Microsoft stops Patch Tuesday emails, blames Canada, then does U-turn

Well, it's been a busy few days for Microsoft.

First it decided we would all have to kiss its Patch Tuesday emails goodbye.

The Redmondians sent out a decree on Friday saying that regular email notifications of security advisories are coming to a stop on 1 July.

Microsoft, confusing itself with South Park, was blaming Canada.

The decree mentions "changing governmental policies concerning the issuance of automated electronic messaging" - a head-scratcher that Microsoft spokespeople subsequently clarified by pointing to a new Canadian anti-spam law that takes effect on 1 July.

Here's the announcement:

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:

* Security bulletin advance notifications

* Security bulletin summaries

* New security advisories and bulletins

* Major and minor revisions to security advisories and bulletins

The new law goes beyond attempting to quash annoying spam email - it requires explicit or implicit consent for a commercial business to communicate through email, text message and social media messages.

In other words, Canada's moving from email opt-OUT to email opt-IN.

Potential penalties if, say, your business sends notice of a special sale to somebody who only signed up for an e-newsletter, and that miffed party then complains:

  • Your business may be fined up to $10,000,000
  • Your CEO, and each officer, may be fined up to $1,000,000
  • Your Marketing Agency may be fined up to $10,000,000
  • You, as an individual, may be fined $10,000

Ye-OW! No wonder Microsoft tucked its e-tail between its e-legs, huh?

There's just one thing, though: Canada didn't understand how in the world Microsoft could be misreading the law as it has done.

Anti-spam experts who worked on Canada's Anti-Spam Legislation (CASL) - a law that they've worked on for nearly 10 years - told security journalist Brian Krebs that Microsoft’s response was baffling.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL more than accommodates email concerning warranty and product safety and security alerts. In other words, Microsoft's security advisories would be exempt.

Krebs quotes Schwartzman:

I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision ... This is the first company I know of that’s been that dumb.

CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, told Krebs that Microsoft’s decision could likely be attributed to a tough choice rather than a lack of legal understanding or grey matter:

I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info. I’m sure it wasn’t an easy decision, but I wouldn’t call it an overreaction.

But, fear not, Microsoft has now performed a restart on its security notifications. A spokesperson told Brian Krebs late yesterday that Microsoft will be re-starting its emails early in July.

On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.

Phew.

As always, Naked Security will stay on top of Patch Tuesday notifications for you.

Another great reason to keep getting the Naked Security newsletter, liking the Naked Security Facebook page, or popping on by the site.

See you on Patch Tuesday!

Image of email ban courtesy of Shutterstock.

6 Responses to Microsoft stops Patch Tuesday emails, blames Canada, then does U-turn

  1. Tinfoil Hat · 110 days ago

    What I get out of this article is that Neil Schwartzman, as intelligent as he may be, is arrogant while Jeff Williams has enough experience and intelligence to understand that a corporation the size of Microsoft will need to make very sure they will not get sued using some loophole by everyone on the Canadian mailing list.

    Personally, I think there was something else going on in the back rooms since Microsoft could have easily not said anything and not sent out any email until they examined every word of the law.

    • Anonymous · 110 days ago

      It's not like the legislation was passed and set into law this past week. There was plenty of time for corporations to get their ducks in order for the July 1st date.

      So the question is what exactly was Microsoft's legal department doing all this time? Sitting on their hands and waiting for a few days before the anti-spam law came into effect before they looked at the details of the law?

      There are plenty of other large corporations out in the world, yet why haven't people received similar emails from them if the law was so confusing?

      In other words, Schwartzman had the right of it, Microsoft snoozed on getting its act together in regards to the law and panic emailed at the last minute.

  2. Rob · 110 days ago

    Agreed.

  3. Bemused · 110 days ago

    "Another great reason to keep getting the Naked Security newsletter, LIKING the Naked Security Facebook page, or popping on by the site."

    You're kidding right?

  4. I thought you had to opt in to receiving those emails in the first place? I know I did.
    Is that not enough?

  5. cbwierda · 110 days ago

    The part I find most mystifying is the rash action in light of the 3 year compliance timeline.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.