Office 365 Privacy Reminder aka Microsoft covering its legal behind


Office 365 customers will be seeing a set of opening screens about how Microsoft gathers and uses customer data. Those screens are carefully worded to avoid some hard truths about modern cloud connections and cover Microsoft from legal liability.

Cloud features can be great and very useful. Companies do their best to hide the problems and privacy leaks, and to protect themselves from legal liability.

Powering your experiences

The obfuscation starts with the title of the first privacy screen. It’s called ‘Powering your experiences’ which is less confronting than anything about privacy or data disclosure.  Cloud features are now ‘Connected Experiences’ <sigh>.

The last sentence mentions, almost in passing, the Office cloud services which get a copy of your document, worksheet or presentation content.

Performing as expected

This screen is about diagnostic information that’s sent to Microsoft.  A lot of info goes to Microsoft, probably a lot more than you realize.

The first part is a reminder that Office will always send some operational info to Microsoft, supposedly to ‘keep Office secure, up-to-date and performing as expected’.

What’s not specifically mentioned is that the data keeps Office 365 fully activated and licensed. Office 365 software has to check with Microsoft at least every 30 days to keep working as a fully licensed product.

In Office Privacy options (see below) Microsoft says this is compulsory information: “Without this basic information … Office can’t run”, but that’s not entirely right.  Microsoft chooses to make Office inoperable without the data sent to them.  Office could be changed to send a lot less data and less often if Microsoft chose to do so.

The second section is about the option to send more and more detailed information to Microsoft. In an ideal world, that information helps developers understand the different ways people use Office and make future releases better.

On the other hand, customers might not be comfortable giving even more information to Microsoft.  Because of that uncertainty many customers turn this option OFF.

If you missed this choice, it’s always available in the Office 365 software Privacy Settings (now moved and revamped).

Your data, controlled by you

Another carefully worded screen. Our highlighting of a key phrase.

“It’s our policy not to use, or let others use, it for advertising purposes.” ‘Advertising’ is an important limitation which hides the wider truth.

While it’s true that Office 365 customers are owners of their data, that’s not the detail that should concern customers. It’s how data sent to Microsoft is used by the company and forwarded to others.

Microsoft has used customer cloud data for their own investigations and benefit.  In various countries, notably the USA, Microsoft is required to supply customer data to governments and law enforcement often without a warrant or notice to the customer.  Storing data outside the USA is no protection.

Just this year we’ve learnt how a Microsoft staffer’s account was hacked and an enormous amount of customer data was leaked.  Microsoft’s initial statements about that leak weren’t entirely true and we still can’t be sure what data was disclosed and for how long.

Terms and Conditions

The careful assurances on screens in Office don’t matter – they are just words.

Only the formal Terms of Use really matter and they give Microsoft wide powers to use anything saved to their servers. Under the heading ‘Use of Services’ (last updated 24 June 2015) … our bold text.

“Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion. ….

Microsoft reserves the right at all times to disclose any information as Microsoft deems necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in Microsoft’s sole discretion.”

Review is a deliberate weasel word often used by Microsoft – it means read.  Others have called it ‘Sniffing’, ‘Snooping’ or ‘Scanning’.  Edit includes copying.  Sole Discretion means Microsoft gets to decide what to do with customer files/information and change their policies at any time.

It’s nothing new either. The Terms of Use were last updated almost four years ago and the overall broad access policy is older than that.

See what Office is sending to Microsoft

Some data sent to Microsoft is fairly clear and obvious but other personal or corporate information isn’t apparent.

Documents and files saved on OneDrive or SharePoint are accessible by Microsoft.

Email and attachments on Outlook.com (including Hotmail and other names) or Office 365 hosted email can also be read by Microsoft.  The recent data breach involved Outlook.com customers.

Did you know about this data sent to Microsoft?

The Outlook apps for Apple and Android send your email logins and data via Microsoft servers.  The apps work quite differently and are less secure than Outlook for Windows or Mac. See The Many Faces of Microsoft Outlook.

On a Windows computer a lot more than you realize is sent by Windows, Office and other apps.


Want More?

Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.