Microsoft revises privacy policy in wake of Hotmail search case

Blowback in handling of corporate espionage case forces Microsoft to promise stronger policies protecting privacy of Hotmail account holders.

Seth Rosenblatt Former Senior Writer / News

The source code behind Windows RT is among the intellectual property involved in the trade secrets theft case. (Image credit: Microsoft)

Microsoft promised to toughen policies regarding the company's potential reading of Hotmail users' emails, after an outcry over Microsoft searching a user's Hotmail account to discover the identity of someone now charged with stealing company secrets.

John Frank, Microsoft's deputy general counsel, said that in the future, the company would meet a more rigorous standard before peeking into a non-employee's Hotmail account.

There are four parts to the new standard, Frank said:

  • "We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.
  • "To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As a new and additional step, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
  • "Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
  • "Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected."

Frank also defended Microsoft's use of the "specific circumstances" to justify the "extraordinary actions" of searching a Hotmail user account. A March 17 court filing (PDF) by federal prosecutors states that the company had discovered that a blogger, unnamed in the document and not employed by Microsoft, was selling on eBay Microsoft property allegedly supplied by then-Microsoft employee Alex Kibkalo.

Microsoft internally authorized searching the blogger's Hotmail account after an investigation that Frank said involved "law enforcement agencies in multiple countries;" the issuance of a warrant to search the home of the blogger for evidence of the alleged crimes; and the discovery of what Frank called "clear evidence" that the blogger intended to sell Microsoft's intellectual property and had done so in the past.

"Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed," Frank wrote, though legal civil liberties expert Jennifer Granick of the Stanford Law School's Center for Internet and Society said, via Twitter, that Frank's statement was "wrong...At best."

Edward Wasserman, Graduate School of Journalism dean at the University of California, Berkeley, told The New York Times that he had "never seen a case like this."

"Microsoft essentially decided that whatever privacy expectation that its own customers supposedly had was basically a dead letter," he said. "It simply decided that in its own corporate interest, it can intrude on a person's email."