
Dutch Report Slams Microsoft for GDPR Violations in Office


A blog post published on November 13 by the Privacy Company in the Netherlands slams Microsoft for the amount of telemetry and diagnostic data gathered by Office applications without customer control. The report is based on work done for SLM Rijk, the Dutch organization that negotiates with Microsoft for the procurement of its services for use within the Dutch government.

The information presented comes from a Data Protection Impact Assessment (DPIA) done by the Privacy Company for SLM Rijk. Under the European Union’s General Data Protection Regulation (GDPR), organizations must perform a DPIA before starting new processing that is likely to be high-risk. To get the full picture, you can download and read the complete DPIA as a PDF.

Large-Scale Covert Collection of Personal Data

The original focus of the DPIA was the telemetry gathered by Windows 10 Enterprise, but it switched to Office 2016 (MSI and Click-to-Run) and the Office Online apps as used by Office 365. According to the report, Microsoft told SLM Rijk that 23,000 to 25,000 different event types are gathered by Office and sent to Microsoft, where they are analyzed by between 20 and 30 engineering teams.


Although this isn’t the first time that people have raised concerns about the collection of diagnostic data for Office (here’s an example), the Dutch report calls this activity “large scale and covert collection of personal data” and points out that there’s no way for an individual user or an Office 365 admin to turn off the collection.

On the surface, acquiring telemetry spanning such a wide spectrum of events is a good thing because it allows Microsoft to understand how people use the Office apps and where problems happen. Anyone who has spoken to Microsoft engineers recently is familiar with the mantra that “the telemetry tells us…”, trotted out to explain why software behaves as it does.

Personal Data and GDPR

But the problem is that Microsoft very likely includes personal data in the information it gathers and analyzes. GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person (the data subject).” Although the boundary of that definition is open to interpretation, elements like IP addresses and other online identifiers are widely considered to fall within it; Recital 30 of the GDPR names IP addresses and cookie identifiers explicitly.

Another issue pointed to in the report is the use of connected services which can collect data. For instance, if you use Teams to translate a message, the original language text is transmitted to Microsoft, translated there, and the translated text is returned to the client. The original text could contain personal data.

Further problems might come from Office 365 audit data, which can hold snippets of personal data such as the subjects of email messages. Take Figure 1, which shows an audit record captured when a delegate removed a message from an Exchange Online mailbox. The message subject is clearly visible. Although the subject isn’t very exciting in this example, you can imagine how more interesting and informative subjects might turn up during an audit log search.

Figure 1: Personal data in an Office 365 audit record (image credit: Tony Redmond)
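As an added example (not part of the original article), the script below shows the kind of check an admin can run to learn which audit records in their own tenant carry identifiers and free-text fields such as message subjects. It parses the AuditData JSON that Search-UnifiedAuditLog (Exchange Online Management module) returns on each record; the record embedded here is a constructed sample in the shape of an Exchange mailbox SoftDelete event by a delegate, with invented identifiers and subject, so the script runs offline. The field names follow the mailbox audit schema; the Find-PersonalDataInAuditRecord function name is my own.

```powershell
# Added example, not code from the article. Parses Office 365 unified audit
# records (the AuditData JSON string on each Search-UnifiedAuditLog result) and
# lists the identifier and free-text fields that can hold personal data.

# Constructed sample record: shape of an Exchange mailbox SoftDelete event by a
# delegate; all values are invented.
$sampleAuditData = @'
{
  "CreationTime": "2018-11-14T09:12:33",
  "Operation": "SoftDelete",
  "RecordType": 2,
  "UserId": "delegate@example.com",
  "MailboxOwnerUPN": "owner@example.com",
  "LogonType": 2,
  "ClientIPAddress": "203.0.113.10",
  "AffectedItems": [
    { "Id": "constructed-item-id-1", "Subject": "Pay review for J. Bloggs" }
  ]
}
'@

function Find-PersonalDataInAuditRecord {
    [CmdletBinding()]
    param(
        # One audit record as JSON (the AuditData property of a Search-UnifiedAuditLog result)
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$AuditDataJson
    )
    process {
        $record   = $AuditDataJson | ConvertFrom-Json
        $findings = [System.Collections.Generic.List[object]]::new()

        # Direct identifiers: account names and the client IP address
        foreach ($field in 'UserId', 'MailboxOwnerUPN', 'ClientIPAddress') {
            if ($record.PSObject.Properties[$field] -and $record.$field) {
                $findings.Add([pscustomobject]@{ Field = $field; Kind = 'identifier'; Value = $record.$field })
            }
        }

        # Free text: message subjects of the affected items (what Figure 1 shows)
        foreach ($item in @($record.AffectedItems)) {
            if ($item -and $item.Subject) {
                $findings.Add([pscustomobject]@{ Field = 'AffectedItems.Subject'; Kind = 'free text'; Value = $item.Subject })
            }
        }

        # LogonType in mailbox audit records: 0 = owner, 1 = admin, 2 = delegate
        $actor = switch ($record.LogonType) { 0 { 'owner' } 1 { 'admin' } 2 { 'delegate' } default { 'unknown' } }

        [pscustomobject]@{
            Time      = $record.CreationTime
            Operation = $record.Operation
            Actor     = $actor
            Findings  = $findings
        }
    }
}

# Offline run against the constructed record: one row per field that may hold personal data
$sampleAuditData | Find-PersonalDataInAuditRecord |
    Select-Object Time, Operation, Actor -ExpandProperty Findings |
    Format-Table Time, Operation, Actor, Field, Kind, Value -AutoSize

# Live use (requires Connect-ExchangeOnline and an audit log search role):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -RecordType ExchangeItem -ResultSize 5000 |
#     ForEach-Object { $_.AuditData } | Find-PersonalDataInAuditRecord
```

Run against a real export, the output tells you which records already hold subjects, UPNs and client addresses, which is the inventory a controller needs before deciding how long to retain the audit log and who may search it.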

Only Microsoft Knows

Grabbing tens of thousands of event types accrued during user sessions with applications like Teams, OWA, Planner, SharePoint Online, OneDrive for Business, and the Office desktop apps casts a wide net that probably includes some personal data. Without showing organizations exactly what data is captured from their users’ activities, only Microsoft is in a position to say with certainty that no personal data is collected.

One example of how Microsoft might use the vast amount of telemetry data sitting in its Cosmos databases is the recent failed attempt to send Office 365 users “helpful training and tips via email.” Although Microsoft has backed down from this idea, there’s a lingering suspicion that the personalized tips would have been based on the data gathered about Office 365 usage.

Because of the amount of information captured by Microsoft and its storage in the U.S., the Dutch report considers Microsoft to be a joint controller under GDPR Article 26 rather than a mere data processor (Article 28). This imposes more responsibility on Microsoft to manage personal data.

Strong Recommendations

Microsoft is responding to the queries raised in the DPIA, but you can sense the obvious frustration in the report at the lack of formal written responses. While the Privacy Company awaits Microsoft’s answers, it has issued some advice to admins about how to lower the risks of using Office. Some of the suggested steps are sensible, like stopping Office from sending data back to Microsoft to “Improve Office” or using the zero-exhaust configuration for Windows. Others are a tad radical for my taste. For instance, periodically deleting and recreating the accounts of VIP users might break the link between those people and the telemetry already gathered, but it also removes any sharing permissions the accounts have in other tenants.

The report gives no reason for its recommendation not to use SharePoint Online or OneDrive for Business, but the DPIA gives more insight: the information stored by these apps includes details of how employees access, send, or receive labelled information. I guess the same reason lies behind the recommendation not to use the web-only versions of the Office 365 apps (like OWA). In both cases, is this reason enough to stop you using major parts of Office 365?
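To show what the first of those sensible steps looks like in practice, here is an added example (not from the article or the DPIA) that reports and, if asked, applies the per-user Office privacy policy values through PowerShell. The key paths and value meanings are those Microsoft later documented for the Office privacy controls it shipped in 2019, after this report; whether they exist in a given Office build, and the Get-/Set-OfficePrivacyPolicy function names, are assumptions to verify against the Office policy reference before rolling anything out. In a managed environment the same settings would normally go out as Group Policy or Intune policy rather than direct registry writes.

```powershell
# Added example, not code from the article. Reports (and optionally applies) the
# HKCU policy values behind the Office privacy controls. Assumption: these paths and
# value meanings match Microsoft's documented Office privacy policies (2019 onwards);
# verify against the Office policy reference for your build before deploying.

$OfficePolicyRoot = 'HKCU:\Software\Policies\Microsoft\office'

# Desired state; value semantics per the policy documentation (assumption, see above)
$DesiredOfficePrivacyPolicy = @(
    # Client diagnostic data level: 1 = Required, 2 = Optional, 3 = Neither (most restrictive)
    @{ Path = "$OfficePolicyRoot\common\clienttelemetry"; Name = 'SendTelemetry';                      Value = 3 }
    # Connected experiences that analyse your content (Translator, Editor, ...): 2 = disabled
    @{ Path = "$OfficePolicyRoot\16.0\common\privacy";    Name = 'UserContentDisabled';                Value = 2 }
    # Connected experiences that download online content: 2 = disabled
    @{ Path = "$OfficePolicyRoot\16.0\common\privacy";    Name = 'DownloadContentDisabled';            Value = 2 }
    # Optional connected experiences (consumer services): 2 = disabled
    @{ Path = "$OfficePolicyRoot\16.0\common\privacy";    Name = 'ControllerConnectedServicesEnabled'; Value = 2 }
    # Customer Experience Improvement Program, the "Improve Office" data: 0 = off
    @{ Path = "$OfficePolicyRoot\16.0\common";            Name = 'QMEnable';                           Value = 0 }
)

function Get-OfficePrivacyPolicy {
    # Compare each policy value on this machine with the desired state
    foreach ($p in $DesiredOfficePrivacyPolicy) {
        $current = $null
        if (Test-Path $p.Path) {
            $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        $status = if ($null -eq $current) { 'not set (Office default applies)' } else { $current }
        [pscustomobject]@{
            Setting   = $p.Name
            Current   = $status
            Desired   = $p.Value
            Compliant = ($current -eq $p.Value)
        }
    }
}

function Set-OfficePrivacyPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $DesiredOfficePrivacyPolicy) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "set DWORD to $($p.Value)")) {
            New-Item -Path $p.Path -Force | Out-Null      # creates any missing intermediate keys
            Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
        }
    }
}

Get-OfficePrivacyPolicy | Format-Table -AutoSize
# Apply with:  Set-OfficePrivacyPolicy -WhatIf   (preview)   then   Set-OfficePrivacyPolicy
```

The report-first design is deliberate: an unset value means the Office default applies, which is the state the DPIA complains about, so the Compliant column is false until a policy is explicitly written. Remember that these controls only limit what the desktop client sends; they do nothing for the service-side data (audit records, Graph signals) that the rest of this article discusses.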

Pragmatic Approach Needed

The Dutch report does the Office 365 community some service by highlighting the way Microsoft gathers and uses data without telling customers what data is collected and where it is stored. In the era of GDPR when large fines await those who fail to obey the regulations, data processors and controllers can’t adopt such a blasé attitude to personal data.

It will be interesting to hear how Microsoft responds to the DPIA. They can hardly ignore the Dutch government. Let’s hope that Microsoft can come up with a pragmatic and effective approach to meet their GDPR obligations.


11 responses to “Dutch Report Slams Microsoft for GDPR Violations in Office”

  1. I agree that the Subject captured in the log data provides grounds for concern; however, it is not PII according to GDPR. For Joint Controller, obviously the tenant subscriber is a controller… I can see MS being considered a joint controller only insomuch as the subscriber may not have read about MS's 'purposes and means of processing'. The primary subscriber still has to provide access (e.g. lockbox) in order to get into the true PII…

    • In reply to Breaker119: Not in the example. But if the subject was "Pay review for J. Bloggs" it is PII. Likewise, the log information includes the user SIDs; they definitely are PII.

      • In reply to wright_is: Wouldn't SID being PII depend on whether there is a corresponding piece of PII that ties back to an individual name/identity to go along with it?

        • In reply to Breaker119: The SID is stored in Exchange and Azure AD to dereference back to the user account.

      • In reply to wright_is: I agree. The point is that personal data (not PII; the definitions are different) can show up in message subjects and does all the time. It's not the only personal data that can be found in the log – a document title like "Recommendation to fire Jack Smith" is obviously personal to Jack Smith.

        • In reply to Tony-Redmond: It's really a shame – I think the 'spirit' of the law for GDPR is being corrupted. Additionally, much of what is likely complained about could likely be covered under the "necessary for the data controller's business" argument… just as my employer doesn't have to comply with my request to be deleted, as they can state that information with my personal data and PII in it is necessary for the business and its operations.

          • In reply to Breaker119: I think we're in a period during which companies like Microsoft and their customers are struggling to come to a practical understanding of what GDPR means in practice. I am quite sure that much of the telemetry sent back to Microsoft is only of value to Microsoft and is used for the benefit of customers to eliminate bugs and improve functionality, but that doesn't mean that customers should not know about the data and have some opportunity to control the transmission. It's the same with the signals collected in the Microsoft Graph about user behavior in Office 365. You can get some nice benefits from it (like understanding when important documents are shared), but we have no control over what the Graph collects. Over time, with goodwill from all parties, we'll get to a pragmatic understanding and application of the GDPR that will benefit both Microsoft and its customers. At least, that's my hope.

            • In reply to Tony-Redmond: Yes and no, why do they need the account and subject line? OK, you might be able to argue that an illegal character or buffer overflow might need the subject line, but given this is very sensitive information, it should only be supplied upon an extra request.

              TBO, I think most of these big corporations know they are in breach of GDPR, but it will take a lot of time and effort to become compliant, and they will lose valuable (to them) tracking information. They are waiting to see whether anyone actually calls them out, and then they will try and amend their behaviour to comply in the cheapest way possible, and with the smallest level of impact to their data collection that they can possibly get away with. They want to be seen to be complying, whilst not complying, if possible.

              Given that the customer could be held responsible for Microsoft's misuse of the data, it could become very expensive, especially now that it is known that MS products contravene GDPR. Any company using MS products, now that it is known that they are not compliant, would have to show a risk assessment that shows how they are stopping this information being sent back to Microsoft – and given that some of it is required, otherwise the products stop working, like the regular license number verification, this is next to impossible.

              Theoretically, any company or private individual holding information about Europeans in their MS products should stop using them until MS makes the products compliant, but that is practically possible and the Dutch government have given MS until April to sort it out, before they are referred to the DPO for further sanctions.

              • In reply to wright_is: Personally, I would like to see tenant control over what is logged in audit records. That way you could decide whether mail subject lines were included. In Microsoft's defense, mail subjects have been logged in audit records ever since Exchange 2010…

  2. We use Office 365/Microsoft 365, but it is not linked to our onsite AD and all accounts in the MS/Office 365 cloud are anonymous (e.g. [email protected], [email protected] etc.). The link between an AD user and their MS365 account is held locally and never goes to the cloud.

     We only use local Office apps; Teams, SharePoint, Exchange Online, OneDrive for Business etc. are disabled.

     The Windows and Office installations are screwed down as far as possible with GPOs to ensure that only the very minimum of telemetry is sent home. We also use WSUS and have the PCs set to never look at the MS servers for updates – by default, even if you use WSUS, Windows 10 will phone home every few months to see if it is missing any updates or feature updates.

    • In reply to wright_is: Update: After negotiations with the Dutch Government, Microsoft have agreed to provide a compliant version of Office by April 2019. They must provide regular updates to the Dutch Government and if the government feels they are dragging their heels or they miss the deadline, the matter will be referred to the data protection office for further measures, which could include fines (up to 4% of international turnover).


Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies and is also the lead author of the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.