Windows Live won’t let records die
A fundamental principal of privacy law and practice is that those who possess personally identifiable information are required to destroy that personal information after the purpose for which the person supplied the information is no longer operative.
Companies are not allowed to simply amass information about citizens and then hold on to it come hell or high water.
The recent finding of the Privacy Commissioner of Canada underlined this principle in its findings against Facebook. In that ruling, the Commissioner reported that Facebook continues to keep user accounts indefinitely after a user has canceled that account.
Facebook is not alone.
Over the past three months, the Secure Surfing Organization has been going through a process of trying to get a very old Hotmail account either reactivated or deleted. With reactivation, the user would be able to regain control over his personal information and, most importantly, provide himself some comfort against the possibility of identity theft, impersonation or reputation attacks that could be mounted as a result of an e-mail account existing using his very identifiable and unique personal name.
This case is special because the name of the account has a last name that is shared with fewer than 25 people in the entire world.
Hotmail has long since been subsumed under the Windows Live service. The account in question predates the creation of the Microsoft Passport which is also now absorbed into Windows Live.
At no point did the user receive notice, must less give consent to have his Hotmail e-mail address converted into a Windows Live account. Microsoft may offer the explanation that the change was announced or communicated by e-mail. The absolute inadequacy of this is seen in the fact that the dormant accounts Microsoft retains have no way to view the notice and are obviously not able to access the Hotmail e-mail addresses.
This method of resetting a password is also the key way Microsoft offers users to recover control over their accounts.
So Microsoft has created a catch-22 that users cannot escape. The user cannot access his Hotmail account because he has not used in many years and cannot remember the password. His choice is to receive an e-mail message providing instructions on how to reset the password. The e-mail address to which the instructions will be sent is the Hotmail e-mail address which the user cannot access.
The other method for reactivating an account is to answer a “secret question.” The problem is that after many years most users will not even remember the question, let alone the answer.
Offering Microsoft alternatives such as Canadian Passport identification, credit card numbers or any other means of direct identity authentication they choose brought a robotic response about using the “forgot my password” system.
At this point the only means to defend the user’s identity is to ask Microsoft to delete the account completely.
The account is not in use and this was verified several times by the Secure Surfing Organization by simply trying to send e-mail to it. Each attempt was met with a deilvery failure notification from Microsoft:
SMTP error from remote server after RCPT command:
host mx3.hotmail.com[65.55.37.104]:
550 Requested action not taken: mailbox unavailable
With the e-mail account not being in active use, Microsoft does not have the argument available that it cannot delete the account in case a legitimate user might reactive it at some unseen future date.
In its final communication with the user, Microsoft wrote:
“In order to give the information you request, MSN Legal Department must receive a court order from your legal council.”
In other words, it falls to the citizen to get a court order to properly deal with his own personal information in the possession of Microsoft.
A complaint will be filed with the Privacy Commissioner. but in the meantime, NEVER use your real name for your Windows Live, Hotmail, Bing or other Microsoft online services. Because if you decide later you do not want to use their services any longer, you may never be able to force them to delete your name and information from their systems.
Instead, read the Secure Surfing Organization “How to “join” stuff safely.“
