“Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.” You might want to look at what’s being sent back to Microsoft’s servers…:
Microsoft plans to update its Office Pro Plus products by the end of April to address a series of privacy concerns raised in an audit commissioned by the Dutch justice ministry that flagged what the auditors called “high risks” to government users’ privacy.
The update for many of the company’s Office Pro Plus customers, which has been confirmed by Microsoft, will address concerns relating to a package of popular Microsoft programs — namely that they were sending diagnostic data from Europe to the United States without adequate documentation and user controls over what was sent.
Microsoft and the Dutch justice ministry agreed on the changes as part of an “improvement plan” with an April deadline. A ministry spokesman told POLITICO that if Microsoft’s responses proved “unsatisfactory,” the ministry could raise the concerns with European data protection authorities for further action that could include “enforcement measures.”
In a statement, Microsoft’s top privacy and regulatory counsel, Julie Brill, underscored that the Dutch ministry had commissioned the audit as a customer of Microsoft and had not sought regulatory action against the company.
“The ministry commissioned the report in its capacity as a customer to clarify how our services are run and we’re working with the ministry’s staff to share additional information and help resolve its questions as we would for all enterprise customers,” Brill said.
She added that the issues raised in the report, conducted by the Privacy Company, a Hague-based consultancy, relate to “diagnostic data in one product,” Office Pro Plus, and that the company was “confident this is consistent with Dutch law and GDPR,” Europe’s General Data Protection Regulation privacy law. Office Pro Plus includes a range of Microsoft programs.
“We feel good about what we’re doing to give customers transparency and choice on the diagnostic data they share with us, but we always want to do more,” Brill said. “In the coming weeks we will take additional steps to make it easier for customers to understand what data needs to go to Microsoft to run our services and why, and where data-sharing is optional.”
When Microsoft updates products, the update usually takes place worldwide for users of the product and the company gave no indication that would be different in this case.
Under the EU’s data protection laws, the Irish Data Protection Commission is the “lead supervisory authority” in charge of making sure Microsoft complies with the rules. If the Netherlands chose to escalate its concerns, it could forward a request on the relevant issues to the Irish regulator. Meanwhile, any issues would be closely monitored by the European Data Protection Board, which gathers all EU data regulators, and the European Data Protection Supervisor, which may in turn start their own investigations that could lead to enforcement action.
A spokesperson for the Irish Data Protection Commission said it was “aware of this matter and its significance to companies using the Microsoft product in question. On becoming aware, the DPC immediately engaged with Microsoft seeking further information on the processing of telemetry data, in response to which Microsoft is providing detailed responses.”
The Privacy Company, a consulting firm that the ministry contracted to do the audit, said in a blog summary of the findings that “Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.”
It added: “Covertly, without informing people … Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.” A major concern of the Dutch was that the company sends the data back to its servers in the U.S.
Microsoft doesn’t agree with some of the assertions of the Privacy Company’s report but is making changes to its products as it routinely does to accommodate customers. The company has previously disclosed to customers its use of diagnostic data.
The new focus on privacy comes as different components of Microsoft, one of the world’s most valuable companies, have recently faced scrutiny for a variety of privacy concerns, especially LinkedIn, which Microsoft bought in late 2016 for $26 billion.
Nicole Leverich, a spokesperson for LinkedIn, said “member data is never shared with customers on an individually identifiable level, only in aggregate for ad sales.” Last November, Ireland’s Data Protection Commission found that LinkedIn used the email addresses of around 18 million non-LinkedIn members to target individuals with ads on Facebook all in an effort to grow its customer base.
The regulators noted that LinkedIn’s actions violated its protection standards, although the dispute was amicably resolved.
Leverich said the company “fully cooperated with the DPC’s 2017 investigation of a complaint about a European advertising campaign and found the global processes and procedures we had in place were not followed. We took appropriate action and have made the internal changes to help protect against this happening again.” In Brazil last year, federal prosecutors said Microsoft had violated local laws with its collection of Windows 10 users’ data without getting proper consent. In 2016, France ordered Microsoft to cut back its collection of user data and to halt tracking of the web browsing habits of Windows 10 users without getting permission.
Despite these privacy dustups, Brill touted the recent steps Microsoft has made to improve users’ privacy, including “new features in the Windows setup process, enhanced options for error data reporting in Xbox, a feature called Lockbox for Azure, and updates to our Privacy Dashboard including new tools for parents to manage their children’s settings,” she said.
Saint or sinner?
Microsoft has been the subject of a number of complaints to the Irish Data Protection Commission, according to a commission spokesman, but none were serious enough to warrant a statutory investigation, and of the 16 open investigations into multinational tech companies, none are related to Microsoft. There have been 3,500 complaints to the commission in total.
Unlike other tech companies, like Facebook, that have drawn fire for privacy issues and problems spreading fake news, Microsoft has set itself up as a paragon of good behaviour, welcoming scrutiny into the company and the broader tech industry. Company leadership routinely highlights its proactive investments in privacy. Last year, the U.S. Supreme Court heard arguments after Microsoft challenged an American search warrant for a customer email that resided in Microsoft’s servers in Ireland, and last May, the company announced it was extending the privacy rights that are at the core of GDPR to its worldwide consumer customer base.
“Having the scrutiny is actually good, I think,” CEO Satya Nadella told the Washington Post last October. He urged the tech sector to improve its behavior. “Anyone who is providing a very critical service needs to raise the standards of the safety of that technology and the security of that technology.”
The huge problems affecting Facebook have touched other companies as well, including Microsoft. The New York Times reported in December that Facebook gave Bing, Microsoft’s search engine, the ability to view the names of almost all Facebook users’ friends without permission and also had data-sharing arrangements with companies including Netflix, Spotify, Amazon and Yahoo.
“Bing did not maintain profiles based on Facebook data for advertising or personalization purposes, and we took significant engineering steps beyond what Facebook required to ensure this could not happen,” said Brill.
“We ended our contract with Facebook in February 2016 and data stopped appearing in search results.”