Slashdot Mirror
Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws (theregister.co.uk)
"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
Spying should not be called "Telemetry".
Who knew?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Then type:
stop-service diagtrack
set-service diagtrack –startuptype disabled
The Register story title and headline:
Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
Better:
Microsoft may have to pay huge GDPR fines in Europe for 'large scale and covert' gathering of people's info via Microsoft Office.
Microsoft spying broke the law, Dutch government officials say.
"Microsoft has not provided an explanation with regard to the subject line of e-mails (which is a brief summary of the content),
other than the reminder that it is up to users and tenants to be careful with the information they
share via publicly accessible headers."
I'm trying to understand what they mean by "publicly accessible". That would seem to imply that I can access anyone in the world's email headers, even from intra-company emails. This is news to me.
Outlook is a fucking garbage application. Mozilla Thunderbird is objectively better in every way imaginable. The only thing that prevent Thunderbird from being an Outlook slayer is full MS Exchange support and polishing some of the less savory UI choices such as the screen that appears when you haven't set up any accounts at all and the recent change away from having a "From" column in your folders to having "Correspondents" instead. The learning curve going from Outlook to Thunderbird is very shallow because Thunderbird is a pretty damn easy program to figure out. Oh, and with gContactSync and Provider for Google Calendar, you've got a complete Gmail-based replacement solution for Exchange for individuals and small businesses.
Kind of makes all those americans bitching about China spying sound kind of stupid now, doesn't it?
Of all the installs that created the document only the version used by the second assistant junior sub flunkie is actually verified and authorized install. We have located at least 22 unauthorized windows installations and 42 unauthorized Ms Office installation. We will be suing the government under anti-piracy laws for compensation of 3.3 billion euros
Also Microsoft Windows 10 does not collect any data, telemetry or otherwise. We challenge the government to prove that we collect data instead of engaging in idle speculation.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I'm glad activists got through with the GDPR. They did a good job.
Whilst the US has basically just come up with TCPA ( no law but still) , PATRIOT, DMCA and other orwellian f*ck- you laws and regulations, here some activists with close affiliation to FOSS and similar movements basically got their version of the EU GDPR law through. It would be nice to see the GDPR serve as an example to the US and if the US would get its own version of it.
As for MS: they have been regaining karma with me lately but I still think it would send the right signal if they get fined into next Wednesday to show that the EU isn't f*cking around and will have any corporations head on a stick should someone choose to question the applicability of the law.
On the job I've been the GDPR guy after taking seminars and reading through a stack or regulations. And while some parts of it can be tedious to deal with, it does force everyone on ship to keep an eye out on how, when and where personal data is handled. And that was the laws intention and that's a good thing.
My 2 eurocents.
We suffer more in our imagination than in reality. - Seneca
Must get their consent first and forget about them if they ask you to.
I don't keep anything sensitive on my Win 10 machine or any personal details. All of it would be swooped up. As far as Microsoft is concerned, my machine is just an anonymous gaming computer somewhere on the internet.
The thing is we have no idea what this data is used for. If it were Google I would think advertising, but with Microsoft I would actually be more inclined to think it's something technical.
Personally I think the GPDR is a good idea but perhaps goes too far. Certainly the click-though messages about privacy you have to go through on every website now are stupid and do nothing to help anyone. Also I think there is valid technical need to collect some data for just technological advancement, and I worry that the GPDR hampers that overly.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Microsoft is being misleading by calling it "publicly accessible".
Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be ablr to read at least to To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.
Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.
In order to be able to troubleshoot problems with emails, compute statistics, etc, headers could also be logged. Typically the log does NOT include the subject line, but it can.
So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.
I'll accept the first part of your statement as being true for the sake of argument, but how would requiring active consent overly hamper that?
In practice it probably does not, since everyone clicks through GPDR agreements like they do all other consumer noise. So there is probably more than enough collectible data to go around for research and advancement.
That brings up a deeper concern though - it's more annoying to users, and if you think it about it you could be agreeing to far more potentially egregious uses of data than were currently allowed under an old system where you didn't have to give consent...
In a world where every single website interaction is "do you agree to these four pages of three-point text", consumers will probably end up giving away a lot more privacy than before.
It's almost as though you're not really arguing that some data needs to be collected, but that it needs to be collected surreptitiously.
Just to cover this point in relation to my original - I wouldn't say it *needs* to be collected sneakily (really the word you meant). I just don't see anything wrong with collecting data like that in bulk when it's just meant to advance something like a learning model. I personally would have been more for same kind of law that restricted more what companies could use data collected like that for, or perhaps to more carefully control sharing of data. Any law that resulted in a world of pop-up clicky boxes as we have today was an obvious failure all-around.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
A joke I read on Twitter a couple of days ago;
He's Making a List,
He's Checking It Twice,
He's Gonna Find Out
Who's Naughty and Nice.
Santa Clause is in contravention of Article 4 of the GDPR.
This is known on /.
What we do not understand why writing email on corporate machine, sending via internal email servers Corp1_Server1 Corp1_Server2 to Corp2_ServerA
headers, subject should go via Microsoft servers.
No surprise to see big goverment coming out of old europe infringing the fundamental rights of corporations. No dobt the liberal leftist SJW's on slashdot will fall over selfs to praise them for so much outrageous anti-free-market laws.
Fuck off, toiletscum; taking privacy seriously is one of the few things the Euros are doing better than us at.
It's odd that at least one EU country is beating you in every category except guns and prisioners.
From the nation that voted for#maga - talk about double standards.
And you wonder why we say your world order is for shit..
... may put Microsoft on the hook for potentially tens of millions of dollars in fines
When are the authorities going to understand that a mere 'tens of millions of dollars' represents a chump-change cost of business for companies like Microsoft? Wake me up when the fines start getting into the multi-billion dollar range - that's the kind of fine that might deter big corps from acting out their rampant psychopathic attitudes and anti-social practices. Until then, stories like this are just yawn-worthy, formulaic excuses for churning out yet more reams of journalistic boilerplate.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
You're a bit mistaken. The subject along with the content of the message is part of the message body. Specifically, it follows the SMTP DATA command. Nothing after the DATA command is needed for routing returns or anything else. In an encrypted message the subject is encrypted also. The subject is NOT part of the envelope.
Some/most systems utiize teh subject, as well as the content of the body, for spam scanning. But, exposing teh subject is not a requirement and never has been.
Any claim form Microsoft that thy need to use the subject fr anything but spam scanning is a flat out lie.
SMTP commands:
EHLO PoSSendingServer.tld
MAIL FROM:
RCPT TO:
DATA
To, from, date, subject, message...
.
QUIT
Others fear they might be collecting code fragments to provide as "Snippets" for others to use.
I have exactly the farthest reaction away from "fear" to that. Wouldn't it be amazing if Microsoft, or Apple, actually detected code fragments super commonly typed in order to figure out how to eliminate us all having to type them?
Even in the most modern of languages boilerplate code is common, and it would be great to at least snippet that as much as possible, or have code completion melt a lot of that work away even more so than it does today.
Granted collection should probably be consented to, so just wrap it in the 100 page legal document you have to agree to to use any piece of modern software.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
then it doesn't have to be disclosed or get consent.
Try it for yourself. Have someone send you an encrypted email using any random key that you don't have. You'll see the subject line. If you know how to in your mail reader, you can see all of the other headers too.
Even easier, have a look at what's stored for any of your existing email. You'll see the MUA has the email headers amd bodies - it doesn't have the SMTP conversation. That's because MUAs don't receive mail via SMTP.
Guess what else - you can send email via IMAP. Outlook uses MAPI. Protocols that aren't SMTP, yet magically they send encrypted email, without an SMTP envelope. Guess why.
The reason why is that pgp is a mime type like image/jpeg or text/HTML. Look at the source of any of your emails to see where the mime types start.
Easy to use, just good, protects privacy, company support from Colabora too.
Please don't say that all Europeans did that unless you want us to say that all Americans voted for their current president.
-=This sig has nothing to do with my comment. Move along now=-
Oh, right, that's another category the USA is ahead: nutty conspiracy theories.
Why would MS be targeted by anti-Americanism, when it's pretty much an Indian company now?
It will be used against the largest companies with the most impact first. And Microsoft, Facebook, Google, and Amazon rank pretty high on the lists. The US wouldn't be in this pickle if it didn't have the interesting but toxic cocktail of zero respect for user privacy, the US patriot act making it official that foreigners don't have any rights on their data when it resides in the USA, and a history of abusing information gotten through intelligence work to give US companies a leg up. Combine that with a US president who states outright that the interest of companies IS the national interest, and you can probably guess why the GDPR is in place.
Not that the EU doesn't have its own share of bad companies, but in general they're smaller. And they'll get their turn on the wheel, don't worry. The finance industry had better beware, they're on everyone's shitlist right now so I guess they will be the next targets.
But all this is just circumstance. The main problem with Microsoft is that it is not appreciated that civil servants, including intelligence operatives and high ranking Brexit negotiators, find their e-mail subjects and misspelled lines posted to the US. "For diagnostics". Which can legally be obtained by the US intelligence community without Microsoft even being able to indicate they have to hand over the data.
If the US keeps making laws that just outright discriminate against foreigners so blatantly, then don't look surprised when the world retaliates in kind. Be happy the GDPR is merely defensive. The EU could have banned companies from putting ANY data in the hands of ANY non-EU controlled company. Exit WeChat. And if the US and China continue on their chosen paths of trying to alienate everyone, eventually something like that will happen.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
Upholding the institutions of democracy is another one.
When all you have is a hammer, every problem starts to look like a thumb.
Because making America great means Whites Only to you? Why do you hate brown people?
...The USA just keeps on creating great products people want to use.
You owe me a keyboard
"the US patriot act making it official that NO ONE has any rights on their data"
FTFY
They don't, the report when discussing emails is talking about the use of Office 365.
So if one uses a "cloudy" version of Office (that is, Office 365 or Office 2016; and, presumably later "cloudy" versions) that version of office will store a bunch of shit in the "cloud"?
This seems like a foregone conclusion to me and is more a display of the idiocy, incompetence, ignorance and stupidity of those who pursue such ill-conceived courses of action than anything else.
If one were able to "disable" all the "cloudiness" and the data was still stored in the "cloud" (ie, not on the local computer), then there is a problem. But it would only take $10 and one page to say this which would not be beneficial to the bureaucrats (and consultants) and their spending or fortunes to generate stacks of paper to state the obvious.
Move along, nothing to see here but a bunch of morons felating themselves ...
Microsoft is being misleading by calling it "publicly accessible".
Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be ablr to read at least to To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.
Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.
In order to be able to troubleshoot problems with emails, compute statistics, etc, headers could also be logged. Typically the log does NOT include the subject line, but it can.
So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.
Türkiye'de firmalarnzn Buulunmasn istiyorsanz https://www.buul.com.tr adresine gidip firmalarnz kaydedebilirsiniz. böylelikle internnette bulunma ihtimaliniz artar
>The USA just keeps on creating great products people want to use.
ROFL. Bitch please... antitrust laws were gutted and here we are.
why are americans such racist fuckwits - that ever comment has to be racist?
It's that simple, Microsoft could, maybe, possibly gain users trust back if they got rid of the evil.