Microsoft Compromises Users’ Privacy: No HTTPS in Arab Countries, Iran

With the ongoing protestes and violent crackdown from governments in the Middle East, compromising online security could have dire repercussions on the wellbeing of internet users in the region. Email security is a priority and HTTPS should be enabled by default. Gmail does that, while Microsoft allows users to choose to activate the option, and Yahoo! Mail does not offer it.

Accessnow created and circulated a much needed step-by-step guide to protect privacy online. This morning a Syrian student in Jordan approached me on twitter and said that he couldn't follow the guide to enable HTTPS for his Hotmail account. I asked him send me a screen shot and proceeded to alert Jillian York of the Berkman Center to the issue.

York, who's also an Advocacy contributor, proceeded to investigate the issue further. Her first suspicion was export controls due to sanctions imposed on Syria, but the user stated he was in Jordan and that his profile info was set to Jordan as well. That ruled out the possiblity of the problem being caused by over-complying with the export controls, so she took a closer look at the issue:

I quickly created a Hotmail account to see if I could replicate the situation; sure enough, when I set my location to the United States, I could turn on HTTPS as a setting, but when I switched to Jordan, I could not. I tested several other Arab countries–Syria, Bahrain, Lebanon, Morocco, Algeria–also no HTTPS. I then tested Guatemala, Israel, and Turkey: all fine. France, German: fine. Iran…no HTTPS.

The screenshot below shows the error message users from Arab countries and Iran get when attempting to activate secure connections (HTTPS) for their free webmail account provided by Microsoft.

Luckily, a temporary workaround exists for concerned users. All they need to do is change the country in their profile to the US and they would be able to set HTTPS to be used automatically. York also suggests that affected users can also switch to gmail which has the setting enabled by default globally, and she states that Microsoft has been contacted and informed about the problem. Hopefully Microsoft will handle this security risk in a timely manner.

3 comments

  • Fabrice

    Actualy, Microsoft also helped compromise security certificate in many countries… The situation is in fact much worse than that, and its been going on for years
    http://news.ycombinator.com/item?id=2138565

  • Thibaut

    Microsoft clients there are the gouvernements.

    The client is always the king.

    But, here, in europe, the fact microsoft is doing this is something that give me a very bad feeling about the company.

    And I’m not the only one.

    Microsoft as to make his choices. Being a smart company and not having such markets or being evil and have a bad reputation here.

    They obviously choosed the bad reputation.

    I hope this have an impact on them business so that one day they will change them way to go.

    Some yeayrs ago it was : “I hope that one day, I will live in country where my 4 little chilren will not be juged by the color of them skin.” —> We can always hope some ameliorations.

  • […] on this topic. [Translate] TweetEcrit par Anas Qtiesh · Traduit par Claire Ulrich · Voir le billet d'origine [en]Compromettre la sécurité en ligne des internautes du monde arabe durant cette période de […]

Join the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.