How key Microsoft legal emails 'autodestruct'

Redefining document retention policies...


The latest court documents to be unsealed by Judge Frederick Motz in Burst.com's suit against Microsoft paint a picture of Microsoft document handling procedures which destroyed the very emails that were likely to be most relevant to several antitrust actions, Burst's included. According to Burst's lawyers, Microsoft's status as "a defendant in major antitrust cases since at least 1995" means that it has a duty to preserve potentially relevant evidence. But "Microsoft adopted policies that, to put it mildly, encouraged document destruction from 1995 forward."

Microsoft is still resisting Burst's attempts to have it hand over documents defining its retention policies, but a Burst brief of 27th September puts forward a forensic examination of the net effect of whatever these policies might be, accompanied by a certain amount of rolling of eyes. We, and the technology press in general, are indebted to PBS columnist Robert X Cringely for his dogged and single-handed pursuit of Burst v Microsoft. You can read his take on the latest developments here, and links to the court documents here.

As Microsoft's retention policies remain for the moment a closely-guarded secret it would be absolutely wrong of us to draw any inference as to what they might be solely from what happens. What happens, though, is pretty damn peculiar. The system as a whole defaults to swift destruction of employees' emails, while there is clear evidence that Microsoft takes a very narrow view of whose documents may be relevant to a particular case. In some cases its choice of 'relevant' employees to be subject to retention seems perverse and misleading.

So in the normal course of events documents would be destroyed swiftly, documents would be saved only by a document retention notice, and if document retention notices were not sent to the right people (the Burst brief argues that they were not), then by the time those people were properly identified the documents would almost certainly have been destroyed. Microsoft exec Jim Allchin, who seems to be shaping up as a star exhibit, instructed Windows division employees in January 2000 to delete emails from their hard drives after 30 days. "Do not be foolish," he said, "do not archive your e-mail." In response to emails about this instruction Allchin sends another which confirms the existence of an "official policy" on document retention sent company-wide in the summer of 1996, and says that this is the only written policy. Allchin however reiterates his 30 day instruction, adding an exception only for those who "have received specific instructions from Legal to retain certain documents or email that may be related to pending litigation. These instructions override the general policy."

Microsoft has not yet yielded the 1996 policy, but Allchin's reference to it plus his insistence on 30 days suggests that the general policy was 30 days, from 1996 onwards. The retention of legally-relevant documents is therefore clearly dependent on Legal sending retention notices to the right people at the right time. Burst's brief at this point notes that Microsoft has confirmed it did not produce any of the Allchin email string in 12 prior cases, including DoJ v Microsoft, on the basis that, it claims, nobody asked for them. But in Sun v Microsoft, Microsoft undertook to "produce documents concerning Microsoft business policies, procedures or guidelines for document retention, to the extent such documents exist, for the period January 1, 1998 to November 30, 2002." This period covers the Allchin string, but the string was not produced, so when Microsoft confirmed that it had completed the production of documents, it was not telling the truth.

The general policy, if it is the policy, of 30 days covers local storage. Email could also be saved on the Exchange servers. Microsoft however enforces rigorous limits on employee storage on these servers, and on average there appears to be space for about a month's emails per employee. No storage allocation left, no email until you delete some. In addition, emails could be saved on servers maintained by the Operations Technology Group. But as made clear previously in this case (reported here), company policy is that emails should not be archived on these servers. This policy was strengthened by the addition of the words "Due to legal reasons..." in 1997, but weirdly, Microsoft claims that this bit was made up by information technology employee Candy Stark, purely to add weight to her campaign to save on storage costs. In fairness, therefore, we should consider the possibility that many other apparently incriminating things in surviving emails have been made up too. Is there a company policy on when to believe what an exec is telling you? And if there is, has it been made up? Frightening, isn't it?

But the Burst brief declines to believe Stark made it up, and suggests the "legal reasons" may track back to the elusive 1996 policy, which again is cited by Stark.

Archive location number four at Microsoft is provided by the servers maintained by the IT person for each individual business group. The servers most relevant to the Burst case were maintained by a Mr Ochs, who did not receive a retention notice, and who testified to routinely destroying documents on the servers. These are the very servers Microsoft has previously said it cannot reasonably search for documents, because it does not know who uses which servers.

The brief puts forward several examples of cases where Microsoft failed to identify relevant employees and send them retention notices. In response to a DoJ request in 1997 it failed to identify Chris Phillips and his boss Eric Engstrom, although Phillips had led negotiations with RealNetworks and the ensuing deal was sometimes referred to internally as "the Chris Phillips deal." Microsoft did identify the in-house lawyer brought in to draft the contracts, but not Phillips or Engstrom, so both destroyed their emails. Neatly, as a Microsoft attorney the lawyer's emails were protected by attorney-client privilege, so Microsoft doesn't have to release them. Similarly Engstrom emails relevant to Intel's decision to drop development of its JMF Java Media Player have been destroyed.

The Burst brief only asks for Microsoft's retention policies to be produced in camera, so even if Redmond does cough up there's no certainty we'll ever know if they explain the apparent weirdness of Microsoft document and archiving policies. But if Microsoft does have a policy to diligently retain relevant documents, well, it clearly needs to write a new policy that works instead. We at The Register have a humble suggestion. Seeing Rick Rashid of MS Labs is in the habit of touring the world telling people that storage is now pretty well cheap enough for you to just record your whole life in a lifeblog, couldn't everybody at Microsoft just... ®

Related links

Allchin named, as proof of MS email destruction policy is sought
Cringely PBS column
Links to court documents
