Microsoft Subnet: An independent Microsoft community

Your privacy is 'very important,' Microsoft says after reading users' emails and IMs

Microsoft also complies by selling user data to the FBI for $200 per pop.

After twice hacking Microsoft and vowing to publish proof of Microsoft "spying" on email accounts and selling user data to Johnny Law Officer, the Syrian Electronic Army went public with monthly invoices showing what Microsoft charges the FBI for user data. Microsoft previously admitted that "documents associated with law enforcement inquiries were stolen."

SEA allowed The Daily Dot to review the stolen documents, which "appear to be invoices and emails between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit (DITU), and purport to show exactly how much money Microsoft charges DITU, in terms of compliance costs, when DITU provides warrants and court orders for customers' data." It appears as if the emailed correspondence between Microsoft and the FBI was not encrypted.

Three leaked invoices indicate that Microsoft no longer spies on users for free. In fact, according to the sample invoices, it seems as if taxpayers, We the People, pony up millions to foot the bill. A December 2012 invoice charged the FBI $100 per request for user data and totaled $145,100. By August 2013, Microsoft doubled its charges to $200 per request and billed the FBI for a monthly total of $352,200. The November 2013 invoice was for a total of $281,000.

According to the screenshot tweeted by the SEA hackers, Microsoft allegedly charges $200 a pop for handing over the following user account details to the FBI: email address, Passport Unique Identifier (PUID), first and last name, state, zip code, country, timezone, IP from which the account was registered, as well as the date and timestamp of account registration. However, Microsoft notes in parentheses, "Not every field may appear in your report. This data was provided to us by the user, and Microsoft does not make any representations regarding its authenticity."

The FBI refused to comment and told The Daily Dot to ask Microsoft "given that SEA claims to have stolen the documents" from the Redmond giant. Microsoft repeated how it must comply with lawful government demands. Furthermore, it can legally seek reimbursement for costs to comply with those demands. "To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders."

It would be interesting to see what each email company makes per month for "complying" and selling user data to all law enforcement agencies.

Syrian hackers tweeted another screen grab and claimed Microsoft also shared user info with a private law firm. The package password was a pathetic repeating keyboard pattern (asdfasdf), but each "package" came with a separate "access key." Unfortunately, the story behind this is unknown.

Your privacy is very important, Microsoft says after reading users' emails and IMs

Your privacy is very important to Microsoft, unless of course there's some legal way around it, as was the case when Microsoft searched through a French blogger's Hotmail account. The snoopfest was part of an internal investigation into the leak of pre-release Windows RT updates and product activation software. Former Microsoft employee Alex Kibkalo was arrested last week for the alleged theft of trade secrets.

Immediately after the media backlash, Microsoft's Deputy General Counsel John Frank wrote, "Outlook and Hotmail email are and should be private." Microsoft's response post could be considered damage control. The rest of the blog post was a PR campaign devoted to how Microsoft will "strengthen" its snooping-on-users' policy for future investigations.

In this case, we know about the user account snooping due to court documents that kicked up a media storm. Theft of trade secrets is not cool and it's unsurprising that Microsoft launched an investigation. Yet we don't know if, when, or how many times Microsoft has taken similar "extraordinary actions" and snooped through user accounts. Microsoft says it will publish the number of times in a transparency report, but it remains to be seen if this will go back to all the prior years. Apple, Google and Yahoo also claim the right to read users' emails, but are we to believe that Microsoft is more transparent since it chose to share its internal policies on accessing users' email without a court order?

If that suggestion made you scoff, then it is enough to gag a person when, in conclusion, Microsoft's post stated, "The privacy of our customers is incredibly important to us."

Oh really? Your email "privacy" is the heart of Microsoft's Scroogled campaign against Google. Google scans your emails for keywords to serve up more relevant ads. While I'm no fan of that, at least it's a machine data mining your email privacy. Microsoft used human eyes to go through email and instant messages, all without the benefit of a court order. But that's supposedly OK because there is no "applicable court process for an investigation such as this one relating to the information stored on servers located on our [Microsoft's] own premises."

If you want email privacy then it's up to you to encrypt. Even that doesn't hide metadata.


Follow me on Twitter @PrivacyFanatic
