Kudos: Microsoft Changes Policy, Promises Not To Inspect Customers' Content

from the good-move dept

Last week, we wrote about Microsoft’s ridiculous decision to search through a reporter’s Hotmail email account after realizing that reporter had an unauthorized copy of Windows 8. The whole thing seemed like a huge overreaction by the company — in trying to track down an almost meaningless leak that was unlikely to have any real impact on anything, the company effectively alerted the world that you had no real privacy in your email. The move was even more ridiculous since Microsoft has more or less bet its email farm on a marketing campaign about how it respects your privacy more than others. Microsoft’s first response to this was exceptionally weak. While it announced a “change” in policies, it was still the same basic policy, that effectively (and misleadingly) claimed that it could and would continue to search anyone’s email if the company had evidence that you might reveal a leaker.

Apparently — and somewhat surprisingly — it appears that Microsoft and its legal team took the criticism seriously. Microsoft’s General Counsel Brad Smith has now put out a new blog post announcing a complete change in policy, promising that it will not unilaterally look through any Microsoft user’s content in search of “stolen” intellectual property:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

Furthermore, the company will officially change its terms of service to reflect that change in policy. On top of that, it is starting a (somewhat undefined) project with EFF and CDT to work on “best practices” concerning privacy. Smith’s apology is quite heartfelt, which is also rare from a big company:

It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week. Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.

In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.

While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.

Personally, I wish the announcement and policy change went a bit further — beyond just “intellectual or physical property,” but making it clear across the board that, absent a reasonable warrant signed by a judge, Microsoft will not allow anyone to access anyone’s content. But, perhaps we’ll get there some day. In the meantime, Microsoft does deserve some kudos for changing positions. Most large companies would try to just let this issue fade away rather than proactively address it.

Filed Under: , , ,
Companies: microsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Kudos: Microsoft Changes Policy, Promises Not To Inspect Customers' Content”

Subscribe: RSS Leave a comment
55 Comments
blaktron (profile) says:

Recheck facts

Your read on this case, Mike, is a bit off. It had nothing to do with a copy of Windows 8, but source code relating to the Volume Activation mechanics in Windows 8/Server 2012. This is a REALLY BIG DEAL to people like me running open activation systems that would then be exploitable. They made a promise to other customers, paying customers, that they would do everything in their power to keep that code secure.

How they did it is one thing, and you can be against that, but claiming that they did not have a VERY good reason for doing so is intellectually dishonest.

That Anonymous Coward (profile) says:

Re: Recheck facts

If a crime was committed, they had legal options. They threw those options to the wind and went off on their own hunt.
Taking the law into ones own hands is frowned upon.

I have a very good reason for breaking into that guys house, because I promised my mom I would find the guy who let his dog shit in the yard. Sounds silly in that context doesn’t it?

blaktron (profile) says:

Re: Re: Recheck facts

They had no legal options, they did explore them and described them in detail. Because of the CFAA, email on a server belongs to the company that owns the server, not the user or any 3rd party. You cannot legally subpoena property or information that you yourself own.

This is a MAJOR flaw in the US legal system, and Google/Apple/Facebook would be forced to do this the same way in similar circumstances. Except they don’t have enterprise customers that they have contracts with to secure their code, so they aren’t as worried about this issue and are using it to attack microsoft.

There is a techdirt article from years back of Google doing the same thing (to Gchat messages) when one of their engineers was abusing his access to communicate with minors. They had no issue looking through the mis-accessed accounts to confirm that.

Get your reps to change the CFAA and make information you create, stored at a 3rd party your own property. Otherwise, cloud storage providers will ALWAYS be forced to use only internal policies to decide these matters.

blaktron (profile) says:

Re: Re: Recheck facts

I feel like im in the bad position of defending Microsoft, but simply attacking them for what is a VERY nuanced problem is counter-productive to solving the problem.

Show me a legal US method of subpoenaing information YOU legally own, and I will retract my defense of them. But until you can, you are arguing the wrong point.

G Thompson (profile) says:

Re: Re: Re: Recheck facts

If the information is going to be used in a criminal matter where you are classified as the victim then THE ONLY way to do this is to allow LEO’s the ability to run the whole thing.

That’s what criminal investigations are for. That’s why Victims and witness’s play no part in investigations other than giving statements and facts that are requested. If they give information on their own behest then that information if it is to become evidence has to be verified as correct. The informant (in this regard the victim) has too much of a bias for this to not occur.

A warrant/subpoena is not just to obtain evidence. It is the procedural correct way of allowing that evidence to be properly obtained by the appropriate parties for ALL sides. Otherwise anarchy reigns and rules of evidence goes out the window and hearsay is fully allowed in criminal matters.

Civil cases on the other hand are different though the same problems of bias, relevance, authenticity and probity also crop up with discovery. This is why it is always best practice to allow outside third parties that have no other interests in analysing, obtaining, and preserving this sort of volatile data.

Microsoft were trying to enact a criminal investigation internally being judge, jury and executioner. That’s wrong both legally and ethically anywhere.

As for their statement of “While our own search was clearly within our legal rights”, that is blatantly false in the context of what they were planning to use that evidence from the search for.

Anonymous Coward says:

Re: Recheck facts

This is a REALLY BIG DEAL to people like me running open activation systems that would then be exploitable.

You statement suggests that you are relying on the trustworthiness of a company that demonstrated that trust may be misplaced.
Security via obscurity is no security, and allows NSA back-doors to be built in.

blaktron (profile) says:

Re: Re: Recheck facts

That’s a BS argument. Exploits come from bugs, having access to source allows you to find bugs. Or workarounds. And yes, we are reliant on Microsoft OS’s in the enterprise because there isn’t another option. I know you are about to explain to me how Linux can do it, but I’m an Enterprise Architect and you aren’t, and you’re wrong.

the truth says:

Re: Re: Re: Recheck facts

Lol, you pay a lot for your Microsoft certificates so your just massaging your ego there because you were a fool to go along the ms path as was 90% of the world. If you want secure you use Unix/BSD and not Linux, your right!

Windows sucks and always as done from 95… I didn’t find 3.11 too bad but I didn’t move from dos for a long time because I didn’t like the direction things were going. Since then I’ve been proven tight year after year!

Sheeple

Gwiz (profile) says:

Re: Re: Re: Recheck facts

Exploits come from bugs, having access to source allows you to find bugs. Or workarounds.

The other side of that coin is that having access to the source also allow you to discover the nefarious “features” that a self-serving corporation might put into their proprietary code.

I know you are about to explain to me how Linux can do it, but I’m an Enterprise Architect and you aren’t, and you’re wrong.

It is possible though – just ask the folks over at Ernie Ball.

But I am curious why you claim that open source couldn’t replace MS in the enterprise. What’s missing?

blaktron (profile) says:

Re: Re: Re:2 Recheck facts

This is a VERY long conversation, but a lot of it comes down to 3 things: Manageability, supportability, and cost to confirm (testing).

Manageability: making environment wide changes (and confirming they were successful) is very difficult in an enterprise linux environment, and prone to failure. Getting better every day, but not there yet and the least of the issues.

Supportability: Not that its necessarily harder, but it is WAY more expensive to pay a Linux systems analyst to do workstation support than it is to pay a tech support monkey with a HS education. Scale that out to 1000+ IT people, and its a multi-million dollar problem.

Confirmation/Testing: This is a lot more nuanced, and really only affects the ultra-large enterprises, but having a consistent code base among your 100 000+ computers in a large enterprise has economies of scale when testing new rollouts that is impossible to replicate in a package-based environment. It comes down to man-hours required to test changes under an ITIL/COBIT managed environment. Again, efforts are being made (successfully) to nullify this problem, but it still exists.

Gwiz (profile) says:

Re: Re: Re:3 Recheck facts

Fair enough.

I’ll defer to your apparent knowledge on the 1st and 3nd points. Those sound like reasonable concerns.

On the second one concerning supportability though, isn’t that really just a matter of developing tools and training for Linux that are equivalent to what the first line guys are using now?

blaktron (profile) says:

Re: Re: Re:4 Recheck facts

Basically, yes, but its a massive gulf right now. Some organizations can get away with it because of their skillsets, but its hard to sustain and they have trouble hiring.

The U of A where I worked has a large OSS infrastructure, that I helped manage, and its hard to hire good people to support it. They manage it, but it would be impossible to scale it out to the desktop for 800 end user IT people, 10 000 staff and 45 000 students in the computer labs. In contrast, the EA agreement is only low 7 figures for all their MS licensing.

Its changing, and it will likely be a completely different ballgame in 10 years, but its not really a contest at my level.

Anonymous Coward says:

Re: Re: Re:6 Recheck facts

You missed the point – that, for the longest time, it was far easier, both in economic and in training-hours terms, to train people up for Enterprise Windows solutions. This is changing, to be sure, but it’s not quite at the tipping point.

Remember that Linux was, and still is to a degree, not as user-friendly as Windows to the layperson. You can put a person down in front of Windows (even Windows 8) and talk them through how it works, then leave them to it and get the work done. IF something goes wrong, you can call for help from most people relatively easily. For Linux, sadly, not so much.

Gwiz (profile) says:

Re: Re: Re:3 Recheck facts

One other thought.

Wouldn’t the cost of extra training, developing, and whatnot be offset by a huge degree by not having to fork over a fortune in licenses every year for proprietary software?

On the scale you are dealing with, even just the switch from MS Office to LibreOffice would be a significant savings.

blaktron (profile) says:

Re: Re: Re:4 Recheck facts

This would be true if software licensing was anything but a drop in the bucket for an organization’s IT budget. Also, Microsoft at least gives a ton of free consulting hours with large EAs. Every organization has a mix of open and closed source stuff but the licensing costs don’t determine what’s most expensive, ease of update is. We get dinged by our auditors if our software isnt up to date, and the ease of transition that closed source stuff usually has (except ERP stuff and Oracle) offsets the cost of the license.

Its complicated, but man hours, power, user hardware, user training and consulting make up the bulk of an IT budgets. Training 100 000 users on something new costs WAY more than licensing 100 000 windows workstations at 60 bucks a pop. And don’t get me started on migrating from Office…..

Anonymous Coward says:

Re: Re: Re: Recheck facts

That’s a BS argument. Exploits come from bugs, having access to source allows you to find bugs.

Which is how all those exploits used to attack Windows systems have been found!!.
Almost all exploits are found by calling routines with bad parameters, such as overlong strings, out of range indexes etc. If the program crashes, they can then try the various ways of using the bug. Very few exploits are found by either access to the source code, or reverse engineering the binaries.

Anonymous Coward says:

But will they ask for a warrant?

How is this a change if they are still extra-helpful to law enforcement when they are an interested party in a case.

MS : Officer, a reporter with an hotmail account has reported on secret stuff. Will you look in his account for us? We promised we wouldn’t.

Officer : Shall I get a warrant?

MS : No need. Here’s all her email messages. Would you mind telling us what they say?

blaktron (profile) says:

Re: Re:

After attacking Mike over one thing, I have to step in here and defend him. He is a friend of the general public, not Google. It’s just that in a lot of ways Google has aligned incentives with the public because their business model is public trust (to a large degree). Microsoft’s interests are aligned with their Enterprise customers and OEMs where the bulk of their revenues come from. So it might look like he’s a Google supporter, but really issue by issue he agrees with them more often than MS.

This is changing as Google becomes more attracted to Enterprise revenues (very stable), and MS becomes more consumer focused. As their incentives drift towards each other their behavior will become more similar and Mike will hate on them equally (or cash twice the shill checks as you seem to think)

not_an_apologist says:

have to agree with blacktron

While it rather pains me to say so. I have to agree with blaktron on the management issue. MS products have a huge support base irregardless of the degree of skill. Alternative systems, yes including Mac, do not have the same pool of workers to choose from. That large pool keeps the salaries lower than skilled Unix and Linux support which has a *much* smaller group to hire from.

There’s one other problem that no one has touched so far, business or logistical software. Often times these products are platform specific, usually Windows, and there *is* no alternative to them.

Whether or not your business IT people ‘trust’ Microsoft or not is no longer a question in that situation. You lock down as much as you can and hope it’s enough to keep out *most* prying eyes.

Anonymous Coward says:

Re: have to agree with blacktron

There is the problem that staying with Microsoft only lets them increases the lock in they have on your computer systems, and the control that they exercise on the software that you can run. The more they can lock you in to their software in the more they can charge you to allow you to run your business.

Anonymous Coward says:

“Furthermore, the company will officially change its terms of service to reflect that change in policy.”

Is this one of those Terms of Service that they can just change anytime they want (such as how they are doing that here and now)?

If yes, then I would not put too much faith into the fact that this will now be included in those ToS, as they can just modify or take it out later (after this blows over and the dust settles).

GEMont (profile) says:

Any port in a shit storm

Kudos my ass. This is Microsoft remember….

As sincere as the statement sounds, it is still Microsloth and I’m certain that the only thing that has changed is the manner in which they lie to the public.

Its more sincere sounding now.

But, its still a lie.

MS will always do as it pleases first and attempt PR afterwards, but only if it feels the PR skit might have some chance of successfully fooling the public, or if it thinks its absolutely necessary – like this time, since they’re hoping to prevent a mass customer exodus.

Normally it would just weather this shit storm for the period of consumer memory – a couple weeks – and then pretend it never happened, but the off-hand manner in which they violated their own privacy agreement, as if it simply did not exist, really spooked the public.

Drastic measures were necessary.

In this case Pseudo-Sincerity!

John Fenderson (profile) says:

Re: Re:

I ditched Windows for Linux completely about 10 years ago. The transition period was a little painful then, but once you’ve made the move, there are no issues. Even that transition is much easier now I’ve guided a number of non-techie people away from Windows recently, and nobody had any problem.

The one exception remains gaming, but even that is getting to be a smaller and smaller exception as time goes by.

John Smith (profile) says:

Really Informative Knowledge you have shared

Really good information Mike Masnick. I am really happy to read your article in significant way. Recently, I was searching for <a href="https://risingmax.com“&gt; IT Consulting Companies in New York</a> and I found the great one. I hope all your reader will like it and trust me you are doing very well. Keep it up Mike. I can believe that you will do something amazing.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...