Just one week after news surfaced that Microsoft secretly broke into the Hotmail email account of one of its users, the company is updating its security policies.
Microsoft will now contact law enforcement if it needs access to a user's email account for security purposes, instead of secretly accessing the account itself, the company wrote in a blog post on Friday.
In 2012, Microsoft accessed a blogger's private Hotmail account to determine if a former employee stole trade secrets. News of the incident ignited an outcry over the privacy implications.
"Over the past week, we’ve had the opportunity to reflect further on this issue, and as a result of conversations we’ve had internally and with advocacy groups and other experts, we’ve decided to take an additional step and make an important change to our privacy practices," Microsoft executive Brad Smith wrote in the post.
"Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves," he said.
Microsoft will be updating this change to its customer terms of service in the coming months, so that it’s "clear to consumers and binding on Microsoft."
Last week, reports circulated that former Microsoft staffer Alex Kibkalo is facing federal criminal charges over allegations that he stole trade secrets during his tenure at the company. The indictment states Kibkalo "uploaded proprietary software and pre-release software updates for Windows 8 RT as well as the Microsoft Activation Server Software Development Kit (SDK)" to his personal SkyDrive (now OneDrive) account in August 2012.
Soon after, a French blogger tipped off Microsoft that he had received code from the Microsoft Server SDK, which had originally come from a Hotmail user. Since Microsoft operates Hotmail (now Outlook.com), it could access that user's account without a court order. This was legal because a statement in Microsoft's terms of service allowed the action to take place if it was to protect the security of its customers. Eventually, the move led to an investigation in which, according to court documents, Kibkalo was identified as the source and admitted leaking Microsoft code to outsiders.
"It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week," Smith wrote. "Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers."
Smith also referenced how in the “post-Snowden era,” Microsoft has advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.
"While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us," Smith wrote. "Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures."