
Microsoft’s enterprise products covertly gather personal data on users - Quanttek
https://thenextweb.com/microsoft/2018/11/15/report-microsofts-enterprise-products-covertly-gather-personal-data-on-users/
======
esotericn
The base version of Windows 10, their flagship product (if not in terms of
revenue, then mindshare) is stuffed full of adverts and defaults on about 6+
options related to telemetry the last time I installed a VM.

I think it would benefit large companies like Microsoft to realise that this
sort of behaviour has knock-on effects. Every MS product is tainted by this
because it ultimately has effects on trust.

If it's not making them, or can't be linked to, significant amounts of
revenue, it would surely be beneficial in terms of customer numbers to stop
doing this. Why?

I don't understand, or believe, that they're making significant amounts from
this. It feels like bean-counter style decision making that doesn't take in to
account the wider picture.

Anyone from MS willing to chime in?

~~~
eternalny1
I'm not supporting the Windows-10 style telemetry (I have it turned off) but I
don't think this is about money.

Let's take a hypothetical example of where you assign a given user a random
ID, based on something (machine ID). You then track what this user is doing,
in general, in the operating system.

You can find data points such as what % of users discover/use X feature, how
many pin applications to the taskbar, use X app with Y app, have night mode
enabled, etc.

This allows you to expend resources where they are actually needed, to improve
the features that the majority of people would find benefit in.

And at the end of the day, none of the above features require knowing anything
about WHO that person is. Sure, they can be classified into groups based on
how they use the software, such as "business user", "power user", or "gamer"
... but not "John Doe at 123 Main Street, Hollywood, California".

This is likely all for product improvement and not for $$$. Why do they
subject end-users and not opt-in testers for this? To get real world data at
scale.

~~~
bunderbunder
To expand on that last bit -

The reason they might want to just collect all data without asking is that
there's a chance that making it opt-in could cause bigger bias problems in the
data you collect. For example, what if "power users" are significantly more or
less likely to opt-in? You could end up with a very distorted view of what
features are most popular, or are giving people the most trouble.

Not saying that this concern is well-founded (I really don't know), or that
this choice makes sense from a business perspective (I'm skeptical).
_Definitely_ not saying that this is the ethical choice to make (it isn't).
Just trying to shed light on a possible thought process.

~~~
bunderbunder
It's also worth mentioning that Microsoft is, to the best of my knowledge,
relatively scrupulous about keeping their telemetry data anonymous. Meaning
that they're still being _way_ less sketchy about this stuff than your average
e-tailer, or mass market retailers like Wal-Mart and Target.

~~~
olyjohn
Except they are taking things like file names, e-mail headers, recipients, and
even in some cases they are taking documents. The recent recommendation from
them was as follows:

From -
[https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/](https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/)

"...[Microsoft] also recommends simply not using the web-only version of
Office 365, or SharePoint Oneline. And it recommends periodically deleting the
Active Directory accounts of VIP users and creating new accounts for them so
that the diagnostic data associated with those accounts is eventually
deleted."

Seriously, we should be deleting and recreating accounts in our own fucking
domain to keep the data anonymous? Why is that on us?

They have you AD account info, and diagnostic data directly tied to it.
There's no anonymization going on here at all. They're gathering it
recklessly.

Also from that link:

"Much of what Microsoft collects is diagnostics, the researchers found, and it
has seemingly tried to make the system GDPR compliant by storing Office
documents on servers based in the EU. But it also collected other data that
contained private information and some of that data still ended up on US
servers."

------
moontear
Not commenting on the article itself, but the chosen title which is clickbait
to me.

The assessment is about Office ProPlus (actually called Office 365 ProPlus - I
don't know why it's called "Office ProPlus Enterprise" in the
article/assessment which doesn't exist as a product). The assessment also
complains about Office collecting data so I wouldn't say it is fair to say
that "Microsoft’s enterprise products covertly gather personal data on users"
(which really includes _a lot_ more products than just Office). The blog posts
title is actually "Impact assessment shows privacy risks Microsoft Office
ProPlus Enterprise" which is more specific than "enterprise products".

~~~
birksherty
I don't see "Office ProPlus Enterprise" in the article.

>I wouldn't say it is fair to say that "Microsoft’s enterprise products

It also includes sharepoint and onedrive which are used in enterprises in the
article.

------
laurent123456
Maybe governments should start looking at open source alternatives rather than
being more and more vendor locked by US companies. It would take time to
switch and won't be that easy but it's certainly doable, as the French
Gendarmerie shown when they've switched everything to Linux.

~~~
naikrovek
Maybe the open source alternatives are often not usable for any one of a
million reasons that are easily dismissed by free software advocates.

------
amaccuish
This displeased me recently with Office on the Mac. To even set the level of
data to "basic", I had to fiddle with plists, and it's not even possible to
switch it off completely. Luckily just finishing our migration to Libreoffice
and ODF.

~~~
naikrovek
Get ready for a world of pain if you interact with anyone using MS office.
"LibreOffice" (FFFUCK I hate that name) will gleefuly just strip anything it
doesn't understand in the documents it opens. It doesn't just ignore formulae
that an MS Office user carefully wrote, it straight up deletes that stuff.
Without notice.

OpenOffice is cancer to MS Office users.

~~~
Doxin
MS Office supports the open document format these days. LibreOffice does its
best on the monstrosity that is docx if you ask it to, but you're better off
using open formats.

------
isoprophlex
Advice to corporate users (quote from the article)

> Periodically delete the Active Directory account of some VIP users, and
> create new accounts for them, to ensure that Microsoft deletes the
> historical diagnostic data

The fact that this is necessary is beyond retarded. Imagine you're a big
corporate, paying money for a software product, and you have to jump through
silly hoops to protect your privacy. I'd have a good laugh watching MS account
execs explain this to me...

------
mxuribe
Among the recommendations is to not use SharePoint, and to not use oneDrive?
Wow, those are kind of important products for many enterprises. I see the
recommendations around these two as quite damning.

~~~
lwkl
The title is missleading. The report is about Office 365 and for the Dutch
Government. Since they are a government they probably have stronger legal
requirements than your standard small business owner around the corner. So
they probably can‘t use the SaaS Sharepoint offering by Microsoft to store
their data.

I have worked for companies and with goverment contracts in the past and you
had to use special hardware provided by the goverment to work on those
projects. So it doesn‘t surprise me at all they they themselfes can‘t use SaaS
offerings.

~~~
Digital-Citizen
Perhaps but I think that point misses the underlying issue at hand -- with
proprietary software users don't get any real control over the software. Even
the corporate-friendly computer press reported plenty of stories about
Microsoft's software which bear this out:

Microsoft repeatedly switches a flag which urges Windows users to "upgrade" to
Windows 10 when users had said no.
[http://www.computerworld.com/article/3012278/microsoft-
windo...](http://www.computerworld.com/article/3012278/microsoft-
windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html)

Microsoft forces some Windows systems to switch to Windows 10 by silently
downloading Windows 10
[https://www.theguardian.com/technology/2015/sep/11/microsoft...](https://www.theguardian.com/technology/2015/sep/11/microsoft-
downloading-windows-1)

This forced "upgrade" had adverse effects on some users with poor
connectivity.
[https://www.theregister.co.uk/2016/06/03/windows_10_upgrade_...](https://www.theregister.co.uk/2016/06/03/windows_10_upgrade_satellite_link/)

Once the switch to Windows 10 was accepted there was no way out
[https://www.theregister.co.uk/2016/06/01/windows_10_nagware_...](https://www.theregister.co.uk/2016/06/01/windows_10_nagware_no_way_out/)

Windows 10 is quite nasty for many reasons all of which boil down to being
nonfree, proprietary software. For example, it by default sent core dumps to
Microsoft or whatever organization Microsoft chooses.
[http://betanews.com/2016/11/24/microsoft-shares-
windows-10-t...](http://betanews.com/2016/11/24/microsoft-shares-
windows-10-telemetry-data-with-third-parties)

Windows 10 ignores users' so-called "security" settings putting a fine point
on how insecure they are.
[https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-b...](https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-
blatantly-disregards-user-choice-and-privacy-deep-dive) and
[https://archive.fo/2ey80](https://archive.fo/2ey80)

[https://www.gnu.org/proprietary/malware-
microsoft.html](https://www.gnu.org/proprietary/malware-microsoft.html) is
filled with more references to still more stories of how Windows runs against
user's security interests and control over their own computer.

So when the Privacy Company "recommends admins of the enterprise version of
Office ProPlus in the Netherlands (although many of them should also be
applicable to other countries) [...] Apply the new zero-exhaust settings"
there is no reason to believe that one gains privacy from Microsoft in so
doing. Ultimately one's control over proprietary software only goes so far as
the proprietor will allow. This remains true notwithstanding user's
requirements or willingness to investigate and implement whatever the computer
owner wants changed.

Microsoft is merely illustrating the inherent and unjust control over one's
computer proprietary software has. It is this power that is at the heart of
what's so wrong with these recommendations, nothing to do with a relatively
minor quibble over whether one set of users has different requirements for
privacy or security than other users.

------
Quanttek
Full report [PDF]:
[https://www.rijksoverheid.nl/binaries/rijksoverheid/document...](https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-
protection-impact-assessment-op-microsoft-
office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf)

------
pasbesoin
Seriously, could Microsoft work any harder to drive me away?

People are going to look at their bottom line and decide this money-grabbing
maximal-ism just makes them greedy, unconscionable bastards.

Of course, that's never stopped their juggernaut, before.

For my part, watching this behavior, I'm all the more convinced that de facto
UEFI control and the like need to be ripped away from them. They will exploit
anything. The problem is, who can and will serve as a neutral steward -- of
implementations and not just theory and maybe design?

------
TheRealDunkirk
As someone who installed a bunch of Ubiqiti equipment at a large church, I can
see that once we have 1000 phones in the building, there's a non-trivial
baseline of network activity that I attribute to Facebook, et. al., phoning
home. In my company of 46K employees, it can't be a non-zero cost to have this
telemetry activity leaching on our WAN connections, many of which are
struggling to keep up with demand already.

------
whatshisface
Is it possible to firewall Microsoft products using only the things that the
average person has access to? (A telecom-supplied router and a Windows
computer.)

~~~
esotericn
I don't believe it's possible to firewall Microsoft products in the general
case of a power user that has access to an edge router.

You'd have to do something insane like IP whitelisting only for services you
care about, hope that none of them use MS services like Azure, disable Windows
Update entirely, etc.

It might be possible in the abstract sense of "right now nothing is getting
out" but they have root on your box, it's closed source proprietary software,
and you've basically broken the OS with this firewalling anyway.

You need to be able to trust them.

~~~
lwkl
You can Firewall Windows services. There is a inbuilt firewall and there may
be default rules but you can customize it the way you want. It would be a
pretty big security flaw if they let their services bypass the firewall. They
may be profit oriented but not stupid.

~~~
laumars
As discussed in the other thread, Windows firewall is garbage for this
particular type of problem:

1/ it's not novice friendly (your best suggestion thus far required users to
input dozens off lines of code into cmd.exe)

2/ it's defaults still allow Windows telemetry to get through (which was the
exact thing the GP was trying to protect against)

3/ it's a pain in the arse to keep updated compared to any of the other
suggestions made in this thread.

If the only option was Windows firewall or nothing, then I'd suggest people go
with a PiHole since it takes an equal amount of technical know how to get the
initial set up done. But at least once PiHole is set up, it's self managing
(unlike Windows firewall) and will have much saner defaults too.

Thankfully though, there are other software firewalls for Windows that address
the limitations I've described above. I've named one, another poster has
listed a few others. If the option is software firewall or nothing, then I'd
strongly recommend that user go with a third party one instead of relying
solely on Windows firewall.

------
trendia
There are many regulations that affect data, like HIPPA and ITAR.

How can Windows be used in such an environment if the data collection can’t be
stopped?

~~~
josteink
If the data collection is “anom-user-123456789 launched the built in email-
client 20 times and sent 30 mails”, I suspect that’s not exactly HIPPA or
ITAR-regulated data.

------
grezql
There was another case recently with Indian enterprise customers which had me
worrying.
[https://www.theinquirer.net/inquirer/news/3065535/microsoft-...](https://www.theinquirer.net/inquirer/news/3065535/microsoft-
shared-indian-bank-data-with-us-intelligence-without-warning-customers)

At my work we are considering moving to the cloud with exchange and other
services. I will make sure these articles will certainly be topic at next
meeting

------
ljoshua
The article didn't necessarily clarify what type of data was being reported
back, which I think is key. It mentions diagnostic data (I'm assuming crash
logs and such), but it says "personal data" without specifying.

I think that would be a very helpful bit to surface before a solid judgement
call can be made. Anyone with more info?

------
cptskippy
> Microsoft collects and stores personal data about the behavior of individual
> users

I feel like this sentence is phrased maliciously. The adjective "personal" is
applied to the more generic term data, rather than the more specific term
behavior.

By placing the adjective on data, it encourages the reader to imagine the
worst possible scenario. By simply moving the adjective you can more
accurately describe what Microsoft is doing and avoid allowing the reader's
imagination to run wild.

> Microsoft collects and stores data about the personal behavior of individual
> users

You could also remove the adjective entirely because the term individual has
the same implication. This makes it sound even more innocuous.

> Microsoft collects and stores data about the behavior of individual users

~~~
Wowfunhappy
Personally, I don't find any of your revised phrases to be less disconcerting
at a gut level. "Personal data", "personal behavior", etc is all the same to
me.

~~~
cptskippy
Personal data could be anything like your SSN, CC# or other secrets.

Personal behavior is a more specific classification like "user scratches his
butt every morning" or "user picks nose".

In the context of Office Applications it's going to be even more specific
things like "user always tries to click on URLs in emails before CTRL+clicking
them."

------
foepys
Maybe Microsoft will be the first company that has to pay 4% of their global
revenue to the EU under GDPR. Microsoft will have a hard time arguing against
a government report

~~~
thrower123
It's too bad Microsoft, Google, Apple, Amazon and Facebook won't ever stand
firm together and tell the EU regulators to get bent and go home.

~~~
JustSomeNobody
Interesting that you think mere tech companies are more powerful than a
government union.

~~~
thrower123
I don't think that we are that far away from that being a reality.
Particularly one as shaky and with teeth as small as the EU possesses.

The kind of cash that Silicon Valley corps can throw around could be a serious
shot in the arm for Eurosceptic political parties hoping to weaken or separate
from the union.

~~~
gpvos
The EU has more power than individual European countries at least. This is
basically the most important reason we still need the EU.

------
sweetp
any word on VSCode? should I be worried and switch back to Atom

~~~
tozeur
Serious question: Why do you care Microsoft (or any company for that matter)
collects your code editor telemetry?

Addendum: Check our Google Analytics, Hotjar, and Facebook ad targeting if you
_really_ want to see “violation of privacy”. In reality, companies want to
know how users use their products to make them better.

~~~
mikro2nd
> Why do you care Microsoft collects your code editor telemetry?

How about, "Because it's none of their fucking business."

Microsoft has clearly gone all-in on the SV surveillance-capitalism model of
doing business, and _this_ is exactly what motivated their acquisition of
GitHub imho.

------
ConceptJunkie
Of course, they do. Microsoft never fails to jump on other companies'
bandwagons, and in this case they are imitating Google and Facebook.

------
gerrard00
I definitely think this should be opt-in but I also think that it's silly to
focus on just this scenario. I'd bet dollars to doughnuts that Google Docs and
every other web based business tool use similar telemetry data to guide their
UX and product investments as well as to preemptively address bugs.

~~~
kenjackson
Don't ALL web/internet based products have to collect some base level
telemetry to simply function?

~~~
josteink
> Don't ALL web/internet based products have to collect some base level
> telemetry to simply function?

No. Not at all. There’s no technical reason which drives such a demand. A big,
fat no.

But it can help making the company hosting the site money. By selling your
data to others. And that’s another question entirely.

------
driverdan
This should be switched to the original source:
[https://www.privacycompany.eu/en/impact-assessment-shows-
pri...](https://www.privacycompany.eu/en/impact-assessment-shows-privacy-
risks-microsoft-office-proplus-enterprise/)

------
sarcasmOrTears
Instead of useless things like GDPR we need laws that prohibit forced
telemetry in software. Instead of just a 20mil+ fine, we need a fine plus jail
time for the people involved. This is malicious software. This is a person
spying on you, stalking, industrial espionage, etc all in one. But of course,
making a very simple and clear law would actually make life difficult for bug
business. They would be forced to stop bad practices for real. Also goverments
love the idea of having access to that sweet, juicy, "encrypted" data if
needed.

~~~
swiftcoder
I'm not sure that a blanket ban on automatic opt-in to telemetry is the right
call. Most consumers don't have the requisite knowledge to make an informed
decision when to opt-in.

I would like to see laws requiring transparency in telemetry, though. Require
all telemetry to be in plain text, and auditable by 3rd-party software (say,
by antivirus/privacy software).

------
yuhong
AFAIK SQM dates back to Office 2003.

