Former Microsoft employee Alex Kibkalo, who two weeks ago was charged with stealing — then leaking — company secrets, pleaded guilty on Monday in a Seattle federal court.
In a plea deal reached between U.S. prosecutors and Kibkalo's public defender, Kibkalo will plead guilty to theft of trade secrets. In return, prosecutors will recommend a three-month prison sentence. Kibkalo will also be required to pay Microsoft $22,500 in restitution, according to the agreement.
Kibkalo, a Russian national who was working in Microsoft's Lebanon office when he was terminated in September 2012, allegedly stole pre-release copies of Windows RT and the Activation Server SDK (software development kit), internal-only code used to create the activation systems which validate product keys, Microsoft's primary anti-piracy technology.
He shared that information with an unidentified French blogger, and encouraged the blogger to contact a hacker who could use the Activation Server SDK to write a fake product key activation server, federal authorities claimed.
Microsoft first got wind of Kibkalo's alleged theft in September 2012 when a source claimed that the blogger had shared the Activation Server SDK code, asking the source to help verify its legitimacy and to help the blogger better understand the SDK. The source, also unnamed in the original complaint, then contacted Steven Sinofsky, who was at the time the head of Windows development but was later ousted from the company.
Microsoft kicked off an internal investigation of the blogger, beginning with the blogger's Hotmail email account. Hotmail was renamed Outlook.com in mid-2013. Email from Kibkalo's own Hotmail account was discovered in the blogger's inbox. Further digging also found instant messages between Kibkalo and the blogger.
Microsoft's prowling through Kibkalo's and the blogger's email accounts prompted a firestorm of protest, with critics accusing the Redmond, Wash. company of spying on users. Prominent privacy advocates, including the Electronic Frontier Foundation (EFF), lambasted Microsoft, calling its actions in the Kibkalo case "indefensible and tone-deaf."
Microsoft defended its right to go through the email messages: the accounts were from its own service, it said, and the terms of service allowed it to search inbox contents in certain circumstances. Even so, it first amended those policies, then last week went further, saying it would no longer peek into email accounts but would instead present future investigative findings to law enforcement, which could request a court order to access the information on Microsoft's servers.
By striking a plea agreement, Kibkalo was able to avoid the possibility of a much longer prison sentence if he had been convicted by a jury. In court documents, prosecutors said that the statutory maximum sentence for the crime was a 10-year stretch in federal prison, a fine of up to $250,000 and three years of probation.