Using Discardable Office 365 Accounts to Preserve User Privacy
Delve and Signals
When the Delve app appeared in Office 365 in 2015, it created quite a stir because of its ability to highlight documents in its “Popular Documents” view that people didn’t think were shared and available publicly. Of course, Delve did what it is designed to do to connect people based on their communications as captured in signals in the Microsoft Graph.
All sorts of rumors spread about Delve’s ability to offer documents to people who weren’t entitled to view their contents. It was all rubbish, but Microsoft was worried enough to include the Are my documents safe in Delve link in the app.
Some documents did appear in Delve unexpectedly, mostly because of poorly-controlled permissions for SharePoint Online libraries. This is not a fault of Delve; the problem lies with the site owners. Computer programs can only process the data they have to process. Although Microsoft gathers a lot of data about how people work inside Office 365 (too much for some), the fact remains that if you don’t protect data, it can be exposed.
Some Signals Need Blocking
Office 365 is not going to stop tracking how users communicate with each other. While mostly the signal data adds values to users, as when it is used to suggest new teams or Office 365 groups to join, the signals surfaced by Delve and other apps (like the Discover feature in OneDrive for Business) can have unfortunate consequences in certain circumstances.
Take the example of someone who is referred for advice to a company counselor and begins to email and share documents with their counselor. These sharing activities might turn up and tip other people off that the person is receiving help from a counselor. Although letting others know that someone is looking for support might not be a problem, it could be if the advice covered sensitive topics like addiction to drugs or alcohol. Revealing sensitive personal information like this is not a good idea, especially when organizations must comply with regulations like GDPR.
A user can disable the collection of signals that power how Delve and OneDrive for Business select documents for display (Figure 1). And you can use the SharePoint Admin Center to disable the Graph for everyone in the organization. These seem like radical steps, and I dislike disabling useful functionality where a better solution exists.
Discardable Office 365 Accounts
Instead of stopping signals flowing into the Microsoft Graph, my proposal is that those who seek confidential help from their company about sensitive topics should be assigned a discardable Office 365 account for communications. My definition of what a discardable account looks like is:
- An account for short-term use that is removed as soon as the user no longer needs help.
- Assigned a cheap F1 license to access email, SharePoint, Office 365 Groups, and Teams. Its mailbox is small, but that’s OK because it is unlikely to receive much email.
- Given a name that is not associated with the user (like Temp_1987471), does not appear in address lists, and has an obscure email address, like Temp_1987471_ffa@com.
It’s easy to create a discardable account with the necessary characteristics using the Office 365 Admin Center or through PowerShell.
Let’s imagine that the organization creates a small pool of five or so discardable accounts. When someone seeks help, a counselor assigns that person a discardable account from the available pool. Although email is enough to communicate and OneDrive for Business can be used to share documents, it might be better to create a private team with two members (the counselor and the discardable account) to share documents and conversations relating to the case and host video and audio meetings.
To make sure that the case information is kept, both the discardable account and the counselor account should be placed on hold. And of course, the Delve setting controlling the document view is disabled in the discardable account.
Once the account is ready, the person seeking help can log into their discardable account and communicate in complete privacy. A clear separation exists between their normal work activity and their need for support, which is how it should be.
Hopefully, the need for support will abate in time. At that point, the discardable account is no longer needed and it can be removed from Office 365. Because the account is on hold, Exchange will put the mailbox into an inactive state and keep it until the hold elapses or is removed, meaning that if any unforeseen problems arise, the mailbox can be recovered or restored.
Artificial intelligence and machine learning are going to be increasingly important as time goes by. And while there’s no need to fear what these technologies bring (unless you think of Skynet),, sometimes it’s good to cloak the activities of Office 365 users from the Microsoft Graph.