Update 2: Microsoft has fixed the bug; all users can now enable HTTPS.
Update: Further testing by EFF International Activist Eva Galperin found that, in addition to Arab countries and Iran, Myanmar, Nigeria, Kazahstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan are also affected.
This morning, a Syrian Hotmail user noted that he could not turn on HTTPS on Hotmail. At closer look, we learned that the user was actually in Jordan, and had his Hotmail location set to Jordan as well…and yet he was still blocked from turning on the “use HTTPS automatically” setting.
Specifically, Microsoft Hotmail’s HTTPS feature states that turning on HTTPS will work for Hotmail over the Web, but will cause errors through external programs. Users can still force HTTPS temporarily, for a given page. We have confirmed that users in some of the countries below are able to force HTTPS (either by typing it in manually or using a program like HTTPS Everywhere, however, we cannot confirm that this works for everyone, or on all pages). In any case, it’s imperative that users have access to encryption all the time.
Replicating the Error
I quickly created a Hotmail account to see if I could replicate the situation; sure enough, when I set my location to the United States, I could turn on HTTPS as a setting, but when I switched to Jordan, I could not. I tested several other Arab countries–Syria, Bahrain, Lebanon, Morocco, Algeria–also no HTTPS. I then tested Guatemala, Israel, and Turkey: all fine. France, German: fine. Iran…no HTTPS.
The message received by users with their settings turned to one of the aforementioned countries is: Your Windows Live ID can’t use HTTPS automatically because this feature is not available for your account type.
…in which “account type” = Arab/Iranian.
Incidentally, users in the aforementioned countries are able to easily change their location setting to the United States (or another country) and then successfully turn on HTTPS. It is therefore interesting that, whatever Microsoft’s reasons for barring users from HTTPS, they chose not to enforce by IP address.
By contrast, Yahoo mail does not offer HTTPS, while Gmail enforces HTTPS by default in all countries.
This isn’t the first time Microsoft has acted prejudicially toward Arab users: In 2010, my colleague Helmi Noman at the OpenNet Initiative discovered that Microsoft’s Bing was blocking Arabic-speaking users (e.g., those using the Arabic-language/Arab countries version of Bing) from searching for certain terms, mostly related to sexual content.
For activists, there are two courses of action: Either change your location to a country that will allow you to enforce HTTPS or switch to Gmail or another secure service.
As for Microsoft, we’ve let them know about the situation. It is my hope that this is a mistake and will soon be corrected. I’ll keep you posted.