November 17, 2024

Special Report: Technology and Innovation: Microsoft Inherits Sticky Data Collection Issues From Skype

BARCELONA — When Microsoft, the world’s largest software maker, bought Skype in May 2011 for $8.5 billion, it acquired not only the technology behind the world’s dominant Internet voice and video service, but a connection with more than 250 million active users.

But perhaps what Microsoft did not anticipate when it made the purchase was that it would inherit the delicate privacy aspects of Skype’s business, including its billions of encrypted, peer-to-peer Internet conversations.

Those conversations, and the access Microsoft grants to them, are now the focus of a lobbying campaign by 50 digital rights groups and dozens of individuals.

In a letter sent in January, the group asked Microsoft to disclose what data it collected from Skype users and whether that data was passed on — whether to potential advertisers or to law enforcement agencies conducting criminal investigations.

The group, a collection of Internet activists from around the world that includes the Electronic Frontier Foundation, Reporters Without Borders and Zwiebelfreunde, a German university group, called on Microsoft to begin publishing regular transparency reports listing the requests made by government agencies for Skype client information around the world.

Amid the pressure, there are signs that Microsoft may be preparing to relent and publish what are known as transparency reports, which disclose the level of government requests for information. Google has provided the reports since 2010. Since then, Twitter and LinkedIn, among others, have moved toward offering regular reports — but not Microsoft.

Besides public disclosures, said Eva Galperin, a global policy analyst at the Electronic Frontier Foundation, the group also wanted to know the location of Skype’s headquarters — whether in Luxembourg, as it was before it was acquired by Microsoft, or at Microsoft’s base in Redmond, Washington.

The location is important, Ms. Galperin said, because if Skype’s headquarters are in the United States, Microsoft and Skype would be required to comply with requests made by U.S. intelligence services under Calea, the Communications Assistance for Law Enforcement Act, which gives agencies easier access to monitor data from online businesses like Skype.

Internet activists in countries with authoritarian regimes also need to know whether their Skype conversations, once considered a hack-proof way of avoiding government phone wiretaps because of the peer-to-peer nature of the exchanges, are still secure, she said.

“What we know right now is that we don’t know,” said Paul Bernal, a lawyer and professor of technology, intellectual property and media law at the University of East Anglia in Norwich, England, one of 61 individuals who also signed the open letter to Microsoft.

“We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” Mr. Bernal said. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.”

Dominic Carr, a Microsoft spokesman in Redmond, said that Skype’s headquarters, even after the purchase, remained in Luxembourg and the company was subject to laws of Luxembourg and the European Union, not the United States.

Luxembourg, like other E.U. countries, has mutual assistance pacts and other legal mechanisms that permit companies like Microsoft to share information with foreign law enforcement agencies in continuing investigations. The purchase of Skype by Microsoft has not changed the ability of law enforcement to gain access to Skype data, Mark Gillett, a corporate vice president responsible for Skype engineering and operations, wrote in a blog post.

According to Microsoft’s published privacy policy, three types of information are generated by Skype: personally identifiable information on users; nonidentifiable information; and the actual contents of Skype-to-Skype audio and video conversations.

Article source: http://www.nytimes.com/2013/02/25/technology/microsoft-inherits-sticky-data-collection-issues-from-skype.html?partner=rss&emc=rss

DealBook: Behind Google’s $500 Million Settlement With U.S.

The investigation was led by the U.S. attorney's office for the District of Rhode Island, headed by Peter Neronha, and the F.D.A.'s Office of Criminal Investigations.Joe Giblin/Associated PressThe investigation was led by the U.S. attorney’s office for the District of Rhode Island, headed by Peter Neronha, and the F.D.A.’s Office of Criminal Investigations.

The Justice Department’s settlement of a criminal investigation of Google for allowing Canadian pharmacies to advertise drugs for distribution in the United States reflected an effort by prosecutors to extend the reach of federal drug laws. This may present future challenges to Internet search companies over their advertisements.

Google entered into a nonprosecution agreement with the government last week over the use of its AdWords program by Canadian pharmacies that helped them sell prescription drugs in the United States in violation of a federal law, 21 U.S.C. § 331(a). That law prohibits causing the “introduction or delivery for introduction into interstate commerce of any food, drug, device, tobacco product, or cosmetic that is adulterated or misbranded.”

White Collar Watch
View all posts

Google agreed to forfeit $500 million, representing its revenue from the Canadian pharmacies, and to enhance its compliance program for drug advertising.

For Google, the settlement puts an embarrassing investigation to rest and eliminates a distraction while it pursues its $12.5 billion acquisition of Motorola Mobility. By styling the settlement as a nonprosecution agreement, the company will not have a criminal record once it complies with the terms.

The Canadian prescriptions sold to American customers were considered “misbranded” under the statute because they were not approved by the Food and Drug Administration. In some cases, the drugs were obtained from countries other than Canada that lacked adequate regulation of pharmacies.

Larry Page, chief executive of Google.Mario Anzuoni/ReutersLarry Page, chief executive of Google.

The United States attorney for Rhode Island, Peter F. Neronha, whose office was responsible for the investigation, said Google’s conduct was not the result of a few rogue employees, according to The Wall Street Journal. Mr. Neronha said the company’s chief executive, Larry Page, “knew what was going on.”

The statute prohibits the “introduction or delivery” of the drugs, but Google was not involved in any way in their actual transfer into the United States, which is the usual means of proving a violation of the statute. Instead, the Justice Department viewed Google as an accomplice to the crime by enhancing the ability of the Canadian pharmacies to reach American consumers.

Can a search engine be held responsible for how consumers use the products or services allowed to be advertised on it? That question goes to a core issue in the criminal law regarding the responsibility of suppliers for the use of products they sell.

There were negligence lawsuits in the early 1990s against Soldier of Fortune magazine for advertisements it ran for people willing to engage in criminal acts, including murder. These cases were brought by victims of attacks and involved a question about whether the magazine published ads that were a “clear and present danger” to the public, and therefore unprotected by the First Amendment.

Unlike a private lawsuit alleging negligence, the Justice Department’s nonprosecution agreement with Google involved an assertion that the company aided a criminal violation — i.e., that it was an active participant in a crime.

To prove accomplice liability, the prosecution must show the defendant provided some assistance in the commission of the crime, which can include counseling or encouraging the offense. There is a fine line between supplying goods that are later used for the commission of a crime and actually assisting in its completion.

Even if one does furnish some measure of assistance, the law further requires that the accomplice be aware of the user’s intention to commit a crime and intend to give some assistance or encouragement in its completion.

The Justice Department’s position in the Google case emphasizing the awareness of its chief executive shows it took an aggressive approach about what can constitute aiding a violation of the drug importation laws.

Google was not involved in the actual movement of the prescriptions, but the government viewed its role as sufficiently important to the success of the Canadian pharmacy sales that it was similar to someone who actually supplied or shipped misbranded drugs.

The fact that the case was resolved by a nonprosecution agreement can be seen as an indication that the Justice Department understood its position on accomplice liability could be open to challenge if criminal charges were filed in court.

Unlike a guilty plea, this type of resolution does not require any judicial approval, so a judge will not question whether the conduct rose to the level of aiding and abetting a crime.

Google’s $500 million payment was labeled as a forfeiture of the gross revenue it received from the advertising by the Canadian pharmacies, not a criminal fine or civil monetary penalty. While Google lost the proceeds of the pharmacy advertisements, it did not experience any additional monetary punishment for its conduct.

The Internet allows messages to be better focused on particular groups of potential customers. With that ability comes the growing possibility that the Justice Department will view search engines as more than mere passive conduits of information, and instead as potentially active participants in conduct that may violate the law.


Peter J. Henning, who writes White Collar Watch for DealBook, is a professor at Wayne State University Law School.

Article source: http://feeds.nytimes.com/click.phdo?i=4d49b4ab91f6ef055b8287b9ee2a4ece