A few days ago, an internal Microsoft document was leaked online and published by Cryptome, a site that routinely publishes government and corporate documents leaked by whistleblowers. In the past, Cryptome has published similar documents from companies such as PayPal, MySpace, Comcast, Facebook and others.

The Microsoft document, which was posted on Cryptome February 20th, serves as a guide for law enforcement agencies who wish to request customer information from the company during an investigation, detailing which information is collected from customers, how long that information is retained, and which legal requirements must be met in order for Microsoft to release it. Long story short, they keep exactly the sort of data you would expect an online service provider to keep, and they require a subpoena, court order, or a search warrant to release any of it to government agencies.

Overall, the document is fairly uninteresting. The details about customer data are the sort of information that could be included in Microsoft’s own privacy policies for its online services, and as John Young from Cryptome notes in one of the letters posted on the site, other companies do publish their compliance procedures in detail. While it is certainly notable that Microsoft saw fit to keep this specific information private, and did not disclose it in the same level of detail to its customers, what turned this situation into a firestorm of outrage and angry blog posts was how Microsoft responded to the leak.

Step back for a moment, and consider what it is we’re dealing with here: a simple PDF document. There is a very clear copyright notice on the second page reserving all rights to Microsoft, and denying anyone else the right to copy or transmit the document without Microsoft’s written permission. It’s a copyrighted work, and Microsoft controls that copyright, no question. Now, what sort of tools does Microsoft, or any copyright holder, have at their disposal to respond to an infringement of that copyright? Why, the beloved DMCA takedown system, of course, and that is exactly the tool they chose to use in this case: a DMCA takedown notice.

According to CNET, initial attempts to get the document removed from Cryptome were refused by the site’s owner, prompting an investigator working on behalf of Microsoft’s antipiracy division to send a DMCA takedown notice on February 23rd to Network Solutions, the DNS registrar for Cryptome, who then disabled the site.

One day later, after the entire Cryptome site had been taken offline, Evan Cox of Covington & Burling LLP, outside counsel for Microsoft Corporation, sent an email to Network Solutions retracting the takedown notice, additionally stating that they had not intended to have the entire site taken offline, just the single Microsoft file. The retraction letter does state that Microsoft still believes this situation represents an infringement of their copyright, and they could still file a lawsuit, but they have little to gain by doing so at this point.

And now just 2 days after this whole fiasco began, the Cryptome site is back online including the Microsoft document and all the others. Of course, unlike when the document was first posted 5 days ago, potentially millions of people have probably seen it now, simply because of the DMCA notice Microsoft tried to use to limit its availability.

Documents like this don’t typically receive widespread attention, especially when they don’t contain anything particularly interesting. However, DMCA notices sent by large corporations to small websites do receive widespread attention because they are frequently misused, both in cases where the infringement would be excused by a court as fair use, and by those who don’t even have rights to the material in dispute. It stands to reason that in this climate of close scrutiny of the DMCA, takedown notices are probably not the best course of action when something is intended to be kept secret. Indeed, if the goal is to keep something from spreading across the internet like wildfire, any legal action at all will probably have the opposite effect. However, the DMCA takedown system is fast, which is likely why it was used in this situation even though there are other more appropriate ways to prevent the release of confidential information.

The lesson for the rest of us, though, is to reserve judgment until all the facts are known. The Microsoft document isn’t all that different from that of other companies serving the consumer market. For instance, Facebook won’t reveal any customer information without a court order. Comcast has a very similar policy.

One notable exception is the eBay/PayPal law enforcement guide, also hosted on Cryptome, which says that law enforcement requests for any information associated with a PayPal user require a court order or subpoena, but limited eBay user information such as home address, bidding history and any email addresses associated with the account can be requested with only department letterhead from the agency: no subpoena, no court order, no warrant. This, it would seem, is far more objectionable than anything in the Microsoft document, but many users will never see eBay’s law enforcement guide because the big fuss was about Microsoft’s DMCA notice.

What was true before this started, and remains good advice, is that users would be wise to familiarize themselves with how specific companies deal with personal information, what sort of information they collect and retain, and for how long they retain it.