EU data privacy investigation finds Microsoft guilty of "large scale and covert" harvesting and "unlawful" storage of MS Office user data

Delicieuxz

In 2018, the Dutch government commissioned a formal investigation into what data Microsoft was harvesting from government computers running Microsoft Office software and how Microsoft was handling that data. This investigation is a different one than the one which investigated Microsoft's data-harvesting practices regarding Windows 10.

 

In a 91-page assessment published in November, the investigative team raises the alarm over serious violations of GDPR including extreme amounts of undeclared data-harvesting and storing of that data outside of the EU's borders, in the US.

 

The full report in English is here: DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf

And a backup link is available here: microsoft-office-gdpr-fail.pdf

 

 

A brief summary of the report: Impact assessment shows privacy risks in Microsoft Office ProPlus Enterprise

Quote

The results of this Data Protection Impact Assessment (DPIA) are alarming. Microsoft collects and stores personal data about the behaviour of individual employees on a large scale, without any public documentation. The DPIA report (in English) as published by the Ministry is available here.

 

Starting today, and with the help of Microsoft, SLM Rijk offers zero exhaust settings to admins of government organisations. During the writing of this DPIA, Microsoft has committed to take a number of other important measures to lower the data protection risks.

 

...

 

Microsoft does not (yet) offer a possibility to inspect the contents of the diagnostic data flow. Microsoft has explained that 23.000 to 25.000 types of events are sent to Microsoft’s servers, and that 20 to 30 engineer teams work with these data. The engineers can dynamically add new events to the data stream from all computers with Office ProPlus. This collection of data is much more specific than in Windows 10 telemetry. If the telemetry is set to ‘full’ in Windows 10, it involves 1000 up to 1200 types of events. And 10 teams with engineers.

 

 

An article about the report: Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Quote

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.

 

That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

 

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

 

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

 

Microsoft is apparently working with the investigators to address the issues raised in the report.

 

 

In their assessment, the Dutch investigators listed a series of possible countermeasures to curtail Microsoft's current illegal data-harvesting, transferring, and storing practices:

 

[Image: microsoft-office-gdpr.png]

 

 

It's a good sign that the investigators bring up the idea of implementing more controls over data in Microsoft Office software. It's not just Microsoft Office software that is lacking in that regard, but also the Windows OS software.

 

As I've said before, Microsoft is in gross violation of GDPR rules regarding the Windows OS, yet, thus far, investigators and authorities have been seemingly turning a blind eye to it. I hope that changes and that real actions start to be taken to give people their rightful control over their personal and personally-owned data their activities, computers, and hardware generate in their Windows OSes.

 

 

The report also notes that Microsoft admits that the data being harvested through MS Office products "may contain" personal names and IP addresses. As the Dutch DPA's Windows 10 investigation found that all the data harvested through Windows 10 is tagged with multiple personal identifiers, I take Microsoft's "may contain" to be a reluctant and guilty admission that all the data harvested through MS Office is also tagged with multiple personal identifiers, just like the data that's harvested through Windows 10 is:

Quote

Just like the Windows 10 telemetry data, the Office telemetry data are stored in the central Cosmos database. Microsoft explains in its own Office 365 GDPR compliance assessment, “Cosmos is the central audit record repository for all service teams and audit logs are uploaded to Cosmos from all servers in the Office 365 environment.” Microsoft explains that system-generated event logs are stored in Cosmos as well.

 

In response to this DPIA report, Microsoft has admitted that Cosmos may contain end-user identifiable information (abbreviated by Microsoft as EUII) such as names and IP-addresses. These are stored in a hashed form. Microsoft also admits that Cosmos may contain logs with end-user pseudonymous identifiers such as User GUIDs, PUIDs, or SIDs (abbreviated by Microsoft as EUPI).

 

 

This newer report on Microsoft reminds me of what I said in a thread about the bigger topic of data-harvesting, which is that "The exploitation of people's data has always been leagues beyond what the public is ever let to know".

Link to post

Can the world stop trying to data mine everything? 

Link to post

Quote

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

  

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

Yeah, this excerpt in particular is shocking. Storing email titles and email sentences of enterprise Office users without disclosing any of this. Disappointing Microsoft, they definitely deserve whatever comes their way, not only for this data harvesting but also for clearly keeping it secret and not disclosing it.

Link to post

1 hour ago, VegetableStu said:

or at least make achievements out of the data pots (e.g. number of files saved, number of undos, level of nested IF() functions, etc) ._.

a sorta bing rewards program for all the data they take from you. 

Link to post

Isn't it that big companies with their own IT departments adjust Windows for their needs and set how it needs to work and what data to collect?

Link to post

Inb4 fine is just a drop in the bucket like they did with Google

Link to post

12 minutes ago, Enochian said:

Isn't it that big companies with their own IT departments adjust Windows for their needs and set how it needs to work and what data to collect?

Not for the Office 365 online resources like SharePoint Online, OneDrive, Office 365 Web Applications. Those are all controlled by Microsoft and run on Microsoft services (Azure).

Link to post

19 minutes ago, leadeater said:

Not for the Office 365 online resources like SharePoint Online, OneDrive, Office 365 Web Applications. Those are all controlled by Microsoft and run on Microsoft services (Azure).

but the system itself on PCs should be flexible enough I guess, to adjust the telemetry and other things?
Otherwise it would mean that no one is safe? No government, no company... that's why the wild west was better :(

Link to post

2 minutes ago, Enochian said:

but the system itself on PCs should be flexible enough I guess, to adjust the telemetry and other things?
Otherwise it would mean that no one is safe? No government, no company... that's why the wild west was better :(

Well it sounds like there are also issues with the Office 2016/365 desktop applications as well. You can configure and control the Office settings but some things just don't have an off option.

Link to post

3 minutes ago, Teddy07 said:

The EU is just mad that they do not have tech giants so they started to crack down on US tech giants.

Only if we ignore SAP and the large amount of EU tech giant companies in the hardware sector for things like power distribution.

Link to post

4 minutes ago, leadeater said:

Only if we ignore SAP and the large amount of EU tech giant companies in the hardware sector for things like power distribution.

You are absolutely right!

There is only one EU company among the top 25 tech companies by market cap and it is SAP (~ rank 13).

 

In my post, I was more referring to Google, Facebook, Amazon, Apple, IBM, and such where there isn't any EU equivalent even close.

Link to post

20 minutes ago, Teddy07 said:

You are absolutely right!

There is only one EU company among the top 25 tech companies by market cap and it is SAP (~ rank 13).

 

In my post, I was more referring to Google, Facebook, Amazon, Apple, IBM, and such where there isn't any EU equivalent even close.

That's because the EU are just a load of... *political rant censored*

 

Seriously though, would you want to run a technology company in the EU with all of the 'rules' they have in place or are trying to get passed? I certainly wouldn't!

Link to post

27 minutes ago, Teddy07 said:

In my post, I was more referring to Google, Facebook, Amazon, Apple, IBM, and such where there isn't any EU equivalent even close.

All of which heavily rely on EU tech companies like APC and Eaton to exist at all and offer their services. EU tech companies aren't known for being front facing home consumer companies but they are big and focus on business sector services and support.

 

Also tech doesn't mean software companies.

Link to post

[Image: search result for "it's a free real estate"]

The EU also has a lot of good regulations that people (like myself) can benefit from.
It's a different mentality of course and some countries tend to overdo it and guide citizens by the hand, but in a lot of cases it helps.
Starting your own business is very easy in the EU and they fund a lot of initiatives.

Link to post

They should be slapped with the fine of 4% Annual Global Turnover, doing some guesstimating looks like it would be around $4 Billion Dollars...

Link to post

stop whining, it's for improving their products!!!!

 

Thank God Microsoft cares about consumers.

 

[Image: XpgonN0X_400x400.jpg]

Link to post

12 minutes ago, Lukyp said:

stop whining, it's for improving their products!!!!

 

Thank God Microsoft cares about consumers.

You might want to add a "/s" at the end.

I can't tell if this is sarcasm or not.

Link to post

26 minutes ago, LAwLz said:

You might want to add a "/s" at the end.

I can't tell if this is sarcasm or not.

I should have added a smiling Bill Gates pic at the end

 

done

Link to post

OFFICE? hahahahah fking office, no one cares about that. They should check how much data they hoard from Windows, emails and browsers, it's insane. They should be banned for life with a $10 billion fine for how much they steal illegally; even if it was legal they should be banned from existence, but then again you can say the same for Google and over 50% of all other services, web and mobile apps.

Link to post

And I held Microsoft as a company with good privacy policies. I guess I was wrong. I've ditched Google and will be slamming the final nail in their coffin after ditching Android too (hell froze over and I'm going with Apple pretty soon). Now Microsoft fucking shit up, it's almost as if they want us, the customers, to go to the competition. If they continue with this idiocy I might end up buying a stupidly overpriced Mac as well in the end. Because Apple hasn't fucked up yet. If it turns out they've been doing this as well, then what?

Link to post

21 minutes ago, RejZoR said:

And I held Microsoft as a company with good privacy policies. I guess I was wrong. I've ditched Google and will be slamming the final nail in their coffin after ditching Android too (hell froze over and I'm going with Apple pretty soon). Now Microsoft fucking shit up, it's almost as if they want us, the customers, to go to the competition. If they continue with this idiocy I might end up buying a stupidly overpriced Mac as well in the end. Because Apple hasn't fucked up yet. If it turns out they've been doing this as well, then what?

You don't have to use Office, WordPerfect is still around.

Link to post

1 hour ago, SansVarnic said:

You don't have to use Office, WordPerfect is still around.

Wordstar ftw!

Link to post

7 hours ago, ARikozuM said:

Can the world stop trying to data mine everything? 

 
