Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.

That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.

Other companies typically give users the option to decide whether to send data on their software's functioning to them.

Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on US servers.

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people," said a blog post written by Privacy Company summarizing its report. Privacy Company was hired by the Netherlands government to probe the use of Office in the public sector.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded."

One example: if you use the backspace key several times in a row – suggesting you aren’t sure of the spelling of a particular word – or look up or translate a word through its system, then Microsoft stores the sentence before and after that event.

Why store?

And while the report's researchers note that it is inevitable that users will supply Microsoft with their IP address and email headers as part of making the system work, there is no need for the company to store that information. "Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes," it argues.

The dossier found that Microsoft tracks around 25,000 different types of "event" and has a team of 20 to 30 engineers who analyze the data. Those techies are also able to add new events to be recorded.

The end result of all this is the Dutch data protection authority has concluded that Microsoft has violated GDPR "on many counts" including "lack of transparency and purpose limitation, and the lack of a legal ground for the processing."

The Seattle-based company could face a huge fine under GDPR and so, according to the Dutch authorities, has provided them with an "improvement plan" that regulators are happy "would end all violations."

Microsoft has "committed to submitting these changes for verification in April 2019," the regulator noted. It has also provided a "zero exhaust" version of Office and the researchers recommend that sysadmins apply those new settings. It also suggest prohibiting the use of Microsoft's "Connected Services" and to remove the option for users to send data to "help improve" Office.

It also recommends simply not using the web-only version of Office 365, or SharePoint Oneline. And it recommends periodically deleting the Active Directory accounts of VIP users and creating new accounts for them so that the diagnostic data associated with those accounts is eventually deleted.

And in one piece of advice that will have Redmond execs jumping up and down in fury, the researchers recommend that sysadmins "consider conducting a pilot with alternative software" – something that "would be in line with the Dutch government policy to promote open standards and open source software."

The Dutch privacy watchdog has warned it is monitoring the situation: "If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures." In other words, a monster fine, potentially.

The issue affects those with ProPlus subscriptions of Office 2016 and Office 365 and the online version of Office 365.

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns." ®