tl;dr: Don't trust Big Tech with your data. Choose services that encrypt your data and respect your privacy, like Tutanota. 😉
As reported by the German tech site Heise, Malik was suddenly unable to login to his Microsoft account, not knowing why that might have happened.
What was worse: As recommended by Microsoft he had encrypted all his data with Bitlocker and stored the encryption key not locally, but with Microsoft. According to Microsoft, this was the best option to increase his security. But now this decision left him with zero access to his data: As he did not get into his Microsoft account, he also did not have access to the key required for decrypting his data.
Other logins were gone as well because Malik was no longer able to access his second factor OTP keys, he generated with Microsoft Authenticator.
The issue was caused by an automated scan. One that was looking for criminal content and flagged Malik's Microsoft account for abuse. Such incidents are not uncommon.
A similar case happened to a Gmail user whose entire Google account was blocked for sending naked pictures of his son to his doctor for remote diagnosis during the Covid 19 lockdowns: email, calendar, photos, logins - everything gone in one swoop.
Big Tech companies such as Microsoft and Google have become known for blocking user accounts without warning. They use automated scans to flag criminal content, such as naked pictures of children that could be interpreted as child sexual abuse material.
To prevent or detect child sexual abuse, many platforms scan their users' content, such as Microsoft, Google and Meta. They use algorithms and machine learning to find already known images and also detect new ones. The Big Tech companies send their findings to the National Center for Missing and Exploited Children (NCMEC), where they are checked against a database. The NCMEC forwards the suspected cases to law enforcement agencies, also internationally.
However, the automated scans are not always correct and, thus, also block logins to Microsoft and Google by accident.
The main issue for affected people is that they center their entire digital identity with an online service - if the account is lost, so is the identity.
This, at least, was the case with Malik as Heise reports:
"The data on OneDrive is still there, but Malik, who we won't call by his real name here at his request, can no longer access it. So photos from 13 years, all the work and research for his ongoing computer science studies, documents for his work as a student assistant in the IT industry and sensitive documents stored in OneDrive's "safe vault" are lost, at least for now. Microsoft won't let Malik into the Xbox library either, and he can forget about his games for over 1000 euros. Not to mention the 400-euro family license for Office 365, which is now useless."
"Shortly before the block, Malik sorted his photo collection in OneDrive via the Microsoft account, otherwise nothing special happened. But Microsoft justifies the block as follows: "We have detected activities that violate our Microsoft service agreement." Malik has no way of knowing that behind this meaningless sentence lies a suspicion of the distribution of child pornography. He is at a loss."
Similar incidents have become known not just form Microsoft, but also from Google, Amazon or Apple. What is frustrating for people when their account gets blocked is the complex process of regaining access.
These Big Tech companies make it very difficult for customers to contact them. And even if you do get through, it can be a real hassle - if not impossible - convince them that you did not do anything illegal and that they should unlock your account again.
In the New York Times report on a blocked Google account, law professor Ms Hessick speculates:
"From Google’s perspective, it’s easier to just deny these people the use of their services. Otherwise, the company would have to resolve more difficult questions about "what’s appropriate behavior with kids and then what’s appropriate to photograph or not."
In this case, it was a particularly tough decision by Google as the account remained locked after the man whose account got blocked proved to Google that he was innocent. He even had a police report stating that the authorities has decided that the sending of the naked picture of his son to his doctor "did not constitute child abuse or exploitation".
Regardless, Google did not unblock the account. Then it got permanently deleted due to inactivity.
The process by Microsoft, Google and others to block logins of users is completely legal. While the blocking of an account must only happen because of an "important reason", for example the distribution of child pornography, the block can then take place immediately and permanently. A justified suspicion by the online service is absolutely sufficient - even if the suspicion turns out to have been false.
In Malik's case, his Microsoft login got blocked for suspicion of storing child pornographic material to Microsoft's OneDrive. According to Malik, the pictures were a harmless, depicting his nephew playing naked on the beach.
The pictures, taken on his smartphone, had been uploaded to OneDrive where Misrosoft's CSAM scan flagged them as potentially criminal content.
When Malik contacted Microsoft support, explaining the issue, he simply received an answer stating "Microsoft has deactivated access to the account due to a serious violation of the Microsoft Services Agreement."
In the Heise article, the lawyers Sebastian Laoutoumai and Oliver Löffel recommend that anyone who has been blocked from their login to their online service without a reason should immediately dispute the block and issue a warning to said service. If the service "does not respond or does not respond as requested," one can apply for an injunction against the blocking of the account in Germany. "This prohibits the online service from blocking the account - for certain reasons or without giving reasons - under threat of a fine of up to 250,000 euros."
Malik's case was investigated by th police who dropped the charges of sharing child pornographic images.
However, his Microsoft account remained blocked.
The two examples depicted here by Microsoft and Google users loosing access to their login show how "easy" it is for Big Tech to get away with this practise of blocking accounts based on automatic scans. It is therefore advisable not to use Microsoft or Google as your only back-up or original storage.
Instead you should always keep a local back-up of valuable data. It is also recommendable to pay for online services as direct support is often limited to paying customers. If you lose your login credentials, fast access to support can be crucial.