If the EFF wants to continue pretending that they're still primarily a legal outfit, I want one of their lawyers to prepare an actual brief or at least a citation on this matter of law on which they have deigned to hold court.
I am of course not a lawyer, but the inability of what is ostensibly a legal advocacy group to fail to attempt a prima facie case on violation of a law is just too pathetic for me to care.
Stuff like "HTTPSEverywhere" isn't entirely a legal advocacy matter, either. I don't think EFF needs to constrain itself to legal advocacy to be an effective organization. Making technical and policy recommendations to private companies and individuals (as producers and consumers) seems fine.
"At first blush, Microsoft’s unilateral decision to rifle through its user’s emails sounds like a violation of the Electronic Communications Privacy Act, ECPA. We at EFF have called for critical updates to ECPA’s privacy protections, but the law is fundamentally designed to protect email from this kind of snooping, albeit with some narrow exceptions."
The charge is that they violated the spirit but not the letter of ECPA
The point isn't that Microsoft have done anything illegal[0] it is what they have done is crappy and privacy invading. If Microsoft's actions are legal (regardless of whether they should be) any legal case would be bogus and almost certainly lose; achieving nothing.
The EFF doesn't constrain themselves to just writing briefs in an effort to make sure that only the current laws on the books are interpreted in a sane fashion. Have you not seen them advocate for policy changes or against poor policy changes (e.g. SOPA)?
I think I would prefer an ethical one. Most interesting problems are not legal—the law simply reflects the solution. I think the EFF correctly identified this as a problem, even if they aren't going to be fined by the government.
Kind of the way it is with every service, unless you take extra measures to protect yourself. E.g., PGP, careful selection of data you upload, or just not using any cloud services in the first place.
There are many online-services, where there is no such right given to the hosting company to read the data contained in the service. I would say, that such a statement is rather uncommon (may be changed by the eMail providers MS and Google).
And: In my opinion, they just pretend! In my country, such a behavior could well be contested in court in my opinion, because we normally have strong rights protecting communications.
Not defending MS at all but what is the alternative for them? What people want is the judicial oversight. But can Microsoft really go to a court and say "hey judge, we're Microsoft, we want a warrant for Microsoft to provide this"?
Ideally, I'd like to see a situation where you (1) have a contract protecting user data which is reasonably enforceable given the power dynamics which exist between the two parties, and (2) it's required for a judge to arbitrate whether a given situation provides justification to breach that contract.
Where "judge" is proxy for a nominally impartial third party who nominally has the experience to make an informed decision which reasonably protects the interests of both parties, the public interest, and our stated commitments to civil liberties. And we already make routine use of judges for this function in cases where the data or other artifacts are not possessed by the party who wants extraordinary permission to access them.
Agreed -- based on MS's statement they went through a fairly rigorous internal procedure (of course, they could be lying, but it seems fairly unlikely particularly given the regulatory attention MS generally has on it). I don't fully understand what people think they "should" have done to access the emails -- waste a court's time on a meaningless judgement?
>When you act rightfully, it is never wasting time of the legal system!
In this case, it really would be a waste of time. Microsoft wouldn't be seeking a subpoena, nor are they a government seeking a warrant. Microsoft would just be asking the court for permission to do something the court cannot grant.
There's no legal question, unless say, someone were to sue Microsoft for accessing their data.
I am not familiar with the US law system, but in our country it would be normal, that for example my landlord has to go to court before he can search my house, even when he is the owner. And the warrant is not against the landlord, but against me.
So I disagree with your statement, at least in my country it would be not wasting anything ... but DOING THE RIGHT THING!
And I would really wonder, if in the US the landlord could just search your house, because he thinks that you might have stolen something of him -- with the argument, that he does not want to "waste anybodies time"!
I think the problem is that we have extensive precedent in the USA that warrants to search cloud data are properly presented to the cloud hosting provider, NOT the "owner" of the data -- in fact, the data owner is often prohibited from even knowing that the process is taking place.
Others have pointed out that this is a clear way in which cloud storage is fundamentally different from local storage, which one might not expect -- being able to be secure in one's papers, a fundamental right in the US, only pertains if the papers are physically located on your person or property.
I'm overextending here, but I think the physical analogy applies as well -- if the police want to search a rented storage locker, the search warrant is served to the storage company, not the lessee of the locker.
If in the US information is only secure, if in your own possession (not any trustee or similar), than cloud storage and any online service of vital documents is just impossible in the US.
If this is the case: I don't think, that many companies are aware of this. But that would render the worth of online services to void for many companies.
If you have information you want to keep private or secure, it's your responsibility to ensure that it private or secure. This means understanding the agreements you make when you store said data in certain locations.
> I don't think, that many companies are aware of this.
No, many companies are in fact aware of this. This is the reason there providers that do provide increased security and oversight as far as data access goes. Apple, Google, and Microsoft just happen to provide free email services that aren't that secure if you violate their T&C.
> than cloud storage and any online service of vital documents is just impossible in the US.
Yeah, if you think using a cloud service outside the US immediately makes you immune to these problems, you are the one who isn't aware of the situation.
> Yeah, if you think using a cloud service outside the US immediately makes you immune to these problems, you are the one who isn't aware of the situation.
If you read my statements carefully, I did not say that. But in my country there are different laws and I know that many cloud service providers do not have privacy holes as Hotmail has in their legal statements.
I also said, that I don't know how the law in the US is, but some statements here made the impression, that companies like MS could just do what they want.
They should have called the FBI, the FBI would have requested a warrant, the Judge would have approved the warrant, and the FBI would have accessed the information in the user's account.
That doesn't provide a remedy when you only want to launch a civil investigation, not a criminal one. And given how frequently the criminal process is abused to go after relatively minor crimes (e.g. Aaron Swartz), this is probably something we shouldn't encourage.
I disagree. Having this person criminally charged for violating a civil contract (the non-disclosure contract with his now-former employer) is a bad idea. The FBI, or even the City of Redmond Police Department, will require that there be at least the probability of a crime having been committed before they'll go in front of a judge.
Whether or not we agree with the law is a separate matter from whether or not a crime was committed -- which they had reasonable suspicion to believe it was. Therefore, they should have gone in front of a judge for a warrant.
It's far too idealist to be realistic, but they shouldn't be able to use that information for their own civil inquiry. If gmail or pgp were used they wouldn't have access to it, it being a Microsoft account shouldn't make its contents available to them for a private investigation. Of course it does and probably always will because they have lots of lawyers and terms of service, but I just disagree with them being able to.
I agree that if they have to do this investigation (and really they're the ones that will ultimately decide that) they shouldn't get anyone else involved - especially the criminal justice system.
I think what I'm trying to get at is that the conversation is turning here toward just how should Microsoft access the data they want, when it should be whether they should be able to at all. I don't like the idea that it's a given that they can take that information, and that's what should change here.
Except for the T&C you signed with Hotmail when you signed up to explicitly allow them to go through your email.
If you are actually stupid enough to leak trade secrets for Microsoft's premiere product, while using Hotmail to do it, well you really deserve what you get.
I don't know, how the situation in the US is, but in my country, if a landlord would add a statement in the rental agreement, that he can search your home, such a statement would be void from the beginning! Because you can't break or bend the law just by adding a statement in a contract in my country.
I agree with the stupidity on evidence, but Microsoft's taking advantage of that stupidity of course underlines that they will read your email if they think it is to their advantage to do so and can make a legally satisfactory argument.
> But can Microsoft really go to a court and say "hey judge, we're Microsoft, we want a warrant for Microsoft to provide this"?
Yes. They want people to use their products, don't they? I'm not going to spend money on a product that gives me zero assurance that I have control of my information.
Can you cite any precedent where a court has agreed to hear such an argument? This is not a rhetorical question - I'm genuinely curious whether civil procedure allows it. As a non-lawyer (and MSFT employee) who is interested in the law, the closest thing I can think of is a motion for declaratory judgment, but even there I think you need an actual case or controversy before the judge will hear arguments.
You can't be serious. Microsoft could have filed complaint against employee with law enforcement agency who then would have received warrant to search any properties that law enforcement agency deemed as required.
Key here is that Microsoft is not searching itself. Content of the email account does not belong to Microsoft, it belongs to the user. To search it Microsoft needs explicit permission of user or law enforcement agency.
Indeed. Consider this: you are a budding new software engineer, and you've used gmail since it came out. Now you start work at google. And now, google is entitled to search through your email? (Replace outlook.com/hotmail and microsoft, or y! mail and yahoo! etc)
Microsoft's actions in this case are pretty predictable, and the fact that this is a "story" at all just highlights the lowest common denominator news cycle (or alternatively the out of touch entitlement of webmail users).
But just think if they had filed a civil suit and gone to court for discovery of information that they had possession of but conceivably not the right to - they could have created a nice legal precedent and ended up being lauded by the EFF!
I think they should just leave their users property alone, and act like a dumb conduit without the ability to inspect. Find other ways to solve the problem. Do what they would do if they were not in the convenient position of being the email host.
You missed that "what they would do if they were not in the convenient position of being the email host" is subpoena the email host. Unfortunately, you can't really subpoena yourself. Nor is it clear that they could subpoena the user here and compel the user to give information to Microsoft that Microsoft already has.
The EFF suggests getting the FBI involved and having them serve a court-approved warrant, but that doesn't work if you want to keep this a purely civil process and not involve the police (and given recent abuse of police powers for relatively minor crimes, getting the FBI involved is probably not something to be categorically encouraged).
Someone sharing proprietary info using your email platform, and its completely in their right as per eua to look at it, then damn right they should have reviewed the leakers account.
The guy knowingly received proprietary info.
Eff is almost like a troll sometimes
For one summer between semesters I worked for a MS call center who handled hotmail which we could read peoples mail if wanted.
We didn't as MS has great auditing
As for me: MS has discredited itself with this behavior.
How can I know, that MS will not open my Word or Excel documents that I have in the Online-Office system, because it may contain information of value to its business -- or it may infringe on patents MS holds?
So, neither MS online mail products, nor online office systems can be trusted any more! Any business owner should know this and withdraw from usage of any MS owned online systems.
Completely agreed. Also, I think starting with Windows 8.1, if you're logged in to Windows with a Microsoft account, your documents get saved automatically to Microsoft's cloud. I would watch out for that, especially if you have sensitive documents.
If they could get a court order, why did they not do so?
I am really amused about the law feeling in the US. It seems to me, that in the US it is enough that a big company thinks that it can get a court order -- in that case nothing else is needed -- don't waste the time of the courts just go on.
Why not allow MS to also do the punishment -- don't waste any court-time!
Really cute!
To come to your question: There are cases, where you can get warrants because you infringe patents. So, when MS thinks, that I could infringe one -- why not search my office documents first??
Is this enough example? I would say, there could be thousands ... just imagine a world where the lawyers of the big companies make the court decisions ... <sarcastic>would be OK, they are making the laws anyway!</sarcastic>
Maybe, maybe not. Perhaps I am an employee with a big technology company like google and my company has a wide array of partnerships, contracts, and ongoing lawsuits with various microsoft business units. Some court may give a court order to disclose some email from some employees of my company, but Microsoft might just decide to search every hotmail account of every employee of my company for whatever reason they want, and only reveal extremely limited subset as required by specific litigation.
Completely agree. As a convicted monopolist Microsoft at the very least needs this kind of behavior, especially conducting search on its own without any law enforcement order.
"So, neither MS online mail products, nor online office systems can be trusted any more! Any business owner should know this and withdraw from usage of any MS owned online systems"
FYI: Google and Yahoo have similar policies and similar histories of abuse.
If you feel this way about Microsoft, you should feel this way about Google products, sites and services too.
So, neither MS online mail products, nor online office systems can be trusted any more!
can you back this up with proper evidence? If I get it correctly, the hotmail EULA sort of allowed to do MS what they did. So does the Online-Office system (is that the same as Skydrive actually?) have a similar EULA? If so, then your statement seems valid. Else you are comparing apples with, erm, something that still comes close to apples: legally MS can't do that - which is no guarantee that they won't. Apart from that, like with probably any cloud service, there is always the risk a thir party like the NSA does whatever they want with your data anyway.
I ask myself, why the rights of the (big) owners of "Intellectual Property" are strengthened all the time, but the rights of the small owners of Private information are reduced and reduced.
This is equivalent to USPS opening your mail because they were tipped off of wrongdoing against their company, with no evidence whatsoever. Do you have a problem with that? Well too bad, its "their" mail.
Many Randians believe that a free and unregulated capitalist market is the best solution to most problems. This is being put forth as an example of a problem with allowing private corporations such a central role in society without any oversight beyond the "invisible hand" of the market.
This is situation I feel would not matter in this case. We live in a very regulated societies and corporations always have had a very central role as it is. Go further into the past and just replace corporations with the elites, the wealthy and the aristocracy. Very regulated and large governments easily produce the series of financial and human rights disasters we have seen in the past decade.
It's still buyer beware. Don't use services which say they can look at your email if they want to. Self-interested organizations and people will act self interested, it's a bit of a no-brainer.
In this example no government oversight would probably work much better. If a carrier starts opening your mails, they would lose their customer base and other services would come up. Also, you could probably stipulate this in the terms of service so that you can have a legal recourse if the carrier violates the contract. With government intervention, all carriers would be subject to government bullying, legal or otherwise. Which scenario would you prefer?
I think it's been shown many times that the depth of consumer considerations of technical and ethical issue is about as deep as a puddle. Most of people simply have neither the background nor time to understand them, and simply assume that whoever's on top is doing things right.
For Microsoft, this is very much a win the battle, lose the war situation. While they were perfectly within their legal rights to access the Hotmail account, it was horribly bad optics. It just looks bad. And it's stuff like this that makes cloud services a hard sell to a large demographic.
So while this may blow over, people will be more paranoid that Microsoft will decide that they have the right to look at your data, just because it exists on their servers.
Google isn't much better in this regard. Amazon so far is better positioned because they don't offer any other private "consumer" services that they'd want to review. But really unless you have the hardware in your physical possession, you will always be subject to these problems.
What worries me is that FBI or NSA could've established a sort of relationship with Microsoft, where they don't even need to get court orders or warrants, because they can get them from "Microsoft" voluntarily, and Microsoft can just take the data from the users without any other judicial step, and give it to them. Wouldn't this type of loophole work in theory? I wonder if this is what the Snowden documents meant about Microsoft and NSA's "team sport":
Everyone who uses Hotmail, Gmail, Google Drive, OneDrive, Google Docs, Dropbox, Evernote, and countless other similar services needs to keep in mind the following quip (which I stole from somewhere on the Internet):
Today's word: The cloud.
Explanation: Someone else's computer.
I'm a user of various cloud services, but I'm not naive enough to have any expectation of privacy, from either that company or from the NSA. Period. Full stop.
"with intent to convert trade secrets belonging to Microsoft, specifically Microsoft's Activation Server Software Development Kit, to the economic benefit of someone other than Microsoft" "All in violation of Title 18, United States Code, Section 1832(a)(2), (a)(4), and 2."
Unlikely. I don't think a reasonable court would conclude that one has to have a specific beneficiary in mind to satisfy the prong of intent to benefit a third party.
What a bunch of pathetic hypocrites. Spending money on lame smear campaigns against Google while snooping through the emails and documents of their users.
It's a pity Google isn't vindictive because if they were they would make this two faces lying company pay. On the plus side, whenever Microshits even try to bring up privacy concerns about Google we can always shut them up by pointing out how their favorite company really does business.
85 comments
[ 0.25 ms ] story [ 152 ms ] threadI am of course not a lawyer, but the inability of what is ostensibly a legal advocacy group to fail to attempt a prima facie case on violation of a law is just too pathetic for me to care.
The charge is that they violated the spirit but not the letter of ECPA
[0] They haven't as far as I am aware.
I think I would prefer an ethical one. Most interesting problems are not legal—the law simply reflects the solution. I think the EFF correctly identified this as a problem, even if they aren't going to be fined by the government.
We may access information about you, including the content of your communications to protect the rights or property of Microsoft.
In short, you agreed that they can search any of your shit without warrant or permission if they deem that you are a risk to Microsoft in anyway.
[1] http://privacy.microsoft.com/en-us/fullnotice.mspx
And: In my opinion, they just pretend! In my country, such a behavior could well be contested in court in my opinion, because we normally have strong rights protecting communications.
Where "judge" is proxy for a nominally impartial third party who nominally has the experience to make an informed decision which reasonably protects the interests of both parties, the public interest, and our stated commitments to civil liberties. And we already make routine use of judges for this function in cases where the data or other artifacts are not possessed by the party who wants extraordinary permission to access them.
When you act rightfully, it is never wasting time of the legal system!
Because I can do something (without asking anybody else) it needs not to be right!
In this case, it really would be a waste of time. Microsoft wouldn't be seeking a subpoena, nor are they a government seeking a warrant. Microsoft would just be asking the court for permission to do something the court cannot grant.
There's no legal question, unless say, someone were to sue Microsoft for accessing their data.
So I disagree with your statement, at least in my country it would be not wasting anything ... but DOING THE RIGHT THING!
And I would really wonder, if in the US the landlord could just search your house, because he thinks that you might have stolen something of him -- with the argument, that he does not want to "waste anybodies time"!
Others have pointed out that this is a clear way in which cloud storage is fundamentally different from local storage, which one might not expect -- being able to be secure in one's papers, a fundamental right in the US, only pertains if the papers are physically located on your person or property.
I'm overextending here, but I think the physical analogy applies as well -- if the police want to search a rented storage locker, the search warrant is served to the storage company, not the lessee of the locker.
If this is the case: I don't think, that many companies are aware of this. But that would render the worth of online services to void for many companies.
Or are we living in a world of morons?
If you have information you want to keep private or secure, it's your responsibility to ensure that it private or secure. This means understanding the agreements you make when you store said data in certain locations.
> I don't think, that many companies are aware of this.
No, many companies are in fact aware of this. This is the reason there providers that do provide increased security and oversight as far as data access goes. Apple, Google, and Microsoft just happen to provide free email services that aren't that secure if you violate their T&C.
> than cloud storage and any online service of vital documents is just impossible in the US.
Yeah, if you think using a cloud service outside the US immediately makes you immune to these problems, you are the one who isn't aware of the situation.
If you read my statements carefully, I did not say that. But in my country there are different laws and I know that many cloud service providers do not have privacy holes as Hotmail has in their legal statements.
I also said, that I don't know how the law in the US is, but some statements here made the impression, that companies like MS could just do what they want.
That would have been the correct way to do it.
Whether or not we agree with the law is a separate matter from whether or not a crime was committed -- which they had reasonable suspicion to believe it was. Therefore, they should have gone in front of a judge for a warrant.
I agree that if they have to do this investigation (and really they're the ones that will ultimately decide that) they shouldn't get anyone else involved - especially the criminal justice system.
I think what I'm trying to get at is that the conversation is turning here toward just how should Microsoft access the data they want, when it should be whether they should be able to at all. I don't like the idea that it's a given that they can take that information, and that's what should change here.
If you are actually stupid enough to leak trade secrets for Microsoft's premiere product, while using Hotmail to do it, well you really deserve what you get.
verb 1. justify or necessitate (a certain course of action).
Yes. They want people to use their products, don't they? I'm not going to spend money on a product that gives me zero assurance that I have control of my information.
Key here is that Microsoft is not searching itself. Content of the email account does not belong to Microsoft, it belongs to the user. To search it Microsoft needs explicit permission of user or law enforcement agency.
But just think if they had filed a civil suit and gone to court for discovery of information that they had possession of but conceivably not the right to - they could have created a nice legal precedent and ended up being lauded by the EFF!
The EFF suggests getting the FBI involved and having them serve a court-approved warrant, but that doesn't work if you want to keep this a purely civil process and not involve the police (and given recent abuse of police powers for relatively minor crimes, getting the FBI involved is probably not something to be categorically encouraged).
Someone sharing proprietary info using your email platform, and its completely in their right as per eua to look at it, then damn right they should have reviewed the leakers account.
The guy knowingly received proprietary info.
Eff is almost like a troll sometimes
For one summer between semesters I worked for a MS call center who handled hotmail which we could read peoples mail if wanted. We didn't as MS has great auditing
It's almost like they're trying to free email from being a corporate black hole.
How can I know, that MS will not open my Word or Excel documents that I have in the Online-Office system, because it may contain information of value to its business -- or it may infringe on patents MS holds?
So, neither MS online mail products, nor online office systems can be trusted any more! Any business owner should know this and withdraw from usage of any MS owned online systems.
But after this happening, MS can write anything in their statements, it can not be trusted! (since statements can be changed anyway)
I am really amused about the law feeling in the US. It seems to me, that in the US it is enough that a big company thinks that it can get a court order -- in that case nothing else is needed -- don't waste the time of the courts just go on.
Why not allow MS to also do the punishment -- don't waste any court-time!
Really cute!
To come to your question: There are cases, where you can get warrants because you infringe patents. So, when MS thinks, that I could infringe one -- why not search my office documents first??
Is this enough example? I would say, there could be thousands ... just imagine a world where the lawyers of the big companies make the court decisions ... <sarcastic>would be OK, they are making the laws anyway!</sarcastic>
FYI: Google and Yahoo have similar policies and similar histories of abuse.
If you feel this way about Microsoft, you should feel this way about Google products, sites and services too.
http://www.theguardian.com/technology/2014/mar/21/yahoo-goog...
http://uncrunched.com/2014/03/21/google-spied-gmail/
can you back this up with proper evidence? If I get it correctly, the hotmail EULA sort of allowed to do MS what they did. So does the Online-Office system (is that the same as Skydrive actually?) have a similar EULA? If so, then your statement seems valid. Else you are comparing apples with, erm, something that still comes close to apples: legally MS can't do that - which is no guarantee that they won't. Apart from that, like with probably any cloud service, there is always the risk a thir party like the NSA does whatever they want with your data anyway.
Something I just can't comprehend.
However, this guy used a company's email-service to try to leak proprietary business info about the same company.
You can't seriously expect to get away with that.
Randian utopia at its finest.
It's still buyer beware. Don't use services which say they can look at your email if they want to. Self-interested organizations and people will act self interested, it's a bit of a no-brainer.
So while this may blow over, people will be more paranoid that Microsoft will decide that they have the right to look at your data, just because it exists on their servers.
Google isn't much better in this regard. Amazon so far is better positioned because they don't offer any other private "consumer" services that they'd want to review. But really unless you have the hardware in your physical possession, you will always be subject to these problems.
It is mind-boggling that they could have shared the kinds of details they did with the press about their behavior.
"We busted a criminal. Along the way, we shat in the corner. We got the criminal really good."
How in the world could they have missed that second sentence? It's just incredible. My mouth is agape.
http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...
Cough... cough...
http://www.law.cornell.edu/uscode/text/18/1832
So had Alex Kibkalo simply published this in the public domain, there would be no criminal case?
What a bunch of pathetic hypocrites. Spending money on lame smear campaigns against Google while snooping through the emails and documents of their users.
It's a pity Google isn't vindictive because if they were they would make this two faces lying company pay. On the plus side, whenever Microshits even try to bring up privacy concerns about Google we can always shut them up by pointing out how their favorite company really does business.