Microsoft reviews investigation policies after admitting search of customer email

Microsoft promised to subject itself to a more rigorous process before searching through its customers' email accounts in the future after a recent legal case revealed that the company searched for evidence of theft of its trade secrets in a Hotmail account.

A former Microsoft employee named Alex Kibkalo was arrested Wednesday on charges related to alleged leaking of prerelease Windows RT updates and product activation software to a French blogger in July and August 2012.

Court filings revealed that Microsoft's internal investigation involved searching through the French blogger's Hotmail account where it found emails from Kibkalo. Hotmail has since been rebranded as Outlook.com.

"After confirmation that the data was Microsoft's proprietary trade secret, on September 7, 2012, Microsoft's Office of Legal Compliance (OLC) approved content pull of the blogger's Hotmail account," FBI Special Agent Armando Ramirez wrote in a criminal complaint filed with the U.S. District Court in Seattle.

Microsoft also searched through Kibkalo's instant messaging conversations and his account with SkyDrive, the company's cloud file hosting service that's now called OneDrive.

While it appears that the terms of service for Microsoft's online services allows the company to access users' content "to protect the rights and property of Microsoft," among other things, the incident drew criticism from privacy advocates and other users on social media.

"I can't wait for Microsoft's next Scroogled ad, slamming Google for violating the privacy of Gmail users," Christopher Soghoian, principal technologist at the American Civil Liberties Union, said on Twitter following the revelations. "Microsoft likes to brag that they have more 'trained privacy professionals' than any other company. What were they doing during HotmailGate?" he said in a separate message.

John Frank, Microsoft's deputy general counsel and vice president for legal and corporate affairs, defended the company's actions Thursday in a blog post, saying the company took "extraordinary actions based on the specific circumstances" and it "applied a rigorous process" before reviewing the content.

"Courts do not, however, issue orders authorizing someone to search themselves," Frank said. "So even when we believe we have probable cause, there's not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises."

Microsoft had a dedicated legal team working separately from the internal investigation to review the evidence and meet "a standard comparable to that required to obtain a legal order to search other sites," Frank said, adding that the company's actions were within its policies and applicable law.

While Microsoft hasn't announced any plans to modify its terms of service to disallow this type of internal customer data searches in the future, the company does plan to make some changes to the process that governs this type of investigations.

"We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available," Frank said.

In addition to using separate teams for legal review and internal investigations, the company plans to send the evidence that it believes would otherwise justify a court order to an outside attorney who used to be a judge.

"We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order," Frank said.

The company also plans to start including data about the number of internal searches and the number of accounts they affected in its bi-annual transparency reports that currently include data on searches conducted in response to government and court orders.

Despite the promise of external oversight in the form of approval from a former judge, some privacy advocates don't think such searches are appropriate to begin with.

"We believe that this behavior is in fundamental contradiction with the principles of the Global Network Initiative, of which Microsoft is a leading member," said Joe McNamee, executive director of European Digital Rights (EDRi), in email. EDRi is a pan-European association of digital rights organizations.

"How can they say that it is appropriate for a private company to grant itself arbitrary access to private communications and support the GNI principle that 'Everyone should be free from illegal or arbitrary interference with the right to privacy and should have the right to the protection of the law against such interference or attacks?" McNamee asked.

The Global Network Initiative is a multistakeholder group founded in 2008 whose stated mission is to advance privacy and freedom of expression online. Its members include human rights and press freedom groups, academics, investors, online services providers -- including Google, Microsoft, Facebook and Yahoo -- and other technology vendors.