I personally think this is a good move. There aren't a lot of choices for the company. As they indicated, they can't request an official search of themselves. And short of hiring a 3rd party company to approve/disapprove, there isn't much more they can do. I think they are doing by trying to be transparent and not hide the fact of what they did. It could have all been hidden quite easily. I see no other service not doing the same thing. Gmail with Google employees. Apple with imail, etc. What I think is stupid is that the former employee who was clearly in violation was using Microsoft services to bad-mouth them with. I feel like he should have been using alternative emails and services if he was going to continue his inappropriate actions.
They could have reported the case to the authorities. The cops would have sought a search warrant for the mail and had to go through the legal process for that. That's how these things are supposed to work.
That's quite literally schizophrenic ("split-mind"). What do they imagine will be the disagreement rate between the two teams? What is the incentive for the second team, which is after all employed by Microsoft, the same company that employs the other, to disagree? This is envisioned as being for a scenario where Microsoft's interests are directly affected, after all.
Why the hell are users even subjected to whatever mock-trial Microsoft deigns to give them? The whole point is that there is no legal bar to them doing as they please, so why won't they just bypass the whole procedure when it suits them?
The only solution is a company that ties itself to the mast with verifiable technical measures.
"Disagreement rate" would be as meaningless a number as conviction rates are. A low disagreement rate could indicate the "plaintiff" is careful to make only reasonable requests, or it could indicate the "defense" is not doing its job. A high disagreement rate could indicate lots of unreasonable requests, or it could indicate reasonable requests are being unreasonably denied.
You can't even reach a conclusion as to what would constitute a high, low, or expected rate.
Why hasn't Microsoft volunteered to disclose past data? Hiding something? The comparison to the near framework is warranted to highlight the bite of the proposed new framework.
It's really not that different from other internal audit teams. Financial audit doesn't exist to make the accountants happy, and IT audit teams won't hesitate to rip into the IT groups. This is basically a comprehensive, proactive legal audit of any internal user data request. As long as they don't fall under the same management as the other legal team, there shouldn't be much internal pressure to compromise.
They are worried that the negative PR of them reading users' mail when it suits them will result in stricter legislation about these matters. So to head that off, they've invented this legal circus show to legitimise the whole thing.
I don't get it. Why don't they just drop the clause that they exercised in their privacy policy such that they need a real court order to get at the data just like any external email address?
I'm having trouble even conceiving of how you could structure that. You can't sue yourself, so to even make the case arguable in the US, you'd have to set up the contract such that Microsoft would initiate legal process against the customer, requesting a declaratory judgement that they would not be liable for damages for searching the customer's data.
I don't think there's any case law on this, so the first thing the courts would have to do is figure out if they even have jurisdiction to handle such a novel claim. The answer to that could vary between different states' courts and between state and federal courts. (And might even vary between federal courts, since federal cases borrow a lot from state laws, both from the state they sit in, and from other relevant states, like the state in which an entity is incorporated, or the state a contract was executed in.)
(And even if you get past all that, you haven't actually stopped Microsoft from doing anything at all. They can still search your data without going to court in the first place if they're willing to risk being held liable for damages for breach of contract. Those damages would not likely amount to much.)
They searched the account of a French blogger, so that adds another layer of insane complications (I'd guess both France and the EU would come down pretty hard on Microsoft, but for the wrong reasons).
If you read the Ars article [1], they specify in the second statement that "Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed."
I think the claim is based on the fact that if you ask any judge if you can search yourself, the answer is automatically yes, possibly followed up with "why are you even here?"
So they're doing the next best thing by having a mock trial, where the answer isn't automatically "yes". They're in kind of a weird position here, but it doesn't seem like there is a better way to do it. IANAL obviously.
Breaking NDAs and leaking company secrets are civic, not criminal, breaches of law; they only exist insofar as the company is empowered to sue using them. There are no authorities who would be interested in investigating.
Nothing new about that. A great many commercial disputes are settled in the offices of professional arbitrators by mutual agreement or contractual obligation, because it's less expensive than going to court. Contracts give parties wide latitude to define what each other's rights and responsibilities are, notwithstanding the fact that they may be adhesive. Some kinds of contractual arrangements can be declared unconscionable, but not that many - generally only those drafted in such a manner as to be deceptive or which impose retroactive conditions on one of the parties (obviously it's a lot more complicated than that).