Update (March 28, 2014): Microsoft has announced a new policy which is described in a new post.

EFF has long argued that law enforcement agencies must get a warrant when they ask Internet companies for the content of their users’ communications. In 2013, as part of our annual Who Has Your Back report, we started awarding stars to companies that require warrants for content. It is now unclear whether Microsoft, one of our inaugural “gold star” companies in that category, is willing to live by its own maxim.

This controversy was brought to light by the arrest of an ex-Microsoft employee named Alex Kibkalo. According to a criminal complaint sworn in a Seattle federal court, Kibkalo stole proprietary information from Microsoft, including its Activation Server Software Development Kit (SDK), and passed the code to a French blogger. The complaint alleges that Kibkalo committed criminal trade secret theft. What’s troubling is that the FBI’s basis for the arrest was an open-ended, warrantless search of a Hotmail user’s account, conducted by Microsoft itself.

In September 2012, Microsoft’s internal security team received a tip that an anonymous blogger was in possession of the SDK source code. Conveniently for Microsoft, however, the French blogger, who has not been accused of any crime, communicated with Microsoft’s tipster using Hotmail. Since Microsoft runs Hotmail, it simply searched through the contents of that email account for evidence of the SDK leak. Gallingly, the Kibkalo complaint states that Microsoft’s Office of Legal Compliance signed off on this “content pull.”

At first blush, Microsoft’s unilateral decision to rifle through its user’s emails sounds like a violation of the Electronic Communications Privacy Act (ECPA). We at EFF have called for critical updates to ECPA’s privacy protections, but the law is fundamentally designed to protect email from this kind of snooping, albeit with some narrow exceptions.

Microsoft’s initial statement in response explained, “While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances.” Realizing that this wouldn’t cut it, the company’s deputy general counsel subsequently announced a new policy for conducting these searches in the future:

“Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

“To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.”

Unfortunately, this new policy just doubles down on Microsoft’s indefensible and tone-deaf actions in the Kibkalo case. It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled.

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

To be sure, the process described in Microsoft’s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less. Let’s call it Warrants for Windows!

The monumental problem here is that Microsoft’s process has none of the protections provided by our legal system. No matter how fairly this process operates in any particular situation, approval by an employee paid by Microsoft, no matter how well qualified, is not approval of a “neutral and detached magistrate,” as required by the Fourth Amendment. Similarly, the protections provided to criminal suspects by the Fifth and Sixth Amendments wouldn’t apply to Microsoft’s internal investigation. In short, “Come back with a warrant” is meaningless when the FBI doesn’t get involved until after all the evidence has been collected.

Yet another colossal problem with Microsoft’s policy is its potential for abuse. Microsoft’s initial statement explained that the Microsoft Services Agreement (TOS) granted it “permission” to conduct the searches. But a brief check of these terms shows that Microsoft reserves the right to conduct searches in far more scenarios than merely “exceptional circumstances.” That’s because Section 5.2 of the TOS states:

“Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content . . . when Microsoft forms a good faith belief that doing so is necessary . . . . (b) to enforce this agreement or protect the rights or property of Microsoft or our customers[.]”

And according to Section 3.5, one of the ways users can violate the agreement and thus give Microsoft “permission” to access their content is to email content that violates the company’s Code of Conduct. Spoiler alert: the Code of Conduct is ridiculously broad.

A few examples of things that would violate the Code of Conduct and allow search and disclosure of Hotmail email content:

  • Emailing “links to external sites that violate this Code of Conduct” such as by “depict[ing] nudity of any sort.” So you’re out of luck if you wanted to send your friend a link to Wikipedia, because the encyclopedia contains a fair number of articles containing nudity. Nor could you link to a Peanuts cartoon, because Snoopy is eternally pantsless, and Microsoft specifically prohibits links to “nudity in non-human forms such as cartoons.”
  • Similarly, linking to external content that violates the Code by “incit[ing] [or] express[ing] … profanity.” That means no YouTube, because it has, for example, clips of George Carlin’s Seven Dirty Words routine.
  • “[P]romoting or otherwise facilitate[ing] the purchase and sale of ammunition or firearms.” Best to unsubscribe from that NRA mailing list.

Presumably, Microsoft isn’t using these sorts of violations as an excuse to rifle through its users’ emails. But when it relies on permission from its TOS to do so, it reserves the right to abuse.

The search in the Kibkalo case may have revealed criminal activity, but it was also conducted in Microsoft’s self-interest, which is an exceedingly dangerous precedent. Combined with the kangaroo court potential of the company’s new internal Warrants for Windows policy, Microsoft is playing with fire. It should have followed its own advice and asked the FBI to step in with a warrant.