Microsoft's Spy Guide: What You Need to Know
Since 1996, the whistleblower site Cryptome has been posting sensitive government and corporate documents. Now Cryptome has been stricken from the Web after releasing the Microsoft Online Services Global Criminal Compliance Handbook
, a "spy guide" for law enforcement detailing what data Microsoft has, keeps, and can relinquish. Since most of you are Microsoft users, there are a few tidbits of information you'll need to know before purchasing Xbox Live points, logging onto Office Live, or sending an e-mail through Hotmail.(Editor's Note: See Microsoft Relents, Cryptome Returns for an update on this issue.)
What is the "Spy Guide"?
The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.
I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.
Which of My Microsoft Services are Affected?
All sorts. Microsoft keeps user information related to its online services. The data ranges from past e-mails to credit card numbers. The information is kept for a designated period of time, sometimes forever.
The sites referenced are:
- Windows Live
- Windows Live ID
- Microsoft Office Live
- Xbox Live
- Windows Live Spaces
- Windows Live Messenger
- MSN Groups
Some of these Microsoft services may not apply to a whole lot of people. Who uses MSN Groups, for instance? But accessing personal information from Xbox Live accounts, for example, could be a big problem for 23 million subscribers; especially since Xbox Live keeps more data than many of Microsoft's other services.
What Information Does Microsoft Have?
It depends on the service. We'll deal with the big dogs here:
Windows Live ID
Windows Live ID is a one-stop shop for user info retention and is used on a multitude of sites to limit scattered user names and passwords. Due to its wide reach, Windows Live ID could allow law enforcement agencies to access tons your personal Web surfing information. Microsoft keeps "the last 10 Microsoft site and IP connection record combinations (not the last 10, consecutive IP connection records)."
All things considered, that's not bad. It gets worse.
"E-mail account registration records are retained for the life of the account. Internet Protocol connection history records are retained for 60 days," according to the document. But if you, like many, switched over to Gmail and let your Hotmail account lapse, all e-mail content is "typically deleted after 60 days of inactivity. Then if the user does not reactivate their account, the free MSN Hotmail and free Windows Live Hotmail account will become inactive after a period of time."
E-mail content that is older than 180 days can be disbursed "as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705)." If the content is less than 181 days, you need a search warrant.
Xbox Live stores a lot of information:
- Credit card number
- Phone number
- First/last name with zip code Serial number but only if box has been registered online
- Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)
- E-mail account (e.g. @msn.com, @hotmail.com or any other Windows Live ID account name)
- IP history for the lifetime of the gamertag (only one gamertag at a time)
This information comes in handy for non-nefarious purposes, just so you don't get completely paranoid. For instance, if your Xbox 360 console is stolen, Microsoft can hunt it down lickety-split using its vast tracking records of you and your machine.
Office Online and Windows Live SkyDrive
The scariest part of the handbook comes here. Office Online and Windows Live SkyDrive are both services that store documents and files in the cloud. The two pages devoted to these services describe only what the products are and not the access Microsoft has to pertinent information. What can Microsoft get at? How long is everything stored? What are the legal parameters? All of this is uncertain and worthy of a little spine-shake.
Cloud computing is the next big thing in technology. Companies are apt to store sensitive financial and human relations documents in one of Microsoft's clouds. If prompted by the government, Microsoft could (or couldn't?) dip its fingers into your spreadsheets and extract all it wants.
The last page of the document details the legal procedures required to obtain Microsoft's information, but with warrantless wiretapping being such a big fad lately -- as evidenced lately by Google's shady dealings with the NSA -- one never knows how many reams of red tape the government can snip through to get what it wants.
A Brief Case History
It's uncertain as to how John Young, Cryptome's proprietor, obtained The Global Criminal Compliance Handbook; what's assured is that it caught Microsoft's attention. The corporation quickly filed a Digital Millennium Copyright Act (DMCA) notice alleging copyright infringement.
In 1998, the DMCA criminalized production and dissemination of tech methods intended to skirt protections such as DRM that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.
Some organizations have a problem with Microsoft's use of the DMCA in this case. "[The Electronic Frontier Foundation" find[s] it troubling that copyright law is being invoked here. Microsoft doesn't sell this manual. There's no market for this work. It's not a copyright issue. John [Young's] copying of it is fair use. We don't do this anywhere else in speech law," Cindy Cohn of the Electronic Frontier Foundation told ReadWriteWeb. Cohn stated that in cases involving libel or trade secrets there is a procedure of going to court, making a case, and getting an injunction -- filing a DMCA complaint "makes censorship easy."
Either way, Microsoft prevailed. Cryptome's host, Network Solutions, tore the site down. Young filed a counterclaim yesterday.
Personally, I feel The Global Criminal Compliance Handbook isn't as nightmarish as some may paint it (save for the cloud computing part). Microsoft needs to have measures to work with the government in cases of danger, plain and simple. But with so much data out there, so much of it "owned" by Microsoft, I cannot help but feel exposed and vulnerable.
And for the sake of Internet freedom, it's crucial that Cryptome is released back into the wild. The site serves a clear and important purpose; its latest -- and perhaps last -- release proves that point.