Microsoft reviews investigation policies after admitting search of customer email

But the company says its actions in trade secrets inquiry were compliant with applicable law

Microsoft promised to subject itself to a more rigorous process before searching through its customers' email accounts in the future after a recent legal case revealed that the company searched for evidence of theft of its trade secrets in a Hotmail account.

A former Microsoft employee named Alex Kibkalo was arrested Wednesday on charges related to alleged leaking of prerelease Windows RT updates and product activation software to a French blogger in July and August 2012.

Court filings revealed that Microsoft's internal investigation involved searching through the French blogger's Hotmail account where it found emails from Kibkalo. Hotmail has since been rebranded as

"After confirmation that the data was Microsoft's proprietary trade secret, on September 7, 2012, Microsoft's Office of Legal Compliance (OLC) approved content pull of the blogger's Hotmail account," FBI Special Agent Armando Ramirez wrote in a criminal complaint filed with the U.S. District Court in Seattle.

Microsoft also searched through Kibkalo's instant messaging conversations and his account with SkyDrive, the company's cloud file hosting service that's now called OneDrive.

While it appears that the terms of service for Microsoft's online services allows the company to access users' content "to protect the rights and property of Microsoft," among other things, the incident drew criticism from privacy advocates and other users on social media.

"I can't wait for Microsoft's next Scroogled ad, slamming Google for violating the privacy of Gmail users," Christopher Soghoian, principal technologist at the American Civil Liberties Union, said on Twitter following the revelations. "Microsoft likes to brag that they have more 'trained privacy professionals' than any other company. What were they doing during HotmailGate?" he said in a separate message.

John Frank, Microsoft's deputy general counsel and vice president for legal and corporate affairs, defended the company's actions Thursday in a blog post, saying the company took "extraordinary actions based on the specific circumstances" and it "applied a rigorous process" before reviewing the content.

"Courts do not, however, issue orders authorizing someone to search themselves," Frank said. "So even when we believe we have probable cause, there's not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises."

Microsoft had a dedicated legal team working separately from the internal investigation to review the evidence and meet "a standard comparable to that required to obtain a legal order to search other sites," Frank said, adding that the company's actions were within its policies and applicable law.

While Microsoft hasn't announced any plans to modify its terms of service to disallow this type of internal customer data searches in the future, the company does plan to make some changes to the process that governs this type of investigations.

"We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available," Frank said.

In addition to using separate teams for legal review and internal investigations, the company plans to send the evidence that it believes would otherwise justify a court order to an outside attorney who used to be a judge.

"We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order," Frank said.

The company also plans to start including data about the number of internal searches and the number of accounts they affected in its bi-annual transparency reports that currently include data on searches conducted in response to government and court orders.

Despite the promise of external oversight in the form of approval from a former judge, some privacy advocates don't think such searches are appropriate to begin with.

"We believe that this behavior is in fundamental contradiction with the principles of the Global Network Initiative, of which Microsoft is a leading member," said Joe McNamee, executive director of European Digital Rights (EDRi), in email. EDRi is a pan-European association of digital rights organizations.

"How can they say that it is appropriate for a private company to grant itself arbitrary access to private communications and support the GNI principle that 'Everyone should be free from illegal or arbitrary interference with the right to privacy and should have the right to the protection of the law against such interference or attacks?" McNamee asked.

The Global Network Initiative is a multistakeholder group founded in 2008 whose stated mission is to advance privacy and freedom of expression online. Its members include human rights and press freedom groups, academics, investors, online services providers -- including Google, Microsoft, Facebook and Yahoo -- and other technology vendors.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityEuropean Digital Rightsdata protectionprivacy

More about FacebookFBIGoogleHotmailMicrosoftYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place