Many who work in IT security are scratching their heads this morning, having received a message from Microsoft announcing that it will no longer be sending automated emails about security issues and updates for Windows and its other software.
What is perhaps even more baffling is that it turns out the reason why Microsoft isn’t going to be sending out the emails any longer is… err… anti-spam legislation.
Here is part of the email that subscribers to Microsoft’s security bulletin email notification service received:
As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:
* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins
Your first thought might be that the message is a scam, disguised as a notice from Microsoft in order to trick computer users into clicking on a dangerous link or opening a malicious attachment.
After all, why would Microsoft suspend a service that – presumably – was helpful about keeping people informed about new security updates and issues?
But no, the email is genuine.
Brian Krebs reports that the reason for the change is a new Canadian anti-spam law that kicks in on July 1st, 2014.
The new legislation means that those sending out email newsletters have to get the express consent of subscribers that they wish to opt-in, rather than just assuming they are interested because a checkbox was pre-ticked on a form.
Canada has been attempting to introduce the legislation for many years and – to my mind – most of it seems like a good thing. So I’m pleased to see that they’re finally introducing it.
However, many internet users are reporting a rash of emails arriving in their inbox, urging them to re-confirm their subscription to different mailing lists in the light of the law’s introduction.
Of course, because many mailing lists may not have captured the location on their subscribers, that means a lot of folks outside Canada are receiving the irritating emails too.
Unfortunately, if you have been bedevilled by spammy mailing lists in the past, you can’t expect the messages to disappear from July 1st. Canadian legislators have built in a three year “grace period” during which those running mailing lists can encourage their existing subscribers to opt-in.
So, Microsoft could probably have continued to carry on sending the emails for some while yet. And interestingly, it seems that Microsoft may not have had much to worry about anyway.
After all, there appears to be some exceptions in the Canadian law, including one that states that it does not apply when the email solely “provides warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.”
In the absence of emails, Microsoft is encouraging those concerned with IT security to sign-up for its RSS feeds instead.
Let’s just hope that your RSS feed reader doesn’t go down, eh?
Update: Good news! Microsoft has done a U-turn!
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “Microsoft stops sending out security advisories via email, because of anti-spam law”
Love your last sentence (as I often do).
Interesting that Microsoft is doing this in so many ways. On the one hand, Microsoft has used the law to its advantage to shutdown spam networks. Some criticised them but I think that was unjustified of the critics (and counter-intuitive.. I think spamhaus was one of the critics which I found odd, no matter how successful it would be in the end). But on the other hand, they often fail to deploy in security and spam included (and the irony of the situation… is really extreme). Even more interesting is the section you cite where they didn't need to worry about it.
But I get the feeling (and this is just a guess at best, probably is less than a guess let alone an educated guess – I don't know their reason, end of story) they are doing this because of the issues they've had in courts themselves. Sure, they're a monopoly. With the logic they used then so too are many other companies (but aren't according to government). There's alternatives – commercial and otherwise so it is biased at best, to suggest they are a monopoly (and frankly I don't defend MS often and in fact I criticise them a lot, so why can I see this but the government cannot? Corruption and wanting a scapegoat, among other reasons). I think in general the idea is: if a company is successful we should punish them (or try to find any reason to cause them grief and unfortunately the reasons are often the wrong reasons). I wish they would actually defend/protect against real abuse (e.g., while they do sue banks – as they bloody well should – they don't do it enough) rather than being the abusive party.
Another example: Google. I don't trust Google and never have nor will I. But to suggest they are using unfair tactics when it is their search engine is ridiculous (and I guess Microsoft is being unfair for imposing restrictions/having licenses/whatever else in their Windows/whatever releases as they see fit, too?). Here's a better idea: don't like their search criterion? Go use another search engine. There's plenty. Some are long gone (anyone remember Excite or Altavista?) but others exist still. Otherwise quit complaining like a spoilt brat.
Had the following after emailing our TAM today:
"On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014."
What the law doesn't explain clearly is that if as a company you already sent communication to a prospect after he agreed on the phone or via email to give you his email adress, and you can prove you already sent him communications before July 1st 2014 and you never receive a reply or an email like: Stop sending me email'' your company still have 3 years (till July 2017) to get his express conscent.
And Microsoft only needs to make sure that their customer's partners or resellers (the IT cie doing business) are the one that forward the notifications.
Email communication coming from a cie, a provider you are already doing business with, are not subject to the Bill C-28, so if you are a client of ABC company, they won't need to send you an opt-in notification.
If you are a prospect that already conscent to receive information or gave out your email adress to, during a call, they have no obligation to stop sending communications that are relevant to you, unless you ask them specifically to be removed from their mailing. References: Adnetis inc. and a corporate lawyer in Toronto.