58 thoughts on “Microsoft Kills Security Emails, Blames Canada

  1. Marc Erickson

    As a Canadian computer professional, I’m unhappy about the move by MS to discontinue email updates for security issues and move to RSS. I find RSS to be not as simple as promised – and emails land in my Inbox automatically. With RSS I have to go to a webpage or agreggator to get security update news.

      1. Jason

        Except by design with security in mind, my org’s email (or Desktop PC) doesn’t have direct Internet access. We run brower-based Internet access in a VDI hosted on servers in DMZ to contain threats. We really don’t want to run another set of VDI instances just to get RSS feeds into Outlook.

    1. ana silva lopes

      you are a computer professional and are upset by the use of RSS? you probably work for microsoft. every professional uses RSS / ATOM feeds everyday.

  2. Jasmine G.

    This sounds like a bad idea all around.

  3. raz

    Yes because the people spamming links to illegal pharmacy always obey the law

  4. IA Eng

    See !

    Threats of attacking a company’s bottom line – profit works. Now if the US “covertment” can grow a set and get their act together in regards to breaches and non-compliance, setting the same fine levels – You betcha they either comply or go broke.

    If Microsoft balks and knee-jerks at something like this, many other agencies would definately readjust their outlook on security.

    I am so freaking tired of hearing ‘Oh, dang, we got hacked and fell victim as well” – as if its trendy for people to get hacked for free publicity. Want publicity? Go to Hollywood – or Dollywood and marry a hottie and then divorce each other for no good reason other than “breaking news”.

    Blah.

  5. Bob Brown

    I’m pretty sure it is easier and cheaper for MS to allow interested partied to “pull” information using RSS than it is to manage an email list with a gazillion subscribers. This may be something they’ve wanted to do for a while.

    1. Rick

      Bingo. This provides a handy excuse to do what they must have wanted to do anyway, because no other explanation is logical.

  6. TheOreganoRouter.onion.it

    This real s*cks , I am dependent of getting those emails every month!

  7. Joe Dirt

    Surface
    Windows RT
    VDA licensing
    metro UI
    The missing start menu
    and not this….
    Did they make weed legal in Redmond or something?

    1. Me

      Microsoft has been in a tailspin ever since Bill Gates left. The CEO may have changed but obviously the company continues to be made up of dumbasses still. This is more about optics than anything else. If it is about a cost issue then there is a right way to go about doing it. Whoever is responsible for this decision should be fired, and a clear message should be sent to all employees that the old way of functioning is over. Only then will Microsoft have any hope of recovering. Until then the like of Apple and Google will eat their lunch.

    2. Gene M

      > Did they make weed legal in Redmond or something?

      Yes, but don’t go looking outside Microsoft for help. It’s legal statewide.

    3. Elaine

      Weed is legal in Washington State. Except there is no legal place to purchase it yet. Of course it’s been easier to buy weed here than alcohol.

  8. timeless

    Personally, I like the law. Many companies don’t send a confirmation email with a randomly generated token to ensure that the person who controls for email address was the person who entered the email address into a form.

    In three years, I’ll be able to sue these incompatible companies for $ 200 / message (up to 5,000 messages) per day.

    Companies I’d like money from include:
    Facebook
    Groupon
    LinkedIn
    Square
    Match
    Monroe and Main
    PurePlay (I have no is who they are and don’t want to know, but I will happily seek reimbursement from them using the Private Action portion of the legislation)
    Microsoft (Skype) – but based on this I expect them to stop spamming me!
    Ronald Reagan Presidential Library (OK, this isn’t a company, but I’ve tried to reason with them and that failed)

    Users should not be encouraged to click random links in unsolicited email messages. That’s an invitation to being attacked by a browser exploit leading to malware / a botnet.

        1. timeless

          Yes, I said “in three years” in the parent comment.

    1. JK

      And that is exactly why companies like Microsoft will bow out of serving Canadian customers. None of the major companies you listed are spamming you – you almost certainly provided consent at some point. As a company whose business has a heavy newsletter component, we get numerous complaints from individuals saying they never signed up for our list (though we have a 100% explicit opt-in list and NEVER spam).

      With the new Canadian law, we will now be faced with the prospect of individuals (like you) having the right to sue us for damages because you forgot you signed up for an email and either paying the extensive legal costs to defend those frivolous suits or being forced to settle each one (which we would likely do because the cost is so much lower).

      And while Canada becomes the capital of frivolous email lawsuits against legitimate companies, the real spammers will continue on in all their anonymous glory.

      1. Debbie

        I completely disagree that people ‘forget’ that they have signed up for the email. I have been receiving email that other people signed me up for, for years. I get someone’s Sprint bill, I get someone else’s On Star monthly information, I used to get scripts, I would also receive Frat Mom info emails.

        It is very obvious to me that these companies do not require affirmative action to add emails to a list or I would not be getting these. These emails call me by many names, Michelle, Danielle, David, amongst others. I think the people they are meant for just forget to put the extra numbers or letters that they must have in their email but I would not get their personal info emailed to me if they had to confirm their email.

        1. JK

          We track every email signup with a confirmation IP address. When we investigate complaints, that IP address almost always corresponds with the complainer’s location. People just forget.

          Most of the other issues you’re describing aren’t spam, they’re simply transcription mistakes for when people sign up for Sprint service in-store or buy a new car and activate OnStar. It’s unclear how the Canadian law would affect these situations since there is will be clear opt-in documentation, someone just screwed up the typing, Also, all of these emails from legitimate companies have an unsubscribe link at the bottom, as already required under CAN-SPAM. These are hardly the types of spam situations the Canadian law is intended to address,

          1. Debbie

            That’s where you’d be wrong. These emails from actual companies sending me actual customer information do not have unsubscribe links. They do have a link to access my “account” but require a password to do so. Obviously I don’t know the password.

            Could have been easily solved by requiring confirmation in the first place.

            1. Bob Brown

              Go to the “account” page. Click “Lost Password.” They’ll mail you a password reset link. Log in to the account, opt out of email (or change the email address to bogus@bogus.com) and change the password to a 28-character random string. Problem solved.

              1. tim Doty

                So you are recommending that she hack into people’s accounts? Not a smart move…

                1. Chriz

                  Not really. What do you recommend? Spending hours on the phone with their tech support, waiting to fix someone else’s mistake? Changing the password to access the account and change the email will force the rightful owner to contact the tech support themselves and fix things.

              2. Gerhard

                And if that link doesn’t exist? I have seen some companies only allow you to change email address and passwords if you have the account number and that is sometimes not contained in the emails they send you.

          2. Gerhard

            It is spam if there is no way to get off of them. Quite often from larger companies you cannot change the address or stop emails unless you are the confirmed owner of the account.

            I have had this problem in the past: no remove link, no postmaster inbox, no success calling them on the phone. In some cases they don’t even check that the email even delivers.

            1. TJ

              That’s exactly why I always use a disposable email address when I sign up for any online service. Heck, I’m even using a disposable email address to post this comment. I’ve had to discontinue numerous disposable email addresses over the years that I’ve provided to legitimate organization because their systems were breached, and I started receiving spam and phishing scams.

        2. timeless

          Thanks Debbie for explaining how we get this unsolicited junk.

          As for how I’d expect a company to protect itself, it’s pretty simple:
          1. Log the origin of an email address addition request
          2. Send (and log) a single email to that address requiring affirmative action – this needs to include a randomly generated token for verification.
          3. Do not send any further email messages to that address unless and until:
          4. User takes affirmative action based on the email from 2 – providing their email address and the token
          5. Log 4.

          Competent companies (and modern list serves) already use this process for managing sign ups. Adding logging shouldn’t be a big deal. Incompetent companies don’t require affirmative action and deserve to be fined until they reform.


          Yes, I do sign up for email with companies, but I don’t use the email address at which I’m receiving the spam, and I don’t give random names.

          I’m also on a Sprint / MVNO and had at least one person purchase agreement least one iPhone with my email address listed for the account – that got me an IMEI.

          I have I’m still being reminded of laser hair removal in Florida…

      2. Neil Schwartzman

        You are going to pay instead of having a simple proof of sign-up and confirmation? Really? please do tell me your company name.

        1. JK

          Look at the message from Timeless my comment was in response to. My company name could be Facebook, Groupon, or Microsoft. Look at Debbie’s complaint on receiving an email from Sprint because of a mistyped email address as an example of spam. There are legions of people who are all set to sue and ask questions later, and this suit gives them the ability to do that.

          No matter how frivolous, any suit or threatened suit requires a legal response (at $300+ per hour), along with the time of researching and documenting each individual case. If the company actually has to go to court to defend itself, that will easily run into the thousands of dollars. Most companies would quickly settle in these circumstances rather than fighting. Which, unfortunately, encourages more people to file frivolous suits.

          1. SeymourB

            Except that few companies run opt-in mailing lists, and instead run opt-out mailing lists, and many don’t honor opt-out requests. This legislation appears to force companies to switch to opt-in mailing lists, which insures the individual sending the email is actually the person sending the email.

            BTW, in your other response, I noticed you referenced an IP address. Have you ever stopped and considered that thousands of systems can be NAT’d behind a single public IP address? What if, for example, a student thinks its funny to sign up his teachers for mailing lists, and his request goes out – via the school’s network – on the same IP address that the teacher’s request to remove themselves goes out on? These situations happen far often than you think, and rise precipitously when alcohol gets involved. At my last workplace the executive in charge of maintaining the email lists thought that because he stopped getting bounce notices (after nearly everyone stopped sending/receiving bounce notices) that meant all the email addresses – harvested by having drunken idiots type in email addresses in bars – were legally valid to spam with dozens of emails in a week. No attempt at an opt-in system was ever implemented because it wasn’t legally required and the customers (the drunks entering the incorrect addresses) didn’t care.

            1. SeymourB

              Dammit. Opt-in insures the individual receiving the email is the individual who requested the email.

            2. JK

              All US companies are required to honor opt-out under CAN-SPAM already. And I strongly support only allowing opt-in emails and requiring opt-out compliance.

              All this talk of drunk students (we’ve never had an instance of mass sign-ups creating spam complaints) and mistyped email addresses is a red herring. The vast majority of spam (I’ll hazard a guess that means about 99.999% on a volume basis, and that’s probably an underestimate) comes from anonymous senders masked via overseas servers. Since individuals have no means of pursuing these spammers, the individual right to sue clause in Canada will have essentially no effect on the volume of spam. Any “real” companies violating the law, can be pursued by Canadian law enforcement for penalties (as it works here in the States). Balance that against the cost to companies of defending frivolous lawsuits, and the individual pursuit aspect of the law seems highly ill-advised.

              1. David

                And you are 100% correct. The main people hurt by this are companies that must now use the telephone or use regular mail to contact prospects.

                Coincidently this may help the failing Canada Post and their union.

                This law is an embarrassment and as JK said it will have pretty well zero effect on SPAM.

  9. Chris Lewis

    This sounds to me to either be a convenient way of dumping an expensive delivery channel (30m emails are more expensive than a RSS feed) and blaming it on someone else, OR, someone’s lawyers can’t read. Or both.

    If the recipients of these emails had signed up for them, then, there is already explicit consent, and they could have continued sending with no issue whatsoever.

    If Microsoft had only been sending them with implicit rather than explicit (in other words, the users _didn’t_ expressly sign up for them contrary to Microsoft’s claim), the new law allows them 3 whole years to gain explicit consent.

  10. Canuck

    Sounds like they are lazy. As a Canadian I have seen most company’s response to this – send a new email asking for their email list clients to opt-in/confirm once again that they want to emailed.

    I’ve been getting a few of those a day for a month now and we did it for our own company as well.

    1. TheOreganoRouter.onion.it

      New video ” Blame Microsoft eh !”

  11. OldGnome

    Read the quote in Brian’s article. The Canadian law does not apply to security-related email. Consequently it should not be used as an excuse to terminate security bulletin distribution via email. Microsoft can always use their security bulletin distribution lists to disseminate an opt-in notice even though it is not required by law. There is no “hard decision” to make regarding the Canadian law. Microsoft Security Bulletins fall clearly within the stated exceptions. Microsoft can continue sending their security bulletins via email. Just do it!!!

  12. Sheeple

    This is the only place I’ve seen reference to any email service continuing. Is there more specific information on continuing to receive email alerts on Microsoft accounts?

    “In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft.”

  13. Nick

    Microsoft is being entirely reasonable. The law explicitly says “solely”, and one could certainly argue that most Microsoft updates contain some level of promotion, in addition to the actual information. Microsoft has little interest in proactively sending notifications which don’t contain promotional verbiage, and even less interest in fighting inevitable lawsuits alleging that the emails do not contain “solely” security update information. The reasonable and safe course is to just discontinue the emails.

    If that’s considered a bad thing, blame the people who made the law. Don’t blame Microsoft for reacting in a prudent business manner to questionable legislation.

    1. Stuffy

      You forgot to add your Microsoft employee ID….

      1. TomS.

        No he didn’t post as a MS shill.

        There is a non-zero, if unfortunate, risk that a message reiterating the demise of support for Windows XP, and offering recommended purchase paths to replacement products, may be interpreted as “not wholly security content”.

        Do you, as a matter of business policy, want to put that decision into the hands of many court jurisdictions, possibly conflicting verdicts, and then pursue resolution through ever higher courts?

        MS success has never been primarily technical, somebody else has almost always done it first, or better someplace else. From the first sale of Basic, it has been, an often “good enough” product, with a better marketing strategy than the other guy.

        Not being able to put a marketing message in a security announcement, which is one of their most persuasive levers, MS pathologically can’t do that. It isn’t in their corporate DNA.

  14. Stratocaster

    Notification of the updates is still available (according to the Web site) by signing up for the Microsoft Security Newsletter (I have been receiving it for years), though that generally doesn’t come out until several days after Black Tuesday.

  15. Susan

    To Nick: There is no promotion of business in the security emails. It’s plain email with a pgp signature. I’m blaming overactive Attorneys at Microsoft who interpreted this law incorrectly.

    Meanwhile I’m receiving Apple security emails with no such re-opt in and no such discontinuance of alerts.

  16. Tim A

    “I’m sure it wasn’t an wasn’t an easy decision, but I wouldn’t call it an overreaction.”

    Déjà vu… A glitch in the matrix, no doubt.

  17. SecGuy01

    This coming from the company that cloaks sender IP’s making fraudulent emails and harassment email impossible to track with out going through a zillion legal loopholes. Big surprise…

  18. JM

    Another example of Bureaucracy gone array. at the end of the day this not going to deter spammers..

    1. SeymourB

      Really? Having legal judgements entered against you that can be lead to court-enforced seizure of assets isn’t going to deter anyone?

      So because people commit murder we should remove all laws on the book relating to murder?

      This argument seems to always center around a minority of lawless individuals who won’t be deterred no matter what legislation is enacted. Because we can’t have 100% enforcement therefore all laws should be abolished. This patently ridiculous argument, sadly, passes as political discourse in parts of the US.

      1. JK

        It’s actually the MAJORITY of lawless individuals who won’t be deterred. Unless your spam situation is very different in Canada than it is here in the US, the vast, vast majority of spam comes from overseas spam servers and criminal networks that this law will do little to prevent.

  19. Tobie Fysh

    Just had the following after emailing our TAM:

    “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”

  20. me

    Funny though that I got the “please click to continue to receive mail from us” from the MS certificate portal emails yet this one they opted not to (at first) follow the same route. I suppose a company this large has differing divisions and control and uniformity isn’t so easy to control (if desired). Just found that ironic when this hit the press at first (didn’t get a chance to post till now).

    What an opportunity for phishers though, I’ve gotten about 40 – 50 requests to renew and half of them I don’t even recognize until I search through my email and junk folders, ha. Wow…They won’t be missed, thanks Canadian Gov’t for this!

  21. Me Again

    I love how all these companies are including promos in their emails to stay with them. One I just got said “Saying good bye shouldn’t be this easy!” in the subject. I thought to myself, “Oh, yes, yes it should!!! Good riddance!”. I couldn’t be bothered to go through the trouble of supposedly unsubscribing from mailing lists and making things worse (I just don’t have the time most times to work through the labyrinth they setup) but spam filters and email filtering on keywords/terms works as good…Ah well. Just made me giggle, that headline, heh. Some of the companies I do want mail from included promos too, so that was cool! 🙂

    Say, where is the BK email alert to stay connected…? Hmm… ;oP

  22. Davey

    “Blame Canada” – did I venture into a Southpark Movie review by mistake?

  23. gta v beta

    Hi there! I could have sworn I’ve visited this blog before
    but after going through a few of the posts I realized it’s new to me.

    Nonetheless, I’m certainly happy I stumbled
    upon it and I’ll be bookmarking it and checking back frequently!

    Look at my web site gta v beta

Comments are closed.