What a difference a few hours makes.
Yesterday, we heard news that ex-Microsoft employee and Russian nationalist, Alex Kibkalo, has been arrested for stealing trade secrets and delivering them to an external source. That news bloomed over the course of the day and ended in a reveal that Microsoft had collected its hard evidence against Kibkalo by sifting through the Hotmail account of the external source.
On the surface, this doesn't seem like much, considering the Hotmail/Outlook terms and conditions reads:
We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.
Based on the legalese, Microsoft had every right to do what they did in sifting through email accounts stored in their own Cloud. But, the backlash from the news later forced Microsoft to issue a statement saying that the company will be revising its privacy policies for its Cloud email services. In a formal post, Deputy General Counsel & Vice President, Legal & Corporate Affairs at Microsoft, John Frank defended Microsoft's actions (and rightly, so), but then went on to announce that changes are in the works to strengthen processes and increase transparency. Microsoft was clearly aware of the public backlash over snooping (or Scroogling itself) and had to act quickly to minimize damage. Frank says, "The privacy of our customers is incredibly important to us."
Basically, it's easier to ask forgiveness than to ask permission.
So, from the time the news broke yesterday morning until John Frank issued his statement, the original story was completely clouded (pun intended) over. Like a TV episode of 24, the story about a Russian spy stealing corporate secrets and handing them off to a cloaked liaison turned to a tale of hate over big-headed corporate culpability.
Personally, I have no issue with how Microsoft handled the situation. They had every right to snoop through their own servers. The terms and conditions give the company clear legal right.
BUT…
This entire story should be evidence enough for companies investing in moving data and applications to the Cloud that, no matter what the Cloud provider says up front or during sales negotiations, once the contract is signed anything that resides on servers owned by the Cloud provider, becomes property of the Cloud provider.
Cloud providers will say things like "it's your data, we just store it for you," to create a cushion of trust and a false sense of security. That's simply not the case.
Apple co-founder, Steve Wozniak, said it best in August 2012, when he said:
"With the cloud, you don’t own anything. You already signed it away. The more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it."
In the same stretch, Wozniak also pontificated:
"I really worry about everything going into the cloud. I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years."
Through this single, but fully warranted legal action, Microsoft has proven the point that when companies choose to store data in the Cloud, they are unwittingly forfeiting ownership. This is not just a Hotmail/Outlook issue. This transcends to all Microsoft Cloud properties (Windows Azure, Xbox Live, OneDrive, etc.). And, this is a horrible problem.
For a consumerized, Facebook heavy world, this is not an issue. Consumers are giving up privacy daily. But, for businesses that need to retain control and ownership, it's unfathomable and unacceptable.
Again, it's my belief that there was nothing wrong in the way Microsoft conducted itself. The company had every legal right to "protect the personal safety of Microsoft employees, customers, or the public." As a company interested in storing data in the Cloud, you should be extremely dilligent in reading each provider's terms of service (TOS) related to privacy, data retention, and legal processes. Sometimes a single provider offers various services and each one has its own, different TOS. Don't be so confident that the same rules that apply to one service applies the same across all of them.
Microsoft's privacy policies for Hotmail/Outlook definitely took a hit yesterday, but it's good to hear they are working to improve them should similar actions be required in the future.
