Tag: Microsoft

Microsoft violates the GDPR on a massive scale

20. November 2018

A Data Protection Impact Assessment (DPIA) commissioned by the Dutch Ministry of Justice and Security concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them. According to the report, Microsoft thereby violates the General Data Protection Regulation (GDPR) on a massive scale.

The DPIA was carried out to examine the use of Microsoft Office in the public sector. Most Dutch authorities use Microsoft Office 2016, Office 365 or an older version; the Dutch judiciary, police, various ministries and tax offices use Word, Excel, Outlook and PowerPoint. The DPIA found that Microsoft not only collects and stores personal data but also sends it to the US. Users are not informed, and no option is offered to switch off the collection or to see what data is collected. The assessment outlined eight different risks and possible risk-mitigating measures. One example is the “Lack of Transparency”: a measure recommended for Microsoft is public documentation and a data viewer tool, because at present the content of the diagnostic data (i.e. “all observations stored in event logs about the behaviour of individual users of the services”) is not accessible to the user.

Microsoft stated that, for the examined Office versions, between 23,000 and 25,000 types of events are sent to Microsoft servers and that 20 to 30 engineering teams analyse the data. The company agreed to change its practices by April 2019 and until then offers “zero exhaust” settings to shut down the data collection. A Microsoft spokesperson told The Register: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.”

In addition to applying the new settings, the DPIA encourages users to deactivate Connected Services and Microsoft’s data sharing system, not to use the web-based Office 365, SharePoint or OneDrive, to delete the directory of the system, and to consider using alternative software.
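As an added example (not part of the original page, the DPIA or Microsoft’s own guidance), the following PowerShell script applies and then verifies the per-user Office privacy policy values that Microsoft later documented for Office 2016/2019 and Microsoft 365 Apps. These policies post-date this November 2018 article and are not the DPIA’s own “zero exhaust” setting list; the registry path and value names are those of Microsoft’s documented privacy policies, while the function names and the drift check are assumptions of this example:

```powershell
# Added example: enforce and verify Office diagnostic-data and connected-experience policies.
# Assumes the Office 16.0 family (Office 2016/2019, Microsoft 365 Apps). Writes to HKCU, so it
# runs without admin rights; an enterprise should deploy the same values via GPO or Intune.
$PrivacyKey = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'

# Desired policy values (value names and meanings as documented by Microsoft):
$DesiredPolicy = [ordered]@{
    SendTelemetry                      = 3  # 1=Required, 2=Optional, 3=Neither (send no diagnostic data)
    DisconnectedState                  = 2  # 2 = disallow connected experiences in Office
    UserContentDisabled                = 2  # 2 = disallow experiences that analyse user content
    DownloadContentDisabled            = 2  # 2 = disallow experiences that download online content
    ControllerConnectedServicesEnabled = 2  # 2 = disallow additional optional connected experiences
}

function Set-OfficePrivacyPolicy {
    param([string]$Key = $PrivacyKey, [System.Collections.IDictionary]$Policy = $DesiredPolicy)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Policy.Keys) {
        # -Force overwrites an existing value; the policies are REG_DWORD values
        New-ItemProperty -Path $Key -Name $name -Value $Policy[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-OfficePrivacyPolicy {
    # Returns one object per value that is missing or differs from the desired setting.
    param([string]$Key = $PrivacyKey, [System.Collections.IDictionary]$Policy = $DesiredPolicy)
    $drift = @()
    $current = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $Policy.Keys) {
        $prop   = if ($null -ne $current) { $current.PSObject.Properties[$name] } else { $null }
        $actual = if ($null -ne $prop) { [int]$prop.Value } else { $null }
        if ($actual -ne $Policy[$name]) {
            $drift += [pscustomobject]@{ Name = $name; Expected = $Policy[$name]; Actual = $actual }
        }
    }
    return $drift
}

Set-OfficePrivacyPolicy
$drift = @(Test-OfficePrivacyPolicy)
if ($drift.Count -eq 0) { 'Office privacy policy values are in place.' } else { $drift | Format-Table -AutoSize }
```

Two caveats a practitioner should keep in mind: these values stop diagnostic data and the connected experiences they cover, but “required service data” is still exchanged whenever a cloud-backed feature is actually used, and they do nothing about the web-based Office 365, SharePoint or OneDrive use the DPIA advises against. Run the verification step again after Office updates, since a policy that is only set per user and not enforced centrally can silently drift.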

UK government to meet tech giants after Westminster attack

28. March 2017

Following the Westminster Bridge attack in London, Home Secretary Amber Rudd announced that she wants to meet several tech giants to make sure law enforcement is able to access encrypted data in terrorism investigations.

The topic came up because the attacker reportedly used the messaging application WhatsApp shortly before the attack began. As WhatsApp uses end-to-end encryption, neither law enforcement nor WhatsApp itself can read messages. The same applies to Apple’s iMessage. While Rudd did not want to make public which tech companies she will meet, Google confirmed that it will be meeting the UK government.

“We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” Rudd said. Labour leader Jeremy Corbyn, however, stated that law enforcement already had enough powers and that there needed to be a balance between the right to know and the right to privacy.

In the meantime, Microsoft confirmed that it had provided email information relating to the Westminster Bridge attack to the British authorities after it had received lawful orders.

Continuing concerns about Windows 10 data protection infractions

22. February 2017

European data protection authorities remain concerned about the data collection practices in Windows 10. Although the letter to Microsoft was sent by the Article 29 Working Party (WP29), the UK Information Commissioner’s Office (ICO) has also expressed serious concerns of its own.

Microsoft was therefore asked to explain clearly which kinds of personal data it processes and for what purposes, as this still remains unclear.

Last July, France’s CNIL also demanded that Microsoft “halt the excessive collection of data and the tracking of users’ browsing without their consent”, accusing Microsoft of numerous data protection infractions, including excessively broad personal data collection under the telemetry programme and the default activation, without the user’s consent or knowledge, of a tracking tool intended for targeted advertising.

In response, Microsoft announced in January a new Windows 10 update, the so-called “Creators Update”, together with a web-based privacy dashboard that allows users to choose the desired data-sharing level.

At a conference in Australia this Monday, Microsoft also announced a second major Windows 10 release this year (with the user-interface design elements of the “Project Neon” initiative).

According to the WP29 though: “Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data”.

“Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid.”

Apart from Windows, the WP29 has also put Facebook, WhatsApp and Yahoo under scrutiny on suspicion of data protection violations.


Decision in Microsoft case about to be challenged

18. October 2016

As the Washington Post reported, the Justice Department asked the full U.S. Court of Appeals for the Second Circuit to rehear the decision concerning Microsoft’s refusal to comply with a search warrant for an alleged drug trafficker’s emails stored on a server in Ireland.

The ruling arose from a warrant Microsoft received in December 2013. What began as a case about compliance with a federal law enforcement request has turned into a debate over government access to digital data held overseas, as governments face growing challenges when they try to obtain data across borders.

Microsoft and a number of tech firms and privacy groups therefore argue that, if the government’s view prevails, U.S. businesses could lose billions of dollars in revenue.


Privacy Shield: the first applications were submitted

4. August 2016

Although companies have begun submitting applications to join the EU-U.S. Privacy Shield, the U.S. Department of Commerce has not yet listed them as compliant.

Microsoft was among the first businesses to certify that it complies with the new rules for transferring European Union citizens’ personal data to the U.S.

On its blog, Microsoft published a statement by Vice President for EU Government Affairs John Frank saying “We expect it to be approved in the coming days”. He added: “Going forward, any data which we will transfer from Europe to the U.S. will be protected by the Privacy Shield’s safeguards.”

The process for joining the EU-U.S. Privacy Shield includes a self-certification, for which the U.S. Department of Commerce charges a fee. The fee for processing an organization’s annual application and adding it to the register ranges from $250 for organizations with revenue under US$5 million to $3,250 for those with revenue over $5 billion.

Organizations also have to pay to join an arbitration service, or to fund the handling of complaints by data protection authorities.



Microsoft cannot be compelled to turn over customer emails stored outside the U.S.

27. July 2016

Last week the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation cannot be compelled to turn over customer emails stored outside the U.S. to U.S. law enforcement authorities.

The original case concerned a search warrant for the contents of all emails, records and other information relating to one of Microsoft’s email users. Although Microsoft largely complied, it refused to turn over the contents of the emails stored on a server in Ireland, taking the position that U.S. courts are not authorized to issue such warrants for data held abroad. However, in April 2014 a judge in the U.S. District Court for the Southern District of New York held that Microsoft had to turn over the contents of the emails to U.S. law enforcement when a search warrant is issued under the Stored Communications Act, even though the data is stored outside the U.S.

The Second Circuit ruled that “Congress did not intend the (Stored Communications Act’s) warrant provisions to apply extraterritorially…(and) the Stored Communications Act does not authorize a U.S. court to issue and enforce a Stored Communications Act warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

Microsoft acquires LinkedIn: privacy issues arise

16. June 2016

Early this week, Microsoft announced the acquisition of LinkedIn, a professional network with more than 400 million users, which makes LinkedIn one of the largest databases worldwide. The acquisition will give Microsoft access to the professional profiles of LinkedIn users.

According to Microsoft’s CEO, Satya Nadella, the deal will make it possible, for example, for LinkedIn’s newsfeed to show articles related to the project a user is working on, and for Office to suggest LinkedIn professionals who are experts in the task being completed at the time.

However, privacy-related issues have arisen with the acquisition, especially regarding the amount of personal data that LinkedIn processes. Dimitri Sirota, CEO of BigID, a customer data protection company, states that Microsoft should show that this acquisition “can enrich the software offerings from Microsoft in areas such as CRM, communication, productivity, etc.” He also stresses the importance of personal data management, so that no local data privacy legislation is infringed.

Software companies such as Microsoft gain marketing, sales and intelligence value through these kinds of operations, but they also have to deal with privacy risk and compliance legislation.

In this scenario, LinkedIn should continue handling personal data as stipulated in its terms of service. That does not prevent Microsoft from signing a data transfer agreement with LinkedIn in order to gain access to the data, which would allow Microsoft to analyze the personal data it receives.

Several IT security experts agree that data privacy and data protection should stay in the foreground.