
Microsoft reads private email on Hotmail/Outlook.com

When Microsoft feels the need, they read cloud emails on Outlook.com (aka Hotmail) or other Microsoft 365 hosted email. Microsoft has been caught reading private data stored on their cloud servers and it’s all quite legal.

In 2012, screenshots of the then-unreleased Windows 8 were leaked and Microsoft wanted to know where the blogger had got them. Microsoft opened up the Hotmail account of the blogger (who was NOT a Microsoft employee) and read his/her messages, hoping to find the name of the Microsoft employee responsible for the leak. We only know about this because court documents become public knowledge.

Anyone who has heard Microsoft staff assuring audiences about the company’s commitment to privacy might be surprised, even shocked, at this news. But they should not be. Microsoft, like any company, will act in its own self-interest.

Buried in the terms of use for Hotmail/Outlook.com is a clear statement that Microsoft can read anyone’s data, any time they like:

“Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion”

You won’t find this in Microsoft’s Online Privacy Statement (all 4,000 words); instead it’s in a separate “Information on Terms of Use” (another 2,900 words, not linked from the main privacy statement). Under the heading ‘Use of Services’, after the bullet list and in the middle of a paragraph, is the sentence quoted above (as at 2014).

Having been caught reading customer emails, Microsoft has been quick to assure customers that

“We believe that Outlook and Hotmail email are and should be private”

“The privacy of our customers is incredibly important to us,”

Assurances like these are commonly heard from Microsoft management, but are missing from the company’s legal provisions. You can see the entire statement below.

The company has hastily set up a process where an ‘outside attorney’ and ‘former federal judge’ will look over Microsoft’s justification for searching customer information. Nothing in the statement has, so far, been incorporated in the privacy statement or Terms of Use.

James Gleick calls the new arrangement ‘Microsoft has its very own FISA court!’. The FISA court is the US government’s mostly ‘rubber stamp’ legal process to approve data copying (over 33,000 surveillance requests with only 11 denied). There’s nothing in the new Microsoft arrangement to suggest that the ‘outside’ approval will be any more stringent than the FISA court.

Euphemisms

According to Microsoft they don’t ‘read’ customer data, instead they ‘review’ it. In the circumstances it’s hard to see what the difference is.

Other media have leaped on euphemisms like ‘Peeking’, ‘Sniffing’, ‘Snooping’, ‘Scanning’ to downplay Microsoft’s actions. At least BBC News called Microsoft’s action what it was: “Microsoft admits reading Hotmail inbox of blogger”.

Microsoft’s statement

We believe that Outlook and Hotmail email are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

  • To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
  • Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
  • Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business. And in these cases, the review will be confined to the subject matter of the investigation.

The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency.

John Frank, Vice President & Deputy General Counsel

Source: Microsoft

About this author

Office-Watch.com
