Microsoft
(temporarily) adopted a policy of transparency to address a privacy
issue. Transparency can indeed help show that an institution is
handling privacy responsibly, even though Microsoft decided it was
not enough in this particular case.
Cloud Provider Searches Customer Content!
Here
is the story behind Microsoft's temporary, special policy of
transparency.
Court
documents revealed that Microsoft searched the content
of a Hotmail
account belonging
to a Microsoft customer. The
customer was
an
independent
blogger who did not work for Microsoft. (Hotmail
is a webmail
service
also known as Outlook.com, owned
and operated by Microsoft.)
Microsoft
searched the account as part of an investigation into the alleged
theft
of Microsoft
trade
secrets by a now-former Microsoft
employee.
The
trade secrets in question were software code.
Microsoft's
decision to search a customer account raises privacy worries.
Microsoft is a cloud computing service provider. Hotmail is one of
Microsoft's cloud offerings, just as OneDrive is one of Microsoft's
cloud offerings. When customers use Microsoft's cloud services, they
store data like email and files with Microsoft and they expect
Microsoft to provide some degree of protection for the data.
Microsoft
said it had legal permission to search the Hotmail account because
the terms agreed by the customer permit Microsoft to conduct searches
to protect Microsoft rights and intellectual property.
Microsoft as Intellectual Property Search Monster?
But
as a long-time Microsoft customer, I myself am squeamish about
Microsoft searching my cloud-stored content for evidence of
intellectual property infringement (or some other violation of
Microsoft's rights). I have been using Microsoft products and
services for almost three decades. In all those years I have clicked
on and agreed to hundreds if not thousands of Microsoft End User
License Agreements (EULAs) and terms of service. Those long-winded
EULAs have come to me when I have
*
opened/initiated/installed
fresh versions of Microsoft desktop
software
(Windows, Office, Money,
Windows Defender, Streets and Trips, etc., etc.);
*
installed updates;
*visited
Microsoft web sites, such as to download clipart; and
*
opened
accounts to use services, such as Windows Live Messenger, which is
now retired.
Even
though I am a tech lawyer, I have not read and remembered every
word of every
one of those complex agreements. (Have
you?)
Over
all the years, I have indeed tried to comply with Microsoft's
agreements, and
I still try to this day.
But I must say that sometimes
those
agreements have confused and surprised me. As
the
years have gone by, Microsoft
has
published
subtly
different
EULAs for similar products (e.g.,
Office
Home and Business Edition, Office Starter Edition, Office
Web Apps Edition, Office
Blah-Blah-Blah Edition).
In
addition to using Microsoft desktop products, I use its cloud
services like Outlook.com and OneDrive. I store data and files in
those services.
By
contract to which I have agreed, Microsoft
has
reserved
the right to search my content for evidence
that I have violated Microsoft's
legal
rights or
intellectual property. OK. A deal is a deal. I
agreed to let Microsoft search through my files
and documents
for that purpose.
However,
I'd
be disappointed if
Microsoft
conducted a dragnet through my documents looking for evidence that I
violated a long-forgotten EULA (forgotten
by me).
For all I know, some spreadsheet I created in 2005 (and
haven't touched since) contains
a
tell-tale sign
that I did not comply precisely with the EULA for an
October 2004 update
to Office 2003, a
product I have not used in years.
If
Microsoft did engage in that kind of dragnet, customers like me would
be motivated take our cloud computing business elsewhere. We'd be
motivated to move our old archives like that spreadsheet to
competitors like Dropbox or Google Drive.
Microsoft Wants to Re-assure Its Cloud Storage Customers.
Microsoft
seems to understand the problem I have just described. Microsoft does
want to keep good customers like me in its cloud computing tent.
Therefore,
shortly after Microsoft articulated the (probably valid) legal
grounds for its search of the blogger's Hotmail account, Microsoft
made an additional public announcement. The announcement had two
components:
1.
Microsoft said that before it searched the contents of a customer's
cloud account, it would seek an opinion from a former US federal
judge. This former judge (presumably under the pay of Microsoft)
would opine hypothetically on whether Microsoft possessed enough
evidence of wrongdoing to justify a court order that the account be
searched. If the former judge did so opine, then Microsoft would
reserve the right to search the account.
2.
Microsoft committed to a form of transparency.
It said it would
periodically report to the public about any incidents in which
Microsoft actually executed on a search of a customer's cloud
account.
Transparency |
“Microsoft
to Change Policy on User Data,”Wall Street Journal, March 21, 2014.
What Benefit Does Transparency Provide?
I
think Microsoft committed to the transparency report because it would
help set its cloud customers' mind at ease. Customers might suspect
the former judge would have a conflict of interest when s/he
evaluates Microsoft's evidence; Microsoft is paying the former judge.
Microsoft
probably believed that the number of instances in which it actually
searched customer accounts would be few. (It is rare that the
Microsoft-controlled cloud account of a non-Microsoft employee would
hold information about trade secrets stolen by a Microsoft employee.)
Microsoft probably believed that it would voluntarily refrain from
conducting the kind of dragnet through old spreadsheets that I
described above.
Hence,
Microsoft's reasoning was that over time customers would feel assured
because they could see that in practice Microsoft was not abusing its
powers and not violating the normal expectations of customers.
I
agree with Microsoft that transparency can help to achieve privacy.
Transparency can be a form of check and balance, albeit imperfect.
Transparency
can help to inform the public whether an institution is behaving
responsibly.
Transparency
(in this case the commitment to periodic disclosures) can open an
institution to criticism. If it discloses, for example, that it
searched a customer account looking for a spreadsheet that violates
an October 2004 EULA update, then
a)
People would complain in public; and
b)
Many customers would be spooked and would take their cloud business
to competitors.
What
keeps an institution honest about its commitment to transparency?
Part of the answer is leaks and whistleblowers. If Microsoft says it
will make periodic reports – and then fails to report a relevant
case of searching – it is taking a big risk. As Edward Snowden and
other leakers have proven, Microsoft's secret can leak out. A leak
showing that Microsoft defaulted on its commitment to transparency
could be devastating to Microsoft's reputation.
Was This Commitment to Transparency Enough?
All
of the foregoing is not to say that Microsoft's commitment to
transparency was enough to satisfy customers.
At
this time I do not judge whether Microsoft's commitment to
transparency is “enough.” But as I weigh what Microsoft did to
reassure customers, I note that general counsel at Microsoft's
competitor Google declares that Google has never investigated a leak
of Google intellectual property by searching the content of a
customer's Gmail account. Further, says Google counsel, “it’s
hard for me to imagine circumstances where we would investigate a
leak in that way.”
Ouch.
A statement like that from a competitor makes Microsoft
uncomfortable.
Microsoft Quickly Changed Course.
Shortly
after Microsoft announced its policy of
former-judge-plus-transparency, it changed course again. Microsoft
declared: “if we receive information indicating that someone is
using our services to traffic in stolen intellectual or physical
property from Microsoft, we will not inspect a customer’s private
content ourselves. Instead, we will refer the matter to law
enforcement if further action is required.”
Let's Draw Larger Lessons about Privacy and Transparency.
Whether
Microsoft's short-lived commitment to transparency was good enough is
a moot question. Microsoft said that rather than relying on the
former-judge-plus-transparency model, it would instead rely on law
enforcement.
However,
Microsoft's thought process can be helpful to institutions and policy
makers who strive to handle sensitive data responsibly.
Microsoft
wanted to assure its customers. So it committed to seeking the input
of a respected third party – a former judge. But it realized this
commitment needed more. It therefore committed to transparency. A
commitment to transparency is in fact a substantive control in favor
of a civil right like data privacy.
An
institution like Microsoft will never know for sure whether controls
and commitments will satisfy the public or satisfy ethical
obligations. But a genuine observation of transparency can help over
time. Candid disclosure of the facts, including embarrassing facts,
can help to win trust.
As
nonprofits, corporations and government entities search for the right
ways to manage data, transparency can aid the search. But
transparency does not work by itself. Other controls and commitments
are needed, such as honesty, deliberation, accountability and more.
No comments:
Post a Comment