Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws (theregister.co.uk)
"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
Spying should not be called "Telemetry".
The Register story title and headline:
Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
Better:
Microsoft may have to pay huge GDPR fines in Europe for 'large scale and covert' gathering of people's info via Microsoft Office.
Microsoft spying broke the law, Dutch government officials say.
Of all the installs that created the document, only the version used by the second assistant junior sub flunkie is actually a verified and authorized install. We have located at least 22 unauthorized Windows installations and 42 unauthorized MS Office installations. We will be suing the government under anti-piracy laws for compensation of 3.3 billion euros.
Also Microsoft Windows 10 does not collect any data, telemetry or otherwise. We challenge the government to prove that we collect data instead of engaging in idle speculation.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I'm glad activists got through with the GDPR. They did a good job.
Whilst the US has basically just come up with TCPA (no law but still), PATRIOT, DMCA and other orwellian f*ck-you laws and regulations, here some activists with close affiliation to FOSS and similar movements basically got their version of the EU GDPR law through. It would be nice to see the GDPR serve as an example to the US and if the US would get its own version of it.
As for MS: they have been regaining karma with me lately but I still think it would send the right signal if they get fined into next Wednesday to show that the EU isn't f*cking around and will have any corporation's head on a stick should someone choose to question the applicability of the law.
On the job I've been the GDPR guy after taking seminars and reading through a stack of regulations. And while some parts of it can be tedious to deal with, it does force everyone on the ship to keep an eye out on how, when and where personal data is handled. And that was the law's intention and that's a good thing.
My 2 eurocents.
We suffer more in our imagination than in reality. - Seneca
Microsoft is being misleading by calling it "publicly accessible".
Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be able to read at least the To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.
Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.
In order to be able to troubleshoot problems with emails, compute statistics, etc., headers could also be logged. Typically the log does NOT include the subject line, but it can.
So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.
... may put Microsoft on the hook for potentially tens of millions of dollars in fines
When are the authorities going to understand that a mere 'tens of millions of dollars' represents a chump-change cost of business for companies like Microsoft? Wake me up when the fines start getting into the multi-billion dollar range - that's the kind of fine that might deter big corps from acting out their rampant psychopathic attitudes and anti-social practices. Until then, stories like this are just yawn-worthy, formulaic excuses for churning out yet more reams of journalistic boilerplate.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Try it for yourself. Have someone send you an encrypted email using any random key that you don't have. You'll see the subject line. If you know how to in your mail reader, you can see all of the other headers too.
Even easier, have a look at what's stored for any of your existing email. You'll see the MUA has the email headers and bodies - it doesn't have the SMTP conversation. That's because MUAs don't receive mail via SMTP.
Guess what else - you can send email via IMAP. Outlook uses MAPI. Protocols that aren't SMTP, yet magically they send encrypted email, without an SMTP envelope. Guess why.
The reason why is that pgp is a mime type like image/jpeg or text/HTML. Look at the source of any of your emails to see where the mime types start.
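To make the point of the two comments above concrete (headers stay in the clear, the PGP ciphertext is just another MIME part), here is an added example that is not code from the thread: a Python script parses a constructed PGP/MIME (RFC 3156) message with a placeholder ciphertext and reports what a relay, IDS or log collector can read without the recipient's key. The addresses, hop and message-id are made up.

```python
"""Added example: what a mail relay sees of a PGP/MIME message (RFC 3156)."""
from email import message_from_string, policy

# Constructed sample message; the armored block is a placeholder, not real ciphertext.
RAW_MESSAGE = """\
Received: from mx.example.invalid by relay.example.invalid; Thu, 15 Nov 2018 10:00:00 +0000
From: alice@example.invalid
To: bob@example.invalid
Subject: Q3 layoff list
Message-ID: <constructed-0001@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0ZBS0VGQUtFRkFLRQEH/constructed+placeholder+not+real+ciphertext==
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

def parse(raw: str):
    """Parse the wire form exactly as an MTA, IDS or log collector would."""
    return message_from_string(raw, policy=policy.default)

def relay_visible_headers(raw: str) -> dict:
    """Routing and envelope-adjacent headers that every hop can read and may log."""
    msg = parse(raw)
    return {n: str(msg[n]) for n in ("From", "To", "Subject", "Message-ID", "Received")}

def is_pgp_mime(raw: str) -> bool:
    """Check the RFC 3156 layout: multipart/encrypted wrapping a control part and the blob."""
    msg = parse(raw)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = [p.get_content_type() for p in msg.iter_parts()]
    return parts == ["application/pgp-encrypted", "application/octet-stream"]

def body_is_opaque(raw: str) -> bool:
    """True when the only body content on the wire is the OpenPGP armor (body encrypted end-to-end)."""
    msg = parse(raw)
    blob = list(msg.iter_parts())[1].get_payload(decode=True).decode("ascii")
    return blob.lstrip().startswith("-----BEGIN PGP MESSAGE-----")
```

Run on the sample: the Subject, From, To and the Received trail come back in clear text while the body check only ever sees the armored block, which is the gap the comment above describes.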