Microsoft sniffed blogger's Hotmail account to trace leak

The company's legal department determined that it had the right to go through a private e-mail account, citing a leak of proprietary Microsoft code.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Charles Cooper
Seth Rosenblatt
3 min read
Former Windows chief Steven Sinofsky, seen here at the Windows 8 debut in New York in October 2012, appears to have played a crucial role in the discovery of former Microsoft employee Alex Kibkalo, who is being charged with stealing trade secrets. Seth Rosenblatt/CNET

Microsoft went through a blogger's private Hotmail account in order to trace the identity of a source who allegedly leaked trade secrets.

A March 17 court filing by federal prosecutors reveals that Microsoft's Office of Legal Compliance approved the decision after confirming that the leaked data in question included proprietary Microsoft code.

According to the filing, Microsoft received a tip from a person who was contacted via Hotmail by the blogger, who wanted to verify that the leaked source code was legitimate. Instead, the tipper went to Steven Sinofsky, then-president of the Windows Division at Microsoft, and told him of the interaction. Sinofsky forwarded the details to Microsoft's Trustworthy Computing Investigations department, which investigates external threats and internal information leaks.

"After confirmation that the data was Microsoft's proprietary trade secret on September 7, 2012, Microsoft's Office of Legal Compliance approved the content pulls of the blogger's Hotmail account," the filing says. Microsoft's investigation uncovered e-mails from then-Microsoft employee Alex Kibkalo to the unnamed blogger sharing prerelease Windows 8 RT code, according to the filing.

Federal prosecutors have charged Kibkalo, who worked for Microsoft in Lebanon and Russia, with theft of trade secrets.

The court filing (PDF) reads, in part:

The blogger was known to those in the Microsoft blogging community for posting screenshots of prerelease versions of the Windows Operating System. The blogger began his online persona by posting Windows-related comments on forums related to Microsoft products. The blogger later started posting Microsoft news and information to his own Web sites.

Kibkalo worked for Microsoft for seven years, and before leaving the company, in 2012, received "a poor performance review and threatened to resign if the review was not amended," according to the filing.

Legally, Microsoft appears to be protected by its privacy policies. The policy for Outlook.com, formerly Hotmail, states that, "We may access information about you, including the content of your communications...to protect the rights or property of Microsoft."

Microsoft representatives provided CNET with a statement defending their actions:

During an investigation of an employee we discovered evidence that the employee was providing stolen [intellectual property], including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.

As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

Update, 4:10 p.m. PT: with statement from Microsoft.

Update, 1:57 p.m. PT: Clarifies the sequence of events.