Google Notifies ZeuS Botmasters That Microsoft Is Coming for Them

Google has started sending notifications to the individuals Microsoft identified as being behind the ZeuS botnet it disrupted. Some applaud this decision, while others say that the company’s “one-size-fits-all” privacy policy isn’t the best way to handle things.

Microsoft’s recent takedown of the ZeuS botnet has caused a lot of controversy, mostly because of the way the company addressed the issue.

In April, security journalist Brian Krebs reported that a large part of the security industry blamed Microsoft for using sensitive information for its own agenda without explicit permission from the source, possibly even interfering with the investigations of international law enforcement organizations.

The other problem was that the Redmond company made a deal with a federal judge that would allow it to seize domain names and servers in return for trying to reveal the identities of the suspected cybercriminals.

Now, Krebs reveals that at least 15 of the individuals had email accounts on Hotmail or MSN, which were not a problem to track down, but among the other ones, 39 John Does owned Google accounts.

When Microsoft asked Google to hand over the account information, Google’s privacy policy kicked in and, as a result, all the individuals received notices.

“Google has received a subpoena for information related to your Google account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v. John Does 1-39 et al., US District Court, Northern District of California, 1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623),” reads part of the notice sent by Google.

“To comply with the law, unless you provide us with a copy of a motion to quash the subpoena (or other formal objection filed in court) via email at by 5pm Pacific Time on May 22, 2012, Google may provide responsive documents on this date.”

While many may applaud Google’s decision to stick to its privacy policy, there are some who believe that the company should have taken the time to check if the customers in question deserved the heads-up.

Jon Praed, founding partner of Internet Law Group, has stated that Microsoft should have done a better job of respecting the community, but on the other hand he welcomes the effort the firm has put into this operation.

“Privacy needs lots of attention as an issue, and it is clearly true that the average, law-abiding citizen is generally woefully protected wrt privacy,” Praed wrote in a comment to Krebs’ article.

“However, it is also true that the average bad guy is vastly over-protected by simplistic applications of privacy policies that were written, not to protect the bad guy, but to protect the rest of us. Privacy policies need exceptions, and the general public needs to understand enforcing those exceptions are sometimes as important as enforcing the general rule.”
