Microsoft Looked Through Reporter's Hotmail And MSN Chat Accounts To Identify Windows 8 Leaker

from the scroogled? dept

Apparently, Microsoft's desire to track down someone who leaked screenshots of Windows 8 is so strong that it's willing to violate its own privacy guidelines and promises to the public -- even if it means undermining Microsoft's main promotional campaign for email services.

A few weeks ago, Microsoft promoted Mark Penn to chief strategy officer. Penn is most famous as a PR man and political pollster who was the driving force behind Hillary Clinton's failed campaign for President in 2008. He's known for his negative attack ads and his claims to do everything based on data -- though, people who have explored some of his techniques say it's a lot more flimflam than actual statistical analysis. His main contribution to Microsoft over the past few years seems to be its ridiculous "Scroogled" campaign, in which Microsoft -- a company not at all known for its privacy protections -- attempts to portray Google as being bad on privacy. The campaign has been a colossal and expensive flop according to most.

Either way, you'd think that a company whose main marketing strategy these days is all about how it protects the privacy of your email account wouldn't then break into a user's email account. But that's exactly what Microsoft apparently did in tracking down the guy who leaked Windows 8 to a reporter. Alex Kibkalo, a software architect for Microsoft, sent a French blogger some Windows 8 code and the way to get around its anti-piracy measures. The French blogger posted screenshots and also emailed Microsoft for comment -- and that's when Microsoft apparently decided to throw its privacy promises out the window:
The engineer was caught after the blogger emailed Microsoft to confirm the authenticity of the leaked Windows 8 code. Investigators at the firm then reportedly looked through the blogger’s hotmail account and instant messenger chats to identify the source of the leak, and found an email from Kibkalo.
Of course, Hotmail today has morphed into Outlook.com, and the current ad campaign about it states: "Outlook.com prioritizes your privacy!" and "Your email is nobody else's business." Oh really? I guess Microsoft considers it their business. It's kind of astounding, first, that Microsoft did this, and second that they appear to openly admit that you have no privacy at all in your email if Microsoft suddenly decides it wants to dig through and dig up something.

Update: And, from the criminal complaint we see, indeed, that Microsoft figured it was fine to violate this journalist's privacy:

Reader Comments

  1.  
    kenichi tanaka, Mar 20th, 2014 @ 12:03pm

    This is exactly why Microsoft cannot be trusted. They are all for protecting your privacy from other companies when when it comes to the government or Microsoft violating your privacy, they are more than happy to stand up, cheering, "I'm violating your privacy, look over here".

     

  2.  
    kenichi tanaka, Mar 20th, 2014 @ 12:04pm

    I meant to say "but when it comes to the government" not "when when it comes to the government ".

     

  3.  
    Anonymous Coward, Mar 20th, 2014 @ 12:11pm

    I am shocked

    Shocked, I say, that there is gambling going on in this casino!

     

  4.  
    Anonymous Coward, Mar 20th, 2014 @ 12:23pm

    Wait, people still use hotmail these days?

    I haven't even signed into my hotmail account for 6+ years. And I haven't even installed MSN messenger in my last 2 computers.

     

  5.  
    Glen, Mar 20th, 2014 @ 12:26pm

    Re:

    I only use mine if I believe it will lead to spam.

     

  6.  
    Anonymous Coward, Mar 20th, 2014 @ 12:34pm

    Re:

    the "Scroogled" campaign has absolutely nothing to do with privacy, and everything to do with driving accounts to Microsoft so that they can do the same with the data as Google does.

     

  7.  
    Anonymous Coward, Mar 20th, 2014 @ 12:38pm

    I used to have a hotmail account. M$ in its infinite wisdom decided after 10 years of using the account that suddenly it was possibly hacked and needed personal identifying information to keep it open. In all the time prior to this, they never needed that. I said goodbye to them and never looked back. I think I read somewhere that NSA has an access allowance into email provided they have your name and account details without having to go through FISA.

    No matter, M$ didn't need personal info to open the account, didn't need it for years and years and then suddenly decides it does. I call BS on that one.

    This is one of the prime reasons I won't use Google stuff either. You can no longer trust major companies any more than you can the security agencies of this country. Call it Snowden fallout, though the bit about the email happened before his appearance on the public scene.

     

  8.  
    vastrightwing, Mar 20th, 2014 @ 12:41pm

    Trolling

    as they say, if you have nothing to hide...


    I do question why an employee at M$ would use an account operated by his own company to do such a thing. Did he want to get caught? Was this bait in order to inflict some other punishment to his employer? I wonder. Maybe he wanted to find out if M$ would do what they did and now he'll out them on it. Who knows. We live in truly bizarre times.

     

  9.  
    Anonymous Coward, Mar 20th, 2014 @ 12:48pm

    Re:

    Dear Hotmail,
    My name is Jean-Luc Picard, I live at 1701 E enterprise lane, Beverly Hills California, 90210.

    What else do they need?

     

  10.  
    B's Opinion Only, Mar 20th, 2014 @ 12:49pm

    Employment Contract

    I'm certainly no fan of Microsoft, but the key issue that seems to be overlooked here is that Microsoft looked at the emails of a Microsoft Employee.

    It is exceptionally common for one's Conditions of Employment to indicate very clearly that any and all emails sent and received through the employer's facilities will be monitored.

    There is no story here.

     

  11.  
    Mikael, Mar 20th, 2014 @ 12:50pm

    Re: Trolling

    They didn't look at the employee's email. They looked at the blogger's email and found the emails FROM the employee.

     

  12.  
    Anonymous Coward, Mar 20th, 2014 @ 12:53pm

    Re: Re:

    Yep, ALWAYS give a false name and info.

     

  13.  
    Anonymous Coward, Mar 20th, 2014 @ 12:57pm

    Re: Employment Contract

    Investigators at the firm then reportedly looked through the blogger’s hotmail account and instant messenger chats

    The Microsoft employee emailed a blogger who happened to use a hotmail account. When the blogger sought confirmation from Microsoft they searched the email account of the blogger.

    I'll repeat that. Microsoft did not search the emails of their employees, they searched the email account of a random blogger who happened to be using their email service.

     

  14.  
    Mike Masnick, Mar 20th, 2014 @ 12:57pm

    Re: Trolling

    I do question why an employee at M$ would use an account operated by his own company to do such a thing.

    It wasn't the employee's account they looked at (which might even be defensible). It was *the reporter's*

     

  15.  
    Anonymous Coward, Mar 20th, 2014 @ 1:00pm

    Wow, anybody who didn't click on that "flimflam" link should do so. That's a pretty stunning article showing how Penn interprets numbers.

    For example, they talk about his theory that left-handed people make great military thinkers because Colin Powell and Norman Schwartzkopf were both lefties. I'm not exaggerating, that really is in the article.

     

  16.  
    John Fenderson, Mar 20th, 2014 @ 1:00pm

    Re:

    Oh, now, be fair. No third party can be trusted with your information (or at least, it's literally impossible to know which ones can, which amounts to the same thing).

    Stories like this have been around for as long as companies have been keeping records on their customers. Even things like those supermarket affinity cards are used against you: customers suing stores have found that the supermarkets aren't above digging out their purchase history and using it to defame or embarrass them.

     

  17.  
    t3rminus, Mar 20th, 2014 @ 1:01pm

    Re: Re:

    You should try Mailinator (.com). You don't have to pre-register for your account, you just make one up on the spot, and can check it later.

    Great for disposable forum sign-ups that require you to validate your address.

     

  18.  
    Anonymous Coward, Mar 20th, 2014 @ 1:06pm

    Re:

    For example, they talk about his theory that left-handed people make great military thinkers because Colin Powell and Norman Schwartzkopf were both lefties. I'm not exaggerating, that really is in the article.


    Everyone knows that's 100% true. And I'm absolutely not saying that just because I'm left-handed.

     

  19.  
    Anonymous Coward, Mar 20th, 2014 @ 1:17pm

    Re: Re:

    You may be on to something here. I'm right handed and have no military thinking skills at all.

     

  20.  
    John Fenderson, Mar 20th, 2014 @ 1:30pm

    Re: Re: Re:

    I use Mailinator frequently. It's one of the most useful services on the internet. No signup, no fee, no nothing. Brain-dead easy to use.

    Some sites, however, do disallow using a mailinator address to register.

     

  21.  
    zip, Mar 20th, 2014 @ 1:31pm

    United States v. Councilman

    Other than just plain pissing people off, a key question is whether Microsoft's snooping is a direct violation of The Electronic Communications Privacy Act or the Wiretap Act. I suspect it might be. Let's not forget the audacity of online bookseller Interloc (now Alibris) who claimed that there was absolutely nothing wrong -or illegal- about spying inside customers' email accounts ... and actually got a court to agree.

    http://epic.org/privacy/councilman/

     

  22.  
    John Fenderson, Mar 20th, 2014 @ 1:32pm

    Re: Re: Re:

    A thousand times this. Excepting for sites where I'm actually paying money for something, there isn't a single site that I have ever given the correct information to, and the events over the past few years have only underlined the wisdom of this practice.

     

  23.  
    Anonymous Coward, Mar 20th, 2014 @ 1:32pm

    They should follow the excempt example our governments are setting........oh wait

     

  24.  
    mr. sim, Mar 20th, 2014 @ 1:40pm

    I'm no legal scholar, but since Microsoft found the leaker through violating The Electronic Communications Privacy Act or the Wiretap Act, can the leaker be prosecuted, since all evidence is fruit of a poisonous tree?

     

  25.  
    Scote, Mar 20th, 2014 @ 2:02pm

    False sense of security

    Unless you use perfect digital hygiene doing that will only protect you from the most casual investigation. Even with cookies off, just your browser configuration can be cross indexed with a high degree of reliability to you.

     

  26.  
    btr1701, Mar 20th, 2014 @ 2:13pm

    Re:

    The "fruit of the poisonous tree" doctrine only applies to government (mis)behavior. Evidence obtained by private parties through violation of law is still admissible.

    If I break into your house to get evidence that you killed someone, that evidence will be admissible against you in court. I might *also* be arrested and charged with breaking/entering and burglary, but my crime doesn't change the admissibility of the evidence against you.

     

  27.  
    Who Cares, Mar 20th, 2014 @ 2:26pm

    Re:

    Nope. Just checked their ToS and they reserve the right to do what they did. It isn't privacy (or user) friendly but at least in the USA what MS did is legal.

     

  28.  
    Lurker Keith, Mar 20th, 2014 @ 2:29pm

    Re:

    MSN/ WLM Messenger is dead. A while ago they scrapped it completely & forced everyone to switch to Skype. The transition had a ton of problems.

     

  29.  
    John Fenderson, Mar 20th, 2014 @ 2:36pm

    Re: False sense of security

    Absolutely true. So? It's good enough to mess with most marketers.

     

  30.  
    John Fenderson, Mar 20th, 2014 @ 2:37pm

    Re: Re:

    I checked the ToS as well, and missed the part where they allow for this. Can you supply a quote?

     

  31.  
    Anonymous Coward, Mar 20th, 2014 @ 2:40pm

    Re:

    It isn't just hotmail though

    I'm certain Microsoft would have gladly begun hiring contractors to install spyware if the journalists were insightful enough to have not done business on a Microsoft service.

    Microsoft knows it's large enough to lie on every policy and take back every word they've ever said on agreements and be basically untouchable to those journalists.

    All megacorps are the same.

     

  32.  
    Dave Miller, Mar 20th, 2014 @ 2:54pm

    Re: Re: Re:

    http://www.microsoft.com/privacystatement/en-us/core/default.aspx?Componentid=pspOtherInformationModule&View=Description
    We also may share or disclose personal information, including the content of your communications: ... To protect the rights or property of Microsoft or our customers, including enforcing the terms governing your use of the services.


    Reading your personal information is a given, sharing it is what they explicitly give themselves permission to do.

     

  33.  
    Anonymous Coward, Mar 20th, 2014 @ 3:09pm

    Wait... a blogger doing a story on a Microsoft product was using a Microsoft email account to 'hide' their covert dealings with said Microsoft leaker? BAHAHAHA

    I don't know which is worse.. The blogger's stupidity for not using another email service or Microsoft's predictable evil blatantly violating an expectation of consumer privacy before one can even use their service.

     

  34.  
    JMT, Mar 20th, 2014 @ 4:59pm

    Re: Employment Contract

    "There is no story here."

    If you actually read the story you'll find there is...

     

  35.  
    nasch, Mar 20th, 2014 @ 6:14pm

    Re: Re: Re: Re:

    Excepting for sites where I'm actually paying money for something, there isn't a single site that I have ever given the correct information to, and the events over the past few years have only underlined the wisdom of this practice.

    From now on I'm registering as "John Fenderson" everywhere.

     

  36.  
    KevinEHayden, Mar 20th, 2014 @ 7:30pm

    He was a 'French' blogger

    Since the blogger was French, EU privacy laws may come into play here. Does anyone know if MS looking through this guy's data violates any laws over there? If I were MS I really wouldn't want any more trouble with the EU considering what happened the last time.

     

  37.  
    G Thompson, Mar 20th, 2014 @ 9:02pm

    Re: False sense of security

    Go do the test either at the EFF's panopticlick site [ https://panopticlick.eff.org/ ]

    or better still here http://fingerprint.pet-portal.eu/ and then if running Firefox grab their firegloves randomizer plugin (on top menu in yellow).. It works very well

     

  38.  
    G Thompson, Mar 20th, 2014 @ 9:12pm

    Re: Re:

    Agreed, though I'd be very much also looking at the reliability of that evidence since a highly biased legally unauthorised party (and remember this also comes under EU privacy data laws since the blogger sent data from EU and is an EU resident) has entered and gathered 'evidence' that though damning until independently verified under criminal evidence rules could only be used as probable cause.

    Either way Microsoft have allegedly committed criminal acts here under EU statutes and have created an absolute PR nightmare (especially in the currently volatile privacy environment we're now in worldwide) and anyone in any way who uses Microsoft's email accounts for personal or business use should destroy them and go elsewhere.

    It begs the question what other times have they allowed this to occur and have they used it for their own personal/business gain in other matters. i.e. corporate espionage, unfair trading, legal privilege.. the list is huge

     

  39.  
    Anonymous Coward, Mar 20th, 2014 @ 9:14pm

    Re: Employment Contract

    Sorry to disappoint you, my little apologist friend, but the reporter was not a Microsoft employee.

     

  40.  
    G Thompson, Mar 20th, 2014 @ 9:19pm

    Re: Re: Re: Re:

    Sorry I missed the part where a ToS or EULA or any contract gives them the right to circumvent any and all regulations, statutes, civil actions, and other varied unlawful/illegal situations.

    oh wait... it doesn't

     

  41.  
    That One Guy, Mar 21st, 2014 @ 1:43am

    Re: Re: Re: Re: Re:

    It does if you 'donate' enough to the right politicians.

     

  42.  
    ray, Mar 21st, 2014 @ 6:07am

    Re: Employment Contract

    They pulled the email of the blogger as well.

     

  43.  
    John Fenderson, Mar 21st, 2014 @ 6:59am

    Re: Re: Re: Re: Re:

    I encourage this! I'm already not the only "John Fenderson" around. The name has a special meaning and history in certain Discordian circles.

     

  44.  
    John Fenderson, Mar 21st, 2014 @ 7:00am

    Re: Re: Re: Re:

    Missed that. Yep, seems to cover it!

     

  45.  
    GEMont, Mar 23rd, 2014 @ 11:56am

    Oh wutta surprise!!

    Don't know what all the fuss is about.

    When it comes to MS, I would expect absolutely no less.

    If Microsloth says it honors client privacy, then it's certain that Microsloth does not honor client privacy.

    Like Government, if MS speaks, it lies.

     

  46.  
    Anonymous Coward, Mar 23rd, 2014 @ 10:47pm

    Re: Re: False sense of security

    [quote]Go do the test either at the EFF's panopticlick site [ https://panopticlick.eff.org/ ][/quote]

    If you're surfing like me with Javascript disabled (cookies enabled) for most sites, Firegloves actually makes you more identifiable - whether or not you "randomise" certain values like User Agent - it seems to default to FF 6.0. ;)

     
