It’s happened, and it can happen again at any time: According to a report by the Dutch government, Microsoft is the first major IT corporation to violate EU data protection regulations. According to the report, the company stored private data of Office users on a large scale – even on US servers and without informing the users or even requesting their consent.
The report “DIAGNOSTIC DATA IN MICROSOFT OFFICE PROPLUS” proved to the company that information from around 300,000 government employees was processed by Microsoft’s Office ProPlus suite. The software is installed on PCs and synchronizes itself constantly with the Office 365 servers.
The authors found out that the software mainly collected so-called telemetry data from Office applications. These include e-mail content in which translations or spell-checking were performed. Word, Excel and Powerpoint also transmitted this data. For example, if a user presses the backspace key several times to correct a word, the application captures both the sentence before and after that word. This was the typical data that was then sent to Microsoft.
“Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people. Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded”, the institute that conducted the study stated in a blog post.
“Microsoft provides services over the Internet. From a technical perspective, it is inevitable that you have to provide data to Microsoft, such as the header of your e-mail and your IP address in order to be able to use the services. But Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes.”
The incident alone is basically enough to classify the company’s data processing practice as illegal. However, this is made particularly delicate by the fact that some data was “secretly” transmitted to the USA, stored on servers there and analysed by a team of 30 employees. Of course, data stored on US servers is also automatically subject to US jurisdiction – and thus to access by US authorities on the basis of the Cloud Act. A process that the reporters of the British “Register” quite correctly classify as “No-No”.
According to the report, this is a clear violation of the GDPR, which can lead to high penalties for the company. The Dutch authorities therefore already work together with Microsoft to clarify the situation.
Protected source code as basic problem
The most recent breach of data protection is mainly due to a significant circumstance: The fact that Microsoft generally does not disclose what information about users is actually collected. Users are forced to trust the company and can only guess which of their data is stored in which location. The proprietary source code does not allow them to check the data sent to the company by their own office software – or even to decide which data should be transmitted at all. The protection of personal data thus remains a matter of trust for the user.
After the end of Microsoft’s Deutschland Cloud, which was supposed to guarantee via a trust model that the company – and thus the US security authorities on the basis of the Patriot Act and Cloud Act – did not have access to the users’ data, this incident shows once more: Data security that can really be trusted only exists with Open Source. With open software, the level of data protection can be adapted to one’s own requirements at any time. Users always have complete transparency about what happens to their data and can decide individually which information should be stored on their own servers, in data centers of their choice, or at large providers. Solutions such as ownCloud support them in not having to make any compromises by being able to manage and consolidate all this data via a central interface.
ownCloud is the largest Open Source File Sharing solution in the world with 200.000 installations and more than 25 million users. The Open Platform for Secure Enterprise File Sharing combines consumer-grade usability with enterprise-grade security. It enables users to access data no matter where it is stored or which device is used. By giving organizations the visibility and control required to manage sensitive data while offering users the modern collaboration experience they demand, productivity and security are increased at the same time. For more information, visit: http://www.owncloud.com