Microsoft will not access content of private email accounts any more
Microsoft has decided it will no longer access the emails of Hotmail users it suspects of foul deeds, announcing that from now on it will leave this activity to law enforcement officials.
The move comes a week after the firm reported the arrest of former employee Alex Kibkalo, who was apprehended after Microsoft's Trustworthy Computing unit accessed his Hotmail account without a warrant to prove he had sent proprietary code to a blogger based in France.
The news drew widespread criticism of Microsoft for using powers outside the realm of data privacy rules to monitor and access the content of private emails that happened to be sent via its email system.
In the wake of the backlash, general counsel and executive vice president for Legal and Corporate Affairs at Microsoft Brad Smith revealed that the firm would be swiftly changing its ways.
"Last Thursday, news coverage focused on a case in 2012 in which our investigators accessed the Hotmail content of a user who was trafficking in stolen Microsoft source code," he noted in a blog post. "Over the past week, we've had the opportunity to reflect further on this issue, and as a result of conversations we’ve had internally and with advocacy groups and other experts, we’ve decided to take an additional step and make an important change to our privacy practices."
Smith said that from now on the firm will pass any information relating to suspected intellectual property or physical theft to law enforcement officials, who will decide whether further action is required, rather than inspecting customers' private content itself. The change will also be written into Microsoft's terms and conditions, so that it is binding.
Smith cited Edward Snowden’s exposure of PRISM, and Microsoft’s discomfort with the NSA monitoring its customers’ data as another reason for the firm taking this step. "We've advocated that governments should rely on formal legal processes and the rule of law for surveillance activities," he noted.
"While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures."
Smith's approach to email privacy is an about-turn from that outlined by his deputy general counsel John Frank last week. He wrote in a blog post: "While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We applied a rigorous process before reviewing such content.
“In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.”
Microsoft has also instigated a joint privacy project with the Center for Democracy & Technology and the Electronic Frontier Foundation, aimed at identifying potential best practices.