Software

Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Telemetry data slurp broke the law, Dutch govt eggheads say

By Kieren McCarthy in San Francisco

141 SHARE

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.

That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

GDPRmageddon: They think it's all over! Protip, it has only just begun

READ MORE

The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.

Other companies typically give users the option to decide whether to send data on their software's functioning to them.

Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on US servers.

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people," said a blog post written by Privacy Company summarizing its report. Privacy Company was hired by the Netherlands government to probe the use of Office in the public sector.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded."

One example: if you use the backspace key several times in a row – suggesting you aren’t sure of the spelling of a particular word – or look up or translate a word through its system, then Microsoft stores the sentence before and after that event.

Why store?

And while the report's researchers note that it is inevitable that users will supply Microsoft with their IP address and email headers as part of making the system work, there is no need for the company to store that information. "Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes," it argues.

The dossier found that Microsoft tracks around 25,000 different types of "event" and has a team of 20 to 30 engineers who analyze the data. Those techies are also able to add new events to be recorded.

The end result of all this is the Dutch data protection authority has concluded that Microsoft has violated GDPR "on many counts" including "lack of transparency and purpose limitation, and the lack of a legal ground for the processing."

The Seattle-based company could face a huge fine under GDPR and so, according to the Dutch authorities, has provided them with an "improvement plan" that regulators are happy "would end all violations."

GDPR USA? 'A year ago, hell no ... More people are open to it now' – House Rep says EU-like law may be mulled

READ MORE

Microsoft has "committed to submitting these changes for verification in April 2019," the regulator noted. It has also provided a "zero exhaust" version of Office and the researchers recommend that sysadmins apply those new settings. It also suggest prohibiting the use of Microsoft's "Connected Services" and to remove the option for users to send data to "help improve" Office.

It also recommends simply not using the web-only version of Office 365, or SharePoint Oneline. And it recommends periodically deleting the Active Directory accounts of VIP users and creating new accounts for them so that the diagnostic data associated with those accounts is eventually deleted.

And in one piece of advice that will have Redmond execs jumping up and down in fury, the researchers recommend that sysadmins "consider conducting a pilot with alternative software" – something that "would be in line with the Dutch government policy to promote open standards and open source software."

The Dutch privacy watchdog has warned it is monitoring the situation: "If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures." In other words, a monster fine, potentially.

The issue affects those with ProPlus subscriptions of Office 2016 and Office 365 and the online version of Office 365.

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns." ®

Sign up to our NewsletterGet IT in your inbox daily

141 Comments

More from The Register

We all love bonking to pay, but if you bonk with a Windows Phone then Microsoft has bad news

Look, the platform is dead. Will you just move on already?

Microsoft partner portal 'exposes 'every' support request filed worldwide' today

Exclusive No customer data visible but hell's bells, Redmond, what have you borked now?

Home users due for a battering with Microsoft 365 subscription stick

Job opening at Redmond points to new consumer services

It’s baaack – Microsoft starts pushing out the Windows 10 October 2018 Update

Set to update automatically? Say hello to my little friend…

Born-again open-source enthusiast Microsoft rucks up at OpenChain

How do you solve a problem like compliance?

Microsoft decides Internet Explorer 10 has had its fun: Termination set for January 2020

Windows Server 2012 admins should crank it up to 11

US Department of Defense to sling an estimated $3.17bn at Microsoft resellers

Cash to be splashed over 10 years on software sporting a Microsoft badge

Surface: Tested to withstand the NFL. Microsoft firmware updates? Not so much

Windows is updating your play-by-play, this may take a while

Party pooper Microsoft pulls plug on Party Cluster

If yer name's not on Azure's list, you ain't coming in

Microsoft pulls Office 2010 updates because they're big in Japan. As in, big pain in the ASCII

Software performance tweaks have opposite effect