Microsoft reviews investigation policies after admitting search of customer email

But the company says its actions in trade secrets inquiry were compliant with applicable law

Microsoft promised to subject itself to a more rigorous process before searching through its customers' email accounts in the future after a recent legal case revealed that the company searched for evidence of theft of its trade secrets in a Hotmail account.

A former Microsoft employee named Alex Kibkalo was arrested Wednesday on charges related to alleged leaking of prerelease Windows RT updates and product activation software to a French blogger in July and August 2012.

Court filings revealed that Microsoft's internal investigation involved searching through the French blogger's Hotmail account where it found emails from Kibkalo. Hotmail has since been rebranded as Outlook.com.

"After confirmation that the data was Microsoft's proprietary trade secret, on September 7, 2012, Microsoft's Office of Legal Compliance (OLC) approved content pull of the blogger's Hotmail account," FBI Special Agent Armando Ramirez wrote in a criminal complaint filed with the U.S. District Court in Seattle.

Microsoft also searched through Kibkalo's instant messaging conversations and his account with SkyDrive, the company's cloud file hosting service that's now called OneDrive.

While it appears that the terms of service for Microsoft's online services allows the company to access users' content "to protect the rights and property of Microsoft," among other things, the incident drew criticism from privacy advocates and other users on social media.

"I can't wait for Microsoft's next Scroogled ad, slamming Google for violating the privacy of Gmail users," Christopher Soghoian, principal technologist at the American Civil Liberties Union, said on Twitter following the revelations. "Microsoft likes to brag that they have more 'trained privacy professionals' than any other company. What were they doing during HotmailGate?" he said in a separate message.

John Frank, Microsoft's deputy general counsel and vice president for legal and corporate affairs, defended the company's actions Thursday in a blog post, saying the company took "extraordinary actions based on the specific circumstances" and it "applied a rigorous process" before reviewing the content.

"Courts do not, however, issue orders authorizing someone to search themselves," Frank said. "So even when we believe we have probable cause, there's not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises."

Microsoft had a dedicated legal team working separately from the internal investigation to review the evidence and meet "a standard comparable to that required to obtain a legal order to search other sites," Frank said, adding that the company's actions were within its policies and applicable law.

While Microsoft hasn't announced any plans to modify its terms of service to disallow this type of internal customer data searches in the future, the company does plan to make some changes to the process that governs this type of investigations.

"We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available," Frank said.

In addition to using separate teams for legal review and internal investigations, the company plans to send the evidence that it believes would otherwise justify a court order to an outside attorney who used to be a judge.

"We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order," Frank said.

The company also plans to start including data about the number of internal searches and the number of accounts they affected in its bi-annual transparency reports that currently include data on searches conducted in response to government and court orders.

Despite the promise of external oversight in the form of approval from a former judge, some privacy advocates don't think such searches are appropriate to begin with.

"We believe that this behavior is in fundamental contradiction with the principles of the Global Network Initiative, of which Microsoft is a leading member," said Joe McNamee, executive director of European Digital Rights (EDRi), in email. EDRi is a pan-European association of digital rights organizations.

"How can they say that it is appropriate for a private company to grant itself arbitrary access to private communications and support the GNI principle that 'Everyone should be free from illegal or arbitrary interference with the right to privacy and should have the right to the protection of the law against such interference or attacks?" McNamee asked.

The Global Network Initiative is a multistakeholder group founded in 2008 whose stated mission is to advance privacy and freedom of expression online. Its members include human rights and press freedom groups, academics, investors, online services providers -- including Google, Microsoft, Facebook and Yahoo -- and other technology vendors.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

Conversations over a cuppa with CMO: Microsoft's Pip Arthur

​In this latest episode of our conversations over a cuppa with CMO, we catch up with the delightful Pip Arthur, Microsoft Australia's chief marketing officer and communications director, to talk about thinking differently, delivering on B2B connection in the crisis, brand purpose and marketing transformation.

More Videos

Hey there! Very interesting article, thank you for your input! I found particularly interesting the part where you mentioned that certain...

Martin Valovič

Companies don’t have policies to disrupt traditional business models: Forrester’s McQuivey

Read more

I too am regularly surprised at how little care a large swathe of consumers take over the sharing and use of their personal data. As a m...

Catherine Stenson

Have customers really changed? - Marketing edge - CMO Australia

Read more

The biggest concern is the lack of awareness among marketers and the most important thing is the transparency and consent.

Joe Hawks

Data privacy 2021: What should be front and centre for the CMO right now

Read more

Thanks for giving these awesome suggestions. It's very in-depth and informative!sell property online

Joe Hawks

The new rules of Millennial marketing in 2021

Read more

In these tough times finding an earning opportunity that can be weaved into your lifestyle is hard. Doordash fits the bill nicely until y...

Fred Lawrence

DoorDash launches in Australia

Read more

Blog Posts

Highlights of 2020 deliver necessity for Circular Economies

The lessons emerging from a year like 2020 are what make the highlights, not necessarily what we gained. One of these is renewed emphasis on sustainability, and by this, I mean complete circular sustainability.

Katja Forbes

Managing director of Designit, Australia and New Zealand

Have customers really changed?

The past 12 months have been a confronting time for marketers, with each week seemingly bringing a new challenge. Some of the more notable impacts have been customer-centric, driven by shifting priorities, new consumption habits and expectation transfer.

Emilie Tan

Marketing strategist, Alpha Digital

Cultivating engaging content in Account-based Marketing (ABM)

ABM has been the buzzword in digital marketing for a while now, but I feel many companies are yet to really harness its power. The most important elements of ABM are to: Identify the right accounts; listen to these tracked accounts; and hyper-personalise your content to these accounts to truly engage them. It’s this third step where most companies struggle.

Joana Inch

Co-founder and head of digital, Hat Media Australia

Sign in