Microsoft took flak Thursday for reading emails from a blogger’s Hotmail account in the course of identifying a former employee who is being accused of stealing Microsoft trade secrets and leaking them to the blogger.
That Microsoft did so was revealed in a court complaint filed by federal prosecutors against Alex Kibkalo, a former Microsoft software architect.
Kibkalo, who was arrested Wednesday, is accused of stealing trade secrets related to pre-release software updates for Windows 8 and Microsoft’s “Activation Server Software Development Kit,” and giving that information to an unidentified tech blogger in France.
Microsoft found out about Kibkalo after searching the blogger’s Hotmail account, raising concerns Thursday over when and why Microsoft would be able to look at content from users of its services — Hotmail is a webmail service Microsoft owns that now goes by the name Outlook.com — and what legal processes the company followed in this case.
Microsoft said Thursday that it did not need a court order to read such content because its own terms of service allow for it under “exceptional circumstances.” Besides, Microsoft said, courts do not issue orders to companies to search themselves.
But the company also said Thursday that it was putting into place some new policies, including proceeding with such a search only after an outside attorney who is a former federal judge deems there’s sufficient evidence to justify a court order.
The complaint, filed in U.S. District Court in Western Washington earlier this week, says that on Sept. 3, 2012, an outside source who asked not to be identified contacted Microsoft, saying that he or she had been contacted by the blogger.
The blogger had sent the source the proprietary Microsoft code, asking the source to help the blogger understand it better, the complaint says.
“The source indicated that the blogger contacted the source using a Microsoft Hotmail email address that TWCI [Microsoft’s Trustworthy Computing Investigations department] had previously connected to the blogger,” according to the complaint. “After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account.”
The blogger’s Hotmail content subsequently revealed communication from Kibkalo establishing that Kibkalo had “shared confidential Microsoft information and data with the blogger through Kibkalo’s Windows Live Messenger account.”
Microsoft said in a statement issued Thursday that its investigation was conducted “over many months with law-enforcement agencies in multiple countries” and that the investigation included getting a court order for a search of the blogger’s home. It said the investigation “identified clear evidence that the third party involved intended to sell Microsoft IP [intellectual property] and had done so in the past.
“As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts,” Microsoft’s statement goes on to say.
“While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites.”
Indeed, Microsoft’s terms of service specify that the user agrees Microsoft may access, disclose or preserve users’ personal information and content when the company thinks that doing so is necessary to comply with the law, to prevent loss of life or serious physical injury to anyone, or to protect the rights or property of Microsoft or its customers.
“In this case, it does appear that Microsoft’s terms of service permit the company to have taken the action that it did,” said Nate Cardozo, an attorney with digital civil-liberties organization Electronic Frontier Foundation. “The terms of service is a contract. By opening a Hotmail account, all Hotmail users consent to Microsoft searching their emails for this sort of content.”
But “from our perspective, it was clearly not the right thing for Microsoft to have done this,” Cardozo said of the case. “The proper remedy for Microsoft would have been to have the government get a warrant to search this guy’s email.”
When Microsoft — or other companies such as Yahoo and Google, which have similar stipulations in their terms of service — reserves the right to access users’ content, “what they’re saying is: ‘Trust us. We will only use this right in extraordinary circumstances,’ ” Cardozo said. “That’s not enough because what that means is that any Microsoft account holder is leaving it up to Microsoft to decide when it’s appropriate to search your email.”
Microsoft issued a statement later Thursday outlining the policies it follows and detailing a few new ones.
“It’s not feasible to ask a court to order us to search ourselves,” but the company does not conduct a search of its own email and other customer services “unless the circumstances would justify a court order, if one were available,” John Frank, Microsoft’s deputy general counsel, said in the statement.
The company has a legal team, separate from the internal investigating team, that assesses evidence to see if there’s enough to justify a court order.
From now on, Frank said, the company will also submit any such evidence to an outside attorney who’s also a former federal judge and will move forward with a search only if that attorney agrees there’s sufficient evidence for a court order.
Any such searches will be limited to the matter under investigation and be conducted under supervision by legal counsel.
And the number of such searches will be published in the company’s twice-yearly transparency report on data it discloses in response to law-enforcement requests.