How Microsoft Scroogled Itself As The Defender Of Email Privacy Over Google

For just over a year, Microsoft has been attacking Google over email privacy. Consumers are getting “Scroogled” by a Google that doesn’t respect privacy, it has said. Microsoft can now retire that Scroogled campaign. After violating the privacy of a third-party’s email account, Microsoft’s not in a position to be taking the high-road, any longer.

The Privacy Invasion

This week, a case against a former Microsoft employee made the news. The employee is accused of passing trade secrets — software code and other information about Windows — to an unidentified blogger. Some argue he (we do know he’s a he) is also a journalist. Others disagree.

How did Microsoft track down the employee doing this? By going into the blogger’s Hotmail account and reading his email without the blogger’s permission. The blogger had contacted someone outside Microsoft for help verifying some of the information they were receiving. That person passed along the information — including the blogger’s Hotmail email address — so that Microsoft would learn of it.

Someone at Microsoft then had the idea that since they knew the blogger was using Hotmail — Microsoft’s free email system for consumers now called — why not just go into the person’s email and see if there was information linking that person to anyone at Microsoft.

Sworn testimony from an FBI agent who is part of the investigation explains all this:

Microsoft Email Privacy

In particular, Microsoft’s Office of Legal Compliance reviewed the situation, then decided that since Microsoft’s trade secrets were involved, it was OK to approve “content pulls” from the blogger’s account.

Microsoft Was Supposed To Respect Email Privacy

Let’s be very clear about what happened. Microsoft didn’t go into the email account of one of its employees, which many laws do allow. It went into the email account of one of its customers, one of those customers that it’s in a very public battle with Google to win over, with the value proposition that unlike Google, Microsoft respects email privacy:

Don't Get Scroogled

The screenshot above is the big opener to Microsoft’s Scroogled site, the section on email privacy that positions Gmail as bad, Outlook as good. The message is clear: Google doesn’t respect privacy.

That’s continued throughout the page. One section says:

Your email is nobody else’s business. But Google makes it their business.

Or from a video that’s on the site:

You need email that respects your privacy.

But as this week’s revelations make clear, Microsoft will respect your email privacy right up to the point where Microsoft’s own self-interests may be involved.

That Google Does It “More” Doesn’t Make It Better

Of course, Microsoft’s Scroogled campaign is all about how Google “reads” email to deliver ads, and there’s a fair point that Google’s automatic scanning of email impacts vastly more people (hundreds of millions) than this action by Microsoft, which seems a largely one-off incident (though there may be others we don’t know about).

Indeed, this should have been a big week for Microsoft to extend its Scroogled campaign. While Google won a victory when a “wiretapping” case involving Gmail was denied class-action status, it emerged that Google is creating long-term “Content Onebox” profiles based on the emails people get for targeting purposes.

That’s pretty disturbing. This isn’t just Google quickly targeting ads based on the content of a particular email. It’s profiling, and it’s happening even to people at schools using a version of Gmail that’s ad free. They might not get the ads but apparently they do get profiled for them in the future.

But people are also used to having ads targeted to them. In particular, they’re used to Google doing that in Gmail. It’s not new — Gmail turns 10 years old later next month. If it were a big privacy concern for consumers, it would have long ago killed Gmail. And all of Microsoft’s efforts over the past year to whip it back up as a concern have done, as best I can tell, nothing to gain consumers.

What consumers might be more concerned about is the idea that a human being at a company (rather than an automated program) might decide to read their email if the company feels there’s something in its own interest to protect. That’s what happened in the Microsoft situation — and it wasn’t just some rogue employee doing it but rather done with full corporate approval.

What next? If Microsoft suspects someone is using an illegally-obtained product key, and it knows that person is an Outlook user, will it go into their accounts for proof?

Taking such actions is a Pandora’s Box of bad potentials Microsoft really didn’t want to open. And opening that up involving someone considered journalist to some is one of the worst things it could have done. This now means any pitch Microsoft makes to journalists about it respecting privacy more than Google is going to immediately have them thinking “but what about how you went into that blogger’s account?”

Believe me, they’ll know about that. And they won’t forget.

The Microsoft “Had The Right” Is Beside The Point

Another key point in all this is that no one’s really questioning if Microsoft broke any laws. It probably didn’t. Microsoft, just like Yahoo, Google and Apple — as the Guardian points out – has broad terms allowing this.

Major companies all have Pandora’s Boxes. The issue is how often they open them. Google hasn’t come under fire for using its terms as permission to have actual human beings read third-party emails to serve its interests (though that might change, now that Michael Arrington writes being “almost certain” that someone at Google read his Gmail account after breaking a major story).

Microsoft has now, very publicly, gone into someone’s email with actual human readers to serve itself. Box opened, and hard-to-close.

Microsoft’s “We Can’t Be Ordered To Search Ourselves” Argument

In the fallout from all this, Microsoft is taking a “we had no other choice” type of argument, for the privacy violation it undertook. In a statement today, it writes:

Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.

I’m looking forward to a few lawyers taking a harder look at this. I’m not a lawyer, so I could be way off base. But there’s a lot that feels more PR than legal in this.

Again, technically and legally, Microsoft doesn’t seem to need a court order to do anything with stuff on its servers. Terms are often so broad that companies can do whatever they want (which is why worrying about terms no one reads is often a waste-of-time — consumers depend on a reputation for trust).

But Microsoft also wasn’t searching itself. It was searching the contents of a third-party’s email account. It was searching someone else.

To say there’s no applicable court process in such a case seems absurd. I could own an apartment complex and think there’s wrong-doing in an apartment I rent. That doesn’t mean I have to walk in and investigate it myself. Rather, I could go to law enforcement and follow the instructions I’m given — which might include them asking for entry or determining that a court should give entry.

Microsoft did none of this, not that it has disclosed. It was doing an internal investigation, seemed to figure there was information within a third-party’s account and then, without apparently going to law enforcement, went into that account to gain more information. Law enforcement, as best I can tell, was contacted after this was done.

We’ll never know if a court actually couldn’t have ordered Microsoft to search the account or not. Or whether the FBI investigating the case might have requested that. We don’t know that, because as far as we know, Microsoft unilaterally made the decision to go in on its own.

I also don’t find this reassuring:

As part of the investigation, we undertook a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We applied a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites.

Do you know who really knows if there’s a standard met that’s comparable to a legal order? The legal system. I’d far rather trust the legal system to tell me if Microsoft is meeting legal standards rather than Microsoft itself saying that’s the case.

If I took that statement above and changed “Microsoft” to “Google,” Microsoft would have had a field day with Google reassuring that don’t worry, you can trust us, everything we did was just as good as any court would have done.

Going Forward

Microsoft says that in the future, it won’t do such things in the future unless “the circumstances would justify a court order.” If it really is the case that court orders are impossible, I’d encourage the company to step up further and say it won’t do such a thing until some legal process has also been involved, where applicable.

It is reassuring that, for the first time, the company is also pledging to reveal a count of how often it goes into people’s emails as part of internal investigations. That’s a standard we should see other companies meet, as well — including Google.

Overall, I do believe what Microsoft did is a relatively rare thing that should give most consumers little panic. But in terms of positioning itself as the protector of email privacy, I can’t see that Microsoft has anywhere near the high-ground now that it was trying to claim against Gmail and Google.

Postscript (March 28): A week later, kudos to Microsoft, which has done exactly what I hoped and will involve law enforcement before going into customer data. From a new blog post on the topic:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

Related Topics: Channel: Email Marketing | Google: Gmail | Legal: Privacy | Microsoft: Outlook | Microsoft: Scroogled | Top News


About The Author: is Founding Editor of Marketing Land. He’s a widely cited authority on search marketing and internet marketing issues, who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

Connect with the author via: Email | Twitter | Google+ | LinkedIn

Marketing Day:

Get the top marketing stories daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • warcaster

    Here’s your #1 mistake. Your assumed Microsoft has EVER had high-ground on Google in terms of privacy. They never did. Maybe Microsoft never had such advanced data mining algorithms as Google, but in terms of protecting your privacy, and abusing your privacy through their own employees like they’ve done it now, they’ve been a lot worse than Google. Starting from being the first company to join PRISM and have “team play” with the NSA, to not using encryption on their services, or later on PFS, or encryption between their email servers, and so on.

    Also, if tech writers would’ve paid attention, they would’ve seen Microsoft’s ToS for their cloud services is just as bad if not worse than Google’s. So lesson for next time: just because a company puts out an add trashing their competitors, doesn’t make them any better.

  • Michael Martinez

    You have so little information about those NSA programs you really don’t need to embarrass yourself with such faulty logic. Danny is merely pointing out that Microsoft has now publicly outed itself for doing what it has accused Google of doing (sort of).

  • Danny Sullivan

    Well, actually I never made that assumption. And yes, I know exactly the issues with the terms of service and, in fact, have written them before:

  • PStrohm

    They are microsoft.

    microsoft and hypocrite are synonymous.

  • cipnrkorvo

    It’s good at least that Microsoft is saying they won’t do this again. Still I think it’s not enough: they should be totally transparent about everything, including tell its users if the government does a data request.

    The EFF made a nice list of sites that protect or don’t protect your privacy (including Microsoft and Google), based on different criteria. You can find it here

    Of course Microsoft will be less well rated in the 2014 report, since they crossed the line now by cheating their users. It’s interesting to see Google isn’t that bad. They would just need to tell its users about government data requests, in order to gain people’s trust. All in all, Twitter has the best privacy. Too bad they don’t have an email service.

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!