Email is more broken than you think
If you're hiding something from Microsoft, you'd better not put it on Hotmail.
It came out yesterday that the company had read through a user's inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that it could have gotten a warrant if it had needed one. By all indications, the fallout is just beginning.
But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it's Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they're providing important services, paying our server bills, and, for the most part, we trust them. But this week's Microsoft news has chipped away at that trust, and for many it's made us realize just how frightening the system is without it.
We've known for a while that email providers could look into your inbox, but the assumption was that they wouldn't. Even a giant like Microsoft is likely to sustain lasting damage, simply because there are so many options for free web-based email. Why stick with Microsoft if you trust Apple or Google more? But while companies have created a real marketplace for privacy and trust, you'll find the same structural problems at every major service. Ad-supported email means companies have to scan your messages to target ads, so they need access to every corner of your inbox. (That's been the basis of Microsoft's Google-bashing "Scroogled" campaign.)
Free email also means someone else is hosting it; they own the servers, and there's no legal or technical safeguard to keep them from looking at what's inside.
A close look at company privacy policies only underlines the fact. As Microsoft pointed out in its initial statement, "Microsoft's terms of service make clear our permission for this type of review." Look at the company privacy policy, and you'll see that's true: "We may access or disclose information about you, including the content of your communications, in order to ... protect the rights or property of Microsoft." That's a straightforward description of what happened in the Hotmail case.
You'll find similar language in the privacy policies from Yahoo and Google. Yahoo reserves the right to look through your emails to "protect the rights, property, or personal safety of Yahoo, its users and the public." Google's language is nearly identical, saying it will access user data "if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to … protect against harm to the rights, property or safety of Google." Apple is a little better, but not much, promising to disclose user content "if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate." What counts as public importance, exactly?
What's worse, the current laws won't do anything to stop them. Law enforcement generally needs a warrant to read a person's email, but there's no such restriction on hosting providers. Peeking into your clients' inbox is bad form, but it's perfectly legal. Even if the rights weren't reserved in the terms of service, it's not clear there are even grounds for a lawsuit. Without stronger privacy laws, all companies have to worry about is bad PR.
Microsoft's mole hunt isn't unprecedented either. There have been LOVEINT-style abuses of sysadmin access, as when a Google engineer was fired for spying on friends' chat logs. Last year, Harvard searched its own professors' email accounts as part of a cheating investigation. (The dean behind the search stepped down a few months later.) But those are just the instances we're aware of. In all likelihood, there are dozens of similar incidents that were simply never made public, encouraged by the open nature of third-party hosting. As long as the access is legal and technically feasible, there's no reason to think it will stop.
Anyone living a modern and complicated life over email is left in an awkward place. The crypto crowd has an easy answer: use end-to-end encryption, locking up emails with GnuPG and online chats with programs like Cryptocat. You can hold your own keys, making sure no one can decrypt the message but the person you're sending it to, and count on open-source code reviews to expose anyone who tries to slip a backdoor into the code. One caveat worth knowing: with PGP-style email encryption only the message body is locked up; the provider still sees who wrote to whom, when, and what the subject line said.
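To make concrete what "holding your own keys" buys you, here is an added illustration, not code from the original article or from GnuPG: the sender encrypts to the recipient's public key (an ephemeral X25519 exchange plus AES-GCM), the provider stores and relays only the resulting envelope, and decryption requires the recipient's private key, which never leaves the recipient's machine. It uses only the Go standard library. The SHA-256 key derivation is a simplification standing in for the HKDF and packet formats real tools use, and the message text is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is everything the mail provider ever sees: it can store it,
// route it and scan it, but nothing in it yields the plaintext.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM ciphertext with authentication tag
}

// deriveKey turns the raw X25519 shared secret into a 256-bit AES key.
// Illustrative only: real protocols run the secret through HKDF with
// context binding rather than a bare hash.
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func newGCM(shared []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so that only the holder of the private key
// matching recipientPub can read it. The sender needs no long-term key.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// The ephemeral key is bound in as associated data, so swapping it
	// out in transit makes the tag check fail.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an Envelope. It returns an error, and no plaintext, for
// anyone who lacks the recipient's private key or tampers with the envelope.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

func main() {
	// The recipient generates the key pair and keeps the private half on
	// their own machine; only the public half is published.
	recipient, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	// The provider has keys of its own, but not the recipient's.
	provider, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	msg := []byte("constructed sample message: the draft is in the shared folder") // constructed
	env, err := Seal(recipient.PublicKey(), msg)
	if err != nil {
		log.Fatal(err)
	}
	if _, err := Open(provider, env); err != nil {
		fmt.Println("provider, holding only its own keys, fails:", err)
	}
	pt, err := Open(recipient, env)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("recipient decrypts:", string(pt))
}
```

The contrast with webmail is the last two calls: if the recipient's private key lived on the provider's servers, as it does whenever the provider "holds the keys to any encryption," the provider's `Open` would succeed just like the recipient's.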
It's a good system and it works, but for most users it's still a bunch of extra inconvenience for no obvious benefit. In the end, it's easier to blame Microsoft for violating our trust and move on to the next company, with the same data practices and the same terms of service. With Google, Apple, Yahoo, and countless other free webmail services waiting in the wings, there are plenty of options to choose from. They'd never do a thing like this... right?