How to Apply Transparency to Assure Privacy

Microsoft (temporarily) adopted a policy of transparency to address a privacy issue. Transparency can indeed help show that an institution is handling privacy responsibly, even though Microsoft decided it was not enough in this particular case.

Cloud Provider Searches Customer Content!

Here is the story behind Microsoft's temporary, special policy of transparency.
Court documents revealed that Microsoft searched the content of a Hotmail account belonging to a Microsoft customer. The customer was an independent blogger who did not work for Microsoft. (Hotmail is a webmail service also known as Outlook.com, owned and operated by Microsoft.) Microsoft searched the account as part of an investigation into the alleged theft of Microsoft trade secrets by a now-former Microsoft employee. The trade secrets in question were software code.
Microsoft's decision to search a customer account raises privacy worries. Microsoft is a cloud computing service provider. Hotmail is one of Microsoft's cloud offerings, just as OneDrive is one of Microsoft's cloud offerings. When customers use Microsoft's cloud services, they store data like email and files with Microsoft and they expect Microsoft to provide some degree of protection for the data.
Microsoft said it had legal permission to search the Hotmail account because the terms agreed by the customer permit Microsoft to conduct searches to protect Microsoft rights and intellectual property.

Microsoft as Intellectual Property Search Monster?

But as a long-time Microsoft customer, I myself am squeamish about Microsoft searching my cloud-stored content for evidence of intellectual property infringement (or some other violation of Microsoft's rights). I have been using Microsoft products and services for almost three decades. In all those years I have clicked on and agreed to hundreds if not thousands of Microsoft End User License Agreements (EULAs) and terms of service. Those long-winded EULAs have come to me when I have
* opened/initiated/installed fresh versions of Microsoft desktop software (Windows, Office, Money, Windows Defender, Streets and Trips, etc., etc.);
* installed updates;
* visited Microsoft web sites, such as to download clipart; and
* opened accounts to use services, such as Windows Live Messenger, which is now retired.
Even though I am a tech lawyer, I have not read and remembered every word of every one of those complex agreements. (Have you?)
Over all the years, I have indeed tried to comply with Microsoft's agreements, and I still try to this day. But I must say that sometimes those agreements have confused and surprised me. As the years have gone by, Microsoft has published subtly different EULAs for similar products (e.g., Office Home and Business Edition, Office Starter Edition, Office Web Apps Edition, Office Blah-Blah-Blah Edition).
In addition to using Microsoft desktop products, I use its cloud services like Outlook.com and OneDrive. I store data and files in those services.
By contract to which I have agreed, Microsoft has reserved the right to search my content for evidence that I have violated Microsoft's legal rights or intellectual property. OK. A deal is a deal. I agreed to let Microsoft search through my files and documents for that purpose.
However, I'd be disappointed if Microsoft conducted a dragnet through my documents looking for evidence that I violated a long-forgotten EULA (forgotten by me). For all I know, some spreadsheet I created in 2005 (and haven't touched since) contains a tell-tale sign that I did not comply precisely with the EULA for an October 2004 update to Office 2003, a product I have not used in years.
If Microsoft did engage in that kind of dragnet, customers like me would be motivated to take our cloud computing business elsewhere. We'd be motivated to move our old archives like that spreadsheet to competitors like Dropbox or Google Drive.

Microsoft Wants to Re-assure Its Cloud Storage Customers.

Microsoft seems to understand the problem I have just described. Microsoft does want to keep good customers like me in its cloud computing tent.
Therefore, shortly after Microsoft articulated the (probably valid) legal grounds for its search of the blogger's Hotmail account, Microsoft made an additional public announcement. The announcement had two components:
1. Microsoft said that before it searched the contents of a customer's cloud account, it would seek an opinion from a former US federal judge. This former judge (presumably under the pay of Microsoft) would opine hypothetically on whether Microsoft possessed enough evidence of wrongdoing to justify a court order that the account be searched. If the former judge did so opine, then Microsoft would reserve the right to search the account.
2. Microsoft committed to a form of transparency. It said it would periodically report to the public about any incidents in which Microsoft actually executed on a search of a customer's cloud account.
“Microsoft to Change Policy on User Data,” Wall Street Journal, March 21, 2014.

What Benefit Does Transparency Provide?

I think Microsoft committed to the transparency report because it would help set its cloud customers' minds at ease. Customers might suspect the former judge would have a conflict of interest when s/he evaluates Microsoft's evidence; Microsoft is paying the former judge.
Microsoft probably believed that the number of instances in which it actually searched customer accounts would be few. (It is rare that the Microsoft-controlled cloud account of a non-Microsoft employee would hold information about trade secrets stolen by a Microsoft employee.) Microsoft probably believed that it would voluntarily refrain from conducting the kind of dragnet through old spreadsheets that I described above.
Hence, Microsoft's reasoning was that over time customers would feel assured because they could see that in practice Microsoft was not abusing its powers and not violating the normal expectations of customers.
I agree with Microsoft that transparency can help to achieve privacy. Transparency can be a form of check and balance, albeit imperfect.
Transparency can help to inform the public whether an institution is behaving responsibly.
Transparency (in this case the commitment to periodic disclosures) can open an institution to criticism. If it discloses, for example, that it searched a customer account looking for a spreadsheet that violates an October 2004 EULA update, then
a) People would complain in public; and
b) Many customers would be spooked and would take their cloud business to competitors.
What keeps an institution honest about its commitment to transparency? Part of the answer is leaks and whistleblowers. If Microsoft says it will make periodic reports – and then fails to report a relevant case of searching – it is taking a big risk. As Edward Snowden and other leakers have proven, Microsoft's secret can leak out. A leak showing that Microsoft defaulted on its commitment to transparency could be devastating to Microsoft's reputation.

Was This Commitment to Transparency Enough?

All of the foregoing is not to say that Microsoft's commitment to transparency was enough to satisfy customers.
At this time I do not judge whether Microsoft's commitment to transparency is “enough.” But as I weigh what Microsoft did to reassure customers, I note that general counsel at Microsoft's competitor Google declares that Google has never investigated a leak of Google intellectual property by searching the content of a customer's Gmail account. Further, says Google counsel, “it’s hard for me to imagine circumstances where we would investigate a leak in that way.”
Ouch. A statement like that from a competitor makes Microsoft uncomfortable.

Microsoft Quickly Changed Course.

Shortly after Microsoft announced its policy of former-judge-plus-transparency, it changed course again. Microsoft declared: “if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.” 

Let's Draw Larger Lessons about Privacy and Transparency.

Whether Microsoft's short-lived commitment to transparency was good enough is a moot question. Microsoft said that rather than relying on the former-judge-plus-transparency model, it would instead rely on law enforcement.
However, Microsoft's thought process can be helpful to institutions and policy makers who strive to handle sensitive data responsibly.
Microsoft wanted to assure its customers. So it committed to seeking the input of a respected third party – a former judge. But it realized this commitment needed more. It therefore committed to transparency. A commitment to transparency is in fact a substantive control in favor of a civil right like data privacy.
An institution like Microsoft will never know for sure whether controls and commitments will satisfy the public or satisfy ethical obligations. But a genuine observation of transparency can help over time. Candid disclosure of the facts, including embarrassing facts, can help to win trust.
As nonprofits, corporations and government entities search for the right ways to manage data, transparency can aid the search. But transparency does not work by itself. Other controls and commitments are needed, such as honesty, deliberation, accountability and more.

What do you think?

By: Benjamin Wright

Related: Transparency makes a block chain more trustworthy.
