Report: Microsoft’s enterprise products covertly gather personal data on users

Microsoft collects and stores personal data about the behavior of individual users of its enterprise offerings on a large scale, without any public documentation — according to a new report by Privacy Company.

The data protection impact assessment (DPIA) was commissioned by the Dutch government to guide its institutions — which together account for 300,000 workstations in ministries, the judiciary, the police, tax authorities, etc. — in their dealings with Microsoft’s enterprise software.

In a blog post discussing the findings of the report, Privacy Company clearly states that the results of the DPIA on Microsoft Office ProPlus for enterprises are alarming.

Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people.

Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.

Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States.

Basically, Microsoft gathers a ton of data on employees using the company’s software, without letting them know, and doesn’t provide the option to opt out.

One of the biggest concerns of the report is Microsoft’s use of the telemetry data, as Microsoft is pushing more and more services off premise. Up until now, Dutch governmental institutions have stored their content data locally, in their own data centers. But this is set to change.

The Dutch authorities are conducting pilots with storing data in the Microsoft cloud, in SharePoint and in OneDrive — along with testing out the web-only version of Office 365. Although Microsoft already collects data on individual use of its software in current setups, the DPIA shows that the new methods come with “high data protection risks for data subjects.”

The blog states that Microsoft has already made commitments to make adjustments to its software to accommodate privacy concerns, e.g. a telemetry data viewer tool and a new “zero-exhaust setting.”

While Microsoft’s plans will hopefully help minimize the risk for its users, Privacy Company outlines six remaining high risks for data subjects:

A Microsoft spokesperson told TNW that the company was committed to finding a solution to the concerns raised in Privacy Company’s report:

We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.

In the meantime, Privacy Company recommends that admins of the enterprise version of Office ProPlus in the Netherlands (although many of the measures should also be applicable in other countries) take the following steps to lower the privacy risk for employees and other users: