Privacy is of the utmost importance to all of us these days -- it's one of the reasons we password-protect all of our online accounts, after all. As you've probably heard, a Microsoft employee has been arrested for leaking information about Windows to a third party as well as the activation SDK. There has been something of a furore following the revelation that Microsoft was able to hone in one the source of the leaks by accessing the email account of the third party ("the third party’s Microsoft operated accounts").
Ordinarily it would be reasonable to expect a court order to be required for such action to be taken, but Microsoft has made it clear that it feels this is not the case. Whilst maintaining that "we believe that Outlook and Hotmail email are and should be private," the company explains that it "took extraordinary actions based on the specific circumstances [in this case]".
But this does little to assuage the fears of those who now have concerns that their accounts could be accessed at any time; the revelations about the activities of the NSA have put many people in a state of high alert. Microsoft says that "our actions were within our policies and applicable law"
The statement goes onto say that "courts do not ... issue orders authorizing someone to search themselves," -- the implication being that searching through the emails stored in a Hotmail or Outlook.com account equates to Microsoft searching through its own data as these are both Microsoft services. This is the part that many people have a problem with, as it opens up the possibility that anyone's account could be accessed in the same way. Microsoft explains that its "terms of service make clear our permission for this type of review".
To help allay these concerns, there is the caveat that this happens "only in the most exceptional circumstances". It is possible to understand where Microsoft is coming from here. Just as the NSA can justify some of its actions by saying that surveillance was only carried out with a view to preventing crime and catching terrorists, so Microsoft is able to fall back on its terms of service documentation and the fact that user accounts were only accessed with a view to obtaining legal redress.
But while Microsoft's position is something many people will be able to empathize with, there will still be ongoing concerns. The defence that: "In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites" is slightly difficult for some to digest. It almost sounds as though Microsoft has taken the law into its own hands.
Microsoft is keen to be seen to do the right thing, and to this end the company has announced four procedures and promises that will be implemented:
- Customer accounts will not be searched unless it could be justified by a court order.
- A separate legal team will be used to assess the evidence collected by the investigating team. The skills of an outside attorney who is a former federal judge will also be called upon.
- If searches are conducted, only data relevant to the investigation will be included.
- The number of account searches that are performed will be published in Microsoft's bi-annual transparency report.
What do you think of Microsoft's actions? Is the terms of service documentation sufficient to permit search user data without a court order? Have you even read through the policy documents that grant Microsoft permission to access your data when circumstances demand it?
It is, of course, worth pointing out that Microsoft is far from being alone in having these clauses in their policies. If you were to take the time to sift through the policies of other companies' services, you will find numerous similar paragraphs in the user agreements you have signed up to.