Privacy Concerns Dog Microsoft After Arrest of Windows Leaker

Microsoft institutes changes after it's revealed that the company peered into a Hotmail account during its investigation of leaked software.

Alex Kibkalo, an ex-employee of Microsoft, was arrested in Seattle on March 19 in connection with some major leaks at the software giant. But it's Microsoft that's drawing the public's ire.

During the company's investigation, it accessed the Hotmail account of a blogger who had been in touch with Kibkalo and collected confidential files from the former Microsoft software architect, including a software development kit (SDK) used in validating product keys. Microsoft gathered the information from Hotmail, which it owns, without a court order.

Jennifer Granick, a Stanford Center for Internet and Society attorney, called the move "stupid" in a New York Times report. "What blogger will use that service now?"

No laws appear to have been broken by Microsoft, as its "actions were within the boundaries of the Electronic Communications Privacy Act, which allows service providers to read and disclose customers' communications if it is necessary to protect the rights or property of the service provider," said the report. Nonetheless, the law isn't shielding the Redmond, Wash.-based tech behemoth from criticism.

"Microsoft essentially decided that whatever privacy expectation that its own customers supposedly had was basically a dead letter," Edward Wasserman, the dean of the Graduate School of Journalism at University of California, Berkeley, told the paper. "It simply decided that in its own corporate interest, it can intrude on a person's email."

Prefacing his remarks by stating that it's his company's belief that "Outlook and Hotmail email are and should be private," John Frank, Microsoft general counsel, said in a statement that in this particular case, his company "took extraordinary actions based on the specific circumstances." The company acted to "protect our customers and the security and integrity of our products," he added.

Frank then laid out the legal reasoning guiding Microsoft's actions, which adhered to its own terms of service, as it conducted its investigation.

He argued that courts do not "issue orders authorizing someone to search themselves, since obviously no such order is needed." No applicable court process exists "for an investigation such as this one relating to the information stored on servers located on our own premises," even when Microsoft believes it has probable cause.

"While our actions were within our policies and applicable law in this previous case, we understand the concerns that people have," admitted Frank. He said that as a result of those concerns, Microsoft "will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available."

Part of the process involves a legal team that operates independently from the internal investigating team to determine if a court order would otherwise be issued by a judge. "As a new and additional step, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order," assured Frank.

Pedro Hernandez


Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...