Microsoft plays for keeps. As we reported earlier, Microsoft used a clever trademark infringement civil lawsuit to get judicial authorization to raid the host servers running the command and control software brains of the huge Zeus botnet empire. If that was not daring enough, Microsoft has gone on to try and unmask the operators of the criminal phishing and spamming network. And they are recruiting, with the help of a subpoena, Google to assist in identifying the botnet’s remote operators. Per its terms of service, Google has sent notices to the alleged botnet operators whom Microsoft requested personal information on.
Again, what makes Microsoft’s approach interesting, from a legal perspective, is that it is using civil lawsuits and civil litigation processes to crack down on cybercrime. In essence, except for the help of federal marshals in the server raids it conducted earlier, the software giant is pursuing its legal campaign without the involvement of law enforcement entities. While Microsoft’s legal creativity has opened a new front against botnets, it is not entirely without critics. Some security researchers felt betrayed by Microsoft’s actions. They said that they shared information with Microsoft in confidence and now the software giant has exposed such sensitive communication. Others say that Microsoft’s actions actually hampered international law enforcement action on the Zeus botnet.
The betrayal felt by some in the security research community stems from the bargain Microsoft made with the federal judge handling its case. In exchange for making efforts to identify “John Doe” defendants, the court issued a warrant that enabled Microsoft to raid servers connected with the botnet as well as seizing domains used by the botnet. In fulfilling its part of the bargain of identifying John Doe defendants, Microsoft published the identifying information, email addresses, and nicknames of individuals it believed were responsible for the domain purchases and server rentals.
Recently, Google began sending people who registered over three dozen Gmail accounts notices that their accounts are part of Microsoft’s subpoena. The list of email addresses are not really a surprise since Microsoft has already posted them on zeuslegalnotice.com along with nicknames and other identifying information that tied the addresses to 39 “John Does” which Microsoft is trying to unmask. In accordance with Google’s privacy policy, upon receipt of Microsoft’s subpoena for email records, Google sent a notice to each of the affected account holders that Google will turn over the requested information unless the account holders file a formal objection by a certain deadline.
According to anonymous sources who received a copy of the Google alert, this is what the notice says:
“Hello,
Google has received a subpoena for information related to your Google
account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v.
John Does 1-39 et al., US District Court, Northern District of California,
1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).
To comply with the law, unless you provide us with a copy of a motion
to quash the subpoena (or other formal objection filed in court) via
email at google-legal-support@google.com by 5pm Pacific Time on May
22, 2012, Google may provide responsive documents on this date.
For more information about the subpoena, you may wish to contact the
party seeking this information at:
Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025
Google is not in a position to provide you with legal advice.
If you have other questions regarding the subpoena, we encourage you
to contact your attorney.
Thank you.”
Actually, this vocal notice and procedure sets Google apart from its competitors in the free webmail industry. That is why Gmail gets high marks from online privacy groups for its privacy policies and transparency in responding to law enforcement or governmental requests for information.
A few of the other names on Microsoft’s John Doe list use hotmail.com and msn.com. These services are run by Microsoft and it is not clear if those account holders received a notice similar to the one Google sent.
Microsoft’s legal efforts to use civil litigation to go after botnet operators, while applauded in some circles, strike some privacy watchdogs as self-serving and might also interfere with law enforcement processes and efforts.