Software giant Microsoft has changed some of its privacy rules following a storm of trouble over its hacking into a customer’s email to dig up some dirt on a corporate spying case.
The customer in this case was an ex-Microsoft employee who was later arrested for leaking trade secrets and internal Windows-related software builds to a blogger.
According to court documents, Microsoft snooped into Outlook/Hotmail accounts of the blog to crack the case.
Vole said that during an investigation of an employee it discovered evidence that the employee was providing stolen IP, including code relating to its activation process, to a third party.
It claims that, in order “to protect its customers” and the security and integrity of its products, it conducted an investigation over many months with law enforcement agencies in multiple countries.
It obtained a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, Vole carried out a “limited review” of this third party’s Microsoft-operated accounts.
But don’t worry, this snooping was given a thorough review by a Microsoft legal team separate from the investigating team.
It said that there was “strong evidence of a criminal act” that “met a standard comparable to that required to obtain a legal order to search other sites.”
However, there are signs that Microsoft might not be so confident about how it handled the case.
John Frank, Vice President and Deputy General Counsel, has announced changes to the way such investigations are handled in the future.
In a statement, he admitted that Outlook and Hotmail email are and should be private.
“While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies,” Frank said.
The way the law stands, courts do not issue orders authorizing someone to search themselves, he pointed out.
Microsoft promises that it will comply with the standards applicable to obtaining a court order and will add another step in the process.
“Microsoft will submit the evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order,” Frank said.
Microsoft promised to publish, as part of its bi-annual transparency report, data on the number of these searches that have been conducted and the number of customer accounts that have been affected.
This will not apply to internal investigations of Microsoft employees who are found, in the course of a company investigation, to be using their personal accounts for Microsoft business.