Software

Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Telemetry data slurp broke the law, Dutch govt eggheads say

Got Tips? 141
SHARE

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.

That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

GDPRmageddon: They think it's all over! Protip, it has only just begun

READ MORE

The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.

Other companies typically give users the option to decide whether to send data on their software's functioning to them.

Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on US servers.

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people," said a blog post written by Privacy Company summarizing its report. Privacy Company was hired by the Netherlands government to probe the use of Office in the public sector.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded."

One example: if you use the backspace key several times in a row – suggesting you aren’t sure of the spelling of a particular word – or look up or translate a word through its system, then Microsoft stores the sentence before and after that event.

Why store?

And while the report's researchers note that it is inevitable that users will supply Microsoft with their IP address and email headers as part of making the system work, there is no need for the company to store that information. "Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes," it argues.

The dossier found that Microsoft tracks around 25,000 different types of "event" and has a team of 20 to 30 engineers who analyze the data. Those techies are also able to add new events to be recorded.

The end result of all this is the Dutch data protection authority has concluded that Microsoft has violated GDPR "on many counts" including "lack of transparency and purpose limitation, and the lack of a legal ground for the processing."

The Seattle-based company could face a huge fine under GDPR and so, according to the Dutch authorities, has provided them with an "improvement plan" that regulators are happy "would end all violations."

GDPR USA? 'A year ago, hell no ... More people are open to it now' – House Rep says EU-like law may be mulled

READ MORE

Microsoft has "committed to submitting these changes for verification in April 2019," the regulator noted. It has also provided a "zero exhaust" version of Office and the researchers recommend that sysadmins apply those new settings. It also suggest prohibiting the use of Microsoft's "Connected Services" and to remove the option for users to send data to "help improve" Office.

It also recommends simply not using the web-only version of Office 365, or SharePoint Oneline. And it recommends periodically deleting the Active Directory accounts of VIP users and creating new accounts for them so that the diagnostic data associated with those accounts is eventually deleted.

And in one piece of advice that will have Redmond execs jumping up and down in fury, the researchers recommend that sysadmins "consider conducting a pilot with alternative software" – something that "would be in line with the Dutch government policy to promote open standards and open source software."

The Dutch privacy watchdog has warned it is monitoring the situation: "If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures." In other words, a monster fine, potentially.

The issue affects those with ProPlus subscriptions of Office 2016 and Office 365 and the online version of Office 365.

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns." ®

Sign up to our NewsletterGet IT in your inbox daily

141 Comments

Keep Reading

Canary-build Microsoft browser blocks Microsoft extension from inflicting Microsoft search engine

Virtue is its own reward

Microsoft 365 Business to gain more Azure Active Directory toys... oh, and it's called Microsoft 365 Business Premium (from 21 April)

Because this Office branding shake-up isn't confusing at all

Microsoft: 14 January patch was the last for Windows 7. Also Microsoft: Actually...

Wallpaper-stripping bug will be fixed

Non-human Microsoft Office users get their own special licences

Automated operators can pay up like anyone – or anything – else

Microsoft's latest cloud innovation: Printing

Now without all the mucking around on-premises

Microsoft tries really hard not to say the next Xbox could be delayed by coronavirus

But its language has changed from 'clear a space under the tree' to 'our goal remains late 2020 delivery'

Slack hooks up with Microsoft Teams and Zoom VoIP calls

Maybe the world needs the Pidgin of voice and video right now?

Mind your language: Microsoft set to swing the axe on 27 languages in iOS Outlook

Moenie die hoender ruk nie

Thought Microsoft's licence plans were Kafkaesque? How about a Kafka extension for Azure Functions?

Also: Java 8 support? Linux? Ah yes – that would be the new Microsoft

Microsoft's Cortana turns its back on consumers as skills are stripped from Windows 10

Unloved assistant to smarten up its act in Microsoft 365. US only, naturally

Tech Resources

Webcast Slide Deck | Ransomware has gone nuclear

A new generation of attackers are crafting plans to cause the most panic, pain, and operational disruption. They will take the time to maximize your organization’s potential damage and also their payoff -- not just encrypting your data, but stealing it and posting it publicly if you don’t play ball. Join Roger Grimes from KnowBe4 and Tim Phillips from The Reg for a RegCast in which they will be sounding the ransomware emergency klaxon.

A Definitive Guide to Understanding and Meeting the CIS Critical Security Controls

The CIS Critical Security Controls are the industry standard for good security. Are you up to par?

7 Steps to Save Big on Your AWS Bill

How do you lower the Amazon Web Services (AWS) bill without affecting business operations?

CyberArk Alero Delivers Remote Third-Party Access Without Agents or Passwords

Alero provides ‘secure zero trust access’ that enables third-parties to access critical internal resources without VPNs, passwords or installing agents.