I’m reading about how Microsoft read a blogger’s Hotmail (or other Microsoft hosted email) to determine who leaked Microsoft information to that blogger. Microsoft’s response is pathetic, stating that “the privacy of our customers is incredibly important to us” in the same post that explains that they’ll keep doing it.
While I think that doing this is both evil and shortsighted (they lose trust and users), the only thing that surprised me was that they admitted it.
As the Guardian points out, other email providers also reserve the right to do this in their terms of service.
I have first hand knowledge of this. A few years ago, I’m nearly certain that Google accessed my Gmail account after I broke a major story about Google.
A couple of weeks after the story broke my source, a Google employee, approached me at a party in person in a very inebriated state and said that they (I’m being gender neutral here) had been asked by Google if they were the source. The source denied it, but was then shown an email that proved that they were the source.
The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account.
A little while after that my source was no longer employed by Google.
I certainly freaked out when this happened, but I never said anything about it because I didn’t want people to be afraid to share information with TechCrunch. But I became much more careful to make sure that communications with sources never occurred over services owned by the companies involved in the story.
So, yeah, the Guardian story is accurate.
Update: Google says this never happened (also in a comment below that I just approved). Some of the wording is (just slightly) odd (“opened” denial v. “accessed” accusation) but I assume that was inadvertent and they’re flatly denying this whole story.
Uncrunched 
Are you nearly certain:
“I’m nearly certain that Google accessed my Gmail account ”
Or
100% certain:
“So, yeah, the Guardian story is accurate.”
There is a major informative (as well as liable) difference between your two statements here.
I can’t be 100% certain…the source could have lied to me, for example. But I’m nearly certain.
Pedestrian question: Could Google have accessed your source’s non-Gmail account through your source’s work computer?
This happens all the time at Google, actually.
It wasn’t just a case of “leaked information” in the Microsoft case. There was outright theft of Microsoft intellectual property (including Activation Server source code) by an employee, who passed it along to the blogger. There was a criminal investigation involving the FBI and foreign law enforcement. Somehow you kind of left all that out in your attempt to equate criminal activity with normal (if somewhat lame) journalism.
Except what you said isn’t accurate. MS suspected and the law enforcement activity wasn’t started yet when the Hotmail account was accessed. You seem to remove the logic step going from “suspicion” to “knowing”. The idea that an email provider should be going into accounts they host simply because they suspect nefarious behavior against them is a terrible one to promote.
I would think a journalist would be better off not using the cloud for email storage at all, call me crazy, but, just because the story is not about your cloud provider doesn’t mean your cloud provider has no incentive to help the companies you do write about. Think of all the companies that share board members… Let’s say you write a story about compromized Cisco routing equipment, are you sure the board member Google and Cisco share won’t be discussing the leak?
What’s the logical extension of this type of clause?
If you apply for a job at Google or Microsoft, would it be in their interest to scan your box for information about your health or personal life before they hire you?
Sure, for the vast majority of hires, that is overkill. But senior hires?
I’d really like to know how often the tech companies use that sort of clause. CEOs have been asking the government for permission to publish the numbers and situations in which they look at user’s data when the government requests.
Why not start the discussion by telling us when they look at our information for their own purposes?
fantastic point
I believe Microsoft just stated recently that aside from putting additional layers before they access an email account for their own investigation purposes, they will also add a summary of these activities in their annual disclosure report.
Well, this pretty much sealed the deal for me. I’m getting out of the “free to use” email services. I’ve been taking the past few months to wind down my social networks and I’m almost nearing completion to deletion! Now having proof that Microsoft & Google and probably Yahoo all feel it’s their right to look through your accounts info if they think it concerns them, or at least that’s what they say. What’s stopping them from reading everyone’s emails at anytime? We now know… Nothing is stopping them. Maybe a few thousand/millions of cancelled accounts? I now am sure there’s no other way. It’s time to tell these companies that it’s not okay to be the CIA’s & NSA’s stooge and it’s not okay to act like the CIA & NSA and do whatever you want, whenever you want and call it legal… Thoughts of starting a boycott of these things is playing heavily on my mind. Hopefully, it won’t come to that but I really do feel it’s time for all of us to start sending REAL messages that these types of practices aren’t okay and if legal, shouldn’t be…
Google also spied on my email, it even deleted emails sent to me from people working from the US government meaning google was collaborating with them in deleting some evidence
Well who’s ever running the Algos has the control. Last year Google Plus didn’t like my “real name” that works everywhere else and suspended me out of the blue…for being a “Duck” my real last name. Machines had not learned enough yet:) The story rolled all through MIT and Engadaget on that one.
http://ducknetweb.blogspot.com/2013/01/im-sorry-your-google-plus-name-does-not.html
Are you admitting that you completely screwed this person by using Gmail, and that you’re going to try to make amends?
Probably not, but hey good game, right?
I’d imagine that the google employee was in a better position than me to decide whether or not to send me email at my gmail account.
Hm, that is true. Good response. What the heck were they thinking?
You can use secure email and private cloud Storage on your own appliance which you own and control.
The best option option is Starkit, a fanless, miniature high performance server appliance with a secure built-in Mail Server and Cloud storage software.
-It is bundled with Web Based interface for anywhere access and can be utilized for encrypted private email communication and secure storage.
-All your data is fully encrypted at rest and in transit (email and documents).
-Using Starkit you eliminate the need of any email provider (like Gmail, Outlook or Office365) or any cloud storage provider (like Dropbox).
-Your email and cloud service provider is your Starkit appliance which you own and control.
-True Plug’n’Play solution. No technical skills required to set it up.
Michael I don’t think you understand companies at all. Or even law itself. MS,has the right to check that persons email because of the fact that person stole code and keygens from the company. Even if he signed the agreement to work at MS. He can’t leak confidential info. Which is why MS checked.
study Law Michael please. For your own sake
well I did spend three years at Stanford studying law, and was a corporate attorney for a while, but that’s not really the issue.
Lol…perfect reply
The problem is MS snoop on the blogger’s hotmail account, which is not an MS employee
I think if you would have deleted that correspondence from your google mailbox, then also google would not be able to spy on it as it may be deleted (not sure) from their servers
gmail stays on their servers for at least 60 days, probably in their backup logs/files forever
Incredible story! You should always use PGP at least,
but the fact is that these things can make you paranoid
This is a bit silly, no? Of course Google is allowed to read the emails of its own employees, which is the most likely what happened. Google read the email that this person sent to you. This doesn’t mean they broke into *your* inbox. No?
I am probably THE LAST person to support Micro$oft on anything, but I have to admit their new process is certainly one that covers a lot of points that people are making on /. and other areas: transparency, getting others involved.
Of course, these “external” parties could be in the back-pocket of MSFT, but at the end of the day, if you believe in conspiracy theories, then you believe in all of them.
I am Google’s General Counsel. Mike makes a serious allegation here–that Google opened email messages in his Gmail account to investigate a leak. While our terms of service might legally permit such access, we have never done this and it’s hard for me to imagine circumstances where we would investigate a leak in that way.
This is very good to hear. But if it’s hard to imagine circumstances in which you would do something like this — if you don’t think it would ever be necessary — perhaps you should consider changing your terms of service to make it legally impossible. That would send a strong signal.
Any comfort gained by Google’s lawyer stating they haven’t done this … yet … is so far outweighed by your terms of service permitting the activity. But then, I switched away from Gmail about a year ago out of concern for my privacy.
Actually ALL companies (small and large) have various ways of tracking content transmitted over their network and their machines. This has mostly to do with security and compliance. For example watching illegal video over company network will put company in trouble, if they are not preventing your via firewall, they are definitely tracking the fact that ‘you’ watched ‘that’ video. When at work assume your every keystroke is ‘watched’. So at work, just work.
To goof off, do it in your own time using your own resources…
As a computer scientist we are screaming to “journalist” they are not protecting they source by using “gmail” “microsoft” “yahoo” etc… email services. Those were not even 1 years ago cyphered… and yet not enough protected against these same company that holds the privates keys !!
All spouses of Google employees should be aware that they too are also under constant surveillance. Once my wife had started at Google I had the constant feeling that I was being observed and that strange coincidences were occurring. My wife became secretive. She would be aware of places I had been and people I had spoken to without any real ability to have known this unless she’d been provided this info by Google. My advice de-Google your life ASAP.
Oh do get a life. Never heard of private detectives? She’s on to you!