Slashdot Mirror
Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws (theregister.co.uk)
"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
Spying should not be called "Telemetry".
Who knew?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Then type:
stop-service diagtrack
set-service diagtrack –startuptype disabled
The Register story title and headline:
Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
Better:
Microsoft may have to pay huge GDPR fines in Europe for 'large scale and covert' gathering of people's info via Microsoft Office.
Microsoft spying broke the law, Dutch government officials say.
Only if you're a moron who thinks that whataboutism trumps all logic.
However if you're a sensible adult, you ought to be able to realize that two wrongs don't make a right. Just because your neighbour A dog shits on the lawn of neighbour B, and you don't do anything about it, it doesn't give neighbour B the right to let their dog shit on your lawn. If neighbour B lets their dog shit onto your lawn, you've got every right to bitch about it.
Of all the installs that created the document only the version used by the second assistant junior sub flunkie is actually verified and authorized install. We have located at least 22 unauthorized windows installations and 42 unauthorized Ms Office installation. We will be suing the government under anti-piracy laws for compensation of 3.3 billion euros
Also Microsoft Windows 10 does not collect any data, telemetry or otherwise. We challenge the government to prove that we collect data instead of engaging in idle speculation.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I'm glad activists got through with the GDPR. They did a good job.
Whilst the US has basically just come up with TCPA ( no law but still) , PATRIOT, DMCA and other orwellian f*ck- you laws and regulations, here some activists with close affiliation to FOSS and similar movements basically got their version of the EU GDPR law through. It would be nice to see the GDPR serve as an example to the US and if the US would get its own version of it.
As for MS: they have been regaining karma with me lately but I still think it would send the right signal if they get fined into next Wednesday to show that the EU isn't f*cking around and will have any corporations head on a stick should someone choose to question the applicability of the law.
On the job I've been the GDPR guy after taking seminars and reading through a stack or regulations. And while some parts of it can be tedious to deal with, it does force everyone on ship to keep an eye out on how, when and where personal data is handled. And that was the laws intention and that's a good thing.
My 2 eurocents.
We suffer more in our imagination than in reality. - Seneca
The thing is we have no idea what this data is used for. If it were Google I would think advertising, but with Microsoft I would actually be more inclined to think it's something technical.
Personally I think the GPDR is a good idea but perhaps goes too far. Certainly the click-though messages about privacy you have to go through on every website now are stupid and do nothing to help anyone. Also I think there is valid technical need to collect some data for just technological advancement, and I worry that the GPDR hampers that overly.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Microsoft is being misleading by calling it "publicly accessible".
Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be ablr to read at least to To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.
Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.
In order to be able to troubleshoot problems with emails, compute statistics, etc, headers could also be logged. Typically the log does NOT include the subject line, but it can.
So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.
In practice it probably does not, since everyone clicks through GPDR agreements like they do all other consumer noise.
Not everyone does. Careful with the generalizations.
That brings up a deeper concern though - it's more annoying to users, and if you think it about it you could be agreeing to far more potentially egregious uses of data than were currently allowed under an old system where you didn't have to give consent...
You haven't thought that through.
Just because one gives consent to something does not imply that said something is legal and thus allowed. Such is the case with GDPR, where in addition to requiring consent in several cases, what can then be done with the data - given with consent or not - is a lot more strictly regulated now than it was before.
So no, you could *not* be doing that which you suggest.
I personally would have been more for same kind of law that restricted more what companies could use data collected like that for, or perhaps to more carefully control sharing of data.
GDPR does that, clicky boxes or not.
A joke I read on Twitter a couple of days ago;
He's Making a List,
He's Checking It Twice,
He's Gonna Find Out
Who's Naughty and Nice.
Santa Clause is in contravention of Article 4 of the GDPR.
Fuck off, toiletscum; taking privacy seriously is one of the few things the Euros are doing better than us at.
... may put Microsoft on the hook for potentially tens of millions of dollars in fines
When are the authorities going to understand that a mere 'tens of millions of dollars' represents a chump-change cost of business for companies like Microsoft? Wake me up when the fines start getting into the multi-billion dollar range - that's the kind of fine that might deter big corps from acting out their rampant psychopathic attitudes and anti-social practices. Until then, stories like this are just yawn-worthy, formulaic excuses for churning out yet more reams of journalistic boilerplate.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Try it for yourself. Have someone send you an encrypted email using any random key that you don't have. You'll see the subject line. If you know how to in your mail reader, you can see all of the other headers too.
Even easier, have a look at what's stored for any of your existing email. You'll see the MUA has the email headers amd bodies - it doesn't have the SMTP conversation. That's because MUAs don't receive mail via SMTP.
Guess what else - you can send email via IMAP. Outlook uses MAPI. Protocols that aren't SMTP, yet magically they send encrypted email, without an SMTP envelope. Guess why.
The reason why is that pgp is a mime type like image/jpeg or text/HTML. Look at the source of any of your emails to see where the mime types start.
Easy to use, just good, protects privacy, company support from Colabora too.
Please don't say that all Europeans did that unless you want us to say that all Americans voted for their current president.
-=This sig has nothing to do with my comment. Move along now=-
It will be used against the largest companies with the most impact first. And Microsoft, Facebook, Google, and Amazon rank pretty high on the lists. The US wouldn't be in this pickle if it didn't have the interesting but toxic cocktail of zero respect for user privacy, the US patriot act making it official that foreigners don't have any rights on their data when it resides in the USA, and a history of abusing information gotten through intelligence work to give US companies a leg up. Combine that with a US president who states outright that the interest of companies IS the national interest, and you can probably guess why the GDPR is in place.
Not that the EU doesn't have its own share of bad companies, but in general they're smaller. And they'll get their turn on the wheel, don't worry. The finance industry had better beware, they're on everyone's shitlist right now so I guess they will be the next targets.
But all this is just circumstance. The main problem with Microsoft is that it is not appreciated that civil servants, including intelligence operatives and high ranking Brexit negotiators, find their e-mail subjects and misspelled lines posted to the US. "For diagnostics". Which can legally be obtained by the US intelligence community without Microsoft even being able to indicate they have to hand over the data.
If the US keeps making laws that just outright discriminate against foreigners so blatantly, then don't look surprised when the world retaliates in kind. Be happy the GDPR is merely defensive. The EU could have banned companies from putting ANY data in the hands of ANY non-EU controlled company. Exit WeChat. And if the US and China continue on their chosen paths of trying to alienate everyone, eventually something like that will happen.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
Upholding the institutions of democracy is another one.
When all you have is a hammer, every problem starts to look like a thumb.
...The USA just keeps on creating great products people want to use.
You owe me a keyboard
"the US patriot act making it official that NO ONE has any rights on their data"
FTFY
>The USA just keeps on creating great products people want to use.
ROFL. Bitch please... antitrust laws were gutted and here we are.
Most application developers build their own shell applications that load in the commonly used libraries (OpenCV, OpenGL, CUDA, maths libraries) and then run a basic application rendering loop. Then there are file parsers, object serializers, libraries to simply data transfer between hosts
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads