Practically every email provider can and will read your emails

• March 22, 2014
• News

• Comment
• Facebook
• Google+
• Twitter
• Reddit
• LinkedIn

The tech blogosphere went haywire Friday as news broke that Microsoft read a French blogger’s emails and instant messages to root out an internal leaker. This is, in fact, perfectly legal. Why? Every user consents to this when they agree to the terms of use. The right to read its users emails is a right claimed by far more than just Microsoft, too.

The story with Microsoft goes like this: an employee received a bad performance review and leaked confidential information regarding Windows 8, which had not yet been released. As part of the criminal investigation, since this involves legitimate theft of intellectual property, Microsoft decided to read the Hotmail account of the blogger who published the leaks. Microsoft did not attain a warrant to search this Hotmail account and that is because their Terms of Service clearly states they do not need one.

Microsoft explains:

As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

For most privacy advocates, this is still quite worrisome. Before you go running from Microsoft products, though, consider your alternatives.

You will not find a mainstream email provider that does not reserve the right to read your emails. Likewise, if intelligence or law enforcement asks for those items, they will turn them over. A service like Hushmail once marketed itself as secure to these sorts of intrusions, but then turned over email records and user passwords with little hesitation.

Indeed, Yahoo, Google, and Apple are also among the providers who make you click “agree” to terms that include handing over the right to your emails’ privacy. While Microsoft’s latest intrusion seems to contradict the crux of their “Scroogled” campaign, there is a key difference to bear in mind. Google reads your email rather shamelessly in order to target advertisements to you. Microsoft provides an apt example of how creepy this can be:

Credit: Microsoft

There is no clear recommendation to make if you want privacy out of your email. Despite the recent scandal, at this point Microsoft actually looks like the most transparent actor here. They have clarified their privacy policy and how they will treat user email accounts going forward (there is more at the link):

We believe that Outlook and Hotmail email are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

We will see if other providers come forward and lay out similar policies. Still, it is discomforting to see that nobody is willing to give up their right to read customer emails. The founder of TechCrunch recalls having his Gmail read by Google as well, adding to the fact that we already know they are scanned by advertising software.

There are just a couple of options if you have an absolute need for privacy in your email:

• You can encrypt your email. The best way to do this is to use PGP encryption, where you and the recipient each have a private passkey and exchange a public one. Both sender and receiver need to have a setup for this. More info here, from Lifehacker.
• You can use Tor mail. You will only be able to access it via the Tor browser bundle, which is based on Firefox, or other Tor services. This is another not-so-user-friendly option and the vulnerabilities of Tor are becoming more apparent.

The lesson here is to be mindful that your communications via email are not well-protected against your providers. This means taking measures to protect yourself from hackers and government surveillance may not always be enough if your email provider could forsake you in the end. If we find a good email provider who is committed to your privacy, we will let you know and suggest that you use it. Hopefully this news will inspire a service to capitalize on the new demand.

_Featured image by perspec_photo88 (Flickr)._

• Apple
• email
• google
• Microsoft
• privacy
• Yahoo

COMMENTS