MS Fingers Hotmail Hackers

Microsoft said its Hotmail email service is now solid as a rock, and called it a case study in how well industry self-regulation works in safeguarding privacy. Critics balk. By Chris Oakes.

Hacking happens.

That was the message from Redmond, Washington, on Monday as Microsoft, along with industry self-regulatory watchdog Truste, revealed the findings of an independent audit of Hotmail.

In pronouncing the email service sound, Microsoft shifted the blame for Hotmail's massive security leak from its own security measures to malicious hackers.

The August incident, the worst Web security meltdown in history, left every one of Hotmail's 50 million email accounts exposed to anyone with access to a Web browser.

"Hotmail maintains the very high standards we place on consumer privacy and security," said Richard Purcell, Microsoft's data practices director.

"Unfortunately, malicious hackers target all technology platforms, but we believe this effort will help ensure that we have the right security controls in place to protect customers of Hotmail."

The audit, conducted by an unnamed "big five" accounting firm, pronounced Microsoft's repair work effective and said that it showed Redmond to be in compliance with the Truste licensing agreement, according to Purcell.

He said the report makes it clear that all is well with Hotmail.

"Our quick response and third-party review are evidence of not only Microsoft's commitment to protecting online privacy, but also to Truste in their dispute resolution process."

Truste is an industry-sponsored nonprofit organization meant to assure compliance with certain Web privacy standards in lieu of government regulation.

A group calling itself "Hackers Unite" discovered the Hotmail hole in August.

The group then publicized the hole, which was evidently a blunder in Microsoft's server administration. They said through a spokesman that they wanted to draw attention to what they said was Microsoft's spotty security record.

Microsoft did not reveal technical details of either the audit or the problem. The patch ostensibly nailed the hole shut and the company said it also put new quality-control procedures in place to prevent future problems.

Truste executive director Bob Lewin said its watchdog complaint system – in which consumers lodge complaints about privacy problems they experience on the Web – worked seamlessly to "ensure that indeed the problem was fixed."

But only time will tell how solid the fix really is. Web servers are by nature leaky boats that must constantly be patched if they are to remain secure and afloat.

When Microsoft announced it would open itself to the audit, critics welcomed the decision.

But independent watchdogs said if the company was really committed to strong self-regulation, it should have done the same in response to a severe privacy problem discovered last March.

In that incident, Microsoft admitted to collecting special identification numbers from users' PCs during the Windows registration process.

At the time, the company promised it was not using the unique identifiers to track Web visitors. It said it would discontinue the collection practice and promised to purge any questionable data from company databases.

But if any situation called for an independent audit, that one did, observers complained.

Microsoft's Purcell explained what he called a simple difference between the two incidents and the company's response: In contrast to the Hotmail problem, the Windows registration issue was not raised in a specific consumer complaint.

"It was not a security breach that was reported through the watchdog process at all," Purcell said. "The hardware ID issue was never used, so there was no claim against it."

In other words, a hole has to be exploited before Microsoft will consent to an independent review.

"When it comes to a point where we need to convince a partner such as Truste or a wider audience to the veracity of the resolution we put in place, then it's up to us as to what kind of independent review that we would conduct," Purcell said.

To privacy advocate Jason Catlett, CEO of Junkbusters, that's an inconsistent policy.

"It's a prime example of Microsoft's instinctual treatment of security as a PR issue to be ignored until it requires emergency spin surgery," he said. "They had a chance to show their confidence in their technology by commissioning an audit to be published, and they fled."

Besides, Catlett asked of the March incident, "how do we know there was no security breach?"

"Self-regulation is the business-class of regulation: It's much more expensive, but so much more convenient."