Does Microsoft Have the Right To Search Your Email?

Microsoft has long run a campaign to convince people that its email service, Outlook, is safe. The company assures users that “Outlook.com prioritizes your privacy” and “your email is nobody else's business.” That privacy ends, though, if Microsoft itself says it has a good reason to snoop through your emails or chat logs.

Last week, the company accused one of its former employees, Alex Kibkalo, of leaking trade secrets. The Seattle Post-Intelligencer wrote last Wednesday that “Kibkalo is alleged to have leaked Windows 8 code to a French technology blogger in mid-2012, prior to the software’s release.” The blogger is unnamed in the court complaint, and the leaks amounted to “screenshots of a pre-release version” of the operating system.

How'd Microsoft figure all this out? Company investigators went snooping through private messages of the blogger, who used Outlook, in order to hunt down Kibkalo.

John Frank, Microsoft's general counsel, argues that this is no big deal because:

courts do not... issue orders authorizing someone to search themselves, since obviously no such order is needed.  So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.

He also gives assurances that the company's terms of service allow it to do this.

Harry McCracken of TIME expresses some sympathy for Microsoft, noting that among all other potential illegal deals transpiring over Outlook, “the one sort of case in which we know that Microsoft thinks it’s OK for it to spy on your e-mail without a warrant is when you might be stealing its own stuff.”

Others are more skeptical. Edward Wasserman, the dean of the Graduate School of Journalism at University of California, Berkeley, told The New York Times, “I have never seen a case like this. Microsoft essentially decided that whatever privacy expectation that its own customers supposedly had was basically a dead letter.”

“Microsoft clearly believes that the users' personal data belongs to Microsoft, not the users themselves,” Ginger McCall of the Electronic Privacy Information Center said to CNN.

Mike Masnick of Techdirt predicts that this “is hugely damaging to the company,” more so than just letting the leaks pass.

Either way, Microsoft is now doing damage control. The company is revamping its privacy policy and has issued a statement that they "vow to go through a more stringent process" before reading people's emails again.


  • Pro Libertate||

    It's certainly actionable if Microsoft tells consumers one thing and does something else.

  • Sigivald||

    Depends.

    If it tells customers it's petting a kitten on their behalf, and isn't, that's not actionable.

    Actionable requires, as a tort, some harm done, not just not doing what they say.

    And I'm not sure what the harm here is supposed to be, other than to Microsoft for scaring off notional customers.

  • Pro Libertate||

    There's ample law out there that says that statements like privacy policies are binding on those who issue them.

  • Michael S. Langston||

    ProL -

    I agree.. but what about this scenario... I know it seems unlikely, but what if...

    Company X only violated their privacy policy because some government agency forced them to do so, while simultaneously telling said company that they weren't allowed to tell anyone it was happening under penalty of law?

  • Paul.||

    Putting aside whether or not this is within Microsoft's rights, when you use an online service for your email, always assume an employee named Chad is reading your email. Always. Assume it. Forever. And ever. Amen.

    If you want the content/body of the email to be protected and you must use an online service, encrypt it with PGP or some other external encryption tool. Don't use any company internal tools. If it's readable on the server, it's readable to Chad. Remember people, IT'S THE ENDPOINTS, STUPID!

  • ||

    I pay a company to provide me with a medium for communication. How would that give that company a right to snoop on those communications? If it does, then why not apply that to paper, pen and envelope manufacturers?

  • sarcasmic||

    Well, if you physically went to the company that made those things, wrote and stored all your correspondence on a desk at their location, and relied upon them to deliver and receive everything for you, then you might have a good comparison.

  • ||

    I was being a little over the top there, but my point is this:

    I purchase a medium from a company on which to record communications. I do it with an expectation of privacy and with 4th amendment protections for that privacy.

    The nature of the medium itself, the location where I store it and the means by which I deliver it have no effect on those conditions.

  • kinnath||

    I purchase a medium from a company on which to record communications. I do it with an expectation of privacy and with 4th amendment protections for that privacy.

    Only if the Ts & Cs say that. You are renting space on their physical property. Your rental agreement has to specify what your rights are and what their rights are. So read the fucking Ts & Cs when you sign up for an online service.

  • ||

    You and Sarc are both right. I was just lamenting about the loss of privacy really.

    I never write anything with any expectation that Paul's evil Chad won't read it.

  • kinnath||

    Yeah, fuck that Chad guy.

  • JW||

    I do it with an expectation of privacy and with 4th amendment protections for that privacy.

    From the company which owns the servers? No such right exists.

  • ||

    What I am trying poorly to say is that no matter the medium, the communication itself is mine and thus I get the say as to who can read it.

    I believe my argument is destroyed already so I will give it up.

  • entropy||

    That's not really true.

    If you choose a billboard in Times square as your medium, you don't get to choose who can read it. There are many other examples demonstrating the same principle. You can only assume privacy if you own the medium.

  • Zeb||

    It is a shame that you can't assume privacy there. It is a shame that instead of extending the privacy protection that was given to telephone communications (which didn't turn out all that great in the end, but it was something) to other things like email and other electronic communications the government has done everything it can to do just the opposite.

  • Paul.||

    Putting aside whether or not this is within Microsoft's rights, when you use an online service for your email, always assume an employee named Chad is reading your email. Always. Assume it. Forever. And ever. Amen.

    If you want the content/body of the email to be protected and you must use an online service, encrypt it with PGP or some other external encryption tool. Don't use any company internal tools. If it's readable on the server, it's readable to Chad. Remember people, IT'S THE ENDPOINTS, STUPID!

    Squirrels, I predict this post shows twice...

  • Paul.||

    *sigh*

  • ||

    Why all the Chad hate?

  • JW||

    Chad's a dick.

  • Paul.||

    Chad has a sweater tied around his neck.

  • JW||

    WHICH MAKES HIM A DICK.

  • Paul.||

    You called him a dick, I illustrated why. We're like the Siegfried and Roy of dick exposition.

  • JW||

    Wait, which is the gayer one?

  • gimmeasammich||

    The one with the dick in his ass?

  • entropy||

    "Microsoft clearly believes that the users' personal data belongs to Microsoft, not the users themselves,”

    Looks like someone finally read their EULA. In 60,000 words it basically states 'all your base are belong to us'.

  • Paul.||

    Online services of all types almost universally believe the data you stick on their servers is theirs. Remember when people went apeshit when Facebook said all your data are belong to them?

  • entropy||

    Yup. But with MS it's not just data you stick on their servers, it's more like data on any machine running any of their software, which you are only leasing the right to use.

  • thatsright||

    You're confusing Outlook.com w/ Exchange/Outlook. They're totally different. Outlook.com is the new name for Hotmail and is what MS searched.

  • Tman||

    ^^^this.

    Every EULA is basically a "hold harmless" guarantee to the vendor providing the services that by agreeing to use said services you are relinquishing your rights to whatever degree the vendor decides is necessary.

    Everyone whines about Facebook and their security settings but they realize that when they signed up -for free I might add- they agreed to share their personal info and pictures with Facebook and they retain the rights once it's used on their site.

    Same thing with email services EULA's. Don't like it? Don't use it.

  • Zeb||

    Whining about Facebook is stupid. They are giving you a free service in exchange for being able to do whatever they want with your information and target ads at you. Same with Google.

    But with Outlook, it is usually companies paying for a communications system. In those cases I think that the customer has a lot more cause to whine about it. Though I agree that ultimately it comes down to what is in the contract. But if several large companies told MS to get fucked if they didn't change the terms of using Outlook, I bet they would change it.

  • Paul.||

    But with Outlook, it is usually companies paying for a communications system. In those cases I think that the customer has a lot more cause to whine about it

    I agree, they do. The average consumer has a higher expectation of privacy with email communications than they do of Facebook wall posts-- putting aside any laws or court precedent.

    I hope that the higher expectation of privacy will force Microsoft to do the right thing.

  • thatsright||

    You're confusing Outlook.com w/ Exchange/Outlook. They're totally different. Outlook.com is the new name for Hotmail and is what MS searched.

  • Paul.||

    No, I'm not.

  • thatsright||

    ok

  • John||

    It seems to me that Microsoft accessing people's email accounts without authorization is a violation of the Electronic Communications Privacy Act. There is no "but we wrote the software and are hunting down a patent violator" exception to the statute.

    If we had an honest DOJ that wasn't in the pocket of the tech oligarchs, there would be criminal charges pending against both Microsoft Corporation and the employees who did this.

  • JW||

    Your free email on their servers? Yes.

    Next question?

  • Zeb||

    Outlook is not usually free as far as I know.

    You are an idiot if you expect privacy from Google or Facebook or whatever. But when you pay for a service, you don't expect that so much.

    But yes, read the contract and you will know.

  • KDN||

    I believe this is about Outlook.com, not the Outlook you use at work.

    To be honest, I'm not even sure how MS could view the latter since it never routes through their environment. I'm no expert here, though.

  • JW||

    It's Outlook.com, which is a free service competing with Gmail.

  • kinnath||

    http://www.nbcnews.com/tech/se.....ail-n60561

    A digital rights advocacy group slammed Microsoft for accessing the Hotmail emails of a blogger who allegedly received stolen Windows information leaked by an employee.

    Hotmail is not equal to Outlook.

    1) I don't expect that the Ts and Cs of the Hotmail service say that Microsoft can search your email if they think you release MS proprietary data.

    2) You have to be completely fucking stupid to release MS proprietary data through an email account provided by Microsoft.

  • kinnath||

    fucking tags

  • ||

    Hotmail is Outlook.com now.

  • kinnath||

    All the articles I've read to date said the doofus used an old hotmail account. So I've clearly missed the connection to the new service name.

  • Lord Humungus||

    yep, I have an ancient hotmail account* that still putters around - it was transferred to outlook.com

    *I now only use it for record label registration when downloading MP3s via the coupon that came with the record.

  • ||

    Funnily enough the transition happened in July 2012, so right around the time this was going on.

  • Zeb||

    So Outlook is their free mail now?

    What am I thinking of? Exchange?

  • Paul.||

    Outlook is Microsoft's name for its email client. Exchange is Microsoft's enterprise email system software. Outlook.com is now the public face of their free online email service which transitioned from Hotmail.

  • Paul.||

    And don't even ask me how this all connects with Microsoft Live. I have no idea, and hope to retire before I'm forced to know.

  • kinnath||

    Outlook.com is rebranding of Hotmail to take advantage of consumer familiarity with the Outlook desktop email application (god knows why cause Outlook sucks).

    Exchange is the server side email application that supports SMTP which is supported by many desktop email applications. (from vague memories).

  • kinnath||

    And Paul beats me to it.

  • JW||

    How'd Microsoft figure all this out? Company investigators went snooping through private messages of the blogger, who used Outlook, in order to hunt down Kibkalo.

    Kibkalo doesn't sound like the sharpest of all pencils.

  • Paul.||

    Clearly not. Why didn't he just post it on his Facebook wall for fuck's sake?

  • entropy||

    If we had an honest DOJ

    And if ifs and buts were candy and nuts we'd all have a merry inclusive non-denominated equinoctial celebration.

  • entropy||

    Sorry that was supposed to be a reply to John. Also sorry I forgot the trigger warning.

  • John||

    I meant the statement ironically.

  • JW||

    Company investigators went snooping through private messages of the blogger, who used Outlook, in order to hunt down Kibkalo.

    He should have used the tried and true Jimmy Carter method.

  • entropy||

    My next operating system will be Linux Mint.

  • William of Purple||

    how's it for gamez?

  • pan fried wylie||

    or netflix (aka MS Silverlight)...

    (hint: no)

  • Wasteland Wanderer||

    I don't use Netflix, so I haven't done it myself, but a quick Google search has dozens of tutorials for installing the Netflix app on Linux Mint, Ubuntu, Fedora, etc.

  • Michael S. Langston||

    I think almost all linux distros (mint, ubuntu for sure) can now deal easily with silverlight. Go here

  • Wasteland Wanderer||

    About the same as most Linux distros. You'll need Wine or an emulator to run games designed for Windows. You can also install the Steam app using the Software Manager tool.

  • entropy||

    I can't really say because I don't have it YET. I am in the process of organizing my hard drive and backing up before I move over. But I will try it.

    I think it will be fine. We'll see. I don't play a ton of games anymore but Steam has gone to linux now and a few more game projects as well. Plus there's emulators like WINE and Playonlinux. I'll find out eventually.

  • entropy||

    I've reached a point where I'm happy with roguelike games and old shit. All the new blockbuster $50 games have gotten boring for me, they're all so formulaic I rarely make it through a whole 40 hour play through anymore. And they offer pretty much zilch for re-playability after you've got 40-60 hours in them.

    But old games like nethack or Total War/Civ games and old NES games, that have like 5 minutes of content total but somehow are basically evergreen because the gameplay is actually fun since they didn't blow the whole dev fund on shiny graphics.

  • Paul.||

    I've been looking at a new one called OpenNSA.

  • Sigivald||

    “the one sort of case in which we know that Microsoft thinks it’s OK for it to spy on your e-mail without a warrant is when you might be stealing its own stuff.”

    ...

    Someone doesn't understand what "warrants" are.

    Warrants are things the government gets for permission to look at something without exposing its agents to lawsuits, originally, and these days, to look without the results getting barred from evidence.

    No private party needs a warrant to do anything on its own initiative.

    For any number of other reasons, they might be liable for an action they perform, of course, but "warrants" are irrelevant to non-State actions.

    (Note that the Fourth Amendment does not say anything like "no search shall be performed without a warrant". Originally a warrant protected the searcher from personal liability; but since all State Agents have qualified immunity now, the rules got changed to evidence not being allowed in Court without a warrant. Roughly.)

  • John||

    No private party needs a warrant to do anything on its own initiative.

    Just because they don't need a warrant doesn't mean it is legal. If I break into your house, it is true that I haven't violated your 4th Amendment Rights like I would if I were a cop doing it. But I am still guilty of breaking and entering.

    Snooping into someone's email is a federal crime. Microsoft seems to have committed such a crime here.

  • Wasteland Wanderer||

    He addressed that point when he stated "For any number of other reasons, they might be liable for an action they perform, of course, but "warrants" are irrelevant to non-State actions."

  • John||

    They are liable alright, criminally.

  • JW||

    Snooping into someone's email is a federal crime.

    Nope. As the sysadmin for my company, I can go into anyone's account right now, and there isn't thing one, legally, they can do about it. It's our property and they have no expectation of privacy on company time. I wouldn't do it, because I have better things to do with my time and it ain't right (from a professional standpoint).

    Every now and then I do get requests from mgmt to go and check some employee (or ex-employee) to see what they've been up to. I always get that in writing. The best one was with an old boss, a brassy Brooklyn-Sicilian female lawyer, with some of the biggest and most robust tits you'll ever see.

    So I go looking in this (gay) guy's mailbox and I'm about to give up, when I hit paydirt. I print it out and take it up to her in her office. She takes one look, pauses, and then, in the loudest indoor voice ever, with her door open, "OH MY GAWD, IS THAT JIMMY GIVING SOME GUY A BLOWJOB!?"

    It echoed through the halls, I swear to Zod.

  • Michael S. Langston||

    Nope. As the sysadmin for my company

    That is different from the law that disallows email hosting companies to read private emails of individuals.

    Corporations own the work product and email is used to perform their work - therefore the law and constraints are much different.

    Additionally note that even though corporations own it all and no one really disputes this, every company I've worked for or seen others login to all have a warning stipulating all email and other traffic is tracked/read/etc/etc/etc.

    Just to make sure.

    But if John is right, and as a lawyer I assume he is, about the federal law, that law is specific to email hosting companies and individual/group hackers (just as it's a federal law to read mail).

  • Andrew S.||

    Do they have the "right" to, as a private company, provided that they tell their customers in advance that they'll be doing it? Absolutely.

    Will I use this as another part of the long list of reasons why I will not use Microsoft products? Absolutely.

  • BBB||

    That Microsoft should not have accessed Outlook.com email for this purpose is undeniable. It violated all expectations for an email provider.

    What I want to question is the moron Kibkalo. The guy clearly knew he was transferring confidential Microsoft property to an unauthorized third party.

    So he uses WHOSE free email service? His employer's.

    He uses WHOSE free cloud storage service? His employer's.

    He uses WHOSE free messaging service? His employer's.

    The guy should've been fired for unparalleled stupidity. If he had died, he would have been a favorite for a Darwin Award.

  • Pinky||

    ...they "vow to go through a more stringent process" before reading people's emails again.

    See, nothing to worry about.

  • Stilgar||

    btw - any of the e-mail companies can do this as can other big names like... Apple! Remember, the iSteve knows what is best for you.

  • ConstitutionFirst||

    Unfortunately there is no explicit right to privacy on the net beyond what you and your ISP agree to.
    That 100 page terms and conditions document you never read before clicking "agree", yeah it was in there, you gave up your rights by clicking.
    The incestuous relationship that has metastasized between Government (read:NAS) and industry (read: Google[government+ogle], Apple, Microsloth) has caused the whole world to rightly distrust America and our control over the net.
    The Jumbotron rule applies here; if you don't want the whole world to know your thoughts, don't put them in cyberspace.
    If it's that sensitive, Use Snail Mail.
