To stop leaks, Microsoft infiltrated a blogger’s Hotmail account

Companies will go to great lengths to preserve their trade secrets and keep the competition in the dark, even if it means crossing into the grey area of privacy breaches. According to a March 17 legal document spotted by Business Insider, Microsoft sifted through the contents of an unnamed blogger’s Hotmail account to figure out who was leaking sensitive Windows 8 information from the inside.

The report, which names Lebanon-based Microsoft employee Alex Kibkalo as the alleged leaker, detailed an investigation approved by Microsoft’s Office of Legal Compliance that rooted through the Parisian blogger’s email to trace the source of the leak. The investigation began after someone tipped off Steven Sinofsky, then-President of Microsoft’s Windows division, to some source code sent by the blogger that turned out to be part of the internal Windows 8 SDK. Microsoft then gained access to the blogger’s Hotmail account — which remains legal due to a clause in Microsoft’s Privacy Policy that reads:

 We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

From there, Microsoft investigators traced through the emails to find one from Kibkalo that shared six unreleased “hot fixes” for Windows 8 RT, among others. Microsoft also found an archived conversation between the blogger and Kibkalo, which included references to the sample code that tipped Microsoft off in the first place.

Microsoft released a statement in response (via Business Insider):

During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the party involved intended to sell Microsoft IP and had done so in the past.

As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

What Microsoft did to catch its leaker is legal, and well within the company’s rights to protect its property. However, it does show the level of access that a company has in obtaining information transferred across its own channels, and how readily it will access those channels if even a hint of a threat to company property is involved.