
Microsoft Says: Come Back With A Warrant, Unless You’re Microsoft

March 21, 2014 by  


This article, written by Andrew Crocker, originally appeared March 21, 2014 on the website of the Electronic Frontier Foundation.

EFF has long argued that law enforcement agencies must get a warrant when they ask Internet companies for the content of their users’ communications. In 2013, as part of our annual Who Has Your Back report, we started awarding stars to companies that require warrants for content. It is now unclear whether Microsoft, one of our inaugural “gold star” companies in that category, is willing to live by its own maxim.

This controversy was brought to light by the arrest of an ex-Microsoft employee named Alex Kibkalo. According to a criminal complaint sworn in a Seattle federal court, Kibkalo stole proprietary information from Microsoft, including its Activation Server Software Development Kit (SDK), and passed the code to a French blogger. The complaint alleges that Kibkalo committed criminal trade secret theft. What’s troubling is that the FBI’s basis for the arrest was an open-ended, warrantless search of a Hotmail user’s account, conducted by Microsoft itself.

In September 2012, Microsoft’s internal security team received a tip that an anonymous blogger was in possession of the SDK source code. Conveniently for Microsoft, however, the French blogger, who has not been accused of any crime, communicated with Microsoft’s tipster using Hotmail. Since Microsoft runs Hotmail, it simply searched through the contents of that email account for evidence of the SDK leak. Gallingly, the Kibkalo complaint states that Microsoft’s Office of Legal Compliance signed off on this “content pull.”

At first blush, Microsoft’s unilateral decision to rifle through its user’s emails sounds like a violation of the Electronic Communications Privacy Act, ECPA. We at EFF have called for critical updates to ECPA’s privacy protections, but the law is fundamentally designed to protect email from this kind of snooping, albeit with some narrow exceptions.

Microsoft’s initial statement in response explained, “While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances.” Realizing that this wouldn’t cut it, the company’s deputy general counsel subsequently announced a new policy for conducting these searches in the future:

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.  So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available.  In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge.  We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Unfortunately, this new policy just doubles down on Microsoft’s indefensible and tone-deaf actions in the Kibkalo case. It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled.

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

To be sure, the process described in Microsoft’s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less. Let’s call it Warrants for Windows!

The monumental problem here is that Microsoft’s process has none of the protections provided by our legal system. No matter how fairly this process operates in any particular situation, approval by an employee paid by Microsoft, no matter how well qualified, is not approval of a “neutral and detached magistrate,” as required by the Fourth Amendment. Similarly, the protections provided to criminal suspects by the Fifth and Sixth Amendments wouldn’t apply to Microsoft’s internal investigation. In short, “Come back with a warrant” is meaningless when the FBI doesn’t get involved until after all the evidence has been collected.

Yet another colossal problem with Microsoft’s policy is its potential for abuse. Microsoft’s initial statement explained that the Microsoft Services Agreement (TOS) granted it “permission” to conduct the searches. But a brief check of these terms shows that Microsoft reserves the right to conduct searches in far more scenarios than merely “exceptional circumstances.” That’s because Section 5.2 of the TOS states:

Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content . . . when Microsoft forms a good faith belief that doing so is necessary . . . . (b) to enforce this agreement or protect the rights or property of Microsoft or our customers[.]

And according to Section 3.5, one of the ways users can violate the agreement and thus give Microsoft “permission” to access their content is to email content that violates the company’s Code of Conduct. Spoiler alert: the Code of Conduct is ridiculously broad.

A few examples of things that would violate the Code of Conduct and allow search and disclosure of Hotmail email content:

Emailing “links to external sites that violate this Code of Conduct” such as by “depict[ing] nudity of any sort.” So you’re out of luck if you wanted to send your friend a link to Wikipedia, because the encyclopedia contains a fair number of articles containing nudity. Nor could you link to a Peanuts cartoon, because Snoopy is eternally pantsless, and Microsoft specifically prohibits links to “nudity in non-human forms such as cartoons.”

Similarly, linking to external content that violates the Code by “incit[ing] [or] express[ing] … profanity.” That means no YouTube, because it has, for example, clips of George Carlin’s Seven Dirty Words routine.

“[P]romoting or otherwise facilitate[ing] the purchase and sale of ammunition or firearms.” Best to unsubscribe from that NRA mailing list.

Presumably, Microsoft isn’t using these sorts of violations as an excuse to rifle through its users’ emails. But when it relies on permission from its TOS to do so, it reserves the right to abuse.

The search in the Kibkalo case may have revealed criminal activity, but it was also conducted in Microsoft’s self-interest, which is an exceedingly dangerous precedent. Combined with the kangaroo court potential of the company’s new internal Warrants for Windows policy, Microsoft is playing with fire. It should have followed its own advice and asked the FBI to step in with a warrant.

Electronic Frontier Foundation

From the Internet to the iPod, technologies are transforming our society and empowering us as speakers, citizens, creators, and consumers. When our freedoms in the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line of defense. EFF broke new ground when it was founded in 1990—well before the Internet was on most people's radar—and continues to confront cutting-edge issues defending free speech, privacy, innovation, and consumer rights today. From the beginning, EFF has championed the public interest in every critical battle affecting digital rights. https://www.eff.org/
