Surveillance guide gets Cryptome site into hot water.
The sign at a main entrance to the Microsoft corporate campus. The Redmond Microsoft campus today includes more than 750,000 m² (approx. 8 million square feet) and over 30,000 employees.
The noted government whistleblowing website Cryptome has been taken down after Microsoft saw red over its publication of a top-secret Internet surveillance guide normally shown only to law enforcement agencies.
The 22-page Global Criminal Compliance Handbook contains a reasonably detailed rundown on the information gathered by Microsoft from its various Windows Live operations, including Hotmail, Messenger, MSN Groups, and even the gaming platform, Xbox Live. The guide explains the information that is retained by Microsoft from customer activities, for how long it is saved, and how it can be accessed by police and security services in accordance with US legal requirements.
After discovering the document on the site, Microsoft is reported to have demanded its removal, citing the US Digital Millenium Copyright Act (DMCA), a request that was rejected by Cryptome editor and founder, John Young. Microsoft then persuaded domain hoster Network Solutions to pull the site, which remains offline as of the morning of 25 February (GMT).
Microsoft botnet take down will not stop spam, says researchers
Was Microsoft well advised to come down so heavily on a site that has come to be seen in civil liberties circles as an important bulwark against government secrecy?
The guide itself contains few technical revelations, but does underline the extent to which a company such as Microsoft is able to conduct information surveillance from the traces of people’s Internet activity. Any text or images uploaded to a Microsoft service appear to be retained for 90 days, along with the date and time of the upload and the IP address making the connection.
It is worth noting that all global customer account data for Hotmail – including by implication email records – are stored in the US, which makes it accessible by US authorities under local laws. UK and non-US residents might not realise this. Records are only deleted after 60 days of account inactivity.
On the other hand, Microsoft doesn’t store conversations between users on Windows Live Messenger, its IM service. The most tracked service appears to be the Xbox Live, where names, addresses and credit card data are available to track online users. That is hardly surprising as this is the one service users pay for. This is not quite a flexing arm of the Big Brother state.
Microsoft probably couldn’t have made the information in this guide more public if it had tried. It is now available for download from various Internet sources, including fellow whistleblowing site, Wikileaks. The document will no doubt be pored over by thousands of people with only the vaguest idea of the significance – of lack of significance – of its contents.
More background on the takedown is available from the Geekosystem website, which has a direct channel into Cryptome’s short-term suffering. Longer term, the site will gain from the troubles, assuming it comes back soon.
By John E. Dunn
Published: 11:15 GMT, 25 February 10
Source: Techworld