Microsoft has always reserved the right to read and disclose your Hotmail messages

Microsoft's "Scroogled" campaign (no relation) boastfully compared Hotmail's privacy framework to Gmail's, condemning Google for "reading your mail." Now, Microsoft has admitted that it scoured the Hotmail messages belonging to the contacts of a suspected leaker in order to secure his arrest, and points out that Hotmail's terms of service have always given Microsoft the right to read your personal mail for any of a number of nebulously defined, general reasons.

The company says that it had an undisclosed "rigorous process" to determine when it is allowed to read and publish your private email. In a statement, it sets out what the process will be from now on (though it doesn't say what the process has been until now) and vows to include the instances in which it reads its users' mail in its transparency reports, except when it is secretly reading the Hotmail accounts of people who also work for Microsoft.

Here's a PGP tool that claims to work with Hotmail, and would theoretically leave your Hotmail messages unreadable to Microsoft, though the company could still mine your metadata (subject lines, social graph, etc).

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it's not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.

Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

Microsoft: We have the right to search your Hotmail account (updated) [Mariella Moon/Engadget]

Notable Replies

  1. Newsflash, all webmail providers can do this. That's the tradeoff for convenience, you leave your email on a remote server where it can be data mined at will.

  2. It isn't about the fact that they have the technical capability, that much is trivially obvious; it's about the fact that they've been running an insufferable ad campaign for who-knows-how-long-now about how privacytastic they are; but their actual privacy policy consists of 150 pages of output from a Markov process trained on randomly selected legal documents, along with a star chamber that houses adorable kangaroos.

    If anything, it's exactly those situations where an entity's ability to do something is essentially unfettered that their degree of dishonesty matters most. If they didn't have the capability, their honesty would be largely irrelevant.

  3. If I had something in a safe deposit box in a bank, could the bank just open it without a court order? I think that would be the scenario to compare here. It's not really "Microsoft searching itself." It's Microsoft giving someone a box to use for themselves and then searching the box.

  4. SamLL says:

    So you're saying, a blogger greatly angered Microsoft so they decided to rifle through the blogger's email account.

    Their policy sounds like "we won't look through your Hotmail messages, unless we really, really want to."

  5. Then they can go make a criminal complaint and someone can get a warrant.
