The subject of customer privacy is one that has been in the spotlight for some time now. Recently, Microsoft has come under fire for accessing the email account of a user as part of an investigation into leaked data relating to Windows 8. Despite the fact that Microsoft has been voted one of the most ethical companies in the world year after year, there were concerns that it was willing to access an email account without applying for a court order to do so.
The case has caused many people to question the morality of Microsoft’s actions, including the Electronic Frontier Foundation (EFF) — a non-profit organization “defending civil liberties in the digital world.” The group had previously awarded Microsoft a gold star for requiring a warrant before handing over data from or relating to customer accounts. After investigating the content of the Hotmail account, Microsoft suggests that “courts do not … issue orders authorizing someone to search themselves”. This upset a lot of people, although it is technically permitted by the terms of service.
Although the investigation was authorized by Microsoft’s Office of Legal Compliance, EFF suggests that the actions are “a violation of the Electronic Communications Privacy Act, ECPA.” The company’s statement issued in response to the criticism surrounding the affair has done little to calm the storm.
EFF, for instance, is not impressed, saying that the statement begins with a false premise: that courts do not issue orders in these circumstances because Microsoft was searching “itself” rather than the contents of its user’s email on servers it controlled. The group goes on to suggest that when Microsoft’s own legal team determined that there was cause to investigate a particular user, it should have notified the FBI of its concerns before proceeding with the help of the criminal justice system.
Microsoft has said that as part of its new procedures, “an outside attorney who is a former federal judge” will be used. But EFF still has concerns that the procedures used by Microsoft do not enjoy the same protection as investigations carried out through the usual legal system, and points out that there is “potential for abuse.”
I expressed concerns the other day that the Microsoft Service Agreement is wide open to interpretation, meaning, ultimately, that Microsoft is free to choose when it pries into email accounts. EFF agrees, pointing out that customers grant permission for their accounts to be accessed in the event that Microsoft’s Code of Conduct is violated. As EFF points out, “the Code of Conduct is ridiculously broad.”
It is easy to argue that Microsoft was fully justified in looking at a customer account in this particular instance, as the case did revolve around a legal matter. But the concern is that many documents to which users have agreed during the account sign-up process grant Microsoft access in an almost ridiculous number of circumstances. For instance, the Code of Conduct document says that users will not use Microsoft services in a way that “incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence.” So write an email that includes a link to a site that features swearing, and you have broken the Code of Conduct and potentially opened your account up to investigation. It’s unlikely, but the possibility is there. This is the potential for abuse EFF refers to.
EFF sums things up very nicely in saying: “Microsoft is playing with fire. It should have followed its own advice and asked the FBI to step in with a warrant.”