One of the revelations in this week’s case of a Microsoft worker who leaked pre-release Windows 8 software was that Microsoft accessed the Hotmail account of the blogger to whom the data was leaked. And it did so without a court order.
Well, it turns out Microsoft was apparently within its rights to do so, having explicitly carved out the right to access communications to protect its own intellectual property.
Yahoo and Google have similar clauses.
Here is a bit of code from Windows 8 I got in the mail.
INT WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
PSTR lpCmdLine, INT nCmdShow)
{
// Win 8.0
RunFuckedUpUIMakeUsersSuffer();
// Win 8.1
// RunStillFuckedUpUIMakeUsersSufferMore();
// uncomment below for Win 9
// RunUserFriendlyProductiveUI();
return 0;
}
They may very well be within their right to do that, but it turns their “scroogled” campaign into an open exercise in hypocrisy.
I don’t really see why people are complaining. It is their right to do so, and the users of their services are explicitely declaring their consent to those actions. It’s being stated in their terms of service, even the article mentions it. Compare:
The policy for Outlook.com, formerly Hotmail, states that, “We may access information about you, including the content of your communications…to protect the rights or property of Microsoft.”
Source:
http://news.cnet.com/8301-10805_3-57620658-75/microsoft-sniffed-blo…
Of course I know this doesn’t make it any better, and I don’t even try to claim that people read and understand EULAs and other legalese which is blocking their access to the dancing bunnies. Furthermore, I don’t say this interpretation is legal everywhere on this world, in fact, it’s highly debatable if agreeing to a possible violation of data protection law makes this violation legal… but that’s probably a question for a lawyer. Two lawyers, three opinions.
The solution? Don’t use that service. A service is a tool. Use the right tool for the task that you’re planning. The right tools are freely available. It can be as easy as that.
Doc Pain,
A check box on a registration form for a long legal document the user most likely did not read is certainly not explicit user consent of each term contained therein. It’s more of an implied consent. To get *explicit* consent the registration form would have to have a checkbox for each term in the legal document. This way the company could say the user “explicitly” agreed to this term.
It’s hard to fault MS for exercising the rights in their own TOS. But as ichi pointed out earlier it’s still hypocritical for MS to respect user privacy only when it suits them.
This seems to depend on the local jurisdiction, and still is highly debatable when brought before a court. And not agreeing to the terms of service blocks the access to the dancing bunnies, so the way of least resistance applies.
You probably know about this story by Richard Stallman:
http://stallman.org/articles/asked_to_lie.html
In this case, it was just about a piece of paper. But in the world of software, not clicking “OK” or not activating checkmarks will immediately stop you from anything further away (like, creating or accessing your “own” messages).
Personally, I would find this approach much better, as it might make people aware what they’re actually agreeing to. But in our modern times, when installing a flashlight app makes you agree to hand over access to your messages and location to that app, this would scare users, and this is not intended by those offering services “for free”.
But in today’s interpretation, “I agree to everything listed above” is as explicit as it needs to be, even when things like “the above terms may be changed in the future without explicit information” are included. It’s strange, but users are used to deal with it.
I fully agree with this. Because I’m no MICROS~1 user, I actually don’t deserve the right to make any substantial claims here, but my “gut feeling” is that it’s still wrong to exercise rights in a way that regulations of law (data protection law, confidelity, postal law etc.) is possibly broken.
Doc Pain,
Actually I only intended to highlight the difference, rather than offer a legal opinion. I don’t know what the courts do even in my own jurisdiction.
Actually no, I’m glad you linked to it. Excerpt:
This is such a classic Stallman reaction that I might have guessed it was Stallman without his name being attached.
I’ve also changed contract clauses. Would you believe that some employee contracts give the company claim to anything the employee invents off company time and using personal equipment? I brought this up as a sticking point with a previous employer, and he said “well that’s not the intention of the contract”, I responded, “well that’s what the contract says”. So the boss actually allowed me to add exceptions to the contract. That would probably really irk the company lawyer who came up with it if he got wind of it.
The major issue is that I had no knowledge of said contract ahead of accepting the job and quitting the previous one. It’s more of a “Welcome aboard, and oh by the way you’ll need to sign these papers”.
In this case, I’d like to offer an additional point of view. How about this?
“By using our service, you agree to the terms of service listed above.”
This concept of “agreeing by acting” looks “quite okay” at first, but again, it’s not clear if it will have any substantial meaning. It’s comparable to EULAs which claim to be agreed upon by opening a box which contains an installation DVD which will display the EULA text when the installation process has already been started. It’s like “By opening the cardbox, you agree to the terms of service listed in the leaflet packaged at the bottom of the box.”
A contract, as law typically defines it, is a mutual expression of intentions (“you give me money, I give you work”). So you should be free to express your intention if the prepared document doesn’t correctly reflect it, in which case you probably won’t want to sign it (“you take my money, I can take everything you have”).
Yes, I have learned something of that kind, even though I’ve never been subject to such a clause.
Many messaging services and apps claim something comparable: “By using our service, everything you write or send may be accessed by us, and we keep the right to make it our intellectual property if we wish so.” If I remember correctly, ICQ terms contained something like that, but I’m not entirely sure.
As I initially said, users typically don’t care about their rights, which is sad, but it’s their freedom to do so. On the other hand, the provider of a service is free to state under which cicrumstances he will offer the service. No agreement? Don’t use it. End of line.
Doc Pain,
Although designers hate ruining the flow of the signup process, I don’t think the law should hold any users to an agreement that they didn’t see (even if they didn’t click the links). So your approach seems better to me. Also it would add motivation for keeping agreements simple.
In the real world, many legal contracts I’ve encountered needed to be signed & dated on every page, sometimes even needing to initial individual sections to record explicit agreement to those terms.
Yeah, those are the worse. Especially when the vendor’s terms explicitly prohibit you from returning the software for any reason, even though you don’t see the software publisher’s license terms until the installer comes up.
Yes, on the other hand I do think it’s unethical that the terms of use are so long and complicated that we cannot be reasonably expected to understand them. I think society would be better off if courts only officially recognized the first thousand words of a software EULA, nothing else would be legally binding.
This came up in a search and it looks like an interesting idea.
http://tosdr.org/
I do agree largely with what you say: Microsoft are entitled to impose and enforce anything (legal) they like in their contracts. People should be careful about what they sign up to.
However, it’s also true that email (and social networking generally) is a bit of a special case, since it’s not just the receiver, but also the sender that ends up being bound by the conditions.
If I send someone an email I also have to accept that Microsoft might intercept it, even though I didn’t sign up to their agreement.
This means that people should be especially carefully about the communications services they use, since it impacts on others too. And services should have an obligation to be sensitive to others.
Having said all that, email is probably a bad example, since it’s basically a public communications medium anyway.
Just one more example that EVERYTHING on the Internet is public, unless you encrypt it. The sooner people realize this, the better off everyone will be.
Short of running your own mail server out of your house and using encryption end to end, there’s really no way to avoid some company or agency somewhere reading your mail. Email is fine for everyday communication, but anything you wouldn’t want read in a room of your peers, and certainly anything with trade secrets or other highly sensitive information, should never go out over email.
Actually… everything on the internet is public, PERIOD, even if you encrypt it. The difference is by encrypting it, it looks like this: 7hn^4 bdG7a 33kzP Dn81s Q*ci4 eDmi2 etc. etc. etc. and that makes it really hard to read. Not impossible, but really hard, and usually not worth anyone’s time to try, unless someone REALLY wants to read what you wrote.
(EDIT: naturally if you use a truly random one-time-pad, it’s unbreakable, but only if you really use it only once, maintain the secrecy of the sender’s and receiver’s pads, and if they were really and truly random… but who the hell does THAT in a typical communique?)
But seriously though, who today thinks he can use anything from Misrosoft and NOT get screwed? Or anything from any $$$ FOR PROFIT $$$ corporation, for that matter? They’re all out for one thing, and one thing only: getting your money and providing you the least value for it they can. It’s why they have always despised having to compete, and (in MS’s case,) hardly ever have. By compete, I mean compete in a fair marketplace they haven’t illegally manipulated.
At the risk of preaching to the choir, I switched over to FL/OSS for all my computing needs, though kept my last MS Windows install discs in case I ever needed them again for anything. Early last year, I reached a level of confidence that allowed me to feel comfortable doing away with my last copy of their wretchware forever. I threw a little party that culminated with me smashing those discs, and throwing the last of my Misrosoft-made, deliberately and intentionally UNsecure, UTTER-GARBAGEWARE right in the trash! I haven’t looked back since. I am pleased as punch to have a Misrosoft-FREE home for over a year now. Feels great! My OS is secure, fast, and free, and I think it goes without saying that I don’t use MSN-mail or Hotmail or whatever they’re calling it this week, so I don’t worry too much about what Redmond says or does or thinks.
If everyone else took this stance, (and HERE is why I took the time to write the forgoing,) “Windows” 8.x might not even exist, and Misrosoft could take its rightful place in the ashcan or history beside all the companies it drove out of business with its crooked business practices and illegal shenanigans. What a wonderful day that will be!
Edited 2014-03-21 07:16 UTC
I’m not sure how many years of experience you have in the computing field, but I note that you limit your critique to Microsoft. What I’ve noticed over the past 35 years or so is that the cycle repeats.
The young start-up is extremely customer-focused, providing great value at low cost and empowering a type of revolution. Most young start-ups I’ve seen love competition – they want to win on their products (which are great) against the archaic giants they are fighting and their sucky products, high prices, and crappy customer service.
As the company matures and begins to dominate the market, they waffle on competition. They begin to focus on sustaining growth and delivering shareholder value, and consider young start-ups as taking unfair advantage of their “intellectual property” and as “poaching” the most profitable of their customer base.
And soon, they have become the archaic giant with sucky products, high prices, and crappy customer server.
And yet, they never seem to see that. They honestly believe they are the exception – they “do no evil” – and they have a thousand excuses for why what the customer wants is unreasonable and not good for them. Sustaining growth and increasing YOY cash flow is what’s best for the customer, whether the ungrateful customer appreciates that or not.
Going full-FLOSS is one way to opt out of the cycle – just build your own infrastructure and (mostly) avoid dealing with any for-profit. But another option is to be an early adopter for the young start-ups that still try to earn your business, and abandon them as they get caught up in their own story.
There is a solution to this problem to prevent companies doing this: don’t go public and thus stop focusing on shareholder value.
To end up like Matrox in the GPU & GFX cards area? ;P
LOL, a Linux troll… they still make you? Linux on the desktop was irrelevant 10 years ago, is irrelevant now, and will be irrelevant 10 years from now. The reasons for this are numerous and when those of us who aren’t using it explain why, the Evangelists only argue with us and try to explain why we’re wrong. Whatever.
Look, I’m all in favor of REAL alternatives to Microsoft, esp free ones. But Linux ain’t it, and by extension neither are any of the BSDs. Unless your ‘killer apps’ are a terminal window and a bunch of cli utils, but that ain’t most of us. Maybe Android will be a thing someday… who knows, as if Google is really any better than MS.
Edited 2014-03-21 17:42 UTC
Come on, that was low.
We all know you like Windows, but bashing desktop linux by saying it’s all CLI is like talking about how windows blue-screens all the time, and gets heaps of viruses; it’s simply not the case.
This is an operating system enthusiast website, so do mind your tone.
I use Linux on the desktop every day, and with wayland, systemd, kdbus, Qt5, KDE frameworks 5, KDE Plasma Desktop 2, etc. etc. there are so many incredible developments for everyday users.
http://wheeldesign.blogspot.com.au/
Have a gander at some of the sexy UI developments that are being made by the community, and brought into existence by the KDE Visual Design group. It’s beautiful.
Basically, it comes down to don’t trust Microsoft, Google, Yahoo or Apple (or any similar company) with your data.
There needs to be a true to move to encryption by default, so that sending encrypted data doesn’t immediately draw attention.
At least make them work for it.
As others have said or hinted at: your data is vulnerable even while using encryption end to end. The harder you try to hide your communication the more likely someone is to take an interest in it.
If you want to truly hide a message to someone then obfuscate it in with spam messages and send them to everyone, including your intended recipient. Spread the message out over several spam messages would make it even better. Nobody really analyses spam except to find a way to avoid getting it in the first place.
jgagnon,
What makes you believe end-to-end encryption doesn’t work? This would be very major news in CS circles.
I hope you are not actually endorsing this approach. Putting an image up on a website is far less damaging to the internet than sending out bulk spam.
Stenography has merit for high latency, low bandwidth messages. The main motivation for it is to conceal the fact that a message was sent. Even stenography relies on conventional encryption passes for cryptographic strength. If the cryptography were broken (and that’s a big if), then we’d be able to decode stenographic messages easily as the person receiving them.
The NSA has been involved with hijacking encryption protocols for years… and that’s just the stuff we know about. How much do you REALLY know about your theoretical end-to-end solution? Did you review the source code for each piece of the puzzle (encryption software, compiler/linker used to build the executable, libraries they use, etc.)?
That’s not paranoia. There is precious little we can consider sacred these days. All it takes is one piece of the pie being tampered with and the whole thing spoils. So what can YOU rely on with near certainty?
And to answer your other question, no I’m not really advocating sending spam out to do day-day communications. I was just trying to imply it would probably be at least as good at hiding your message as relying on any commercial encryption these days.
I think an alternative is use a one time pad for encryption. So long as you keep it safe and it is truly random it should remain unbreakable.
Since you have to securely deliver the one-time-pad key through secure channels anyway, why not just deliver the message at that point instead? OTP is not a practical solution in the vast majority of cases. It’s great in theory, just not in practice.
jgagnon,
Do you have a link to exactly what you are referring to? The news we keep hearing about is how far the NSA goes to wiretap *unencrypted* networks. In these cases there was no broken cryptography, it just didn’t apply.
Well, as a matter of fact yes, I personally do review and implement encryption algorithms. However let me stop you there and point out that finding a faulty/compromised implementation is NOT the same as suggesting encryption is mathematically broken. The way this earlier statement reads is misleading: “your data is vulnerable even while using encryption end to end.” The NSA can not read encrypted traffic directly, so instead they have to attack the endpoints either before the encryption or after the decryption, maybe this is what you meant but it wasn’t made clear from the statement.
Encryption DOES work, but the caveat is that if your endpoints have been compromised, then the encryption is irrelevant. Clearly the NSA has very sophisticated ways to compromise target systems, however these are ACTIVE attacks rather than PASSIVE wiretap monitoring. There’s a big difference in scope between the two, and active attacks are far riskier in terms of getting caught since there is evidence to prove them.
Edited 2014-03-21 18:42 UTC
There are many variations of this on the Internet, but here’s one: http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSB…
Of course RSA has denied this.
Your end points are not the only possible leak points if the article above and others like it are to be believed. If the NSA or other agency/entity are actively involved in weakening the encryption used or at least promoting the weaker encryption schemes then that promotes a whole lot of FUD (of the legitimate kind, that is). Nobody yet knows how deep the rabbit hole goes, and THAT is the problem.
As for source code… Very few people out there would even know what to look for even if they had the source code available to them. Even fewer would would know what is wrong if they even found something out of place. And fewer still would have any idea how to “fix” it, if it could be fixed.
Computer security and privacy are not things most people seriously consider in their day to day lives. As proof, consider how many people still use Windows XP, never update the software on their home routers, use unencrypted email systems, use old devices that no longer (or ever did) receive security updates, etc.
jgagnon,
Ok, but even at face value this doesn’t even claim encryption algorithms are broken, only alleges that RSA’s random number generation implementation is compromised.
Even if the allegation is 100% true, I think you’re coming away from it with the wrong conclusion. The particular implementation of software running on the endpoint was compromised, it’s not the same thing to say the cryptographic algorithms are broken in general. Open source implementations at least make it possible for security researchers to verify algorithms rather than taking a company’s word for it.
I get that, however the thing is if the government trusts algorithms like AES for it’s own systems, requiring contractors to use it, then they would be putting the US gov at huge risk if they knew it was vulnerable. In any case, nothing stops us from using other algorithms like twofish.
Some software even allows you to cascade multiple encryption ciphers together forcing an attacker to break all of them in order to reveal the cleartext.
They don’t really have to, they only need to verify that they’re using the same software as the security experts *. This is as simple as verifying the hash codes. So acquiring legitimate encryption software is not difficult. To me, the more fundamental security problem is proving that one’s computer hasn’t already been compromised: did I install any software that might have contained a back door? Has any of my hardware been bugged? Was there a window of opportunity for an attacker to exploit a vulnerability before it got patched? To me, these are the kinds of security problems that are hard to solve.
Using security software from a live CD may be a good idea if one cannot vouch for the security of the installed OS.
*Edit: I guess you could argue this isn’t safe either since the security experts might be collectively lying. However it would only take one of them to be honest and reveal the flaw, and the compromise would be detected.
Edited 2014-03-21 19:52 UTC
If your random number generator is broken your encryption is broken, no matter which algorithm you are using.
jgagnon,
No doubt, however it doesn’t make sense to generalize that all network encryption is broken because RSA’s number generator was allegedly compromised by the NSA. That’s not a logical conclusion since “MIGHT BE” is different than “IS”. Consider:
“That man’s 6ft, we know the murder was 6ft, therefor he IS guilty”
“That man’s 6ft, we know the murder was 6ft, therefor he MIGHT BE guilty”
With this in mind, can we agree that your original statement was overgeneralized?
Edited 2014-03-21 20:16 UTC
I don’t think I ever said it was all broken, only that there is no way to trust that it isn’t broken. Even with all of the Snowden-related revelations we still know very little about how deeply the NSA is entrenched into our every day lives. What are their limits? We don’t know. If anything, you should read what I’m saying as “make no assumptions” about anything in the realm of security.
What is important is to create the network protocols so everything is encrypted.
And have a way to replace the algorithms if they turn out are not trustworthy anymore. It’s called (cryptography) algorithmic agility.
It’s the best thing we can do.
Especially considering that Snowden did say: the math is still valid.
The only problem is: one of the documents revealed that they might be getting close to breaking some of math in a practical way.
jgagnon,
It’s security by obscurity, it can work until you get targeted, then the cloud of obscurity falls. Does this mean you do not have a problem with FOSS encryption?
Edited 2014-03-21 18:51 UTC
I’m not sure how to answer that. I am a programmer that is pro-FOSS but I am not a security specialist. I’ve never written encryption software that I would consider letting other people use (I have dabbled, for sure, just not with confidence).
If I know a piece of software has its source code reviewed by various parties on an active basis, I am more inclined to trust it than I would a black box given to me by a single party. If I have some control over the build process then I tend to feel safer, though I realize the warm fuzzies don’t prove anything or make me more secure.
Yes, there is only one place to make that happen: IETF, Internet Engineering TaskForce. The people that create Internet networking standards (those RFCs you might have heared about)
And are they working on it ? Yes.
Funny you should say that…
“The ASIO said:
These changes are becoming far more significant in the security environment following the leaks of former NSA contractor Edward Snowden. Since the Snowden leaks, public reporting suggests the level of encryption on the Internet has increased substantially. In direct response to these leaks, the technology industry is driving the development of new Internet standards with the goal of having all Web activity encrypted, which will make the challenges of traditional telecommunications interception for necessary national security purposes far more complex.”
I.E.: “People want to encrypt their connections, we need to stop that.”
http://arstechnica.com/tech-policy/2014/03/after-snowden-australias…
Well, in this particular case it’s more down to “don’t be a bloody fool”.
If someone sends you classified information about company X don’t use an email service that belongs to company X. I would have expected that to be common sense but alas…