Menu
Worried about the government? Internet giants also dip their hands in the cookie jar

Worried about the government? Internet giants also dip their hands in the cookie jar

Internet companies can access your data even as they secure it from intrusion by others

Security protections have been tightened at many of the major online services, as firms like Google and Microsoft pledge to protect their users against unwanted prying eyes. But while many people fret about unwarranted government access to their data, the Internet firms themselves play by their own set of rules.

Some of the heat directed lately at the U.S. National Security Agency was focused this week on Microsoft instead. On Wednesday, Microsoft revealed that it had taken a peek at a French blogger's personal Hotmail emails as part of a company investigation into trade-secret leaks.

Microsoft said it had a right to do so, because its policies allow it to search personal emails to protect its intellectual property. In this case, a former Microsoft employee allegedly leaked Windows RT updates to the blogger via email. Microsoft's terms of service state that it's forbidden to use the company's services to upload or otherwise make available files that contain software or other material protected by intellectual property laws.

"Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion," the company says in its terms of use.

Microsoft responded to the criticism by pledging to update its procedures to make them more "transparent." In the future, it said, a separate legal team at Microsoft will review any evidence and proceed "only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable." It will then submit the evidence to an outside attorney -- a former federal judge -- and conduct a search only if that person agrees with its conclusions.

But Microsoft's explanation of why it needs to pursue this route is itself telling. "Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed," it explained. "So even when we believe we have probable cause, it's not feasible to ask a court to order us to search ourselves."

In other words, there are no laws preventing Microsoft from looking at the data in its own services, so only Microsoft can decide when it's appropriate.

It's not alone in this. Other companies including Google and Yahoo have similar language in their terms of service.

There are at least two class-action lawsuits looking at the way Google's automated systems scan emails for advertising and other purposes. One of the suits accuses Google of crossing a "creepy line" by scanning the data of Apps for Education users to build profiles that could be used for marketing, according to a report this week in Education Week.

The way Google's scanning systems work amounts to illegal "interception" or "eavesdropping" under federal and state wiretapping statutes, both suits allege.

When it scans email for advertising purposes, Google isn't exactly "reading its users' emails." It's all automated, with a machine searching for keywords in the mails and relating them to ads. It's what allows Google and other companies to offer their services for free. But it still makes some people highly uncomfortable.

Facebook faces a similar lawsuit, which claims the company scans people's private messages for URLs for "purposes including but not limited to data mining and user profiling." It's accused of violating the Electronic Communications Privacy Act, as well as privacy and unfair competition laws in California.

These issues raise questions about the extent to which users should be concerned about the access companies have to their private communications.

With the exception of certain types of information like medical records, your data is basically all there for the taking, said Lorrie Faith Cranor, an associate professor of computer science and of engineering and public policy at Carnegie Mellon University, and director of the CyLab Usable Privacy and Security Lab.

"There's few restrictions legally on what big companies are allowed to do with your personal data," she said. "What you purchase, which websites you browse ... there's no law legally saying you can't look at that," she said.

There are differences between automatically scanning people's messages and actually reading them, but in either scenario some actionable use is made of the data. One of the questions, Cranor said, is how that data is put to use.

Scanning emails to prevent spam or viruses is probably fine with most people. But scanning emails to provide targeted ads? That's where Internet users have mixed feelings.

At the same time, almost all the major Internet firms have bolstered their efforts to protect people's data from intrusion by outside entities such as governments and hackers. Last month, Microsoft announced availability of its Office 365 Encryption program, which encrypts the emails people send to make snooping harder.

And Google this week said it was removing the option to turn off its HTTPS encryption, to make it harder for others to snoop on people's email.

For those seeking more online privacy, smaller outfits have cropped up like Syme, an encrypted Facebook-like service, and the messaging app Wickr, which claims to have no way of seeing people's data even if the company wanted to.

But the major free online services like Facebook and Google are unlikely to be changing their business models any time soon.

"If you're getting a free service, you're paying for that service with your data," said Susan Freiwald, a professor of law at the University of San Francisco, who studies cyberlaw and information privacy. And the fact that your data is stored on a company's servers, she said, poses risks around its availability to governments, hackers and the companies themselves.

And encryption may only go so far. The topic generated discussion last week at SXSW Interactive in Austin, Texas. During a video interview, NSA contractor-turned-leaker Edward Snowden noted that HTTPS encryption does not prevent service providers from tapping into data stored on their own servers.

End-to-end encryption, which encrypts data before it leaves the user's own device, is not practical for the Internet giants because it conflicts with their business models, Chris Soghoian, a senior policy analyst at the ACLU, said during the event. That's because it prevents them from scanning content for advertising or other purposes.

"The tools designed with security as a first goal are often developed by independent developers, activists and hobbyists," he said.

In other words, if you're using one of the major online free services, be careful what you say. As the University of San Francisco's Freiwald put it: "There's a lot less security online than people think."

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is zach_miners@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags social mediaprivacyMicrosoftinternetGoogleFacebooklegalsocial networkinganalyticsMailYahooInternet-based applications and servicesDesktop security

Events

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments