Free Republic
Browse · Search
General/Chat
Topics · Post Article


Microsoft...GDPR mega-fines for 'large scale and covert' gathering of people's info via Office(tr)
The Register ^ | Nov 16, 2018 | Kieren McCarthy

Posted on 11/18/2018 6:44:03 PM PST by dayglored

Telemetry data slurp broke the law, Dutch govt eggheads say

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.

That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.

Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.

Other companies typically give users the option to decide whether to send data on their software's functioning to them.

Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on US servers.

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people," said a blog post written by Privacy Company summarizing its report. Privacy Company was hired by the Netherlands government to probe the use of Office in the public sector.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded."

One example: if you use the backspace key several times in a row – suggesting you aren’t sure of the spelling of a particular word – or look up or translate a word through its system, then Microsoft stores the sentence before and after that event.

Why store?

And while the report's researchers note that it is inevitable that users will supply Microsoft with their IP address and email headers as part of making the system work, there is no need for the company to store that information. "Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes," it argues.

The dossier found that Microsoft tracks around 25,000 different types of "event" and has a team of 20 to 30 engineers who analyze the data. Those techies are also able to add new events to be recorded.

The end result of all this is the Dutch data protection authority has concluded that Microsoft has violated GDPR "on many counts" including "lack of transparency and purpose limitation, and the lack of a legal ground for the processing."

The Seattle-based company could face a huge fine under GDPR and so, according to the Dutch authorities, has provided them with an "improvement plan" that regulators are happy "would end all violations."

Microsoft has "committed to submitting these changes for verification in April 2019," the regulator noted. It has also provided a "zero exhaust" version of Office and the researchers recommend that sysadmins apply those new settings. It also suggests prohibiting the use of Microsoft's "Connected Services" and removing the option for users to send data to "help improve" Office.

It also recommends simply not using the web-only version of Office 365, or SharePoint Online. And it recommends periodically deleting the Active Directory accounts of VIP users and creating new accounts for them so that the diagnostic data associated with those accounts is eventually deleted.

And in one piece of advice that will have Redmond execs jumping up and down in fury, the researchers recommend that sysadmins "consider conducting a pilot with alternative software" – something that "would be in line with the Dutch government policy to promote open standards and open source software."

The Dutch privacy watchdog has warned it is monitoring the situation: "If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures." In other words, a monster fine, potentially.

The issue affects those with ProPlus subscriptions of Office 2016 and Office 365 and the online version of Office 365.

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns." ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: gdpr; microsoft; office; slurp
Whoopsie.
1 posted on 11/18/2018 6:44:03 PM PST by dayglored
[ Post Reply | Private Reply | View Replies]

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Microsoft Office personal "telemetry" violates GDPR ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 11/18/2018 6:44:58 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Gee, Golly, if only someone had warned us that our computers could be spying on us.

I suppose someday, it will come out that Linux does it too....
But for now, I’ll try to feel relieved that I switched over to it a few years ago.


3 posted on 11/18/2018 7:00:00 PM PST by LegendHasIt
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

I quit using Microcrap’s Office applications YEARS ago.


4 posted on 11/18/2018 7:06:36 PM PST by kiryandil (Never pick a fight with an angry beehive)
[ Post Reply | Private Reply | To 1 | View Replies]

To: kiryandil

I still run Word97.

The envelope/label feature is great for my fairly low usage.

Otherwise, it’s LibreOffice.


5 posted on 11/18/2018 7:30:03 PM PST by Calvin Locke
[ Post Reply | Private Reply | To 4 | View Replies]

To: Calvin Locke

MS Excel can’t represent dates in their date format before 1900. Makes it useless for sharing genealogical info so you can sort on date.


6 posted on 11/18/2018 8:17:24 PM PST by Dalberg-Acton
[ Post Reply | Private Reply | To 5 | View Replies]

To: dayglored

It amazes me that Microsoft has chosen to flush so much goodwill down the toilet.


7 posted on 11/18/2018 8:35:38 PM PST by TChad
[ Post Reply | Private Reply | To 1 | View Replies]

To: TChad

The ceo is from India. I do not think anyone there has rights. That would be the mindset of the ceo when dealing with anyone else.


8 posted on 11/18/2018 8:46:29 PM PST by minnesota_bound
[ Post Reply | Private Reply | To 7 | View Replies]

To: dayglored

We used to have Lotus AmiPro, and I liked it a lot better than Word.

It seems to have disappeared, and I’m still using an old, old version of Word now.

I refuse to sign up for the “subscription” Word. I’ll find another substitute when the time comes.


9 posted on 11/19/2018 12:04:50 AM PST by FrankR ( You've got to stand for SOMETHING, or you'll fall for ANYTHING.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TChad

They don’t need goodwill: they have sweetheart deals with dozens of large companies who have agreed to force Microcrap on everyone they deal with.

Same as Big Pharma cutting deals with doctors and hospitals, and to hell with the patients.


10 posted on 11/19/2018 12:44:26 AM PST by John Locke
[ Post Reply | Private Reply | To 7 | View Replies]

To: dayglored
The EU GDPR rules are a nightmare - so vaguely written that finding ways to comply with them could take months or years of application re-writes and, of course, accompanied by massive penalties for non-compliance.

The Chinese have a similar swamp of regulations coming up, too.
11 posted on 11/19/2018 5:06:59 AM PST by AnotherUnixGeek
[ Post Reply | Private Reply | To 1 | View Replies]

To: minnesota_bound
The ceo is from India. I do not think anyone there has rights.

The CEO is an American who was born in India.

And people in India have rights. Even people in Communist China have some rights, and India is much more free than China.
12 posted on 11/19/2018 5:10:38 AM PST by AnotherUnixGeek
[ Post Reply | Private Reply | To 8 | View Replies]

To: dayglored
And in one piece of advice that will have Redmond execs jumping up and down in fury, the researchers recommend that sysadmins "consider conducting a pilot with alternative software" – something that "would be in line with the Dutch government policy to promote open standards and open source software."

Yup. That's what it will take. These days, unless you have very complex excel docs that make heavy use of microsoft-specific macros and such, there is really no reason you couldn't change to something like LibreOffice. The vast majority of folks don't use more than 10% of the features of any of these 'office' programs.

The open document format of LibreOffice is superior in any case, as it is fully documented. The worst document format ever IMO is microsoft's "xml" variation. It is horrific with nasty undocumented data blobs.

13 posted on 11/19/2018 8:06:57 AM PST by zeugma (Power without accountability is fertilizer for tyranny.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: AnotherUnixGeek

Microsoft has a caste system there too in Redmond.
By the color of your badge.


14 posted on 11/19/2018 8:49:03 AM PST by minnesota_bound
[ Post Reply | Private Reply | To 12 | View Replies]

To: dayglored

Good. Microsoft has somehow been cast as the relatively good guy compared to Facebook, Google and Twitter. But not just Office but even more Windows 10 is a massive intrusion on privacy.


15 posted on 11/19/2018 8:50:47 AM PST by 9YearLurker
[ Post Reply | Private Reply | To 1 | View Replies]

To: Calvin Locke
I still run Word97.

I use Word 2000 on a Windows 10 computer. Also use Frontpage 2000.

16 posted on 11/19/2018 11:11:35 AM PST by dennisw
[ Post Reply | Private Reply | To 5 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
