by ntakasaki 4469 days ago
I can't even fathom how it can be illegal. Those are Microsoft owned servers. Once your data is in someone else's cloud, you have no recourse. That's why it's better to have your business files under your own control with OpenOffice or even MS Office instead of Google Apps or Office Online. If MS patched Office to upload your local files to MS servers, you would have a very strong case against them for "stealing" your files. If you upload them to OneDrive/Google Drive, not so much.

In a similar incident, a Google employee accessed personal information, but Google was never penalized for it.

http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...

As usual, Stallman was right when he called cloud computing "careless computing" and a trap. http://www.theguardian.com/technology/blog/2010/dec/14/chrom...

5 comments

> I can't even fathom how it can be illegal. Those are Microsoft owned servers.

How would you feel about the postal service opening the letters it transports in a similar scenario? Do you think it's morally a-okay for them to unilaterally decide to read your mail without a court order?

I suspect that most people would say "no", even though it all happens on the postal service's own premises, using their own resources. At the same time, I wouldn't be surprised if most people would think like you expressed when it comes to e-mail.

Clearly, more thought needs to go into this to determine in a reasoned and consistent way whether Microsoft's actions were morally right in this particular instance. Value judgments are going to play a role, too. Still, I think it's fairly clear that the answer must be the same for physical and electronic mail.

Edit: I know you were talking more about legality than morality. However, as the physical mail scenario shows, there is already a legal precedent for an actor being prohibited by law from acting in a way that is analogous to what Microsoft has done; and ultimately, the law should follow moral considerations, so those are the more interesting questions anyway.

I always hate when folks make comparisons like this to the USPS for the simple reason that the USPS has reams of laws, codes, and statutes it is bound to follow, full-stop.

These codes explicitly outline how I should expect my mail to be handled by the USPS. They also explicitly define how 3rd parties are handled when they violate your mail. It's all very clear in black & white.

We have expectations of the USPS because of a codified standard. Breaking those expectations is a totally different scenario than the MS scenario.

In some countries, email also has laws around it. My employer cannot read my email, even the email that sits on their servers in my employer-provided email account, except under specific circumstances dictated by law, with an oversight process dictated by law. YMMV. (There are exceptions for incidental access of email by technical staff for the purpose of making the email itself work, filtering spam, etc., vs. searching the contents and giving your boss a printout.)

There's an interesting intersection-of-laws issue. Our email is actually hosted by Microsoft Office 365. When Microsoft performs searches like this, do they touch multiple email accounts? If they ran the equivalent of a grep across their whole email infrastructure, they might violate Danish law in doing so, if their grep touched our mailboxes. So how they access email inboxes in general is something they ought to be pretty careful of. At the very least I hope they're making sure only to search Americans' inboxes, hosted on American servers.

Earlier in this thread someone said, "Once your data is in someone else's cloud, you have no recourse."

As a more general matter, do you think that's the way it should be? Do you feel that your information no longer being yours once it touches someone else's server is the right way to do things?

I don't think that should be the case, but the solution should be more awareness rather than regulation. People should realize that they're giving up something to get a free service or subsidized products like Chromebooks rather than government interfering. Restricting people from searching their own servers will solve nothing.

It seems like it would solve at least one thing.

> Edit: I know you were talking more about legality than morality. However, as the physical mail scenario shows, there is already a legal precedent for an actor being prohibited by law from acting in a way that is analogous to what Microsoft has done;

You don't enter into a contractual relationship with the USPS when you mail or receive a letter. When you sign up for a webmail account, you're doing so on the providing party's terms, and you can't really complain if said webmail provider chooses to enforce the contract that you signed up to.

> and ultimately, the law should follow moral considerations, so those are the more interesting questions anyway.

Whose moral considerations would these be?

> You don't enter into a contractual relationship with the USPS when you mail or receive a letter.

I would argue that that's a historical accident and in any case subject to change, especially in places where the mail system has been deregulated to allow mail service by private companies. For example, in Germany such companies could potentially have terms similar to a contractual agreement (called AGB) that apply as soon as you post a letter.

The underlying point is really this: the current status quo (good protection for physical mail, no protection for electronic mail) is not something that makes sense if you start reasoning from first principles. It simply developed this way for historical reasons (mainly: webmail providers were created in much more lawyer-happy times, and the rules for physical mail developed over a longer time, during which respect for privacy was valued higher for whatever reason).

I believe that it is a fairly safe bet that, if the internet still exists 100 years from now, most places that will be considered civilized in that future will have laws to protect their citizens' privacy no matter what companies would like to write in their contracts.

> Whose moral considerations would these be?

In a democratic society? Everybody's. Yes, a consensus needs to be found, blah blah. The fact that you even felt the need to ask this question is a bit disturbing.

Physical mail is much simpler than electronic mail. Telegrams are more akin to email than an actual piece of mail.

How do I guarantee I don't look at it when I literally have to look at it to provide the service?

There are services which avoid this by using thinner servers, but they are in the minority.

True. Though the comparison I would make is with postcards, and there is still an expectation of privacy there. If somebody in the postal service were found to be reading postcards on purpose, there would be consequences. Intent matters.

> Do you think it's morally a-okay for [whoever] to [whatever]?

Morality is not legality. As a webmail provider, spying on your users is obviously very wrong. Thanks to a number of technicalities and loopholes however, it is also perfectly legal.

> If MS patched Office to upload your local files to MS servers, you would have a very strong case against them for "stealing" your files. If you upload them to OneDrive/Google Drive, not so much.

At work, we use Exchange. In the webmail settings, there's a list of plugins, many of which provide basic, necessary core features such as meeting invitations. All the Microsoft plugins had a disclaimer along the lines of "This plugin may send your mail and data to a third-party server".

Not saying they're archiving it, but I'm not sure running Microsoft software is a great idea if you're very worried about the security of your data.

You do have recourse, and it certainly can be illegal.

Just because corporations have a Russia-in-Crimea style boots-on-the-ground advantage when it comes to the cloud doesn't mean you have to throw up your hands and give up when someone violates your rights.

What's the basis for this assertion? The privacy policies seem to have clauses that allow this type of access. The user wilfully enters an agreement to utilize Microsoft's email servers and that agreement explicitly allows this. Even if it didn't, I don't know of any body of law that would say "the text you're uploading to another person's server can't be read by the server's owners", but I'm not a lawyer. Telecomms are different because their infrastructure is a means of conveyance, not a destination, so they need to file the paperwork to tap the comms between the source and the destination. But in this case, there is no unannounced party in the transaction.

If we assume there are no external legal modifiers, it seems pretty straightforward that the server owners should be able to search their own disks for any reason.

The entire premise of free modern email is that the provider will be automatically parsing the text of your emails, composing a profile of your behavior and interests from that text, and attempting to sell you products based on that profile. Wouldn't that be illegal if it's not legal to search your own disks? How come you can agree to ToS and privacy policies that allow that but not policies that say "we can also look at it if we suspect that you're trying to screw us over"?

As a society, we put a limit on which kind of contracts are valid and enforceable. To give an extreme example, if you write into a contract that you sell yourself into slavery, that contract would be invalid and not enforced.

Most countries have similar limitations for consumer protection. For example, Germany has a certain minimum warranty that a manufacturer must provide that cannot be waived away no matter what they try to write in the ToS-style contracts that exist for businesses here (AGB).

Contract law is not a physical law. It is shaped over time - ideally in a way that follows a consensus of all citizens in a democratic society. If we feel that morally, webmail providers should not have the right to do targeted investigations in their hosted mailboxes (which is easily distinguished from the kind of algorithmic scanning for marketing purposes), then that can (and should) be turned into law.

You're making a good argument. I hope it will be tested in court.

Your landlord doesn't have the right to snoop in your personal files just because they own where they're stored.

The EULA in this case said they can spy if needed to protect their IP rights, but that doesn't fly in this case. The IP was already stolen, and spying on this journalist doesn't put the horse back in the barn and undo the leak. Catching the thief doesn't protect their rights, because the crime is already done.

It could be illegal, especially if their own ToS doesn't permit them to do that, and promises you stronger privacy.

But it seems they have their bases covered on that, so we'll see.