Was Microsoft justified in hacking a customer's account? Using Terms of Service to gain access to emails

Mark Leiser: I am a PhD Candidate in Cyber Law at the University of Strathclyde in Glasgow. I have written submissions for the Leveson Inquiry into the culture and ethics of the media and for the Scottish Parliament on the use of social media during trials. My PhD is supervised by Professor Andrew Murray at the London School of Economics and focuses on the effectiveness of cyber-regulation. My research and interests revolve around main areas of Internet law and policy including internet governance & regulation, democracy, social media, privacy, and intellectual property. My PhD research focuses on developing a system of modelling to measure the effectiveness and legitimacy of Internet Regulation. I write in a personal capacity.

It was revealed this week that Microsoft had hacked into one of its own customers’ accounts in order to detect the leak of proprietary and confidential information.

The company forced its way into a blogger’s Hotmail account in order to trace the leak of sensitive company software. After accessing the account and poring through the blogger’s emails and Windows Messenger chat dialogues, the company was able to identify the alleged source, an ex-employee from Lebanon named Alex Kibkalo.

The company defended its right to hack into the blogger’s account in documents filed in federal court under the premise of “desperate times for desperate measures”. Microsoft felt there was a prima facie case that the blogger would sell the company’s proprietary information and, as a result, hackers would be able to poke holes in the company’s security features. Because the tip given to Microsoft indicated that this blogger was in possession of the SDK source code, and had used the Hotmail account to communicate with the tipster, Microsoft was simply able to search through the email contents looking for evidence of the leak. Microsoft’s Office of Legal Compliance signed off on the leak.

How did Microsoft justify this legally? It relied on a clause in their Terms and Conditions of Service. When you use Microsoft communication products -- Outlook, Hotmail, and Windows Live -- you agree to "this type of review ... in the most exceptional circumstances."

There are several legal issues that arise from this case. Why did Microsoft not need a warrant to search the Hotmail account? What is the legal position of the terms and conditions that give Microsoft property rights in the contents of your email? Who determines what an exceptional circumstance is that justifies a warrantless search of emails sent through Microsoft’s servers? And finally, do other clauses in Microsoft’s Terms of Service give it permission to have a glance over your emails?

Microsoft claimed that they do not need a warrant to access your emails because they have property rights in the data that is sent through their servers. As you will notice in their initial statement, they claimed that this was one of those “exceptional circumstances” that justified taking action. However, Clause 5.2 of the Terms of Service (ToS) states that, “Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content . . . when Microsoft forms a good faith belief that doing so is necessary . . . . (b) to enforce this agreement or protect the rights or property of Microsoft or our customers[.]” That is rather exceptional.

According to Section 3.5 of the ToS, one of the ways a user can violate the agreement, giving Microsoft “permission” to access email content, is by violating the company’s “Code of Conduct”. And according to Andrew Crocker of the Electronic Frontier Foundation (EFF), the “Code of Conduct” violations are “extremely broad”.

In the UK and the US, the courts are very reluctant to interfere with contracts negotiated between any two parties. Most courts will not interfere in contracting, save in the exceptional circumstance that someone has contracted away their right to sue for negligence resulting in personal injury or death. The Unfair Contract Terms Act (UCTA) 1977 is a piece of primary legislation in the UK, whereas the Unfair Terms in Consumer Contracts Regulations are secondary legislation introduced to implement a European Directive. UCTA provides specific instances of what may amount to an unfair term. If a term is not within one of the specified categories, it is not capable of amounting to an unfair term under the Act. Section 11 of the Act does set out a reasonableness test, with one branch judged by all the circumstances which were known, or ought to have been known or in the contemplation of the parties, at the time of the contract.

In the 1991 American case, Carnival Cruise Lines v Shute, a dispute arose about Terms and Conditions containing a specific clause on which State any legal dispute arising from the contract could be heard in. The clause had specifically stated that any litigation arising out of the contract would have to be adjudicated in Florida. The Plaintiff lived in Seattle and argued that it was not fair to enforce this clause and that it was naturally fairer for the parties involved to have the case heard in Washington State. However, the court enforced the clause. The court declined to consider the adequacy of passengers’ information about those forum selection clauses:

“Respondents have essentially conceded that they had notice of” that provision. What the respondents conceded was that “the respondents do not contest… that the forum selection clause was reasonably communicated to the respondents, as much as three pages of fine print can be communicated.”

What the plaintiff conceded was that regulations aimed at greater communication might not be beneficial, but that other regulations (such as prohibiting these clauses) might produce a more suitable outcome.

The problem that Microsoft has now is how it justifies this intrusion into someone’s private account. Did the user not have a legitimate expectation of privacy? This case sets a very dangerous precedent for large technology companies. I pose a question for Microsoft. What if you had not found anything? What if the tipsters you had relied on had simply been misinformed and had been given bad information? In this instance you found evidence of criminal wrong-doing by your former Microsoft employee, but you searched through the blogger’s email and chat logs to find criminal evidence – a guy who has not been charged with any crime. Serious questions will continue to be asked about how technology companies who have been extremely critical of government snooping and surveillance in a post-Snowden world can simply contract their way out of privacy through Terms of Service and into their users’ emails.
