Microsoft collects and stores personal data about the behavior of individual users of its enterprise offerings on a large scale, without any public documentation — according to a new report by Privacy Company.
The data protection impact assessment (DPIA) was commissioned by the Dutch government to guide its institutions — which includes 300,000 workstations in ministries, the judiciary, the police, tax authorities, etc. — in their dealings with Microsoft‘s enterprise software.
In a blog post discussing the findings of the report, Privacy Company clearly states that the results of the DPIA on Microsoft Office ProPlus for enterprises are alarming.
Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people.
Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.
Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States.
Basically, Microsoft gathers a ton of data on employees using the company’s software, without letting them know, and doesn’t provide the option to opt out.
One of the biggest concerns of the report is Microsoft‘s use of the telemetry data, as Microsoft is pushing more and more services off premise. Up until now, Dutch governmental institutions have stored their content data locally, in their own data centers. But this is set to change.
The Dutch authorities are conducting pilots with storing data on the Microsoft cloud, in SharePoint, and in OneDrive — along with testing out the web-only version of Office 365. Although Microsoft does collect data on individual use of its software in current set-ups, the DPIA show that the new methods come with “high data protection risks for data subjects.”
The blog states that Microsoft has already made commitments to make adjustments to its software to accommodate privacy concerns, e.g. a telemetry data viewer tool and a new “zero-exhaust setting.”
While Microsoft‘s plans will hopefully help minimize the risk for its users, Privacy Company outlines six remaining high risks for data subjects:
- The unlawful storage of sensitive/classified/special categories of data, both in metadata and in, for example, subject lines of e-mails
- The incorrect qualification of Microsoft as a data processor, instead of as joint controller as defined in article 26 of the GDPR
- Insufficient control over sub-processors and factual data processing
- The lack of purpose limitation, both for the processing of historically collected diagnostic data and the possibility to dynamically add new types of events
- The transfer of (all kinds of) diagnostic data outside of the EEA, while the current legal ground for Office ProPlus is the Privacy Shield and the validity of this agreement is subject of a procedure at the European Court of Justice
- The indefinite retention period of diagnostic data and the lack of a tool to delete historical diagnostical data
A Microsoft spokesperson told TNW that the company was committed to finding a solution to the concerns raised in Privacy Company’s report:
We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.
We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.
In the mean time, Privacy Company recommends admins of the enterprise version of Office ProPlus in the Netherlands (although many of them should also be applicable to other countries) to take the following measures to lower the privacy risk for employees and other users:
- Apply the new zero-exhaust settings
- Centrally prohibit the use of Connected Services
- Centrally prohibit the option for users to send personal data to Microsoft to ‘improve Office’
- Do not use SharePoint Online / OneDrive
- Do not use the web-only version of Office 365
- Periodically delete the Active Directory account of some VIP users, and create new accounts for them, to ensure that Microsoft deletes the historical diagnostic data
- Consider using a stand-alone deployment without Microsoft account for confidential/sensitive data
- Consider conducting a pilot with alternative software, after having conducted a DPIA on that specific processing This could be a pilot with alternative open source productivity software.