Can Consumers Flee ‘Free Services’ Where Provider is Both the Judge and Prosecutor?

Consumers should be careful, however, since in this case there is no way to verify the data privacy claims that vendors make.

31 March 2014


Recently the WSJ reported that Microsoft will be changing its policies around accessing users’ information “after the company faced scrutiny for searching a user's Microsoft email account to investigate a leak of company software.”

Microsoft's terms of service grant the organization the right to access users' messages and to reply to any law enforcement requests.  After news broke that the company searched a private email account as part of this investigation, the WSJ reports that “Microsoft said it would act differently in the future."

Here are my thoughts on the subject. First, the title Microsoft to Change Policies for Accessing User Emails implies Microsoft is voluntarily promoting a positive change for everyone’s good, but their plans raise more concerns than solutions. Will the change be significant? They announced they will use a private lawyer (who cares if that person is a former judge?) to review evidence and authorize the search of their users’ data. Microsoft points out that those users have agreed to allow the company access to these types of searches, but since when do end user agreements trump constitutional rights?

Let’s put rhetorical questions aside for now and consider what options consumers realistically have here. One option is to look for a service that values their privacy and the security of their data. Consumers should be careful, however, since in this case there is no way to verify the privacy claims that vendors make. That said - consumers are not powerless against big companies. Even though they cannot vote with their dollars, since the services are ‘free’, they can start abandoning them in droves - which will certainly get the attention of the Microsofts of the world.

Of course, media praising big corporations for doing nothing but damage control does not induce proper discussion and does not help promote changes for the consumer’s benefit.

Another option is to find a vendor who has a traditionally strong enterprise customer base and use their free or low-cost services, if available. At least in this case, one can be sure that paying customers have verified the vendor’s security and privacy claims. I know this is not always that simple since some vendors, who have large non-paying user bases, add-on enterprise features like ‘configuration management and reporting’ and market ‘good for business’ solutions.

Most of the time, these extra features are available only to paying users, leaving the privacy of the vast majority of their users to chance. In my opinion, one effect of IT consumerization is that more stringent standards should be applied to consumer services - ones which have IT-level controls. Consumerization in this context only means that the IT systems must be user friendly, not that consumer products must have low-grade security and privacy. My point is, most of those services that aspire to be good enough for business are not good enough for consumers. Take for example, that it is tax season. How many people have emailed their tax documentation (both personal and business related) to their accountants? How many of us used email or free file sharing services to communicate mortgage-related information? How comfortable are we that companies like Microsoft or Google have all that information indexed and will sell it for a nominal fee?

I personally feel that it is outrageous that Microsoft will search people’s email for any reason without their consent or a warrant. The person they caught may well be a criminal, but this person still has his fourth amendment rights. I hate to say this about someone who essentially breached his employer’s valuable private data, but I hope higher court will find the evidence inadmissible. Microsoft did not have to violate their email user’s privacy – they could have, and should have, gotten a warrant first.

One good thing I hope will come out of this is that people will start thinking twice about the price they pay for their ’free’ services.

Mushegh Hakhinian

Mushegh Hakhinian

Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian lead security functions at a multi-tenant online banking service provider and an international bank.