This week it was learned that an ex-Microsoft employee was arrested for leaking early copies of Windows 7 and 8.
Software architect Alex Kibkalo leaked a pre-release version of the operating systems as a way to get back at the company after a poor performance review. Kibkalo allegedly leaked the trade secrets to an unnamed “French technology blogger.”
It’s common to find leaked copies of Windows online, but what made Kibkalo’s leak different is that he stole Microsoft’s “Activation Server Software Development Kit”, the main software it uses to protect against piracy. Kibkalo told the blogger to share the kit online so others could circumvent the activation protections used for Microsoft Office and Windows.
The unnamed blogger contacted a Microsoft employee to check the validity of the kit. The Microsoft employee went to a company executive, who prompted an investigation after the kit was verified to be authentic.
As part of the investigation, Microsoft secretly accessed the Hotmail and Outlook.com accounts used by Kibkalo and the blogger. It was discovered that Kibkalo was illegally sharing trade secrets, and even described sneaking into Building 9 on Microsoft’s Redmond campus and attempting to copy a server.
Wait, Microsoft spied on somebody’s email?!
Yep, that’s what happened. Microsoft’s internal investigation team conducted a search on the pair’s Hotmail and Outlook accounts, an act that’s believed to be a violation of user privacy. Microsoft didn’t obtain a court order to carry out these searches, and some believe that its actions show just how little it cares about user privacy.
But though this might be unethical, it seems that Microsoft is in the clear, legally speaking.
Microsoft’s Terms of Service clearly state that the company “may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.”
Section b of the ToS gives Microsoft the right to access the accounts since it is protecting its own rights.
As for getting a court order, Microsoft’s Deputy General Counsel John Frank stated that it’s not really feasible to get a court order to search itself, which makes sense if you think about it. Would you need permission from another person to inspect your own body? But Frank did point out that circumstances should not reach the point where the company has to search its own service or customers unless doing so would be justifiable by a court order.
“The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency,” Frank said in a statement.
He added that the company will be implementing new practices in the future. These include having a legal team, separate from the internal investigation team, assess the evidence and decide whether a court order would be needed to carry out any searches, and submitting the evidence to an outside attorney who is a former federal judge.
Microsoft charges DITU for consumer data
In other Microsoft news, the Syrian Electronic Army, a hacker group loyal to Syrian President Bashar al-Assad, has posted leaked documents onto the web that seem to illustrate the fees the company charges the FBI whenever it views its customer information.
Yep, Microsoft apparently gets paid to let people snoop on you…
The documents contained invoices and emails between Microsoft’s Global Criminal Compliance team and the FBI’s Digital Intercept Technology Unit (DITU). They showed how much money Microsoft is charging DITU in terms of compliance costs, when DITU provides warrants and court orders for customers’ data.
The documents showed that in December 2012, Microsoft charged $100 per request for information, for a total of $145,100. In August 2013, Microsoft charged DITU $352,200, at a rate of $200 per request. The latest invoice was from November 2013, amounting to $281,000.
It might sound scandalous, but once again it looks as if Microsoft is in the clear. Lawyers and technologists see nothing wrong in charging DITU, as the company is well within its rights to charge for “reasonable expenses.” Also, charging for customers’ data makes things more transparent, as it provides a detailed record of government tracking. However, it is quite alarming how frequent these charges are, not to mention the mass of data the government is asking for each month.
A Microsoft spokesperson stated that “as pursuant to U.S. law, Microsoft is entitled to seek reimbursement for costs associated with compliance with valid legal demands. … To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders.”