Microsoft admits snooping on blogger’s Hotmail account to track leaks; revises policies

Microsoft acknowledged that it had searched an anonymous blogger’s Hotmail account to track software leaks and identify an employee it suspected of leaking information.

Former software architect Alex Kibkalo, a Russian native, was accused of stealing Microsoft’s trade secrets in the form of software code for the Windows operating system and leaking the code to a blogger. Kibkalo was arrested yesterday and ordered held without bail.

According to the March 17 court filing, Steven Sinofsky, then-president of the Windows Division at Microsoft, received a tip from a person whom the blogger in question had contacted via Hotmail to verify whether the leaked source code was legitimate. Sinofsky notified Microsoft’s Trustworthy Computing Investigations department about the tip so that it could investigate the leak.

As part of the internal investigation, Microsoft accessed the blogger’s Hotmail account, looking for e-mails from Kibkalo containing “hot fixes” for the Windows 8 RT operating system before it was publicly available.

The filing also revealed that the leaked data included proprietary Microsoft code. Microsoft claims the search was legal because the terms of service of Outlook (previously known as Hotmail) state that the company can access any information stored in accounts, including communications, in order to “protect the rights or property of Microsoft or our customers.”

“While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances,” the company said in a statement. “We apply a rigorous process before reviewing such content.”

However, Microsoft Deputy General Counsel John Frank gave assurances that in future company officials will present evidence to an outside lawyer who is a former federal judge before its investigators access information from customer accounts.

Microsoft added that it will disclose the number of searches of its own user accounts in its twice-a-year reports on the user information requested by police, law enforcement and government agencies.