Microsoft accessed Hotmail account to uncover internal leaker

This week’s charging of a former Microsoft employee with stealing the company’s trade secrets could have passed almost unnoticed were it not for an important detail revealed in the court filing: in order to discover his identity, Microsoft resorted to rifling through another person’s private Hotmail account.

Alex Kibkalo, a former Microsoft employee who left the company in 2012, allegedly stole Windows 8 source code, software development kits, some documents, and more, and stored it all in his personal Windows Live SkyDrive account. He sent links to the files via Windows Live Messenger and to a French blogger (unnamed in the filing) who was known for leaking details about the then still unreleased Windows 8.

The blogger wanted to confirm that the code he had been sent was genuine, so he asked an unnamed person in Redmond to look at it. This person got in touch with Microsoft instead, and indicated that the blogger used a Microsoft Hotmail e-mail address (now Outlook.com).

Once Microsoft confirmed that the code was theirs, they made an unorthodox move: after consulting the company’s Office of Legal Compliance and getting the green light, they accessed the blogger’s Hotmail account for clues about the leaker.

It’s worth noting that Microsoft didn’t do anything illegal, as the company’s Services Agreement clearly states that:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.

After a predictable and natural outcry from privacy advocates, journalists and the public following these revelations, John Frank, VP and deputy general counsel at Microsoft’s Office of Legal & Corporate Affairs went into “user trust recovery” mode and published a blog post detailing their decision and future actions in similar cases.

He explained that they worked with law enforcement in this investigation, but that courts do not issue orders authorizing someone to search themselves.

“So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises,” he said. So they turned to the legal team for permission.

“While our actions were within our policies and applicable law in this previous case, we understand the concerns that people have,” he admitted, and explained the steps they will go through if a similar case arises in the future, including submitting the evidence they have to an outside attorney who is a former federal judge and proceeding according to his or her opinion.

Microsoft might have worked within the bounds of the law while doing this, but it’s certainly ironic that the Redmond giant has for years publicly harped on Google’s automated scanning of Gmail content in order to serve targeted ads, and then pulled a move like this one.

And they are almost certainly not the only ones.

“Though described as an ‘extraordinary action’, similar incidents of cloud service providers accessing our confidential data are far too common. The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not,” commented Charlie Howe, EMEA Director at Skyhigh Networks.

“For instance, I would guess that most people don’t actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services.”