Critics Upset as Microsoft Conducts Email Search in Leak Investigation

Microsoft was caught searching through the contents of its users’ communications without a search warrant as part of an internal investigation.

Late last week it emerged that Microsoft had searched through the contents of a French blogger’s Hotmail account in order to track down the source of a leak of proprietary information from the Redmond, Wash., tech giant.

The Electronic Frontier Foundation and transparency advocates have expressed stark disapproval of the entire situation. The EFF is even suggesting that Microsoft’s actions here constitute a direct violation of the Electronic Communications Privacy Act (ECPA).

The saga began when a Microsoft employee named Alex Kibkalo allegedly stole protected information pertaining to Microsoft’s Activation Server Software Developer’s Kit (SDK) and emailed it – via Hotmail, which is owned and operated by Microsoft – to a French blogger.

Around August 2012, Microsoft became aware that someone had leaked the SDK after the blogger in question – who is not named in the criminal complaint filed against Kibkalo in September 2012 – began posting screenshots of unreleased Windows operating system features. Microsoft’s Trustworthy Computing Investigations (TWCI), the division of the company tasked with protecting it against both external and internal threats, launched an investigation accordingly.

In early September 2012, an unnamed person contacted former president of the Windows Division of Microsoft, Steven Sinofsky. This source had been contacted by the blogger in order to confirm that the code he had received was in fact proprietary Microsoft code. In an interview with the TWCI, the source indicated that the blogger had contacted the source via Hotmail.

According to the complaint (which was acquired by the Register), “After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account.”

Upon examining the contents of the blogger’s email account, Microsoft found Kibkalo’s correspondence with the blogger. The company then provided all of this information to the FBI, which arrested Kibkalo and charged him with the theft of trade secrets.

Microsoft published a response to the emergence of these facts, noting that it would make certain changes to its policies, but ultimately defending its right to search the contents of its users’ communication without legal oversight.

“Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed,” wrote John Frank, deputy general counsel and vice president of legal and corporate affairs. “So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.”

Frank goes on to claim that the company acted within its terms of service by conducting “a limited review of this third party’s Microsoft operated accounts,” which the company only undertakes in “the most exceptional circumstances” after “[applying] a rigorous process before reviewing such content.”

Frank also acknowledges public concern regarding the company’s actions, and says the company will adhere to the following policies moving forward:

  • Microsoft will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.
  • To ensure compliance with the standards applicable to obtaining a court order, Microsoft will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. It will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As a new and additional step, the company will then submit this evidence to an outside attorney who is a former federal judge. It will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
  • Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. Microsoft says it will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
  • Finally, the company believes it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. The company therefore will publish as part of its bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

“Unfortunately, this new policy just doubles down on Microsoft’s indefensible and tone-deaf actions in the Kibkalo case,” says EFF legal fellow Andrew Crocker. “It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching ‘itself,’ rather than the contents of its user’s email on servers it controlled.”

Had the company believed it had probable cause to search one of its users’ Hotmail accounts, Crocker continues, Microsoft could have easily presented its case to the FBI and acquired a proper search warrant.

“To be sure, the process described in Microsoft’s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less,” Crocker writes. “Let’s call it Warrants for Windows!”

Crocker admits that while this search may have revealed criminal activity, it was also conducted in Microsoft’s own self-interest, and, therefore, sets an extremely dangerous precedent.
