Microsoft to Include Itself in Future Transparency Reports


The underlying facts are relatively simple. A disgruntled ex-employee, Alex Kibkalo, provided a French blogger with Microsoft source code – specifically the internal SDK used for product key validation. According to the court documents, he "encouraged the blogger to share the SDK with others who might be able to reverse engineer the software and write 'fake activation server' code." This would damage Microsoft's ability to prevent copyright infringement of its products.

The blogger, who had a history of writing on and about Microsoft products, contacted a third party to check the veracity of the code and better understand its workings. That third party, however, contacted Steven Sinofsky, who was at the time president of the Windows Division at Microsoft.

Meanwhile, Microsoft's Trustworthy Computing Investigations (TWCI) department had already been trying to identify the blogger. The external source had told the company that the blogger's request to him had come via a Hotmail account (which happened to be one of the accounts already suspected by TWCI of belonging to the blogger in question).

Having ascertained the email account of a person likely to be holding stolen Microsoft IP, Microsoft then conducted a covert search of the blogger's account. They found an email from Kibkalo that "contained six zip files of pre-release 'hot fixes' for Windows 8 RT for ARM devices, which Kibkalo made accessible through his SkyDrive account. The fixes were not publicly available, as Microsoft had not yet released Windows 8."

Microsoft's legal right to conduct the search is not in question – the terms of service clearly give this right "to protect the rights or property of Microsoft or our customers." What is being asked, however, is whether given the public stance it is taking against covert intelligence agency intrusions, it had the moral right to do so without a warrant.

John Frank, deputy general counsel and vice president, legal and corporate affairs for Microsoft, explained in a blog post on Thursday. "Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed," he wrote. "So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises." Whether the courts would actually refuse a warrant, or refuse even to hear a request for one, might have more to do with the view that this would be a simple contract dispute between supplier and customer.

Nevertheless, it has left Microsoft on slightly sticky moral ground. To solve this it has now amended the relevant terms of service. In future, if it believes it has probable cause for a search, it will obtain a pseudo-warrant from an outside attorney who is a former federal judge. "We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order," explained Frank.

He added that Microsoft will include itself in its own future transparency reports. "We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected."
