@aral Wait what? I'd argue that activation links is the least problem here.

Right, but it's a concrete problem that you can point your finger at.

@aral and a friend just told me that #Microsoft was now «less bad» that it had been, much better than #google or #facebook,... Seriously, how many times do they have to trespass before it sinks in ? #MS is not your friend. None of them are.

@aral @RLetot @aral The #MACFANG tech giants are not all equally evil, and sometimes you may have to favor one over another if you can’t boycott them all, but someone who says MS is less evil than Google & Facebook doesn’t have the big picture. I have an idea where that comes from though.

@RLetot @aral If you ignore all the MS corruption & anti-consumer actions by MS & fixate just on privacy, MS was widely thought to not be in the #surveillanceAdvertising biz (certainly not to the Google/FB extreme). People assumed MS did not snoop in their email. But this year MS bought a surveillance ad spin-off (#XANDR?) from AT&T, so now there can be no mistake: MS is firmly in that business.

@aral @RLetot But in the broader picture of social justice, human rights, transparency, honesty, digital/software freedom, etc, #Microsoft has always been /far/ more evil than Google.

@koherecoWatchdog @RLetot MS has been firmly in that business one way or another with Windows for years, not to mention Bing ads and MSN before that.

@aral @RLetot The widespread opinion is that MS does not depend on ad revenue for survival. Ad revenue is the *life-blood* of Google and FB & they would collapse w/out surveillance advertising. Whereas s/w sales is the life-blood of MS who doesn’t even need ad money to stay afloat. Historically if you start talking about gloves in your MS email, you wouldn’t start seeing ads for gloves.

@RLetot @aral That’s the public perception, and probably where JRepin’s friend was coming from. MS was likely doing some sneaky data collection in email w/out saying so, but if you don’t see targeted ads it suggests MS was limited in how they were using the data. Now after the XANDR acquisition, that’s all changed. They are overtly in the data brokering business.

@RLetot @aral It (un)amuses me when people shill for companies like football teams. They project some sort of personality and moral cohesiveness onto them as if they weren't mindless, corrupt exploitation machines

@aral Skype also has a history of taking links in private conversations

@aral I've experienced something similar myself, while trying to figure out why one-time login links were expiring for random outlook.com email addresses. Digging into the server logs I saw a Microsoft IP address send a HEAD request of the login link included in the email, which was invalidating the one-time link.

I solved it by having my app ignore HEAD login requests and only process GET requests, as my robots.txt file disallows indexing.

Still really rubbed me the wrong way. I figured it was some kind of anti-phishing gimmick, but the fact that they're just using it to populate their spider is an egregious violation of user trust.

@jaywilliams @aral just make the page require a POST, crawlers (or antivirus software or whatever) usually don't send POST requests

@easrng @aral It's hard to make a link in an email send a POST request.

@jaywilliams I know this is very widely ignored but to be compliant with the HTTP specification you should use POST (or some other methods but not GET or HEAD, etc) to have any significant side effect on the server.


Good luck suing MS ;-), their lawyers would just quote “What is important, however, is that the client did not request that additional behavior and cannot be held accountable for it.”

@easrng @aral


Textbook reason for breaking up big tech companies and keeping them small, or at least preventing them running more than one online service.

I'm sure it's against child abuse, that's always the reason to ignore even basic levels of privacy.

@aral So many fails in this article:
"the assumption is if you have access to the email account, you’re probably who you say you are" => FAIL
"All was well for weeks, then suddenly I noticed an increase in logins, but little to no user action after the login event." => Click tracking inside the app ?
"3. Token is expired (which I forgot to actually do)" => FAIL

@aral "This felt like I had stumbled onto a Wikileaks level conspiracy. Microsoft is sharing private email data with its search engine?" => WAW what a discovery ! Like no one ever said that ! 😱

Repeat after me: unencrypted email is not a secure communication channel.

@Haydar Yes and you can be stabbed to death if you're not wearing body armour. And yet we have laws against stabbing people and we treat those who stab others as criminals and understand that the person getting stabbed is the victim here so we don't go around blaming them for not taking steps to ensure their flesh is harder to stab. About time we stopped victim blaming in tech too. The blame here lies with one entity alone: the trillion-dollar faceless corporation we call Microsoft.

@aral Of course Microsoft is the one to blame. I am not saying, that this is the victim's fault. I'm just saying, everyone should know the risks.

We can point fingers at all these data harvesting tech corporations, but they will not change. So we must educate the users and inform them about the risks.

@Haydar Let’s do both :) (Of course, they won’t change but they can be forced to comply with the law if we can influence the right laws. Not that I’m hugely confident we can but still…)

I think Microsoft should be either forced by law or at made to feel very embarrassed if they don't *provide* the proverbial body armor to protect their proverbial potential stabbing victims.

This sort of news needs to be something that corporations' PR people live in fear of and do everything to prevent. But putting it into law requirws more people to actually care, which seems to be a hard problem...

And there's *not even* any choice in that matter. It's not like you can commonly verify yourself through some secure messenger or such.

@aral @Haydar
(wrt to the concrete problem of activation links, that is. The problem runs deeper, of course.)

@aral Yandex had a big scandal in 2018 when they indexed public Google Docs anonymous editor links and Google didn't expect this so robots.txt was wide open.

@aral Oh ffs... Every time I think it can't get worse, it does...

@aral I'm sure this happens more often than most people realize by many companies. The ONLY thing holding me to Microsoft is gaming on Windows.

@Ghr00t @aral

Gaming on Linux is great. Time to make the switch!

@aral MS has been trying to make Bing work locally for enterprises, so it can find things that were sent to/from you via Bing/Cortana. They have a custom enterprise site that lets you search company-related stuff instead of just public www-stuff. I guess e-mail needs to be indexed in order to do that.

@aral @hbenjamin There are many reasons for systems to automatically visit links contained in emails. Some feel pretty evil (see OP's link) but others are definitely good (inspection for safety).

So the conclusion about not sending magic links is probably a good one.

@aral So that's why Github sends you text to copy-paste on their website.

@aral I guess newly thankful that I use FastMail, even when it's less convenient at times.


Microsoft outlook has also a link protection feature that "scan" links in order to prevent the user to go to a malicious website.

That is the ad.

When the user clicks on the link in outlook email, microsoft is notified and will also make a visit to the link. However this visit will happen a few seconds after the user reaches the link endpoint so he could already be trapped....
This is done to avoid a long delay on link clicks I guess but it defeats the security argument.

@aral consider also outlook composer adding preview tiles of links you add to an email..

@aral Saw your post earlier this week and thought about this one. keys.openpgp.org verify links could also be compromised with this as an exploit. Makes me wonder is if some domains are filtered from the indexing.

@aral And once again, we see why we can’t have nice things. 🤦🏻‍♂️

@me @aral Google also has disabled the ability to access your Gmail via traditional IMAP/POP3 clients for "security reasons" in part so they can track which links you are clicking on inside of messages in your Gmail.
Sign in to participate in the conversation
Aral’s Mastodon

This is my personal Mastodon.