Slashdot Mirror
Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws (theregister.co.uk)
"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
Microsoft is being misleading by calling it "publicly accessible".
Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be ablr to read at least to To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.
Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.
In order to be able to troubleshoot problems with emails, compute statistics, etc, headers could also be logged. Typically the log does NOT include the subject line, but it can.
So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.