Microsoft downs site after top-secret guide published.


The noted government whistleblowing website Cryptome has been taken down after Microsoft saw red over its publication of a top-secret Internet surveillance guide normally shown only to law enforcement agencies.

The 22-page Global Criminal Compliance Handbook contains a reasonably detailed rundown on the information gathered by Microsoft from its various Windows Live operations, including Hotmail, Messenger, MSN Groups, and even the gaming platform, Xbox Live.

The guide explains the information that is retained by Microsoft from customer activities, for how long it is saved, and how it can be accessed by police and security services in accordance with US legal requirements.

After discovering the document on the site, Microsoft is reported to have demanded its removal, citing the US Digital Millennium Copyright Act (DMCA), a request that was rejected by Cryptome editor and founder, John Young. Microsoft then persuaded domain hoster Network Solutions to pull the site, which remains offline as of the morning of 25 February (GMT).

Was Microsoft well advised to come down so heavily on a site that has come to be seen in civil liberties circles as an important bulwark against government secrecy?

The guide itself contains few technical revelations, but does underline the extent to which a company such as Microsoft is able to conduct information surveillance from the traces of people's Internet activity.

Any text or images uploaded to a Microsoft service appear to be retained for 90 days, along with the date and time of the upload and the IP address making the connection.

It is worth noting that all global customer account data for Hotmail - including by implication email records - are stored in the US, which makes them accessible by US authorities under local laws.

UK and non-US residents might not realize this. Records are only deleted after 60 days of account inactivity.

On the other hand, Microsoft doesn't store conversations between users on Windows Live Messenger, its IM service. The most tracked service appears to be Xbox Live, where names, addresses and credit card data are available to track online users. That is hardly surprising as this is the one service users pay for. This is not quite a flexing arm of the Big Brother state.

Microsoft probably couldn't have made the information in this guide more public if it had tried. It is now available for download from various Internet sources, including fellow whistleblowing site, Wikileaks. The document will no doubt be pored over by thousands of people with only the vaguest idea of the significance - or lack of significance - of its contents.

More background on the takedown is available from the Geekosystem website, which has a direct channel into Cryptome's short-term suffering. Longer term, the site will gain from the troubles, assuming it comes back soon.

By John E. Dunn.

Source: http://news.techworld.com/security/3213603/microsoft-downs-site-after-to...

Zooot wrote:

Makes you feel all fuzzy and warm inside to realize how good old Microsoft looks after us all with tender loving care.

Attachment: Global_Criminal_Compliance_Handbook.pdf (1.66 MB)
Zooot
An In-Depth Look at Microsoft's Spy Guide.

The document, called the Microsoft Online Services Global Criminal Compliance Handbook, or "spy guide," gives details on how law enforcement can grab user data from a wide range of Microsoft services, from Windows Live ID to Xbox Live to Hotmail.

Microsoft holds and can reveal a huge amount of data on individuals through their social networking and file-sharing services, too. These data include IP addresses, credit cards, chat logs and much more.

How does a large corporation balance end user privacy with the need to cooperate and comply with law enforcement? Read on to see how Microsoft handles this issue.

On the Surface.

After a quick read-through of Microsoft's guide, everything initially made sense. They've got a lot of data - IM logs that can help find missing kids, gaming records that can help return a stolen Xbox, emails that can help track down terrorists.

There's an emergency hotline for urgent or life-threatening incidents, "situations like kidnapping, murder threats, bomb threats, terrorism threats, etc."

The full list of services includes email, authentication (Windows Live ID), IM, social networking (Windows Live Spaces and MSN Groups), custom domains, online file storage and gaming (Xbox Live). For each service, data is accessible through a series of web interfaces that allow law enforcement to browse through relevant data in tables or forms.

And there are procedures for accessing all this information, too. Law enforcement can't simply ask for the information, according to the document. They have to have a subpoena, a court order or a warrant to gain access to data such as usernames, linked accounts and email address books.

Digging Deeper.

But after talking to a few sources who have worked in law enforcement (LE) and government agencies - none of whom wanted to be quoted, for obvious reasons - these procedures are a far cry from the day-to-day realities of data access.

In other words, there's a reason it's called a "spy guide."

For one thing, federal and LE officers tend to have a much easier time getting access to user data than their corporate conspirators might let on, our sources told us. In ticking time bomb scenarios, this can be a good thing, as quick and unobstructed access to data can save people from imminent harm.

Where Are All Those Warrants?

However, we've been told by people who have handled such issues that government and LE often request and are given data without having to go through the proper procedures, often because of corporations' fear of government retribution.

For example, not too long ago, Sprint was revealed to have complied with 8 million LE requests for GPS data in 2009. This figure doesn't include any other type of data from anyone other than LE for any network other than Sprint - this is just for LE GPS data requests from Sprint.

The implications of this are staggering, but the most confounding of them all is that there could not possibly be enough warrants to justify the sum total of requests that digital companies are handed by law enforcement seeking user data.

Our sources all confirmed that without question, LE and government officials are often given user data by companies such as Microsoft without having to provide any kind of justification - not legal documents, not proof of criminal activity and not evidence of guilt.

What About the Fourth Amendment?

And then, there are the less widely known reasons that LE or federal agencies would gain access to user data - programs such as government data mining or Project Carnivore (which is essentially the wiretapping scandal of the digital sphere). Again, our sources confirmed that LE's desire to see user data is often the only reason a digital company would need to turn over information - warrantless wiretapping all over again.

In conclusion, Microsoft's spy guide does state that certain steps must be taken for law enforcement to access data - steps that require law enforcement to prove that their searches and seizures in the digital world are legally justifiable. Whether or not anecdotal evidence supports this claim we will leave to our readers to judge.

What the document does show us, however, is the extraordinary breadth and depth of information that Microsoft has and is willing to give to government and law enforcement agencies. And that alone is enough to make us put on our tin foil hats.

By Jolie O'Dell.

Source: http://www.readwriteweb.com/archives/an_in-depth_look_at_microsofts_spy_...