Microsoft said it will honor its privacy commitments to its customers, even those it suspects may be thieves.
In a blog post Friday, Microsoft executive VP and general counsel Brad Smith said that the company has reflected on the criticism it received over how it handled a 2012 case in which its investigators accessed the Hotmail account of a blogger alleged to have received stolen Windows code from a disgruntled employee. As a consequence of internal conversations and input from advocacy groups, Microsoft has decided that its privacy promises should also be binding on its own employees and agents.
"Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer's private content ourselves. Instead, we will refer the matter to law enforcement if further action is required," said Smith.
Smith said Microsoft will incorporate this change into its terms of service to clarify its commitment to customers and to make it binding.
Over the past week, Microsoft has been the target of withering criticism from privacy advocates who pointed out the hypocrisy of Microsoft's Scroogled ad campaign -- which takes Google to task for using algorithms to read Gmail messages to target ads -- in light of its own behavior. While many acknowledged that Microsoft may have been within its rights to access a customer account outside of normal legal processes, they said it was a stupid thing to do because of the damage done to the company's image.
The Electronic Frontier Foundation suggested in a blog post last week that Microsoft's decision to access the Hotmail user's account might qualify as a violation of the Electronic Communications Privacy Act (ECPA). Smith maintains Microsoft's actions were lawful.
The advocacy group said that Microsoft's insistence that its terms of service allow such action is itself worrying because so many possible actions could violate its code of conduct, thereby granting the company access. The EFF noted that merely linking to a Peanuts cartoon would be enough to justify a suspension of user privacy "because Snoopy is eternally pantsless, and Microsoft specifically prohibits links to 'nudity in non-human forms such as cartoons.'"
Microsoft's critics took time to praise the company for reversing its stance. "Microsoft's legal team (and their privacy team who were involved in discussions) deserve serious praise for this change in policy," said Christopher Soghoian, principal technologist at the ACLU, via Twitter. "Bravo."
"While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us," said Smith. "Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures."
Now the question is whether Google and other companies that store customer data will join Microsoft in rejecting the special privileges written into their terms of service contracts.