Security protections have been tightened at many of the major online services, as firms like Google and Microsoft pledge to protect their users against unwanted prying eyes. But while many people fret about unwarranted government access to their data, the Internet firms themselves play by their own set of rules.
Some of the heat directed lately at the U.S. National Security Agency was focused this week on Microsoft instead. On Wednesday, Microsoft revealed that it had taken a peek at a French blogger’s personal Hotmail emails as part of a company investigation into trade-secret leaks.
Microsoft said it had a right to do so, because its policies allow it to search personal emails to protect its intellectual property. In this case, a former Microsoft employee allegedly leaked Windows RT updates to the blogger via email. Microsoft’s terms of service state that it’s forbidden to use the company’s services to upload or otherwise make available files that contain software or other material protected by intellectual property laws.
“Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion,” the company says in its terms of use.
Microsoft responded to the criticism by pledging to update its procedures to make them more “transparent.” In the future, it said, a separate legal team at Microsoft will review any evidence and proceed “only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable.” It will then submit the evidence to an outside attorney—a former federal judge—and conduct a search only if that person agrees with its conclusions.
But Microsoft’s explanation of why it needs to pursue this route is itself telling. “Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed,” it explained. “So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves.”
In other words, there are no laws preventing Microsoft from looking at the data in its own services, so only Microsoft can decide when it’s appropriate.
It’s not alone in this. Other companies including Google and Yahoo have similar language in their terms of service.
There are at least two class-action lawsuits looking at the way Google’s automated systems scan emails for advertising and other purposes. One of the suits accuses Google of crossing a “creepy line” by scanning the data of Apps for Education users to build profiles that could be used for marketing, according to a report this week in Education Week.
The way Google’s scanning systems work amounts to illegal “interception” or “eavesdropping” under federal and state wiretapping statutes, both suits allege.
When it scans email for advertising purposes, Google isn’t exactly “reading its users’ emails.” It’s all automated, with a machine searching for keywords in the mails and relating them to ads. It’s what allows Google and other companies to offer their services for free. But it still makes some people highly uncomfortable.
Facebook faces a similar lawsuit, which claims the company scans people’s private messages for URLs for “purposes including but not limited to data mining and user profiling.” It’s accused of violating the Electronic Communications Privacy Act, as well as privacy and unfair competition laws in California.
These issues raise questions about the extent to which users should be concerned about the access companies have to their private communications.
With the exception of certain types of information like medical records, your data is basically all there for the taking, said Lorrie Faith Cranor, an associate professor of computer science and of engineering and public policy at Carnegie Mellon University, and director of the CyLab Usable Privacy and Security Lab.
“There’s few restrictions legally on what big companies are allowed to do with your personal data,” she said. “What you purchase, which websites you browse … there’s no law legally saying you can’t look at that,” she said.
There are differences between automatically scanning people’s messages and actually reading them, but in either scenario some actionable use is made of the data. One of the questions, Cranor said, is how that data is put to use.
Scanning emails to prevent spam or viruses is probably fine with most people. But scanning emails to provide targeted ads? That’s where Internet users have mixed feelings.
At the same time, almost all the major Internet firms have bolstered their efforts to protect people’s data from intrusion by outside entities such as governments and hackers. Last month, Microsoft announced availability of its Office 365 Encryption program, which encrypts the emails people send to make snooping harder.
And Google this week said it was removing the option to turn off its HTTPS encryption, to make it harder for others to snoop on people’s email.
For those seeking more online privacy, smaller outfits have cropped up like Syme, an encrypted Facebook-like service, and the messaging app Wickr, which claims to have no way of seeing people’s data even if the company wanted to.
But the major free online services like Facebook and Google are unlikely to be changing their business models any time soon.
“If you’re getting a free service, you’re paying for that service with your data,” said Susan Freiwald, a professor of law at the University of San Francisco, who studies cyberlaw and information privacy. And the fact that your data is stored on a company’s servers, she said, poses risks around its availability to governments, hackers and the companies themselves.
And encryption may only go so far. The topic generated discussion last week at SXSW Interactive in Austin, Texas. During a video interview, NSA contractor-turned-leaker Edward Snowden noted that HTTPS encryption does not prevent service providers from tapping into data stored on their own servers.
End-to-end encryption, which encrypts data before it leaves the user’s own device, is not practical for the Internet giants because it conflicts with their business models, Chris Soghoian, a senior policy analyst at the ACLU, said during the event. That’s because it prevents them from scanning content for advertising or other purposes.
“The tools designed with security as a first goal are often developed by independent developers, activists and hobbyists,” he said.
In other words, if you’re using one of the major online free services, be careful what you say. As the University of San Francisco’s Freiwald put it: “There’s a lot less security online than people think.”