When the Boss Hacks

There is an unspoken underlying tension in the workplace on privacy matters relating to office telephones, computers, emails, documents, CCTV cameras, etc. Employers like to think they reserve the right to probe what they consider their property while employees believe their turf should be free from invasion.

This tension is nowhere better exemplified than by reports last Thursday that operatives with US tech giant Microsoft Inc. hacked into a blogger’s Hotmail account in the course of an investigation to try to identify an employee accused of stealing Microsoft trade secrets.

Based on Microsoft’s hacking, US prosecutors brought proceedings against Alex Kibkalo, a Russian and former Microsoft software architect from the company's Lebanon office. Kibkalo was arrested last Wednesday on a tip-off from an external source, who revealed that an anonymous tech blogger in France in 2012 had received stolen lines of source code from the then yet-to-be-released Windows 8 operating system. The blogger, noted for posting screenshots of pre-release versions of the Windows operating system, then sought expert advice from the undisclosed source.

“The source indicated that the blogger contacted the source using a Microsoft Hotmail email address that TWCI [Microsoft’s Trustworthy Computing Investigations department] had previously connected to the blogger. After confirmation that the data was Microsoft’s proprietary trade secret, on Sept. 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account,” according to the court filing documents.

Microsoft said it had acted within its rights and didn’t require a court order because its terms of service agreement – which most users don’t bother reading in detail – for its Outlook.com and Hotmail services permits this under “exceptional circumstances.” However, the company said it would introduce a new policy to proceed with similar searches only after an outside attorney stamps approval to justify a court order.

But in this post-Snowden era, the thought that anyone, especially the vendor, snooped into a private email account is sure to raise eyebrows, given the privacy-violation concerns surrounding technology companies these days. More disturbingly, Microsoft’s Outlook platform is ubiquitous in the corporate world.

The report of Microsoft’s hacking is a public relations disaster for the company, which has been critical of Google for scanning users' emails for advertising purposes and now looks hypocritical.

And let's not forget Facebook founder Mark Zuckerberg, who personally called and then met with US President Barack Obama last Friday to complain about spying by the US National Security Agency – and left unsatisfied with administration assurances that the government can protect privacy while continuing surveillance.

“So now you get the same protection from Microsoft reading your emails as you do from the US government, except that Microsoft will tell you if they've been peeping, whereas the government won't,” according to an online comment.

It is not uncommon in my business to encounter client complaints about potential espionage and other alleged misconduct by their employees, leading to their considering searching the (company-owned) computers, emails, phone records, etc.

As with the Microsoft case, much hinges on terms-of-employment contracts even though some legal experts may argue that the company reserves the right to look into its own property. It is common practice these days for companies to install recording systems on office landlines without informing staff. Companies also routinely reserve the right to privately request from phone vendors all the recent incoming and outgoing call logs of company-issued smartphones. The same argument goes for checking company email traffic from the company's computer servers.

But what if the alleged parties used their personal email accounts like Hotmail or Gmail, instead of company email accounts, on company computers for illegal or inappropriate activity? A computer forensics exercise could take care of that. But without carefully worded employment contracts, the employers could face thorny issues of privacy invasion if they hacked into the private email accounts (or computers) like Microsoft did. As a matter of comparison, consider a company that chose to place a hidden camera above an employee’s desk. It is more straightforward and effective but a definite non-starter, and thus not recommended, due to privacy issues.

If in doubt, remember this quote from Apple co-founder Steve Wozniak:

“A lot of hacking is playing with other people, you know, getting them to do strange things.”

Vanson Soo runs an independent business intelligence and commercial investigations practice specializing in the Greater China region. Blog: http://vansonsoo.com