Microsoft Will No Longer Inspect Personal Data When a Crime is Suspected


Facing criticism from privacy rights advocates, Microsoft on Friday reversed course and announced new policies for examining Microsoft-owned and hosted email and other services when it suspects a crime has been committed against the company. Now, the software giant will let law enforcement determine whether to investigate these crimes instead.


"Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer's private content ourselves," Microsoft general counsel Brad Smith writes in a post to a corporate blog. "Instead, we will refer the matter to law enforcement if further action is required."

How Microsoft got to this point is interesting. And to be clear, the firm's original policy—which became the subject of public debate only after it belatedly sought the arrest of an ex-employee who was stealing from the company—was perfectly legal.

As I wrote previously in "Ex-Microsoftie Arrested for Pirating Windows Activation Software," Microsoft was alerted in August 2012 that one of its employees was stealing intellectual property from the company and distributing it to a so-called "blogger"—which is a bit of a stretch, but whatever—with the ultimately fanciful goal of creating a fake activation server. The plan was for the two to control and use it to sell illegal Windows 8 activation codes online.

After examining the claim, Microsoft's Office of Legal Compliance (OLC) OK'd an analysis of the blogger's Hotmail-based email in September 2012. What they found backed up the claim, and they began searching his accounts on other Microsoft-owned services such as Windows Live Messenger for more evidence. The employee later admitted to the crimes and was subsequently arrested earlier this month.

Although the story is lurid enough on its own, many started questioning Microsoft's decision to search a private individual's digital correspondence. Wasn't this a major privacy violation?

Technically, no. Microsoft—like Google, Apple, Yahoo! and others that maintain email and other digital services—reserves this right in the terms of service that users agree to when they sign on. And the employee in question, of course, is covered by even broader rules. But Microsoft is pliable, if anything, and perhaps a bit too easy to manipulate through public feedback. So it has made two major changes to its policies since the ex-employee's arrest was announced less than two weeks ago.

Facing criticism of its actions, Microsoft first said that it would engage an outside legal expert before it began examining the contents of its own services. And then the firm announced more sweeping changes this past Friday.

"Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers," Mr. Smith noted. "We've entered a 'post-Snowden era' in which people rightly focus on the ways others use their personal information ... rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures."

This sequence of events thoroughly changes the perception of both Microsoft and its online services competitors, none of whom have agreed to behave in a similarly privacy-conscious way. In the wake of the ex-employee arrest, many openly called on journalists, bloggers, and other online personalities to drop their Hotmail, Office 365 and other Microsoft accounts and use rival services instead. But given the changes this past week, these people would be crazy to use any other companies' services for correspondence: Only Microsoft is promising to refer to law enforcement in extreme cases and to never read user email regardless.
