Since 1996, the whistleblower site Cryptome has been posting sensitive government and corporate documents. Now Cryptome has been removed from the web after releasing the Microsoft Online Services Global Criminal Compliance Handbook, a 'spy guide' for law enforcement detailing what data Microsoft has, keeps, and can relinquish.
Most of us are Microsoft users in one way or another - whether you purchase Xbox Live points, log on to Office Live or sending emails through Hotmail - so you probably have a few questions.
What is the 'Spy Guide'?
The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.
I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.
Which of my Microsoft services are affected?
All sorts. Microsoft keeps user information related to its online services. The data ranges from past emails to credit-card numbers. The information is kept for a designated period of time, sometimes forever.
The sites referenced are:
- Windows Live
- Windows Live ID
- Microsoft Office Live
- Xbox Live
- Windows Live Spaces
- Windows Live Messenger
- MSN Groups
Some of these Microsoft services may not apply to a lot of people. Who uses MSN Groups, for instance? But accessing personal information from Xbox Live accounts, for example, could be a big problem for 23 million subscribers; especially since Xbox Live keeps more data than many of Microsoft's other services.
What information does Microsoft have?
It depends on the service. We'll deal with the big ones here.
Windows Live ID
Windows Live ID is a one-stop shop for user info retention and is used on a multitude of sites to limit scattered user names and passwords. Because of its wide reach, Windows Live ID could allow law enforcement agencies to access tons of your personal web-surfing information. Microsoft keeps "the last 10 Microsoft site and IP connection record combinations (not the last 10, consecutive IP connection records)."
All things considered, that's not bad. It gets worse.
"Email account registration records are retained for the life of the account. Internet Protocol connection history records are retained for 60 days," according to the document. But if you, like many, switched over to Gmail and let your Hotmail account lapse, all email content is "typically deleted after 60 days of inactivity. Then if the user does not reactivate their account, the free MSN Hotmail and free Windows Live Hotmail account will become inactive after a period of time."
Email content that is older than 180 days can be disbursed "as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705)." If the content is less than 181 days, you need a search warrant.
Xbox Live stores a lot of information.
- Credit card number
- Phone number
- First/last name and location details
- Serial number (but only if box has been registered online)
- Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)
- Email accoun
- IP history for the lifetime of the gamertag (only one gamertag at a time)
This information comes in handy for non-nefarious purposes, just so you don't get completely paranoid. For instance, if your Xbox 360 console is stolen, Microsoft can hunt it down quickly using its vast tracking records of you and your machine.
Office Online and Windows Live SkyDrive
The scariest part of the handbook comes here. Office Online and Windows Live SkyDrive are both services that store documents and files in the cloud. The two pages devoted to these services describe only what the products are and not the access Microsoft has to pertinent information. What can Microsoft get at? How long is everything stored? What are the legal parameters? All of this is uncertain and worrying.
Cloud computing is the next big thing in technology. Companies are apt to store sensitive financial and human relations documents in one of Microsoft's clouds. If prompted by the government, Microsoft could (or couldn't?) dip its fingers into your spreadsheets and extract all it wants.
Next: the legal hoops to obtain all this information >>
The last page of the document details the legal procedures required to obtain Microsoft's information, but with warrantless wiretapping such a big fad lately - as evidenced lately by Google's shady dealings with the NSA - one never knows how much red tape the government can snip through to get what it wants.
A brief case history
It's uncertain as to how John Young, Cryptome's proprietor, obtained The Global Criminal Compliance Handbook; what's certain is that it caught Microsoft's attention. The corporation quickly filed a Digital Millennium Copyright Act (DMCA) notice alleging copyright infringement.
In 1998, the DMCA criminalised production and dissemination of high-tech methods intended to skirt protections such as DRM that control access to copyrighted works. It also criminalises the act of circumventing an access control, whether or not there is actual infringement of copyright itself.
Some organisations have a problem with Microsoft's use of the DMCA in this case. "The Electronic Frontier Foundation finds it troubling that copyright law is being invoked here. Microsoft doesn't sell this manual. There's no market for this work. It's not a copyright issue. John [Young's] copying of it is fair use. We don't do this anywhere else in speech law," Cindy Cohn of the Electronic Frontier Foundation told ReadWriteWeb.
Cohn stated that in cases involving libel or trade secrets there is a procedure of going to court, making a case, and getting an injunction - filing a DMCA complaint "makes censorship easy".
Either way, Microsoft prevailed. Cryptome's host, Network Solutions, tore the site down. Young filed a counterclaim yesterday.
Personally, I feel the Global Criminal Compliance Handbook isn't as nightmarish as some may paint it (save for the cloud computing part). Microsoft needs to have measures to work with the US government in cases of danger, plain and simple. But with so much data out there, so much of it 'owned' by Microsoft, I cannot help but feel exposed and vulnerable.
And for the sake of internet freedom, it's crucial that Cryptome is released back into the wild. The site serves a clear and important purpose; its latest - and perhaps last - release proves that point.