emails are actually read by humans, since machines do all of the scanning. Still, a U.S. District Court judge in California disagreed Google had fully disclosed the nature of its email mining and had clearly obtained customer consent.
Yahoo’s latest version of its email service also has updated terms and conditions that allow Yahoo to scan email messages to offer targeted advertising. Yahoo’s terms and conditions also state the company scans email for the purpose of “abuse protection.” Potentially, if Yahoo algorithms tag language that labels a person as a bully or a threat, then that person could lose his or her email account without recourse.
Are Outlook Users Getting “Scroogled?”
Microsoft has issued some updates to its privacy policy to mollify outraged Outlook users. First, the company plans to add information about email spying to its biannual “transparency report” by releasing the number of email searches that happened over the prior six months and the number of user accounts affected by searches.
Second, before reading user email, all internal Microsoft investigations would be reviewed by a legal team separate from the internal investigations team. If the legal team agrees the investigation team has grounds for a search, then the legal team will refer the matter to “an outside attorney who is a former federal judge.” If the former judge affirms a search warrant would have been issued anyway, then Microsoft will read the user’s email. The company argues it doesn’t have to obtain an actual court order to search its email or customer services information.
Microsoft’s famous “Scroogled” ad campaign favorably compared Outlook to Gmail, arguing Outlook never mined user email for targeted advertising. However, in light of the spying revealed in its current court case, Microsoft may want to come down from the high road for a while. In the end, it’s the email user who gets “scroogled” — no matter who’s providing the email service.