For just over a year, Microsoft has been attacking Google over email privacy. Consumers are getting “Scroogled” by a Google that doesn’t respect privacy, it has said. Microsoft can now retire that Scroogled campaign. After violating the privacy of a third party’s email account, Microsoft’s not in a position to take the high road any longer.
The Privacy Invasion
This week, a case against a former Microsoft employee made the news. The employee is accused of passing trade secrets — software code and other information about Windows — to an unidentified blogger. Some argue he (we do know he’s a he) is also a journalist. Others disagree.
How did Microsoft track down the employee doing this? By going into the blogger’s Hotmail account and reading his email without the blogger’s permission. The blogger had contacted someone outside Microsoft for help verifying some of the information they were receiving. That person passed along the information — including the blogger’s Hotmail email address — so that Microsoft would learn of it.
Someone at Microsoft then had the idea that since they knew the blogger was using Hotmail — Microsoft’s free email system for consumers now called Outlook.com — why not just go into the person’s email and see if there was information linking that person to anyone at Microsoft?
Sworn testimony from an FBI agent who is part of the investigation explains all this:
In particular, Microsoft’s Office of Legal Compliance reviewed the situation, then decided that since Microsoft’s trade secrets were involved, it was OK to approve “content pulls” from the blogger’s account.
Microsoft Was Supposed To Respect Email Privacy
Let’s be very clear about what happened. Microsoft didn’t go into the email account of one of its employees, which many laws do allow. It went into the email account of one of its customers, one of those customers that it’s in a very public battle with Google to win over, with the value proposition that unlike Google, Microsoft respects email privacy:
The screenshot above is the big opener to Microsoft’s Scroogled site, the section on email privacy that positions Gmail as bad, Outlook as good. The message is clear: Google doesn’t respect privacy.
That’s continued throughout the page. One section says:
Your email is nobody else’s business. But Google makes it their business.
Or from a video that’s on the site:
You need email that respects your privacy.
But as this week’s revelations make clear, Microsoft will respect your email privacy right up to the point where Microsoft’s own self-interests may be involved.
That Google Does It “More” Doesn’t Make It Better
Of course, Microsoft’s Scroogled campaign is all about how Google “reads” email to deliver ads, and there’s a fair point that Google’s automatic scanning of email impacts vastly more people (hundreds of millions) than this action by Microsoft, which seems a largely one-off incident (though there may be others we don’t know about).
Indeed, this should have been a big week for Microsoft to extend its Scroogled campaign. While Google won a victory when a “wiretapping” case involving Gmail was denied class-action status, it emerged that Google is creating long-term “Content Onebox” profiles based on the emails people get for targeting purposes.
That’s pretty disturbing. This isn’t just Google quickly targeting ads based on the content of a particular email. It’s profiling, and it’s happening even to people at schools using a version of Gmail that’s ad free. They might not get the ads but apparently they do get profiled for them in the future.
But people are also used to having ads targeted to them. In particular, they’re used to Google doing that in Gmail. It’s not new — Gmail turns 10 years old next month. If it were a big privacy concern for consumers, it would have long ago killed Gmail. And all of Microsoft’s efforts over the past year to whip it back up as a concern have done, as best I can tell, nothing to gain consumers.
What consumers might be more concerned about is the idea that a human being at a company (rather than an automated program) might decide to read their email if the company feels there’s something in its own interest to protect. That’s what happened in the Microsoft situation — and it wasn’t some rogue employee acting alone; it was done with full corporate approval.
What next? If Microsoft suspects someone is using an illegally-obtained product key, and it knows that person is an Outlook user, will it go into their accounts for proof?
Taking such actions is a Pandora’s Box of bad potentials Microsoft really didn’t want to open. And opening that up involving someone considered a journalist by some is one of the worst things it could have done. This now means any pitch Microsoft makes to journalists about it respecting privacy more than Google is going to immediately have them thinking “but what about how you went into that blogger’s account?”
Believe me, they’ll know about that. And they won’t forget.
The Microsoft “Had The Right” Is Beside The Point
Another key point in all this is that no one’s really questioning if Microsoft broke any laws. It probably didn’t. Microsoft, just like Yahoo, Google and Apple — as the Guardian points out — has broad terms allowing this.
Major companies all have Pandora’s Boxes. The issue is how often they open them. Google hasn’t come under fire for using its terms as permission to have actual human beings read third-party emails to serve its interests (though that might change, now that Michael Arrington writes of being “almost certain” that someone at Google read his Gmail account after breaking a major story).
Microsoft has now, very publicly, gone into someone’s email with actual human readers to serve itself. Box opened, and hard to close.
Microsoft’s “We Can’t Be Ordered To Search Ourselves” Argument
In the fallout from all this, Microsoft is taking a “we had no other choice” type of argument for the privacy violation it undertook. In a statement today, it writes:
Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.
I’m looking forward to a few lawyers taking a harder look at this. I’m not a lawyer, so I could be way off base. But there’s a lot that feels more PR than legal in this.
Again, technically and legally, Microsoft doesn’t seem to need a court order to do anything with stuff on its servers. Terms are often so broad that companies can do whatever they want (which is why worrying about terms no one reads is often a waste of time — consumers depend on a reputation for trust).
But Microsoft also wasn’t searching itself. It was searching the contents of a third-party’s email account. It was searching someone else.
To say there’s no applicable court process in such a case seems absurd. I could own an apartment complex and think there’s wrongdoing in an apartment I rent. That doesn’t mean I have to walk in and investigate it myself. Rather, I could go to law enforcement and follow the instructions I’m given — which might include them asking for entry or determining that a court should give entry.
Microsoft did none of this, not that it has disclosed. It was doing an internal investigation, seemed to figure there was information within a third-party’s account and then, without apparently going to law enforcement, went into that account to gain more information. Law enforcement, as best I can tell, was contacted after this was done.
We’ll never know if a court actually couldn’t have ordered Microsoft to search the account or not. Or whether the FBI investigating the case might have requested that. We don’t know that, because as far as we know, Microsoft unilaterally made the decision to go in on its own.
I also don’t find this reassuring:
As part of the investigation, we undertook a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We applied a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites.
Do you know who really knows if there’s a standard met that’s comparable to a legal order? The legal system. I’d far rather trust the legal system to tell me if Microsoft is meeting legal standards rather than Microsoft itself saying that’s the case.
If I took that statement above and changed “Microsoft” to “Google,” Microsoft would have had a field day with Google offering reassurance that, don’t worry, you can trust us, everything we did was just as good as any court would have done.
Microsoft says that in the future, it won’t do such things unless “the circumstances would justify a court order.” If it really is the case that court orders are impossible, I’d encourage the company to step up further and say it won’t do such a thing until some legal process has also been involved, where applicable.
It is reassuring that, for the first time, the company is also pledging to reveal a count of how often it goes into people’s emails as part of internal investigations. That’s a standard we should see other companies meet, as well — including Google.
Overall, I do believe what Microsoft did is a relatively rare thing that should give most consumers little panic. But in terms of positioning itself as the protector of email privacy, I can’t see that Microsoft has anywhere near the high ground now that it was trying to claim against Gmail and Google.
Postscript (March 28): A week later, kudos to Microsoft, which has done exactly what I hoped and will involve law enforcement before going into customer data. From a new blog post on the topic:
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.