Microsoft issues mea culpa in wake of Hotmail email probe, seeks to restore customer trust

Microsoft's criticisms of Google for scanning email to serve ads ring hollow with disclosures that the company probed a blogger's email account. Will Microsoft's TOS changes restore customer trust?


A former Microsoft employee, Alex Kibkalo, is facing criminal prosecution for allegedly leaking prerelease Windows 8 software to a French blogger. Kibkalo was arrested in Seattle on March 19, 2014 and charged with "theft of trade secrets" and is being held without bail. Reportedly, Kibkalo was angry over a poor performance evaluation (likely based on the stack-rank system, a widely criticized practice which Microsoft abolished late last year); however, the real story here is the way Microsoft identified Kibkalo as the alleged leaker.

A series of unfortunate events

The unnamed French blogger contacted a Microsoft employee via a Hotmail (now Outlook) account requesting verification that a program allegedly provided by Kibkalo was genuine. Upon confirmation that it was Microsoft property, an email from Kibkalo was found in the blogger's Hotmail account, along with an email notifying the blogger of files being shared with him via SkyDrive (now OneDrive). In addition, this activity was discussed on Windows Live Messenger (now discontinued), all of which is visible and searchable by Microsoft's Trustworthy Computing Investigations team.

Anyone will tell you that exchanging insider information about the company you work for using that company's own cloud infrastructure is a bad idea. At the time of the incident, Microsoft believed it had the right to read your email, as the Terms of Service state: "You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services ... [to] protect the rights or property of Microsoft or our customers."

Without jumping into a protracted discourse about how contract law does not and cannot trump inalienable rights of an individual, the takeaway here is that Microsoft reserves the right to read the email in your Outlook account. After facing an intense level of public backlash and criticism, Microsoft has issued a mea culpa on the matter, claiming that it will refer such matters to law enforcement instead.

The initial PR response

Microsoft not reading your emails is the central focus of its "Scroogled" campaign, a jab at Google's placing of AdWords adverts on the Gmail website. Other topics of the Scroogled campaign include Google Shopping requiring online merchants to pay advertising fees to have their products offered in Shopping searches, criticizing Google for placing adverts in close proximity to search results (exactly as Bing, Microsoft's fledgling search engine does), and criticizing the Chromebook for not having Windows or Office. The Scroogled campaign also extends into apparel, for those that wish to express their corporate cheerleading with clothing.

Cognizant of the public relations disaster that this investigation has landed Microsoft in, the firm released a statement on March 21, 2014 with precisely worded statements that give the impression of "accountability theater" with reviews by "an outside attorney who is a former federal judge." In this same statement, John Frank, the deputy general counsel for Microsoft, offered a defense of Microsoft's searching the contents of a Hotmail account in the Kibkalo case. In addition, he noted that "courts do not... issue orders authorizing someone to search themselves, since obviously no such order is needed," a statement derided by Jennifer Granick of Stanford Law School's The Center for Internet and Society as "wrong... At best".

Microsoft's activity with the US federal government and law enforcement

The same day, hackers identifying themselves as members of the "Syrian Electronic Army" released documents apparently purloined from Microsoft servers detailing invoices to the US federal government for records of Microsoft account users at $50-$200 per request, totaling hundreds of thousands of dollars per month of taxpayer funds lining Microsoft's pockets.

In a statement to The Register, Microsoft dismissed the claims:

We've previously stated that Microsoft won't comment on the validity of any stolen emails or documents. Regarding law enforcement requests, there's nothing unusual here. Under U.S. law, companies can seek reimbursement for costs associated with complying with valid legal orders for customer data. As we state clearly in our Law Enforcement Requests Report, we attempt to recover some of the costs associated with any such orders. Please refer to our Trustworthy Computing blog posted on January 24, 2014 for more details.

The bit about law enforcement requests is true, and not an activity limited to Microsoft. Microsoft has the ability to read emails stored on Outlook, and requests compensation to provide this information under subpoena. In 2010, Microsoft didn't charge at all, a fact for which it was chided by the ACLU -- charging creates a paper trail for the request.

The mask of privacy

The issue at hand isn't that Microsoft is pursuing legal action against an ex-employee that may have been leaking binaries, or that it complies with subpoenas for information -- any company, faced with similar circumstances, would do the same. The issue is that Microsoft's public relations team sanctimoniously declared the company does not read your emails, when it's on the record as having done so, and -- until just recently -- insisted in its EULA that the company reserved the right to do so.

Does Microsoft's conduct in the Kibkalo case change your trust level in the company? If so, has your trust level gone up or gone down? Does it crush your confidence in cloud computing? Can cloud companies compensate for privacy and security concerns? Let us know your thoughts in the comments section.

Also read

Disclaimer: TechRepublic, ZDNet, and CNET are CBS Interactive properties.