A Guide to Knowing What Microsoft Knows About You
Remember the website Cryptome? The site was quite popular because it posted material such as confidential corporate documents and sensitive government data for anyone interested in browsing them. However, it was recently shut down after it posted what amounts to a spy guide for those enforcing the law. This handbook, called the ‘Microsoft Online Services Global Criminal Compliance Handbook’, outlines the different kinds of information that Microsoft Corporation retains and controls on its customers. This is the kind of information it collects when you join and use Hotmail, Office Live, or even Xbox Live!
This Interesting Handbook
This handbook serves as a guide for law enforcement officials who want to gain access to the extensive database of information that Microsoft stores on and for its user base. It gives diagrams, guidelines and sample language for subpoenas, and explains how to make sense of server logs. Although the guide only touches the surface of how to gain access and doesn’t really go into detail (it is only 22 pages long), it still gives the reader a pretty good idea of how to hunt for data on Microsoft systems.
Which Microsoft Services Are Covered in the Guide?
The sites mentioned in the guide are MSN Groups, Hotmail, Windows Live Messenger, Windows Live Spaces, MSN, Xbox Live, Microsoft, Office Live, Windows Live ID and Windows Live. Since Microsoft retains a lot of data on users, especially those using Microsoft services online, these databases may be accessed. The information ranges from addresses and birth dates to credit card numbers and even emails sent and received, both current and past. Microsoft often retains this information for a set time period, but there is also information that it keeps forever.
What Microsoft May Have On You
What data on you can be accessed depends on which Microsoft applications and services you use. Here is the kind of information that Microsoft may keep about you.
First, for those who use Hotmail, the information you share with Microsoft is usually kept for as long as the account stays active. However, as standard procedure, historical IP connection records are not kept for longer than 60 days. If your Hotmail account stays inactive for 60 days, your email is deleted after those 60 days. Further, if you never reactivate your email account, even the Windows Live Hotmail and MSN Hotmail free services become dormant. If an email is older than 180 days, it can be accessed by government officials acting in an official capacity under ECPA provisions. However, a search warrant is required if they want to access emails that are less than 180 days old.
Second, Xbox Live is another service that retains a lot of user information. This may include your phone number, credit card number, gamertag, Xbox Hotline service request number, your first and last name and corresponding zip code, the serial number if your Xbox unit was registered online, your email account and any accounts with an account name using Windows Live ID, and a gamertag’s lifetime IP history. Just remember that if your Xbox is ever stolen, information like this is useful for tracking it down, which is why you give them this information in the first place.
Third is Windows Live ID. Information like passwords and user names is the kind of data stored here. Windows Live ID has a wide global reach, which means that law enforcement agencies can access a lot of this data online, including personal information that you share while surfing the Web, especially since Microsoft retains the 10 most recent record combinations of your IP connection and Microsoft site information.
In-the-Cloud Personal Information Storage
The handbook also covers the products Windows Live SkyDrive and Office Online. One question still needs to be answered: will law enforcement actually have access to the sensitive information that companies and individuals store online? In-the-cloud computing is getting more popular by the moment. However, because of this guidebook, people may think twice about using these services.
Some may take comfort in the fact that there are still legal procedures that law enforcement has to follow to make access to Microsoft databases of information more lawful. The last page of the guide details this kind of information. But the fact that wiretapping happens without warrants may still make others a little nervous.
Short History on the Guide
With the release of the guide, Microsoft immediately responded to Cryptome’s administrator (John Young) with a notice alleging that the posting infringed copyright under provisions of the DMCA, or Digital Millennium Copyright Act. The DMCA criminalizes copyright infringement (since 1998) as well as indirect infringement of copyright such as the circumvention of an access control.
Some, like the Electronic Frontier Foundation, are skeptical that invoking copyright law is a solution, since this manual is not being marketed and sold by Microsoft Corporation. The EFF considers it a case of fair use. But in the end Microsoft did prevail, despite the fact that the EFF found that basing the argument on the DMCA basically only deepened the problem of censorship. After the complaint by Microsoft, Cryptome was ordered to shut down, which caused John Young to file a counterclaim.
In the end, there will have to be a better solution to the whole situation, with Microsoft working directly with law enforcement to prevent users and their personal information from becoming too vulnerable to the public. Also, having websites like Cryptome is essential. Sites like these help maintain checks and balances on huge companies that think they own user data and can put this data in danger of being used against their customers.