Hotmail snooping puts Microsoft on the spot
Microsoft Thursday admitted that it had taken the “extraordinary action” of accessing an anonymous blogger’s Hotmail account following revelations he was working with an ex-Microsoft employee suspected of leaking confidential information.
Microsoft owns Hotmail but this latest snooping revelation highlights the challenges currently confronting CIOs.
The software giant has faced a storm of controversy following reports earlier this week that the company had snooped on a blogger’s Hotmail account in order to ascertain information on his relationship with an ex-Microsoft employee, Alex Kibkalo.
Kibkalo was being investigated for allegedly leaking unreleased code of the upcoming Windows 8 operating system to the blogger in 2012. He was arrested this week.
Microsoft’s deputy general counsel & vice president, legal & corporate affairs John Frank admitted that the company had indeed searched the blogger’s inbox.
“In this case, we took extraordinary actions based on the specific circumstances. We received information that indicated an employee was providing stolen intellectual property, including code relating to our activation process, to a third party who, in turn, had a history of trafficking for profit in this type of material,” Frank wrote on the company’s blog.
“While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We applied a rigorous process before reviewing such content,” he added.
Frank also elaborated on how the company intends to strengthen its privacy-assurance practices, promising added transparency (publishing the number of searches bi-annually) and oversight, though it’s difficult to see how these would play out given the software company seems reluctant to change the terms and conditions of its service.
“We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available,” Frank said. “As a new and additional step, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.”
Whether or not its attempts to reassure customers will in fact trickle down to how the company acts in these matters moving forward, the recent news certainly reveals some unsettling truths about how most people use cloud services – indeed any online service – and how this adds an important dimension to the Shadow IT challenge.
“The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not,” said Charlie Howe, director, EMEA at Skyhigh Networks.
“I would guess that most people don’t actually read the full terms and conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services,” Howe said.
He explained that the problem is exacerbated when employees bring these services into the workplace, making it increasingly challenging for organisations to ensure adequate governance and confidentiality over information.
“With such a diverse, disparate workforce, today’s organisations really need to have the visibility to measure and manage unauthorised cloud usage across their networks,” he said, echoing what City of Edmonton chief information officer Chris Moore told Business Cloud News earlier this month.
“By taking time to truly understand the conditions to which they are agreeing, organisations can rest in the knowledge that only enterprise-ready cloud services are being used by employees,” he concluded.