
Microsoft Tracks Down Rogue Employee By Snooping Blogger's Hotmail


Image: Mashable, Pete Pachal


UPDATE, March 20, 2010 9PM EST: Microsoft VP and Deputy General Counsel John Frank has issued a statement offering more insight into this situation and its policies concerning user privacy. It is embedded in its entirety at the bottom of this post.


A new court filing details the extraordinary lengths Microsoft is willing to go in order to protect its intellectual property: Accessing a blogger's private Hotmail and chat data.


On Wednesday, it was first reported that Alex Kibkalo, a former Microsoft employee, is facing federal criminal charges over allegations that he stole trade secrets while working for the company.


According to an indictment in the criminal complaint, Kibkalo 'uploaded proprietary software and pre-release software updates for Windows 8 RT as well as the Microsoft Activation Server Software Development Kit (SDK)' to his personal SkyDrive (now OneDrive) account in August 2012. The interesting part of this story is how Microsoft fingered Kibkalo for the leak.


On Sept. 3, 2012, Steven Sinofsky, who was then the president of Microsoft's Windows division, received an email from an unnamed source. The source had received some code from a French blogger - known in the Windows community for leaking screenshots and early software releases - that he thought Sinofsky needed to see.


It turned out this code was sample code from the Microsoft Server SDK. Sinofsky turned the information over to the Trustworthy Computing Investigations (TWCI), the department within Microsoft that is tasked with protecting the company from external and internal security threats.


After talking to the TWCI, the source revealed the email address of the blogger that sent him the code. It turns out, the TWCI was already aware of the blogger and had been trying to discover his identity.


Conveniently for Microsoft, the blogger used a Hotmail account for his communications. This meant that Microsoft could access his account - even without a court order.


How is that possible? Well, a provision in Microsoft's privacy policy very clearly states that the company can access your accounts in order to 'protect the rights or property of Microsoft' or its customers.


The entire provision reads (emphasis ours):


We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.


The blogger's access to proprietary Microsoft code gave Microsoft justification to gain entry to his Microsoft accounts.


According to the court documents, on Sept. 7, 2012, Microsoft's Office of Legal Compliance 'approved content pulls of the blogger's Hotmail account.'


While accessing the blogger's email, Microsoft tracked down communications between the blogger and then-employee Kibkalo. This included messages with links to Kibkalo's personal OneDrive account, which contained the leaked data.


That revelation led to a subsequent investigation - which included an interview with Kibkalo - where, according to court documents, he admitted leaking Microsoft code to outsiders.


In a statement to Mashable, Microsoft defended its action when it came to accessing the blogger's data.


A Microsoft spokesperson says:


'During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.


As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.'


OK, so this seems legal - or at least in compliance with Microsoft's privacy policy - but is it ethical? At the very least, we must recognize the irony in Microsoft going to the lengths of accessing a user's account in order to track down the source of a leak.


After all, this is the same company that launched an anti-Google 'Scroogled' ad campaign criticizing its rival's privacy and data collection policies.


It's also a reminder that even without the NSA, technology companies can access your data.


It's interesting to note that Microsoft was able to access the blogger's email specifically because this incident concerned Microsoft software. If the leaked data had been source code from Google, Apple or another company, Microsoft would have been unable to intervene - at least without a court order.


This incident also points out an important lesson: If you want to anonymously leak information about a company, think twice before using that company's products for your communications.


Embedded documents: USA vs Alex Kibkalo; Microsoft Statement
