Did Microsoft leave Hotmail open for Dictators?

On Friday, March 25th, Jillian C. York, a writer for Al Jazeera English, claimed on her personal blog that a Syrian Hotmail could not turn on (Hypertext Transfer Protocol Secure (HTTPS) on Hotmail and, "he was … blocked from turning on the 'use HTTPS automatically' setting." Eva Galperin, a Electronic Frontier Foundation staffer followed up, and found that the "always-use-HTTPS option in Hotmail for users in more than a dozen countries, including Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan, had been turned off." This meant anyone using Hotmail in these countries could have their e-mail read by their government-controlled ISPs.

Since then, Microsoft, on one of its technical help sites, has denied that it had deliberately disabled HTTPS for some of its users. The statement reads: "We are aware of an issue that impacted some Hotmail users trying to enable HTTPs. That issue has now been resolved. Account security is a top priority for Hotmail and our support for HTTPS is worldwide - we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused."

Inconvenience? The wrong e-mail being read by the powers that be in some of these countries could lead to a one way trip to the closest firing squad.

To the best I can tell, from checking Microsoft support groups, there were no reports of wide-spread HTTPS outages. On the other hand, even now, the vast majority of people are blissfully unaware of the danger of their e-mail or social network messages being intercepted by either governments or just snoopy people using tools like Firesheep. Smart users, no matter where you may live, should adopt secure Internet options to keep their online activities private. Most people though, I'm sorry to say, never even pay attention to whether they're protected or not.

Hotmail at least has an HTTPS option. However, secured Hotmail works only on the Hotmail Windows Live Web site. You can't use HTTPS security with Hotmail if you access it through Microsoft Outlook Connector, Windows Live Mail, or Windows Live for Windows Mobile and Nokia.

That still better than many other popular communication Web sites which still don't offer their users any option. To the best of my knowledge, only Google's Gmail, of the major online mail services, offers HTTPS security by default.

Secure protocol or not, though, a government can still play games with a user's e-mail. Google recently accused the Chinese government of interfering with Gmail service.

The problem with Hotmail security may not lie entirely with Microsoft. Earlier this week, I was told by a source in Syria that he was unable to use HTTPS  to link to any Web site. Some of Syria citizens are now demonstrating against its decades-old dictatorship It could as no surprise if Syria's government is trying to keep a closer eyes on would-be dissents while not making Egypt former government's strategic mistake of turning off the Internet.

I've checked in with both Arbor Networks and Renesys, two companies that provide high-end Internet services and track international Internet issues, to see what they knew about Syria, or other countries, blocking HTTPS use. Neither though have gotten back to me in time for this report.

See Also:

Libya turns off the Internet and the Massacres begin

Bahrain’s death toll grows and its Internet slows

Freedom Box: Freeing the Internet one Server at a time

How the Internet went out in Egypt