This week Microsoft revealed that, without a warrant, it accessed the Hotmail account of a French blogger in order to track down an employee leaking source code to some of its products, ultimately leading to that employee’s arrest. Microsoft’s actions created an uproar among users, causing it to spell out both its means, and its justification. Microsoft claims it needs to establish if “there is evidence sufficient for a court order” before conducting any searches, as allowed under its terms of service (the ones you read and agreed to). In response, Electronic Frontier Foundation fellow Andrew Crocker calls Redmond’s claim that it can’t obtain a warrant on itself a false premise with massive potential for abuse. Instead of “Warrants for Windows,” he argues that bringing in the FBI and obtaining a warrant is not only possible, but that it would be in line with Microsoft’s policy to require a warrant before revealing user info to others.
Though the process may be legal, a larger queasiness arises because, as worded, Microsoft’s TOS could submit a user’s inbox to those searches merely by violating its Code of Conduct. That could happen by (for example) emailing links that depict nudity, incite or express profanity, or facilitate the sale of firearms. Crocker himself states that, presumably, Microsoft isn’t using these standards as an excuse to dig through Outlook.com inboxes. His problem with its actions is more that by relying only on permission given by internal and external legal teams and its TOS, but not the actual court system, a potential for abuse exists.
As The Guardian details, other providers like Apple, Google and Yahoo (or likely AOL, which owns this blog) have similarly worded policies that could be used to access user data in order to protect their property. We asked Crocker about those, and he states that the EFF’s criticism stands in regards to similar policies, and that, while this particular case likely arose from an unusual set of circumstances, the fact we have no way of knowing if a company accessed our data is troubling (In the update on its policies, Microsoft said it would include data on the number of these types of searches in its bi-annual transparency report). In one case, TechCrunch founder Mike Arrington even claimed that while he cannot be sure, he’s “nearly certain” Google may have accessed his Gmail inbox to sniff out a leaker. Whatever the case, we suddenly have some weekend reading time set aside for the topic of end-to-end encryption with GNU Privacy Guard and “how to setup your own email server.”