In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.
Update, 5:39 p.m. ET: In an apparent reversal, Microsoft now says it will be re-instating the security notifications via email. Please read the update at the end of this post.
Last week, Microsoft sent the following notice to IT professionals and others who have signed up to receive email notices of security updates:
“As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:”
* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins
“In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.”
“For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948.”
Asked about the reason for the change, a Microsoft spokesperson said email communication was suspended to comply with a new Canadian anti-spam law that takes effect on July 1, 2014.
Some anti-spam experts who worked very closely on Canada’s Anti-Spam Law (CASL) say they are baffled by Microsoft’s response to a law which has been almost a decade in the making.
Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL contains carve-outs for warranty and product safety and security alerts that would more than adequately exempt the Microsoft missives from the regulation.
Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide “warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.”
“I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision,” Schwartzman said, noting that Microsoft was closely involved in the discussions in the Canadian parliament over the bill’s trajectory and content. “This is the first company I know of that’s been that dumb.”
Schwartzman said many companies have used CASL as an excuse to freshen up their email lists and to re-engage their customers. Some have even gone so far as to enter respondents who verify that they still want to receive email communications from a company into drawings for cash prizes and other giveaways.
“Over the past couple of weeks, I’ve seen nothing but a steady stream of reconfirmation mails from various companies,” he said. “I’m now in the running for several $500 dollar gift certificates because I confirmed my email. And at the bottom of each of these messages is a note that says ‘please ignore this offer if you’re not Canadian.’”
CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, chalked Microsoft’s decision up to little more than a tough call.
“I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info,” Williams said. “I’m sure it wasn’t an easy decision, but I wouldn’t call it an overreaction.”
In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft. And of course, readers can continue to rely on KrebsOnSecurity to feature information on any new security updates available from Microsoft, including each Patch Tuesday bundle as well as emergency, “out-of-band” updates released to address zero-day security threats.
Update, 5:40 p.m. ET: In an apparent reversal of its decision, Microsoft now says it will be re-starting its security notifications via email early next month. From a Microsoft spokesperson: “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”