First, its heavy handed decision to stop emailing security updates to users (in response to new Canadian anti-spam laws) was u-turned in a rather embarrassing manner.
Then came something much worse as Redmond’s Digital Crimes Unit (DCU) unilaterally sought a court injunction to seize control of 22 domains belonging to DNS firm No-IP.
It did this to arrest the spread of malicious activity on some of the domains, but with good reason commentators are already calling its strategy misjudged this time around:
- No-IP was not informed of the take-down, nor was it working in collusion with the cyber criminals. It also pleaded that it has always co-operated with the authorities when asked on such matters previously.
- Microsoft was unable to filter good traffic from bad, leading to millions of legitimate No-IP customers left without a service earlier this week.
Europol special advisor on internet security, Brian Honan, told me that the incident will further undermine the credibility of tech giants like Microsoft, which has already taking a pasting thanks to the NSA spying revelations from whistleblower Edward Snowden.
He raised a number of valid concerns with me by email:
• If No-IP were not contacted by Microsoft DCU regarding the abuse of their services what right have Microsoft DCU got to determine how good or bad the No-IP abuse mechanisms were? Indeed, what is the criteria and standards that Microsoft used to determine how responsive the No-IP abuse desk is? Are all service providers, including Microsoft, now expected to meet the requirements and expectations of Microsoft DCU? And if not can they expect similar interruptions to their business?
• Microsoft DCU also showed they do not have the technical capabilities in managing Dynamic DNS services and subsequently have impacted many innocent users and businesses, how will Microsoft DCU ensure
• There are also concerns over Microsoft infringing on the privacy of No-Ip’s legitimate customers. In effect Microsoft diverted all of these customers’ internet traffic via Microsoft’s systems. An action that could place No-Ip and Microsoft in breach of their own privacy policies and indeed various privacy laws and regulations.
This is probably the first major mis-step by the Digital Crimes Unit, and it will need to re-examine its procedures and processes very carefully to avoid a repeat. Its loss of face in this incident will only benefit the cybercriminals if it makes Redmond and others more hesitant to take action in future cases.