Microsoft caught and fired an employee who leaked confidential software to a French blogger. That blogger then published screenshots of Windows 8 to the Internet before Microsoft’s official announcement. The employee also secretly released, without authorization, a tool that could have allowed for the unauthorized activation of copies of Windows, potentially harming Microsoft’s ability to derive revenue from its software products.
The manner in which the leaker was caught was detailed in a suit filed by the U.S. government against the employee. (Microsoft commented on the situation. Its comment is included below.) Included in the report was a note that Microsoft decided it was within its legal authority to tap into the Hotmail account of the external blogger tied to the leaks, and read email and instant messages.
The blogger had emailed Microsoft looking for clarification regarding some of the software that he had received from the internal source. Microsoft connected the blogger’s email address to the publication where the leaks had been published. So the company took a peek.
Was it legal for Microsoft to do so? Microsoft’s Terms of Service allow it to access information in the accounts that are stored on its “Communications Services,” a group of products that may include: “e-mail services, bulletin board services, chat areas, news groups, forums, communities, personal web pages, calendars, photo albums, file cabinets and/or other message or communication facilities designed to enable you to communicate with others.”
The Terms of Service is blunt: “Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion.” That statement is preceded by a tepid promise of some sort of privacy: “Microsoft has no obligation to monitor the Communication Services.” Here are just a few of the things that you are not allowed to use Microsoft services for:
While Microsoft is within its legal right to access the emails in question, it is embarrassing for the company: It has spent untold sums attacking Google’s email service for its automatic scanning of email messages in order to better serve ad content against them.
Both Google and Microsoft scan email for viruses, making Microsoft’s contentions in the ‘Scroogled’ campaign tepid at best and asinine at worst. Thus, to have it become known that Microsoft is willing to enter the accounts of a blogger — journalist, really — to plug its own hole is tinged with hypocrisy.
Microsoft won’t read your email unless they pretty much want to — then, too bad.
Microsoft provided TechCrunch with a statement regarding the situation and past actions:
During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.
You can decide on the morality for yourself. Here are the pertinent sections of the suit:
Image credit: Todd Bishop, under CC BY 2.0 license