Does Microsoft need a court order to peer into a user's Hotmail account? The company doesn't think so, but it has promised some changes in how it will handle such questions in the future.

Earlier this week, a former Microsoft employee was arrested for stealing trade secrets and sending them to someone outside the company. The recipient, an unidentified blogger based in France, appears to have contacted another individual to verify the authenticity of one of the leaked items, according to court papers filed in the U.S. District Court for the Western District of Washington. That individual alerted Microsoft to a possible theft, which prompted the company to launch an internal investigation and search the blogger's Hotmail account to identify the original leaker.

"In this case, we took extraordinary actions based on the specific circumstances," John Frank, a Microsoft deputy general counsel and vice-president of legal and corporate affairs, said in a statement posted on Microsoft TechNet.

Was This Legal?

The fact that Microsoft read emails in a user's Hotmail account without notifying the user or obtaining a court order raised questions about what the company is allowed to do with user data. Frank defended the search on the grounds that the Hotmail terms of service allowed the company access under "exceptional circumstances." The terms of service themselves state that the user agrees Microsoft may access, disclose or preserve personal information and content when the company believes doing so is necessary to comply with the law, to prevent loss of life or serious physical injury to anyone, or to protect the rights or property of Microsoft or its customers.

"We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites," Frank said. He added that no legal process exists for investigations involving "information stored on servers located on our own premises."

"Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed," Frank said.

"In this case, it does appear that Microsoft's terms of service permit the company to have taken the action that it did," Nate Cardozo, an attorney with the digital civil-liberties organization Electronic Frontier Foundation, told The Seattle Times, before adding, "from our perspective, it was clearly not the right thing for Microsoft to have done this." Cardozo felt Microsoft should still have obtained a warrant first.

Adopting New Policies

Even though the search appears to have been legal, the company has decided to change some of its policies to cover future situations. "We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available," Frank said.

Until now, a legal team separate from the investigating team assessed the evidence to determine whether it would be enough to support a court order. From now on, an outside attorney who is also a former federal judge will make that assessment, and a search will proceed only if that attorney agrees there is sufficient evidence for a court order.

Microsoft will also publish the number of times it conducted these types of searches, and the number of accounts affected, in its twice-yearly transparency reports.

Thinking Ahead

This situation isn't unique to Microsoft or Hotmail. When we hand our communications over to another provider, whether Google, Twitter, Facebook, Yahoo, or Microsoft, we have to accept that some level of snooping is involved. The question is how much of it you are comfortable with. A number of secure messaging and anonymous email providers promise to make your communications ephemeral. Is that the direction people want to go? It's a question we are all grappling with in this age of surveillance, and there are no easy answers.
