


Microsoft Spying on Users For Free

Nov 22, 2010 · 4 mins
Cybercrime, Data and Information Security, Microsoft

Are the feds one of Microsoft's best customers? Microsoft does not charge the government even a penny for surveillance of its users. Google charges $25 per user and Yahoo charges $29 per user.

In November 1985, Windows 1.0 was born. Now that Microsoft Windows is 25 years old, I’m wondering if the feds are one of Microsoft’s biggest and best customers?

Security researcher and privacy advocate Christopher Soghoian recently scored big through the Freedom of Information Act (FOIA) and received the total amount that the US Drug Enforcement Administration (DEA) paid to providers for pen registers and wiretaps for the last four years. Unlike a wiretap that records actual phone or Net conversations, a pen register gathers all phone numbers or email addresses to show with whom a person has been communicating. The DEA spent $6.7 million for pen registers and $6.5 million for wiretaps in 2010. Microsoft does not charge the government even a penny for surveillance of its users. Google charges $25 per user and Yahoo charges $29 per user.

Microsoft may not be happy that the news is out that it seems to have a very friendly relationship with the DEA, since it had a near meltdown in 2008 when Cryptome published the Microsoft Online Services Global Criminal Compliance Handbook. MS must not have wanted regular people to know its handbook subpoena advised, “when you are looking for information on a specific incident like a photo posting or message posting, please request all group content and logs. We cannot retrieve single incident data.” Microsoft promptly produced a DMCA notice and temporarily shut down Cryptome.

The DEA pricing document [PDF] states, “There are no current costs for information requested with Subpoenas, Search Warrants, Pen Registers, or Title III Collection with Microsoft Corporation.”

Another thing about wiretaps: law enforcement agencies prefer to rely on their access to stored communications like email, since that is both much cheaper and much easier to access. Soghoian published The State of Surveillance for The Center for Cybersecurity Research for Indiana University. The slideshow advises that “drugs are bad if you value your privacy.” It also suggests, “If you are going to break the law, and don’t want to be wiretapped, stick with something safer…like murder, bribery or extortion.” Of the 2,376 total intercept orders for 2009, 2,046 were for narcotics.

With regard to what the DEA doesn’t pay to Microsoft, Soghoian told The Register that Microsoft should at least charge a penny per government surveillance to create a paper trail. “You don’t like companies to make money spying on their customers, they should charge something. You can’t FOIA Microsoft’s invoices, because they don’t send any invoices.”

I haven’t seen the PR spin that Microsoft will put on the fact that it gives up its users for free, but its PR on Kinect hacking surely flip-flopped. “Alex Kipman says Kinect interface was left unprotected ‘by design.’ Shannon Loftis says she’s ‘inspired’ by community finding new uses,” MS officials told Science Friday. As Adafruit wrote on its blog, “In about one week we turned ‘work closely with law enforcement’ to ‘inspired’ by community finding new uses for Kinect.”

Sometimes I think Microsoft’s PR people think MS users are stupid. The quote that I get every time I ask a question is a no-answer answer that links to the MS privacy policy and a statement on how important my privacy is to Microsoft. Yet earlier this year, the FTC named the worst privacy abusers — companies that failed to protect consumers’ personal information. Among the list of scammers and spammers, the FTC also named Microsoft as one of the companies that failed to keep the promises they made to consumers regarding the security of their personal information. According to testimony [PDF] delivered to the Senate, “Failure to maintain reasonable security is an ‘unfair’ practice that violates the FTC Act involved such practices as the alleged failure to:

1.  comply with posted privacy policies

2.  take even the most basic steps to protect against common technology threats

3.  dispose of data safely

4.  take reasonable steps to guard against sharing customer data with unauthorized third parties.”

Do you think Microsoft should charge for government surveillance? Or do you believe Microsoft should stick to “spying” on its users for free instead of profiting from it?


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.