Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws

"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.

It is SPYING!

[Futurepower(R)]

Spying should not be called "Telemetry".

Microsoft counter claims.

[140Mandak262Jamuna]

The Dutch government Report was written in MS-Office build 20283 (registered to -name redacted-) and was collaboratively edited by instals 02383-48485-4857-ab (registered to ---) ....

Of all the installs that created the document only the version used by the second assistant junior sub flunkie is actually verified and authorized install. We have located at least 22 unauthorized windows installations and 42 unauthorized Ms Office installation. We will be suing the government under anti-piracy laws for compensation of 3.3 billion euros

Also Microsoft Windows 10 does not collect any data, telemetry or otherwise. We challenge the government to prove that we collect data instead of engaging in idle speculation.

The GDPR is a good thing

[Qbertino]

I'm glad activists got through with the GDPR. They did a good job.

Whilst the US has basically just come up with TCPA ( no law but still) , PATRIOT, DMCA and other orwellian f*ck- you laws and regulations, here some activists with close affiliation to FOSS and similar movements basically got their version of the EU GDPR law through. It would be nice to see the GDPR serve as an example to the US and if the US would get its own version of it.

As for MS: they have been regaining karma with me lately but I still think it would send the right signal if they get fined into next Wednesday to show that the EU isn't f*cking around and will have any corporations head on a stick should someone choose to question the applicability of the law.

On the job I've been the GDPR guy after taking seminars and reading through a stack or regulations. And while some parts of it can be tedious to deal with, it does force everyone on ship to keep an eye out on how, when and where personal data is handled. And that was the laws intention and that's a good thing.

My 2 eurocents.

MS is misleading. Subject line is unecrypted, logg

[raymorris]

Microsoft is being misleading by calling it "publicly accessible".

Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be ablr to read at least to To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.

Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.

In order to be able to troubleshoot problems with emails, compute statistics, etc, headers could also be logged. Typically the log does NOT include the subject line, but it can.

So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.