Report Uncovers Microsoft Office Data Collection Mechanism
November 20, 2018
By Paula Bernier, Executive Editor, TMC
The Dutch government recently commissioned a study to look at how Microsoft Office software aligns with new European Union General Data Protection Regulation requirements and other privacy concerns. The results weren’t pretty.
“Even though Microsoft has as a policy that diagnostic data should not include content, some system generated event logs do include content, such as the subject line of e-mails and titles of documents,” the report explains.
The report also illustrates how machine learning, if not implemented with care and transparency, can pose a real challenge for data privacy. “Microsoft may also store and analyse sentences surrounding words for a variety of purposes that include product development and product innovation,” the report states. “Microsoft can also use the data for inferred learning, as training sets for machine learning.”
The report goes on to say: “Similar to the metadata, there is an additional risk for some types of government employees if the subject lines of emails reveal classified or otherwise government sensitive materials.” This part of the report illustrates that the Dutch government is not just interested in this topic from a regulatory standpoint. The government itself runs Office apps on an estimated 300,00-plus computers. And it reportedly fears that some of its own information was collected via Office’s telemetry features and ended up on U.S. servers.
The Microsoft Office telemetry data collection mechanism was reportedly found in ProPlus subscriptions of Office 2016 and Office 365, and the web-based version of Office 365. Yet the report done at the behest of the Dutch government notes Microsoft’s lack of transparency about that data collection.
“Currently, Microsoft provides no documentation or data viewer tool for the Office telemetry data,” the report says. “There is limited documentation about the audit logs and system-generated event logs, but no information about the telemetry data. In the absence of information, the likelihood of the occurrence of all five risks is more likely than not, while the impact may range from minimal to serious harm.”
Dutch government officials from the Ministry of Justice and Security and investigators from Privacy Company, which carried out the report, informed Microsoft of these issues. And representatives from these parties met several times between late August and Nov. 1.
The ZDNet article linked to above indicates that Microsoft has stated it now offers a zero exhaust telemetry collection to address parts of the concern. But the Nov. 14 article adds that “ZDNet was unable to identify this setting, at this moment, and is unclear if this option has been made available to all users, globally.”
Edited by Maurice Nagle