
Would you be surprised to find out that Microsoft is not complying with the data collection rules established by the GDPR?

More specifically, Dutch authorities report that the telemetry data collection mechanism used by Microsoft Office is what breaks the EU regulation.

Large Scale Collection of Personal Data through Office 2016 and Office 365

Investigators outlined eight issues in ProPlus subscriptions of Office 2016 and Office 365, as they identified a “large scale and covert collection of personal data”. The covert data collection is possible thanks to MS Office’s built-in telemetry, and users are not aware of it. Furthermore, the authorities couldn’t find any official documentation outlining the type of data that is being collected. To top that off, they also didn’t find a way to turn off the telemetry.

This is a serious violation not only of GDPR but also of the privacy of all MS Office users. Not surprisingly, Microsoft is collecting diagnostics data, which is considered a standard practice. The real issue lies in the way Office apps collect content from users' apps.

This type of data includes email subject lines, and whole sentences from documents collected by Microsoft’s translation and spellchecker tools.

The report also says that Microsoft’s telemetry system sent Dutch user data to US servers, thus creating a possibility for US law enforcement to seize the data.

This finding has made the Dutch government extremely concerned, as government-related information may have also been collected via the telemetry system, ending up on US servers. According to statistics, MS Office apps are used on more than 300,000 computers.

It is curious to note that the investigators found Office telemetry data collection to be far more extensive than Windows 10 telemetry.

Apparently, Microsoft collects up to 25,000 types of Office event data, which is accessible to at least 30 engineering teams. Windows 10, on the other hand, is said to collect no more than 1,200 event types, with this data being shared with approximately 10 engineering teams.