Microsoft will now tell users of its email services when their accounts are being attacked by government hackers. The change in policy comes as Reuters reported that the company chose not to tell thousands of Hotmail users that their email accounts had been hacked by Chinese government officials.
Security experts for the company reportedly found evidence in 2011 of attacks on Hotmail accounts used by Japanese and African diplomats, human rights lawyers, and Tibetan and Uighur leaders, but rather than inform them of the covert activity, Microsoft elected to ask affected users simply to change their passwords.
Experts tracked the attacks back to Chinese spies
Attempts to intercept communications from the email accounts in question began as early as June 2009, two former Microsoft employees allege, but the attacks weren't discovered until 2011. In May of that year, independent security firm Trend Micro spotted a program that could exploit a vulnerability in Microsoft's free email services, secretly sending incoming mail to a third party. Microsoft began its own investigation, in which it reportedly discovered a number of the attacks could be traced to a Chinese network known as AS4808, a cell which had been publicly implicated by the US government in other secret surveillance campaigns.
In a statement today, Microsoft justified its decision not to inform the thousands of users affected by the incursions, specifying that the attacks "did not come from one single country" and that neither it nor the US government could pinpoint the source of the attack. But Reuters says the decision came after an internal debate involving Scott Charney, Microsoft's head of security, and Brad Smith, the company's current president. Two people reportedly familiar with the discussions said that company executives had not wanted to anger the Chinese government by publicly issuing warnings about the security breaches.
Microsoft says some of the attacks came from other countries
Where Google, Facebook, and Yahoo all regularly issue warnings about government-level hacking attempts, Microsoft had not followed suit — until now. Announcing its new policy, the company wrote: "as the threat landscape has evolved our approach has too, and we'll now go beyond notification and guidance to specify if we reasonably believe the attacker is 'state-sponsored.'" The change could help stop government snooping in the future, but it comes too late for people like Seyim Tumturk, vice president of the World Uyghur Congress, who held one of the targeted accounts. Speaking to Reuters, Tumturk said companies like Microsoft "have an ethical and a moral responsibility to let the users know that they are being hacked."