Can Microsoft snoop through your email when it thinks it has a case against you?

The biggest risk to the privacy of your Microsoft email account might be Microsoft itself

During the past year the National Security Administration and other electronic intelligence agencies have been much maligned for their intelligence gathering practices. The most controversial element of the NSA’s data-hoovering program, PRISM, had the complicity of corporations like Google, Facebook and Microsoft. After Edward Snowden’s leaks brought PRISM into the center of the political conversation, all the companies on the infamous PRISM slide made immediate promises to protect against government intrusion by requiring court orders and internal reviews by legal counsel when presented with an intercept request.

But what if it was neither a government nor a cybercriminal snooping through your emails, but your email provider itself?

Consider the case of Alex Kibkalo, the ex-Microsoft employee recently arrested for leaking early versions of Windows 8 to a technology blogger. Microsoft investigators looking to plug the leak found their smoking gun by looking through the Hotmail inbox of the technology blogger (he’s not being named in court documents).

For its part, Microsoft says the inbox search was legal, because a clause in the terms and conditions for Hotmail (now Outlook) gives Microsoft the authority to do this in exceptional circumstances.

The clause reads:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.

Microsoft also says it has a stringent internal review process to determine when it can peek inside a user’s inbox, one it describes as a “standard comparable to that required to obtain a legal order to search other sites.”

Microsoft’s General Counsel, John Frank, posted a statement on the company’s TechNet blog explaining Microsoft’s justification for the privacy intrusion and promising to increase the burden of proof threshold in the future:

We believe that Outlook and Hotmail email are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.

Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business. And in these cases, the review will be confined to the subject matter of the investigation.

Going forward, the big challenge for Microsoft in its case against Kibkalo will be to ensure that the evidence is admissible in court. Here’s what Washington state law, the Revised Code of Washington, says about an individual or corporation intercepting private communications:

RCW 9.73.020: Every person who shall wilfully open or read, or cause to be opened or read, any sealed message, letter or telegram intended for another person, or publish the whole or any portion of such a message, letter or telegram, knowing it to have been opened or read without authority, shall be guilty of a misdemeanor.

RCW 9.73.030: (1) Except as otherwise provided in this chapter, it shall be unlawful for any individual, partnership, corporation, association, or the state of Washington, its agencies, and political subdivisions to intercept, or record any:

(a) Private communication transmitted by telephone, telegraph, radio, or other device between two or more individuals between points within or without the state by any device electronic or otherwise designed to record and/or transmit said communication regardless how such device is powered or actuated, without first obtaining the consent of all the participants in the communication;

(b) Private conversation, by any device electronic or otherwise designed to record or transmit such conversation regardless how the device is powered or actuated without first obtaining the consent of all the persons engaged in the conversation.

But in the era of PRISM, warrantless wiretapping, and metadata collection, it is questionable whether the courts would be receptive to such an argument. The law is fairly clear cut that an individual or corporation can’t intercept another’s communication simply because it believes it is being wronged. But, at the same time, Microsoft’s lawyers might present the case that users consent to Microsoft snooping around with the click of a button when they accept the email service’s terms of service. Microsoft may have some wiggle room if it can argue that Washington’s two-party recording consent laws, which state that a conversation may only be recorded if both parties agree to it, apply to its email service. But that’s an uphill battle, and Kibkalo’s lawyers have a strong case to get the evidence obtained from the technology blogger’s inbox thrown out.