Microsoft today announced a change to its email privacy policies: the company will no longer search customers' email accounts itself in cases involving stolen property. Instead, Microsoft will refer all such cases to law enforcement.
Here’s the company’s statement:
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
News blew up last week over a case some two years ago in which Microsoft’s investigators accessed the email content of a user who was trafficking in stolen source code (pre-release updates for Windows RT and a Microsoft-internal Activation Server SDK). The company initially defended itself by saying that its email policies (terms of service) allowed it to look inside Hotmail accounts (at that point, the service hadn’t been replaced by Outlook.com).
The details came to light after the ex-Microsoft employee, Alex Kibkalo, was charged with the theft of trade secrets in the US District Court for the Western District of Washington in Seattle after he allegedly sent intelligence about Microsoft products to an unnamed French blogger. While trying to track down the alleged leaker, who was upset over a poor performance review, Microsoft searched through the blogger’s email account before involving law enforcement, the court documents revealed.
After Kibkalo encouraged the blogger to seek a hacker’s guidance in using the activation SDK to create a fake activation server, the blogger allegedly asked a third party to verify the stolen SDK, but used a Hotmail account to send the query. That third party instead informed Microsoft senior executives of the leak, kicking off Microsoft’s own investigation in September 2012.
Microsoft’s Trustworthy Computer Investigations (TWCI) team then confirmed the source leak was authentic, and looked into the Hotmail account in an attempt to identify the blogger and his source. The team discovered emails from Kibkalo, interviewed him, and after he admitted to the leaks, the company fired him.
“Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers,” Brad Smith, Microsoft’s General Counsel & Executive Vice President of Legal & Corporate Affairs, said in a statement.
It’s unfortunate that such a case was necessary for Microsoft to realize its stance needed to be changed, and other email providers (like Google and Yahoo) are unlikely to follow suit without their own “scandal.” Nevertheless, progress is progress, and the company should be applauded for realizing it was in the wrong.