Microsoft Reads Your Emails

[CubesTheGamer]

The original post is on The Verge: http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy

 

Content: 

 

If you're hiding something from Microsoft, you'd better not put it on Hotmail.

It came out yesterday that the company had read through a user's inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it's Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they're providing important services, paying our server bills, and for the most part, we trust them. But this week's Microsoft news has chipped away at that trust, and for many, it's made us realize just how frightening the system is without it.

We've known for a while that email providers could look into your inbox, but the assumption was that they wouldn't. Even a giant like Microsoft is likely to sustain lasting damage, simply because there are so many options for free web-based email. Why stick with Microsoft if you trust Apple or Google more? But while companies have created a real marketplace for privacy and trust, you'll find the same structural problems at every major service. Ad-supported email means companies have to scan your inbox for data, so they need access to every corner of your inbox. (That's been the basis of Microsoft's Google-bashing "Scroogled" campaign.) Free email also means someone else is hosting it; they own the servers, and there's no legal or technical safeguard to keep them from looking at what's inside.

A close look at company privacy policies only underlines the fact. As Microsoft pointed out its initial statement, "Microsoft’s terms of service make clear our permission for this type of review." Look at the company privacy policy, and you’ll see that's true: "We may access or disclose information about you, including the content of your communications, in order to ... protect the rights or property of Microsoft." That’s a straightforward description of what happened in the Hotmail case.

You’ll find similar language in the privacy policies from Yahoo and Google. Yahoo reserves the right to look through your emails to "protect the rights, property, or personal safety of Yahoo, its users and the public." Google’s language is nearly identical, saying it will access user data "if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to … protect against harm to the rights, property or safety of Google." Apple is a little better, but not much, promising to disclose user content "if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate." What counts as public importance, exactly?

What’s worse, the current laws won’t do anything to stop them. For standard law enforcement, it takes a warrant to read a person's email — but there's no such restriction on hosting providers. Peeking into your clients' inbox is bad form, but it's perfectly legal. Even if the rights weren't reserved in the terms of service, it's not clear there are even grounds for a lawsuit. Without stronger privacy laws, all companies have to worry about is bad PR.

Microsoft's mole hunt isn't unprecedented either. There have been LOVEINT-style abuses of sysadmin access, as when a Google engineer was fired for spying on friends' chat logs. Last year, Harvard searched its own professors' email accounts as part of a cheating investigation. (The dean behind the search stepped down a few months later.) But those are just the instances we're aware of. In all likelihood, there are dozens of similar incidents that were simply never made public, encouraged by the open nature of third-party hosting. As long as the access is legal and technically feasible, there's no reason to think it will stop.

Anyone living a modern and complicated life over email is left in an awkward place. The crypto crowd has an easy answer: use end-to-end encryption, locking up emails with GnuPG and online chats with programs like Cryptocat. You can hold your own keys, making sure no one can decrypt the message but the person you're sending it to, and count on open-source code reviews to expose anyone who tries to slip a backdoor into the code.

It's a good system and it works, but for most users, it's still a bunch of extra inconvenience for no obvious benefit. In the end, it's easier to blame Microsoft for violating our trust and move onto the next company, with the same data practices and the same terms of service. With Google, Apple, Yahoo, and countless other free webmail services waiting in the wings, there are plenty of options to choose from. They'd never do a thing like this... right?

[Matsy]

Nothing online is private, we all know that by now.

[Fred Castellum]

Doesn't surprise me at all. 

[TheNinjaNextDor]

I'm going to send a complaint email to everyone I know about this.

It's a joke btw.

[FireFox]

Wait, this is news well goddamn eh

[AlexGoesHigh]

and like the article says, so can google, yahoo, apple or any other company that host its own services, microsoft did it to an employee that leaked security measure of windows, which i think is justifiable, yes i do think emails should be private but these companies have so many users that its impossible to keep track of every single one of them, its only in cases like this that they would do it and just to said person and maybe its contacts, besides they don't care what kind of junk can be found in some people mails

[JLCitadel]

& why does it matter?

 

If it's not something you'd want EVERYONE to know then you shouldn't tell ANYONE. That's how the world works my friends.

[mr moose]

And thats why If I have something important to say that I don't want anyone company to know, I tell them directly to the face.  for everything else I don't use web based email, and I even consider normal email to be as safe as facebook chat.

[brownninja97]

Well they know im born on january 1st.

[Admire]

Good. I want them to read all the shit I write about them.

[LAwLz]

& why does it matter?

 

If it's not something you'd want EVERYONE to know then you shouldn't tell ANYONE. That's how the world works my friends.

You can't be for real... Think about what you just said for a little while. Have you never written or said anything any you don't some other person to hear/read? Have you never had a private conversation? If you answer no then I find that really hard to believe.

That is NOT how the world works.

 

If you want a few examples then here you go:

Sexual orientation (punishable by DEATH in some countries)

Medical records

Crime investigations (can ruin your life if leaked, even if you are found innocent)

Bank information and/or economic situation

Product ideas (maybe you want to make a new product and want to ask someone for advice)

Potential investments (for example invest in a company, these things are heavily based on speculation)

 

I have more examples but you get the point. Thinking "if you don't want everyone to know it then nobody should know it" is a very dangerous though and could actually get people killed, depending on where you live.

It's a very naive thought. Hopefully I am just misreading your post.

 

I think we all thought Microsoft was looking through our mail (just like Google and most other email providers), so this just confirms our suspicious. It's very sad, and their damage control is just pathetic.

[JLCitadel]

You can't be for real... Think about what you just said for a little while. Have you never written or said anything any you don't some other person to hear/read? Have you never had a private conversation? If you answer no then I find that really hard to believe.

That is NOT how the world works.

 

If you want a few examples then here you go:

Sexual orientation (punishable by DEATH in some countries)

Medical records

Crime investigations (can ruin your life if leaked, even if you are found innocent)

Bank information and/or economic situation

Product ideas (maybe you want to make a new product and want to ask someone for advice)

Potential investments (for example invest in a company, these things are heavily based on speculation)

 

I have more examples but you get the point. Thinking "if you don't want everyone to know it then nobody should know it" is a very dangerous though and could actually get people killed, depending on where you live.

It's a very naive thought. Hopefully I am just misreading your post.

 

I think we all thought Microsoft was looking through our mail (just like Google and most other email providers), so this just confirms our suspicious. It's very sad, and their damage control is just pathetic.

 

Obviously we don't live in a 3rd world country and what I said doesn't apply to those individuals.

Nor would microsoft report on what your sexual oreintation is.

Nor would they take investment advice from reading your email OR would the NSA.

& If they tried to 'steal' a product idea, if the only evidence you had it was your idea was in an email that's your own fault.

How would my medical records be an issue if they got out? Not like I've got people trying to hunt me down and hold a peanut down my throat (not allergic to anything but providing example)

 

In a first world country, unless your a government employee or in an important position in a company, then no one gives a shit what you say in your email or don't.

Put the tin foil hat away kid

 

Edit: + Not only that, you should know anything you put into the internet isn't safe and NEVER has NOR will be.

[LAwLz]

Obviously we don't live in a 3rd world country and what I said doesn't apply to those individuals.

Nor would microsoft report on what your sexual oreintation is.

Nor would they take investment advice from reading your email OR would the NSA.

& If they tried to 'steal' a product idea, if the only evidence you had it was your idea was in an email that's your own fault.

How would my medical records be an issue if they got out? Not like I've got people trying to hunt me down and hold a peanut down my throat (not allergic to anything but providing example)

 

In a first world country, unless your a government employee or in an important position in a company, then no one gives a shit what you say in your email or don't.

Put the tin foil hat away kid

 

Edit: + Not only that, you should know anything you put into the internet isn't safe and NEVER has NOR will be.

I'm just saying that the whole "If it's not something you'd want EVERYONE to know then you shouldn't tell ANYONE" is a terrible motto. You can then come up with excuses to why situations where it doesn't apply don't matter, but it's still pretty bad.

Also, in countries where the government hunt down homosexuals I wouldn't be surprised if Microsoft sold them access to their mail accounts. They do it in the US so why not in for example Russia?

Your reasoning reminds me a lot of the old fallacy "you got nothing to fear if you got nothing to hide" which assumes that the authority that has access to all info has no ill intentions or conflicting interests.

 

A lot of the things I put on the Internet are safe. The photos I got stored on Google Drive are all encrypted (by me, not by Google) so that only I can access them. There are services which do respect your privacy (Lavabit before they had to shut down for that very reason). For very sensitive info you could use Tor. There are chat programs which lets you set up point to point encryption without any info being stored on a server as well (you give out a public key and your chat programs then they exchange temporary keys over that).

[WanderingFool]

Obviously we don't live in a 3rd world country and what I said doesn't apply to those individuals.

Nor would microsoft report on what your sexual oreintation is.

Nor would they take investment advice from reading your email OR would the NSA.

& If they tried to 'steal' a product idea, if the only evidence you had it was your idea was in an email that's your own fault.

How would my medical records be an issue if they got out? Not like I've got people trying to hunt me down and hold a peanut down my throat (not allergic to anything but providing example)

 

In a first world country, unless your a government employee or in an important position in a company, then no one gives a shit what you say in your email or don't.

Put the tin foil hat away kid

 

Edit: + Not only that, you should know anything you put into the internet isn't safe and NEVER has NOR will be.

The issue I have is with the wording of the privacy policy and how it basically bypasses the law (legally as of now I might add).  My concept is those types of privacy policies about "[...] protect the rights or property of Microsoft or our customers [...]" should only include that of the service providing.  So instead of it including all of Microsoft, it should only include the Outlook team and for all other services/products MS should need a court order.  The reason why I say this is simple, as a company grows in its size it could become easier and easier to target people in "Microsofts best interests".

 

Imagine if MS became a big movie company (or bought one), it could then justify reading your emails to catch you mentioning you downloaded a movie (all someone would have to do is report you).  Just remember this, in theory someone mentioning you have committed a tort against MS could be grounds to read your email (even if you didn't commit a that act).  Yes taking this ground is extreme, but without fighting back against these types of policies we could have another NSA type of fiasco on our hands (I remember being called crazy when I posited to my parents that the government surveillance was getting out of control).  In my opinion these types of policies should be heavily restricted by law, I firmly believe they should need a search warrant if it is not pertaining to offering the service.

 

 

As an fyi @CubesTheGamer, I mentioned about MS over here as the original article had been updated: http://linustechtips.com/main/topic/129437-ex-microsoft-employee-arrested-for-leaking-copies-of-windows-8/?hl=microsoft

[werto165]

I don't care personally, all i have on it is twitch notifications and amazon emails.

[werto165]

The original post is on The Verge: http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy

Can you change the font colour can't read on the night theme.

[ADaviii]

I'm not shocked by this. It's another reason why I don't understand why certain companies are looked at as privacy invaders, which just about every other major player in tech services like e-mail does the same thing.