Last week Microsoft admitted that it had snooped into a user’s hotmail account in order to pursue an investigation into the theft of Microsoft’s Intellectual Property. Microsoft’s Deputy General Counsel & VP, Legal and Corporate Affairs, John Frank, points out in a blog that, firstly, they were within their rights based on the Terms of Service that the user agreed to when he registered for the account, and secondly that they couldn’t get a court order because they owned the servers hosting the data:
Courts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, there’s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.
In order to address end user privacy concerns stemming from this incident, the blog goes on to assure users that they would only view user data if the circumstances would have warranted a court order to do so, that the circumstances would be evaluated by a legal team outside the investigation, that they would only look at data pertinent to their investigation, and that Microsoft would report on the number of times and number of users affected by said searches in their annual report.
Personally, I expect that anything I send outside my LAN is no longer private. If it’s not over a VPN, it can be sniffed out. If it is stored on someone else’s server, someone else could read it. Mind you, I don’t expect anyone is itching to expose my favorite scalloped turnip recipe, but SaaS provided banking or tax information is potentially snoop-worthy. I seldom read all the way through Terms of Service agreements, and when I have in the past, it’s basically confirmed my suspicion that, if it’s a free service, I give up rights to the information, and, if I’m paying for it, I have a limited expectation of privacy in that the provider shouldn’t be reading my data directly, but the metadata describing my usage is being collected and analyzed.
Now that Microsoft has demonstrated the privacy limits for free services, the question is: what are the limits for paid services?
Microsoft’s first argument for free services was that the user agreed that Microsoft owned the data. That is not the case if you’re paying for a Cloud implementation. In section 2c of the Windows Azure Agreement:
Ownership of Customer Data.
Except for Software we license to you, as between the parties, you retain all right, title, and interest in and to Customer Data. We acquire no rights in Customer Data, other than the right to host Customer Data within the Services, including the right to use and reproduce Customer Data solely as necessary to provide the Services.
Microsoft’s second argument was that they could not get a search warrant to search themselves, even though a warrant was justified. What would it take to justify a warrant for Cloud data? In section 1b of the Agreement, Microsoft defines an acceptable use of the Azure Cloud:
You may use the Product only in accordance with this Agreement. You may not reverse engineer, decompile, disassemble, or work around technical limitations in the Product, except to the extent that applicable law permits it despite these limitations. You may not disable, tamper with, or otherwise attempt to circumvent any billing mechanism that meters your use of the Product. You may not rent, lease, lend, resell, transfer, or sublicense the Product or any portion thereof to or for third parties.
The legalese is vague enough to allow for interpretation as technology develops, and that could lead to unintentional violations. If a Cloud consumer came up with an innovative, wildly effective way of circumventing the “technical limitations” of the product, would violation of the terms of service justify a warrant? What if a subscription to a Cloud based SaaS application began to look a lot like reselling Cloud services?
The caveat here is that, at a minimum, you should read the Terms of Service carefully. And given the vagaries of legal language, get a lawyer to review any agreement for services if you’re going to do something a bit beyond the mainstream.