Earlier this week, former Microsoft software architect Alex Kibkalo was arrested and charged with leaking Windows 8 code to a French blogger. According to Seattle PI, which broke the story, the blogger contacted Microsoft to verify the authenticity of the code. Investigators at Redmond subsequently dug into the blogger's Hotmail account and claim to have found evidence identifying Kibkalo as the source of the leak.
The fact that Microsoft searched the blogger's Hotmail account has irked some privacy advocates. The search apparently didn't violate Hotmail's terms of service, but nobody reads those, anyway. Microsoft has now clarified its position on Hotmail privacy and explained some of the circumstances surrounding the investigation.
Interestingly, Microsoft claims the blogger had a history of selling leaked code. A court order was issued to search a home related to the case, but getting legal authorization to search the blogger's email account apparently proved problematic. "There’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises," Microsoft says.
Since the courts apparently aren't up to speed with this sort of thing, Microsoft has announced new policies that will guide its actions in similar matters:
- We will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.
- To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As a new and additional step, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
- Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
- Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.
Sounds reasonable to me. Some folks may still be uncomfortable with the fact that Microsoft can search their Hotmail accounts, but I guess they've never seen a sys admin wearing one of these shirts.