Last Thursday, news coverage focused on a case in 2012 in which our investigators accessed the Hotmail content of a user who was trafficking in stolen Microsoft source code. Over the past week, we’ve had the opportunity to reflect further on this issue, and as a result of conversations we’ve had internally and with advocacy groups and other experts, we’ve decided to take an additional step and make an important change to our privacy practices.
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
In addition to changing company policy, in the coming months we will incorporate this change in our customer terms of service, so that it’s clear to consumers and binding on Microsoft.
It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week. Although our terms of service, like those of others in our industry, allowed us to lawfully access the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.
In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.
While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.
This also has focused our attention on other important questions about the privacy interests of consumers as they use services across the Internet. What is the best way to strike the balance in other circumstances that involve, on the one hand, consumer privacy interests, and on the other hand, protecting people and the security of Internet services they use? It’s an important question across the tech sector. And it’s the type of question we believe would benefit from broader discussion rather than a single company or industry trying to divine the answers by itself.
For this reason, we’ve reached out to the advocacy community to undertake a project that brings together a variety of stakeholders to help identify, flesh out and discuss these important issues. The Center for Democracy and Technology (CDT) has agreed to convene stakeholders and the Electronic Frontier Foundation will be a key participant. We hope that this project can help us all identify potential best practices from other industries and consider the best solutions for the future of digital services. We’ve agreed to help support this effort and will participate wholeheartedly. We hope that other companies will join in as well. Ultimately, these types of questions affect us all, and they will benefit from even more of the thought-provoking discussions that the events from last week have encouraged.