Microsoft plans to update its Office Pro Plus products by the end of April to address a series of privacy concerns raised in an audit commissioned by the Dutch justice ministry that flagged what the auditors called “high risks” to government users’ privacy.
The update for many of the company’s Office Pro Plus customers, which has been confirmed by Microsoft, will address concerns relating to a package of popular Microsoft programs — namely that they were sending diagnostic data from Europe to the United States without adequate documentation and user controls over what was sent.
Microsoft and the Dutch justice ministry agreed on the changes as part of an “improvement plan” with an April deadline. A ministry spokesman told POLITICO that if Microsoft’s responses proved “unsatisfactory,” the ministry could raise the concerns with European data protection authorities for further action that could include “enforcement measures.”
In a statement, Microsoft’s top privacy and regulatory counsel, Julie Brill, underscored that the Dutch ministry had commissioned the audit as a customer of Microsoft and had not sought regulatory action against the company.
“The ministry commissioned the report in its capacity as a customer to clarify how our services are run and we’re working with the ministry’s staff to share additional information and help resolve its questions as we would for all enterprise customers,” Brill said.
She added that the issues raised in the report, conducted by the Privacy Company, a Hague-based consultancy, relate to “diagnostic data in one product,” Office Pro Plus, and that the company was “confident this is consistent with Dutch law and GDPR,” Europe’s General Data Protection Regulation privacy law. Office Pro Plus includes a range of Microsoft programs.
“We feel good about what we’re doing to give customers transparency and choice on the diagnostic data they share with us, but we always want to do more,” Brill said. “In the coming weeks we will take additional steps to make it easier for customers to understand what data needs to go to Microsoft to run our services and why, and where data-sharing is optional.”
When Microsoft updates its products, the update usually rolls out worldwide to all users of the product, and the company gave no indication that this case would be different.
Under the EU’s data protection laws, the Irish Data Protection Commission is the “lead supervisory authority” in charge of making sure Microsoft complies with the rules. If the Netherlands chose to escalate its concerns, it could forward a request on the relevant issues to the Irish regulator. Meanwhile, any issues would be closely monitored by the European Data Protection Board, which gathers all EU data regulators, and by the European Data Protection Supervisor, each of which may in turn start its own investigation that could lead to enforcement action.
A spokesperson for the Irish Data Protection Commission said it was “aware of this matter and its significance to companies using the Microsoft product in question. On becoming aware, the DPC immediately engaged with Microsoft seeking further information on the processing of telemetry data, in response to which Microsoft is providing detailed responses.”
The Privacy Company, a consulting firm that the ministry contracted to do the audit, said in a blog summary of the findings that “Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.”
It added: “Covertly, without informing people … Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.” A major concern of the Dutch was that the company sends the data back to its servers in the U.S.
Microsoft doesn’t agree with some of the assertions of the Privacy Company’s report but is making changes to its products as it routinely does to accommodate customers. The company has previously disclosed to customers its use of diagnostic data.
The new focus on privacy comes as different components of Microsoft, one of the world’s most valuable companies, have recently faced scrutiny for a variety of privacy concerns, especially LinkedIn, which Microsoft bought in late 2016 for $26 billion.
Nicole Leverich, a spokesperson for LinkedIn, said “member data is never shared with customers on an individually identifiable level, only in aggregate for ad sales.” Last November, Ireland’s Data Protection Commission found that LinkedIn used the email addresses of around 18 million non-LinkedIn members to target individuals with ads on Facebook all in an effort to grow its customer base.
The regulators noted that LinkedIn’s actions violated its protection standards, although the dispute was amicably resolved.
Leverich said the company “fully cooperated with the DPC’s 2017 investigation of a complaint about a European advertising campaign and found the global processes and procedures we had in place were not followed. We took appropriate action and have made the internal changes to help protect against this happening again.” In Brazil last year, federal prosecutors said Microsoft had violated local laws with its collection of Windows 10 users’ data without getting proper consent. In 2016, France ordered Microsoft to cut back its collection of user data and to halt tracking of the web browsing habits of Windows 10 users without getting permission.
Despite these privacy dustups, Brill touted the recent steps Microsoft has made to improve users’ privacy, including “new features in the Windows setup process, enhanced options for error data reporting in Xbox, a feature called Lockbox for Azure, and updates to our Privacy Dashboard including new tools for parents to manage their children’s settings.”
Saint or sinner?
Microsoft has been the subject of a number of complaints to the Irish Data Protection Commission, according to a commission spokesman, but none were serious enough to warrant a statutory investigation, and of the 16 open investigations into multinational tech companies, none are related to Microsoft. There have been 3,500 complaints to the commission in total.
Unlike other tech companies, like Facebook, that have drawn fire for privacy issues and problems spreading fake news, Microsoft has set itself up as a paragon of good behaviour, welcoming scrutiny into the company and the broader tech industry. Company leadership routinely highlights its proactive investments in privacy. Last year, the U.S. Supreme Court heard arguments after Microsoft challenged an American search warrant for a customer email that resided in Microsoft’s servers in Ireland, and last May, the company announced it was extending the privacy rights that are at the core of GDPR to its worldwide consumer customer base.
“Having the scrutiny is actually good, I think,” CEO Satya Nadella told the Washington Post last October. He urged the tech sector to improve its behavior. “Anyone who is providing a very critical service needs to raise the standards of the safety of that technology and the security of that technology.”
The huge problems affecting Facebook have touched other companies as well, including Microsoft. The New York Times reported in December that Facebook gave Bing, Microsoft’s search engine, the ability to view the names of almost all Facebook users’ friends without permission and also had data-sharing arrangements with companies including Netflix, Spotify, Amazon and Yahoo.
“Bing did not maintain profiles based on Facebook data for advertising or personalization purposes, and we took significant engineering steps beyond what Facebook required to ensure this could not happen,” said Brill.
“We ended our contract with Facebook in February 2016 and data stopped appearing in search results.”