43 tweets, 35 min read
You are worried about #facebook and #FaceApp, but use #Microsoft #Office every day? Time to be concerned! Did you know that Microsoft is processing lots of data about you without telling you about it? 1/n #GDPR #ePrivacy
Through its software and operating system, #Microsoft collects and stores personal data about user behavior, so-called #diagnostic data, on a large scale. Microsoft collects this data in various ways: 2/n
via system-generated logs of events on its servers and via the telemetry client in Windows 10, in Office 365 ProPlus, and in the mobile Office apps. These telemetry clients collect diagnostic data on your device and send this information to Microsoft's servers in the US. 3/n
In our latest #DPIAs for the Dutch Government, we at @privacy_company investigated #Microsoft's processing of diagnostic user data in these products. 4/n
Our technical analysis of data traffic from Office Online and the mobile apps shows that Microsoft does not collect much diagnostic data, and no content data from the contents of files, e-mails or chats, BUT .... 5/n
#Microsoft does send #diagnostic data to a #marketing company in the United States via at least three of the iOS apps (Word, Excel, and PowerPoint). 6/n #GDPR #ePrivacy
The best part: The company in question specializes in #predictive #profiling of individuals for commercial purposes. That company is also not bound by any of the privacy #safeguards that Microsoft is bound by. 7/n #GDPR #ePrivacy
This data reveals that a unique user has worked with a specific application at a specific time. The silver lining (maybe): this data is not sensitive in nature - talking (only) in #GDPR terminology. That means: no health info, no info about sexual preferences, etc. 8/n
This processing involving #predictive #profiling takes place without the user's knowledge and without any information about the presence or purpose of this processing. You as the user do not have an opportunity to learn about it. 9/n #GDPR #ePrivacy
And, folks, bear in mind: Our #DPIA reports merely assess the risks for individuals resulting from the processing of the *diagnostic data*. We did not deal with the *content data* that users allow Microsoft to process (e.g. text, photos, and videos). 10/n #GDPR #ePrivacy
The diagnostic data are also different from the *functional data* that Microsoft must (temporarily) process in order to enable users to use Microsoft's online services - another type of data we did not analyze (this time). 11/n #GDPR #ePrivacy
Based on our reports on #Microsoft products since Nov 2018 for the Dutch government, the gov was able to negotiate a range of technical, organisational & contractual measures that greatly mitigate the various #privacy risks we found in Microsoft's products. 12/n #GDPR #ePrivacy
And over the past six months (following the publication of the first DPIA on Office 365 ProPlus), #Microsoft has implemented a large number of technical and organisational measures to reduce the privacy risks identified for Office 365 ProPlus *worldwide*. These are: 13/n
Since May 2019, Microsoft has been publishing comprehensive documentation on the diagnostic data relating to the use of Office ProPlus. Microsoft has adapted its existing Data Viewer Tool for Windows 10 to also display the Office 365 ProPlus telemetry data. This allows... 14/n
... data subjects (that's what we call people when we talk #GDPR) to view the Office ProPlus data that #Microsoft collects from their device. Microsoft has offered a large number of frequently used and indispensable Connected Experiences such as the spell check, ... 15/n
... the translation module, and the Office help function as a processor, and no longer as a controller. There are 14 Connected Experiences for which Microsoft remains the controller (the additional Connected Experiences). 16/n #GDPR #ePrivacy
Now, Microsoft enables system administrators of Office ProPlus to centrally disable the use of these Controller Connected Experiences. 17/n #GDPR #ePrivacy
Centrally disabling this avoids the risk of Microsoft asking employees of an organisation purchasing a Microsoft license for consent to collect data about their use of these services, since it is not a valid basis for this data processing under GDPR.* 18/n #GDPR #ePrivacy
* (because of the hierarchical imbalance between employer and an employee). 19/n
Since the release of the Office 365 ProPlus version 1904, as made available by Microsoft on 29 April 2019, #Microsoft has built in a choice for system administrators to minimize the telemetry level. Microsoft offers three options: Required, Optional, and Neither. 20/n #GDPR
Our research (limited to the 'Required' and 'Neither' levels) shows that Microsoft collects a limited number of telemetry data about the use of the (new versions of) Office ProPlus software. Both the Required and Neither levels do *not* contain file, e-mail, ... 21/n #GDPR
... or conversation content, and no directly identifying information like usernames or email addresses. The messages related to the Processor Connected Experiences such as the spell check and the translation module also do not contain fragments of the content. 22/n #GDPR
You have been waiting for the BUT, right? Here it comes: Some 'Required'-level messages *do* contain more sensitive information, like the exact number of pages, paragraphs, lines, words, characters, spaces, pictures, and quotes in a Word file. 23/n #GDPR #ePrivacy
There seems to be little difference between the two telemetry levels, despite Microsoft's explanation that if ‘Neither’ is chosen, no diagnostic data about the use of the installed software will be sent to Microsoft. 24/n #GDPR #ePrivacy
In response to the findings, #Microsoft indicated that (regardless of the telemetry choice), it always collects 2 other types of diagnostic data via Office ProPlus: data about the use of the Connected Experiences and data about what Microsoft calls Essential Services. 25/n #GDPR
Essential Services are, for example, authentication and license verification. There is also a lack of information about these processing activities. 26/n #GDPR #ePrivacy
Now, watch out: #Microsoft has not yet implemented these improvements in Office Online and the mobile Office apps, and the measures do not (yet) apply to the mobile Office apps either. 27/n #GDPR #ePrivacy
#Microsoft has not yet made available a technical opt-out alternative to prohibit the use of the Controller Connected Experiences in Office Online and the mobile Office apps. Microsoft also has not published any information about the diagnostic data from ... 28/n #GDPR #ePrivacy
... the mobile Office apps or Office Online, and does not offer administrators a chance to minimize the data flow from these software versions. 29/n #GDPR #ePrivacy
Our #DPIA concludes: "Currently, the processing of #diagnostic data about the use of the mobile #Office apps and the Controller Connected Experiences leads to five high data protection risks. Only Microsoft can effectively mitigate these risks ..." 30/n #GDPR #ePrivacy
However, there is something YOU can do! All #administrators of the Enterprise versions of the Office and Windows software can take concrete measures to reduce the privacy risks for employees and other data subjects whose personal data may be processed by employees. 31/n #GDPR
You can: 1) Upgrade to version 1905 or higher of Office 365 ProPlus and set the telemetry level to the 'Neither' option; 32/n #GDPR #ePrivacy
2) Make use of the option to prohibit the use of the Controller Connected Experiences in Office 365 ProPlus (disable additional Connected Experiences); 33/n #GDPR #ePrivacy
3) Disable the Customer Experience Improvement Program (CEIP) in Office ProPlus; 4) Disable LinkedIn integration for Microsoft employee accounts in Office ProPlus; 34/n #GDPR #ePrivacy
5) Establish policies to warn employees not to use the mobile Office apps and the Controller Connected Experiences in Office Online until the five high (see report) risks have been mitigated; 35/n #GDPR #ePrivacy
6) Choose the lowest, minimum level of diagnostic data collection in Office Online and the mobile apps as soon as technically possible; 36/n #GDPR #ePrivacy
7) Update your privacy policy for handling employee personal data with specific information about for which purposes and under which circumstances you may view different types of diagnostic data from Microsoft's different services and products; 37/n #GDPR
8) Perform #DPIAs prior to using Workplace Analytics and Activity Reports in the Microsoft 365 admin center, and before employees can use #MyAnalytics and #Delve; 9) Consider the use of Customer Lockbox and Customer Key, depending on the sensitivity of the content data. 38/n
10) Upgrade to version 1903 of Windows 10 Enterprise to use Intune with telemetry set to 'Security'; 11) Set the telemetry in Windows 10 Enterprise to 'Security' or block telemetry traffic (and do not allow users to synchronize their activities through the Timeline); 39/n #GDPR
12) Take into account changes in the validity of data transfer tools like the EU-US Privacy Shield following future case law of the European Court of Justice (which is currently in the making by @NOYBeu). 40/n #GDPR #ePrivacy
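As an added example (not from the thread and not a Privacy Company or Microsoft script), a PowerShell audit that reads the registry values behind policy items 1), 2), 3) and 11) above and reports which of them still leave the product default in place. The key paths and the meaning of the values are assumptions based on Microsoft's privacy-controls policy documentation for Office 365 ProPlus and Windows 10 as the author of this example knows it; check them against the current documentation before relying on the output.

```powershell
# Added audit script; the registry locations below are assumed from Microsoft's
# policy documentation and should be verified against the current version of it.
$checks = @(
    @{ Name     = "Office diagnostic data level is 'Neither' (item 1)"
       Path     = 'HKCU:\Software\Policies\Microsoft\Office\Common\ClientTelemetry'
       Value    = 'SendTelemetry'      # assumed: 1 = Required, 2 = Optional, 3 = Neither
       Expected = 3 },
    @{ Name     = 'Controller Connected Experiences disabled (item 2)'
       Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
       Value    = 'ControllerConnectedServicesEnabled'   # assumed: 2 = disabled
       Expected = 2 },
    @{ Name     = 'Office CEIP disabled (item 3)'
       Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common'
       Value    = 'QMEnable'           # assumed: 0 = CEIP off
       Expected = 0 },
    @{ Name     = "Windows 10 diagnostic data level is 'Security' (item 11)"
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Value    = 'AllowTelemetry'     # assumed: 0 = Security (Enterprise/Education only)
       Expected = 0 }
)

function Test-PrivacyPolicy {
    param([hashtable]$Check)
    # Get-ItemProperty returns nothing when the key or value is absent. An absent
    # policy means the product default applies, which is never the minimum level,
    # so 'not set' is reported for review rather than treated as compliant.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Check    = $Check.Name
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected = $Check.Expected
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'REVIEW' }
    }
}

$results = $checks | ForEach-Object { Test-PrivacyPolicy -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit code when any control is missing, so the script can run as a
# scheduled compliance check and be picked up by monitoring.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

Run it in the user context for the HKCU checks; the HKLM check reads the machine policy and needs no elevation for a read.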
Now, if you're still bearing with me: Read our blog posts (we have a long version and a short version, if your attention span requires) for more context & details of our #DPIAs here: 41/n #GDPR #ePrivacy bit.ly/2K5Ogdq
... and you can find the original reports (in English) and their summaries (in Dutch) as published by the Dutch government here: 42/42 #GDPR #ePrivacy bit.ly/2YtmOKD
BTW: The results of our #DPIA add to the recent finding of #Hesse's Data Protection Authority prohibiting the use of #Microsoft #Office365 in German schools as reported by @golem, @heiseonline & @COMPUTERBILD. Read their finding here (German): bit.ly/2JrRkk2