Microsoft opens new windows into your email by quietly changing privacy policy

4:42am | 1 November 2012 | by Raegan MacDonald, English

There have been quiet murmurs about Microsoft’s recent change in privacy rules. If you haven’t heard, Microsoft recently changed its privacy policy in almost exactly the same way Google did on March 1st, but didn’t receive quite the same level of scrutiny from the broader public. Most notable is the vague wording in some sections (e.g., Section 3.3), which indicates that the company will pool data across its products and services (Bing, Hotmail, etc.) without explicitly stating that it will not use the contents of private communications for advertising purposes.

While Microsoft has stated in blog posts and public statements (e.g., see section on “putting you in control”) that it would not use the data collected across its platforms in this way, the wording of the policy itself seems to allow such practices. Pooling data across multiple products and services was undeniably one of the more contentious aspects of Google’s privacy policy change.

However, in response to a letter expressing concern about the new policy from Representative Edward J. Markey, a Massachusetts Democrat who is co-chairman of the US Congressional Bipartisan Privacy Caucus, the company said in a statement, “We could have been clearer about this when we rolled out our updated Services Agreement.” The company added that, as a result of the feedback it has received, it will update the agreement to make the point explicitly clear.

Access welcomes the fact that Microsoft heard the criticisms and has indicated that it will refine the wording of its policy. But we have to ask: Why didn’t they just make it clear in the first place? Furthermore, regardless of whether or not the company shares the data collected across its platforms for advertising purposes, combining these data will mean the company will be building greater and more detailed profiles of Microsoft consumers (we’ve explained some of the implications of this in a previous post about Google’s privacy policy change that you can check out here).

The increasing power companies assert in ToS agreements

Terms of service agreements, ostensibly an agreement between the service provider and a user, are increasingly designed to protect the interests of the service provider. As the use of the internet and ICT becomes ever more ubiquitous, these service providers play a determining role in how the rights of users are enabled (or eroded), including the rights to freedom of expression, access to information, and privacy.

But companies aren’t just rewording their Terms of Service agreements (and privacy policies, acceptable use policies, etc.) to generate more profits or to support a business model; there’s also been a recent push from governments to get companies to adopt even stricter content and data management policies. In Europe, for example, the European Commission is asking companies to “voluntarily” adopt, in their Terms of Service agreements, measures to solve societal problems such as protecting children (e.g., the CEO Coalition to make the internet a better place for kids) and/or preventing terrorist use of the internet (e.g., CleanIT).

These private contractual agreements mean that service providers not only write the rules – which very often restrict basic human rights and legally protected behaviours – but also fail to outline clear criteria for their interpretation, leaving users (those who can take the time to read the often lengthy policies) at a loss as to what powers the provider may actually have over the management of their information.

Here’s a great example of some of the powers Microsoft grants itself in the company’s app developer agreement, under removal policies: "Microsoft may remove or suspend the availability of any app from the Windows Store for any reason or no reason". Unlike many Terms, which are written in complex legalese, this one is pretty clear. They don’t even need a reason, and are free to remove your app from their store, literally whenever they want, with no justification whatsoever.

It’s not just Google or Microsoft: let’s look at the big picture

Unfortunately, it’s not just the Googles and the Microsofts who are doing this; it is part of a much larger corporate trend. Recently, Amazon remotely wiped the contents of an individual’s Kindle and closed her account. In the email she received, the company said it had found that her account was “directly related to another which has been previously closed for abuse of our policies.” According to its Conditions of Use, Amazon.co.uk and its affiliates are permitted to “refuse service, terminate accounts, remove or edit content, or cancel orders at their sole discretion.” This is a perfect example of how such vague Terms can be enforced arbitrarily, as one might not assume that this enables the company to remove purchased items from your e-reader. Would you expect Amazon or any other book store to come into your home and take books off your shelf that you had purchased there? And this isn’t the first time this has happened: in 2009, Amazon deleted (perhaps with some sense of irony?) copies of Orwell’s “Animal Farm” and “1984”.

So how are companies getting away with this? Peter Fleischer, Google’s Global Policy Counsel, in a recent post “commended” Microsoft for (almost) getting away with its privacy policy update because it did so quietly, and not openly as he alleges Google did. While Mr. Fleischer might have reason to be a little peeved -- especially considering Microsoft publicly criticised Google’s policy change, and the fact that Google is still under investigation by European data protection authorities for its new privacy rules -- he does raise an important point about the lesson that other companies might take away from this. Namely, that companies could feel penalised for being upfront and transparent about policy changes.

However, let us be clear: companies should always inform their users about changes to their various terms of service agreements (including privacy policies). Furthermore, in this day and age, it is difficult to do anything “quietly,” so the risks to reputation and company integrity are greater if consumers feel that they are being hoodwinked. In fact, Microsoft’s new policy upgrade is being reviewed by the Luxembourg Data Protection Authority, which will investigate whether this change will entail new risks for the privacy of users and whether the policy meets EU standards on notice and choice. According to Gerard Lommel, President of the Authority, “This investigation is not at the same level as the probe concerning Google was a few months ago when it changed its privacy policy, where clear privacy issues had been identified,” since, according to him, potential issues with the upgrade cannot yet be confirmed or excluded.

As Terms of Service agreements increasingly dictate how our rights are protected (or restricted) on the online products and services we have come to depend on, it is important that such terms are readable, clear, and above all, rights respecting. To learn more about this, there are many ongoing projects at the moment which aim to incentivise companies to be more transparent and rights respecting in these agreements -- such as the EFF’s TOSBack, Terms of Service; Didn’t Read, and Privacy Score.

But that is just the first step. If we demand it, they will change them. While they may be big companies, let’s not forget that these products and services -- email, blogs, search engines, social networks -- are made for us.