It's no secret that online service providers cooperate with law enforcement agencies and will hand over personal information of various kinds when subpoenaed, subject to court order, or compelled by search warrant. What is secret has been exactly what information these companies store about their users, and what they will hand over to the authorities when required. In recent days a series of these documents have been leaked to whistle-blowing site Cryptome. The policies of (among others) Facebook, AOL, and Skype have all been posted to the site, and several more were posted last December, including those of Verizon, Sprint, and Yahoo.While most companies have not responded to these leaks, Yahoo, back in December, and Microsoft, whose Global Criminal Compliance Handbook was posted on Saturday, both issued DMCA takedown notices to have the documents removed. In both cases, Cryptome refused to take any action. Yahoo's demand went no further, but Microsoft decided to take things to the next stage, and told Cryptome's ISP, Network Solutions, to take the site down. Network Solutions duly complied. Microsoft now has 14 business days to begin litigation, after which the site will be reinstated.
John Young, Cryptome editor, notes that only Microsoft and Yahoo have "behaved like assholes" and taken legal action to try to get the documents removed. Though the other companies are no doubt far from thrilled to have their internal documents posted, they have not seen fit to take any action as a result. Cryptome, for its part, has moved to a temporary new host, and all the documents remain available to download.
The information that Microsoft could give to law enforcement is for the most part exactly the information one would expect. They cover the full range of Microsoft's online services; Hotmail, Windows Live ID, Windows Live Messenger, Office Live, and Xbox Live to name a few. The document describes what the services are, how long they retain data, and what data they do and don't keep. For example, Windows Live Messenger's logging records the Windows Live ID activity (sign on and sign off) and contact IDs, but does not retain any data about the actual messages. Xbox Live records indicate which gamertag was playing what game and when, but no mention is made of, say, whether the messages sent between users on the system have any accessible logs, or who is playing with who.
What's more surprising is why Microsoft should take such a hard line against the document's posting. While the company could argue that yes, technically the information contained is all proprietary and copyrighted, the fact is, it's what any half-way competent developer would expect to log. Some companies such as Cisco have even made their documents public voluntarily, for precisely this reason: there are no exciting dirty little secrets here. It's a bit surprising in places—it has to explain to readers that Microsoft can't provide access to e-mails stored on local hard drives (something that does not speak highly of the wit of the law enforcement officers who might be making such requests)—and is both quite specific in some places (explaining how to read and interpret the logs that Windows Live ID creates) and annoyingly vague in others (when discussing Office Live Small Business and Windows Live SkyDrive)—but for the most part, the thing that is striking is how mundane it is.
About the only real value in the whole document is that it makes clear that criminals should clearly conduct their business over Windows Live Messenger—unlogged—rather than e-mail. Law enforcement can't request what Microsoft doesn't keep in the first place, after all.
The decision to take action under the DMCA is also surprising because of the counterproductive result. If Redmond had done nothing, the likelihood is that few people would have even noticed that the document had been posted. Sure, it would be "out there" on the Web, but the thing is hardly compulsive reading. By having Cryptome taken offline, the Handbook has garnered far more attention—and far more redistribution around the Web—than it ever would have if the company had left the site alone. At least Yahoo's compliance guide contained pricing information—about $30-$40 to get a copy of a Yahoo user's e-mail. Microsoft's lacks anything even that juicy.
All in all, it is a strange fight for Redmond to pick. No good can come of it—the document is out there, and probably distributed more widely than ever—and the handbook tells us only what we already knew anyway. There are surely better ways to tarnish a reputation and accumulate legal costs.
Source: Arstechnica.com
