Software

Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Telemetry data slurp broke the law, Dutch govt eggheads say

By Kieren McCarthy in San Francisco

141 SHARE

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.

That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

GDPRmageddon: They think it's all over! Protip, it has only just begun

READ MORE

The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.

Other companies typically give users the option to decide whether to send data on their software's functioning to them.

Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on US servers.

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people," said a blog post written by Privacy Company summarizing its report. Privacy Company was hired by the Netherlands government to probe the use of Office in the public sector.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded."

One example: if you use the backspace key several times in a row – suggesting you aren’t sure of the spelling of a particular word – or look up or translate a word through its system, then Microsoft stores the sentence before and after that event.

Why store?

And while the report's researchers note that it is inevitable that users will supply Microsoft with their IP address and email headers as part of making the system work, there is no need for the company to store that information. "Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes," it argues.

The dossier found that Microsoft tracks around 25,000 different types of "event" and has a team of 20 to 30 engineers who analyze the data. Those techies are also able to add new events to be recorded.

The end result of all this is the Dutch data protection authority has concluded that Microsoft has violated GDPR "on many counts" including "lack of transparency and purpose limitation, and the lack of a legal ground for the processing."

The Seattle-based company could face a huge fine under GDPR and so, according to the Dutch authorities, has provided them with an "improvement plan" that regulators are happy "would end all violations."

GDPR USA? 'A year ago, hell no ... More people are open to it now' – House Rep says EU-like law may be mulled

READ MORE

Microsoft has "committed to submitting these changes for verification in April 2019," the regulator noted. It has also provided a "zero exhaust" version of Office and the researchers recommend that sysadmins apply those new settings. It also suggest prohibiting the use of Microsoft's "Connected Services" and to remove the option for users to send data to "help improve" Office.

It also recommends simply not using the web-only version of Office 365, or SharePoint Oneline. And it recommends periodically deleting the Active Directory accounts of VIP users and creating new accounts for them so that the diagnostic data associated with those accounts is eventually deleted.

And in one piece of advice that will have Redmond execs jumping up and down in fury, the researchers recommend that sysadmins "consider conducting a pilot with alternative software" – something that "would be in line with the Dutch government policy to promote open standards and open source software."

The Dutch privacy watchdog has warned it is monitoring the situation: "If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures." In other words, a monster fine, potentially.

The issue affects those with ProPlus subscriptions of Office 2016 and Office 365 and the online version of Office 365.

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns." ®

Sign up to our NewsletterGet IT in your inbox daily

141 Comments

More from The Register

Microsoft giveth and Microsoft taketh away: Partner boss explains yanking of free licences

Updated Cloud giant's blunt instrument clobbers loyal resellers too

Microsoft breaks out checkbook, turns Hungarian 'bribe' charge into a mere 'settlement'

Brad's big bucks banish bothersome Budapest bung

Dutch cheesed off at Microsoft, call for Rexit from Office Online, Mobile apps over Redmond data slurping

Cloggies less than chilled out over Windows telemetry

The democratisation of IT: Amazon and Microsoft own half the cloud infrastructure market

Choice? Yes, we've heard of it too

Microsoft sends partners hundreds of unwanted OPI: Other People's Invoices

Risky business: Azure cloud rains bills

Microsoft follows up those licensing hikes by snipping away costs for Azure Archive Storage

Amazon CTO not happy. Isn't it ironic... don't you think?

Don't press the red b-... Windows Insiders' rings hit by surprise Microsoft emission

That's 20H1 for you, 20H1 for you and 20H1 for you

Disabled by default: Microsoft ups the ante in its war against VBScript on Internet Explorer

Will the last IE 11 user please turn out the lights?

Microsoft Surface users baffled after investing in kit that throttles itself to the point of passing out

400MHz ought to be enough for anyone?

Microsoft blacklisted TSO Host's email IPs from Hotmail, Outlook inboxes and no one seems to care

Apart from the poor sods paying for the service, that is