Microsoft Does Some Scroogling to Catch a Thief
Microsoft's nosing around in a Hotmail user's account may have been completely justified under the circumstances -- the company was gathering evidence to prosecute the theft of its intellectual property -- but it still may have caused some embarrassment for the company. Microsoft has been pummeling Google for what it considers an invasion of email users' privacy.
Microsoft, which has been mocking Google's searching of Gmail subscribers' emails with its "Scroogled" campaign, is fielding criticism for having itself searched the email of a Hotmail user.
The search, which came to light last week, was conducted after Microsoft found that Alex Kibkalo, an employee who worked for it in Lebanon, had stolen proprietary code and shared it with the Hotmail user, a blogger.
Microsoft later turned over the information to the FBI, which reportedly has filed a complaint in a Washington court alleging Kibkalo stole trade secrets.
"Microsoft appears to have acted reasonably under the circumstances, and engaged the FBI upon knowing of the theft," patent and IP lawyer Raymond Van Dyke told TechNewsWorld.
"Users of software, which is only licensed and not owned, grant the providers broad rights regarding that account," Van Dyke explained. "Here Microsoft, the licensor and owner of the email account in question, investigated an actual or presumed abuse of the software, such as in furtherance of a crime -- code theft."
The Charges Against Kibkalo
The FBI last week filed its complaint in U.S. v. Kibkalo before United States Magistrate Judge Mary Alice Theiler in the U.S. District Court for the Western District of Washington in Seattle.
The complaint alleges Kibkalo, formerly a software architect with Microsoft, stole trade secrets, specifically Microsoft's Activation Server SDK.
Kibkalo reportedly is being held without bail and is being represented in court by public defender Russell Leonard.
Jokes and Daggers
Kibkalo, a Russian national, apparently stole the SDK in August of 2012 in retaliation for having received a poor performance review.
He allegedly sent the SDK to a blogger in France who then asked a third party, reportedly a Microsoft employee, to authenticate it. That person contacted a former Microsoft executive who apparently alerted Redmond.
Microsoft internal investigators interviewed the third party, who disclosed a Hotmail account used by the blogger.
In September 2012, Microsoft's Office of Legal Compliance reportedly approved a search of that account. The search discovered emails from Kibkalo to the blogger indicating he had leaked unreleased Windows 8 code.
On being interviewed by Microsoft, Kibkalo apparently admitted to leaking the code to the blogger. The blogger apparently admitted to knowingly obtaining confidential and proprietary information from Kibkalo and selling Windows Server activation keys on eBay.
Microsoft then turned over the case to the FBI, which launched an investigation in July 2013.
We Got the Power
Microsoft believes "Outlook," as the Hotmail email service has been renamed, should be private, said Deputy General Counsel John Frank.
The searches of the blogger's Hotmail account constituted "extraordinary actions based on the specific circumstances."
The blogger "had a history of trafficking for profit in this type of material," and Microsoft launched an investigation "over many months with law enforcement agencies in multiple countries," Frank said. He did not indicate whether the agencies were involved before or after the case had been turned over to the FBI.
There is no process for seeking a court order for an internal investigation relating to information stored on servers on one's own premises, Frank pointed out. Microsoft is strengthening its policies relating to its customers.
Microsoft's Terms of Service "specifically state that Microsoft can and will gain access to an account if they believe a crime has been committed," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
It's likely that Gmail and Yahoo Mail have similar terms in their ToSes, he added, because "these things tend to be pretty standardized, and you'd think companies might want to be free to go into their own services to discover theft against them."