Last week we learned that Microsoft will read your email if they believe you’re sharing their trade secrets. This isn’t illegal – if you sign up for Hotmail, you agree to terms & conditions that give Microsoft the right to poke through your stuff.
The case against this blogger appears pretty solid, which makes me wonder – how many bloggers did Microsoft pursue before they settled on this guy? Are they batting a thousand with their investigations, or were there other email-reading incidents that went unreported because they didn’t find enough evidence to win a case?
With free email, chat, and voice services, I totally understand that this is the price we pay. Like they say, if you’re not the paying customer, then you’re the product. But what about the paying customers? Specifically:
What about Azure cloud services customers?
What happens if you host your business’s data in Microsoft’s cloud, and Microsoft believes you’re doing something to harm them – like, say, pirating software?
The Windows Azure Agreement says as of Jan 2014:
1. d. Customer Data. You are solely responsible for the content of all Customer Data. You will secure and maintain all rights in Customer Data necessary for us to provide the Services to you without violating the rights of any third party…
This is your first warning: you’d better not be storing copyrighted data that belongs to somebody else. If you do, you can’t claim it was somebody else’s fault – it’s yours. (That’s totally fair, and typical with other hosting provider agreements.)
Next up: who can see the data?
2. b. Privacy and data location. We treat Customer Data in accordance with our Privacy Statement.
Switching over to the Privacy Statement’s Customer Data section. At first glance, it sounds more secure than the Hotmail terms & conditions, but keep reading:
We only use Customer Data to provide the Services. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of the Services and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam).
“Spreading spam” is one heck of a low bar. If you’re running an email list in Azure, and someone marks your email as spam, the Azure terms & conditions give Microsoft the right to read your cloud data and look for evidence that you’ve broken the law.
But furthermore, that second sentence is interesting because it gives Microsoft a nice loophole. They’re in the business of keeping Windows secure for their users. If they suspected you of spreading malware – or, say, spreading a pirated version of Windows that just might contain malware – they could use your Azure data to detect that.
In that case, who gets to read your Azure data?
In the Sharing Your Information section:
We will not disclose Customer Data, Administrator Data, Payment Data or Support Data (“your information”) outside of Microsoft or its controlled subsidiaries and affiliates except as you direct, or as described in your agreement(s) or this privacy statement.
In with the Hotmail incident, the problem was that Microsoft itself was reading the blogger’s communications, not that the data was sent to outside groups. Microsoft built the case for law enforcement and then handed over the evidence. So could they do that in Azure?
We will not disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as you direct or unless required by law.
The “required by law” line is a little tricky. If Microsoft picks up the phone and says they have good reason to believe you’re pirating Windows or spreading malware or whatever, the government would then start to build a case against you, and ask Microsoft to hand over your customer data. They’d be “required to by law.”
Is Amazon Web Services any better?
The AWS Customer Agreement has similar wording about you being responsible for your content, and that you’re not allowed to host copyrighted content. As to who gets access:
8.1 Your Content. As between you and us, you or your licensors own all right, title, and interest in and to Your Content. Except as provided in this Section 8, we obtain no rights under this Agreement from you or your licensors to Your Content, including any related intellectual property rights. You consent to our use of Your Content to provide the Service Offerings to you and any End Users. We may disclose Your Content to provide the Service Offerings to you or any End Users or to comply with any request of a governmental or regulatory body (including subpoenas or court orders).
Amazon doesn’t include “malware” or “spam” anywhere in the doc, or any wording about protecting other end users from what you’re doing. To some extent this makes sense because they aren’t a software manufacturer who needs to worry about desktop operating systems. (Although they do make the Kindle.)
This section is a little vague though:
Information You Give Us: We receive and store any information you enter on our Web site or give us in any other way. Click here to see examples of what we collect. You can choose not to provide certain information, but then you might not be able to take advantage of many of our features. We use the information that you provide for such purposes as responding to your requests, customizing future shopping for you, improving our stores, and communicating with you.
So if the paranoid guy inside me reads this, technically the data I store in AWS can be used to improve the online store at Amazon.com. If you’re an e-commerce vendor, your eyes probably just got a little wider.
Welcome to the cloud. Here’s your tin foil hat.
Online privacy isn’t just dead – it never existed. Companies like Microsoft and Amazon are responsible to their shareholders to safeguard value. Today, if you’re going to use their services to do something illegal to undermine their value, you shouldn’t be surprised if they turn your data over to law enforcement. This isn’t Big Brother NSA snooping – this is just the common sense business world that we’ve built.
Yes, in the process of their investigation, corporations are going to read the data of some innocent bystanders – the investigators are human, and they’re going to make mistakes. You won’t hear about those until Edward Snowden v2.0 comes out of the corporate woodwork.
Now, about that always-on webcam in your living room game console, and those Google Glasses that you want to strap onto your face….
I have never understood how some of the companies I have dealt with have triple-strength protection that serves to prevent their own employees from doing their jobs by making data basically inaccessible, are then perfectly comfortable outsourcing their data storage/systems administration to the lowest bidder…
Even more troubling is that Microsoft can search any content if you link to any sites known to contain objectionable material. This includes YouTube (which hosts dirty words), Facebook (ditto), Twitter, and even wikipedia. The EFF’s analysis of the situation is fantastic including our inability to link to a Peanuts comic since Snoopy doesn’t wear clothes – https://www.eff.org/deeplinks/2014/03/microsoft-says-come-back-warrant-unless-youre-microsoft
Of course, whatever you do, don’t check the ToS on your browser 😉
Update: Microsoft won’t read your email any more. https://www.eff.org/deeplinks/2014/03/reforming-terms-service-microsoft-changes-its-policy-access-user-data