Microsoft stops Patch Tuesday emails, blames Canada, then does U-turn

Email ban. Image courtesy of Shutterstock

Email ban. Image courtesy of ShutterstockWell, it’s been a busy few days for Microsoft.

First it decided we would all have to kiss its Patch Tuesday emails goodbye.

The Redmondians sent out a decree on Friday saying that regular email notifications of security advisories are coming to a stop on 1 July.

Microsoft, confusing itself with South Park, was blaming Canada.

The decree mentions “changing governmental policies concerning the issuance of automated electronic messaging” – a head-scratcher that Microsoft spokespeople subsequently clarified by pointing to a new Canadian anti-spam law that takes effect on 1 July.

Here’s the announcement:

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:

* Security bulletin advance notifications

* Security bulletin summaries

* New security advisories and bulletins

* Major and minor revisions to security advisories and bulletins

The new law goes beyond attempting to quash annoying spam email – it requires explicit or implicit consent for a commercial business to communicate through email, text message and social media messages.

In other words, Canada’s moving from email opt-OUT to email opt-IN.

Potential penalties if, say, your business sends notice of a special sale to somebody who only signed up for a e-newsletter, and that miffed party then complains:

  • Your business may be fined up to $10,000,000
  • Your CEO, and each officer, may be fined up to $1,000,000
  • Your Marketing Agency may be fined up to $10,000,000
  • You, as an individual, may be fined $10,000

Ye-OW! No wonder Microsoft tucked its e-tail between its e-legs, huh?

There’s just one thing, though: Canada didn’t understand how in the world Microsoft could be misreading the law as it has done.

Anti-spam experts who worked on Canada’s Anti-Spam Legislation (CASL) – a law that they’ve worked on for nearly 10 years – told security journalist Brian Krebs that Microsoft’s response was baffling.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL more than accommodates email concerning warranty and product safety and security alerts. In other words, Microsoft’s security advisories would be exempt.

He quotes Schwartzman:

I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision ... This is the first company I know of that’s been that dumb.

CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, told Krebs that Microsoft’s decision likely could be attributed to having come out of a tough choice rather than a lack of legal understanding or grey matter:

I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info. I’m sure it wasn’t an easy decision, but I wouldn’t call it an overreaction.

But, fear not, Microsoft has now performed a restart on its security notifications. A spokesperson told Brian Krebs late yesterday that Microsoft will be re-starting its emails early in July.

On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.


As always, Naked Security will stay on top of Patch Tuesday notifications for you.

Another great reason to keep getting the Naked Security newsletter, liking the Naked Security Facebook page, or popping on by the site.

See you on Patch Tuesday!

Image of email ban courtesy of Shutterstock.