Microsoft Setting a Precedent for Cloud Provider Access to Data

Earlier this month Microsoft’s privacy policies became the focal point of a controversy about the right of cloud providers to access their customer’s data. The controversy, and Microsoft’s subsequent response, may create a precedent that will influence terms of service for cloud providers going forward.

Briefly, the controversy erupted when it was revealed that, in the process of investigating a potential leak from one of its employees, Microsoft accessed the Hotmail inbox of a blogger that it suspected was the recipient of the leaked, internal Microsoft documents. While Microsoft was within its rights to do so under its terms of service at the time, this investigation was perhaps the first instance of a cloud provider admitting to making use of such data access provisions. Subsequent allegations by well-known blogger Mike Arrington that Google had similarly spied on his e-mail were vehemently denied by Google’s General Counsel Kent Walker.

Last week, in the face of a rapidly growing firestorm of controversy, Microsoft reacted swiftly and revised its privacy policy, as outlined by Microsoft’s General Counsel Brad Smith:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

If a cloud provider needs to access data stored on its systems as part of an internal or external investigation, mediating the investigation through law enforcement is the correct thing to do. Microsoft has taken the right first step here (and kudos to the company for acting so swiftly), and has hopefully set a precedent other cloud providers will follow.