Microsoft read the email of Hotmail users without a warrant, in order to catch someone who'd leaked some Microsoft software. When they were caught out, the pointed out that they'd always reserved the right to read Hotmail users' email, and tried to reassure other Hotmail users by saying that they were beefing up the internal process by which they decided whose mail to read and when.
Now, citing the "'post-Snowden era' in which people rightly focus on the ways others use their personal information," the company has announced that it will not read its users' email anymore when investigating theft or copyright violations -- instead, it will refer this sort of thing to the police in future (they still reserve the right to read your Hotmail messages without a court order under other circumstances).
As Techdirt's Mike Masnick points out, this is a most welcome change. The message announcing the change by Brad Smith (General Counsel & Executive Vice President, Legal & Corporate Affairs) is thoughtful and forthright. It announces a future round-table on the questions raised by the company's snooping that the Electronic Frontier Foundation can participate in.
Smith asks a seemingly rhetorical question: "What is the best way to strike the balance in other circumstances that involve, on the one hand, consumer privacy interests, and on the other hand, protecting people and the security of Internet services they use?" That is indeed a fascinating question, but in the specific case of Hotmail, I feel like it has a pretty obvious answer: change your terms of service so that you promise not to read your customers' email without a court order. Then, if you think there's a situation that warrants invading your customers' privacy, get a court order. This is just basic rule-of-law stuff, and it's the kind of thing you'd hope Microsoft's General Counsel would find obvious.
The fact that the question is being raised casts more light on Microsoft's extensive "Scroogled" campaign, which (rightly) took Google to task for having a business-model that was predicated on harvesting titanic amounts of personal data. The takeaway here is that while Microsoft's business-model (at the moment) is less privacy-invading than Google's, that is not due to any inherent squeamishness about spying on people -- rather, it's just a practical upshot of its longstanding practices.
In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.
While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.
This also has focused our attention on other important questions about the privacy interests of consumers as they use services across the Internet. What is the best way to strike the balance in other circumstances that involve, on the one hand, consumer privacy interests, and on the other hand, protecting people and the security of Internet services they use? It’s an important question across the tech sector. And it’s the type of question we believe would benefit from broader discussion rather than a single company or industry trying to divine the answers by itself.