Blogger PSA: Don’t Use Microsoft’s Web Mail to Receive Microsoft Leaks
Pro tip: When leaking or receiving leaks about a company, don’t use that company’s Web mail service.
One of the revelations in this week’s case of a Microsoft worker who leaked pre-release Windows 8 software was that Microsoft accessed the Hotmail account of the blogger to whom the data was leaked. And it did so without a court order.
Well, it turns out Microsoft was apparently within its rights to do so, having explicitly carved out the right to access communications to protect its own intellectual property. Note section b in the excerpt from the Terms of Service below:
We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.
Microsoft defended its actions in a statement late Wednesday:
During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.