
Report on Microsoft Office and Windows software: still privacy risks remaining - GordonS
https://www.privacycompany.eu/en/new-dpia-on-microsoft-office-and-windows-software-still-privacy-risks-remaining-short-blog/
======
starsinspace
Microsoft is really shooting themselves in the foot with their terrible
approach to privacy ever since Win10. Given that they earn money by selling
actual products, they _could_ stand right next to Apple as a defender of
privacy if they wanted to (unlike Google, which has a business model which
depends on data collection)... but they choose not to.

It's not so long ago, in 2011, they had this video, targeting Google's privacy
problems:
[https://www.youtube.com/watch?v=9x4_dozWkq0](https://www.youtube.com/watch?v=9x4_dozWkq0)

Now they're no better than Google. What happened?

~~~
danieldk
Indeed, this is surprising for many reasons:

\- B2B is a large part of their income, telemetry has probably damaged their
reputation as a business vendor.

\- They have mostly failed at social media (except LinkedIn and Skype, which
they have bought). So, there is no strong need for them to collect all this
data to profit off (otherwise free) social media.

\- They have a strong developer story with WSL, Azure, etc. They could have
replaced Apple as the darling of developers. But not with telemetry, start
menu ads, etc.

\- At least in the EU, more privacy is where the puck is going. They could
take on Google's weaknesses.

~~~
tpush
> \- At least in the EU, more privacy is where the puck is going. They could
> take on Google's weaknesses.

Ironically, it's Europe where privacy championing Apple is way less of a
player than Google when it comes to smartphones and services, especially
compared to the US market.

So I'm not sure if a privacy conscious approach would buy them much in the EU,
at least among consumers.

~~~
fruffy
I was not able to find concrete sources but I think that has more to do with
the expensive pricing of iPhones and Apple's former image as a somewhat
invasive and consumerist company. I remember there being a decent amount of
distrust against their vendor-lock-in techniques.

Overall, I would say consumers' privacy-sensitivity in Europe expresses itself
largely in the increased usage of Telegram, Tor, Firefox, and Linux compared
to the US.

~~~
vezycash
None of my friends stick with Telegram for long simply because of Android's
battery saver apps. Notifications simply won't show unless they open the
Telegram app.

~~~
gvurrdon
I don't use Telegram or Android at the moment and so can't be sure, but I
wonder if this would help: [https://www.techrepublic.com/article/how-to-remove-android-a...](https://www.techrepublic.com/article/how-to-remove-android-apps-from-the-battery-optimization-list/)

------
Someone1234
This is fantastic. Not only have they effectively pushed Microsoft to improve
things for everyone (in 1905 of Office and 1903 of Windows specifically, via
new [lower] telemetry options), but now Data Viewer supports Microsoft
Office's telemetry, and we have more data on what Office's telemetry is doing.

Overall well done PrivacyCompany and the Dutch Ministry of Justice and
Security. Still seems to be fights left to have, but this is definitely a step
in a positive direction.

~~~
spinningslate
Agree it's great that the Dutch Government is pushing Microsoft to be more
transparent.

> Still seems to be fights left to have, but this is definitely a step in a
> positive direction.

Indeed. From the article:

"The Dutch government’s new privacy terms and conditions do not (yet) apply to
data processing via Windows 10 Enterprise or the mobile Office apps. It is not
possible to minimize data traffic in Office Online. From at least three of the
mobile apps on iOS, data about the use of the apps goes to a US-American
marketing company that specializes in predictive profiling. This is done
without providing any information about the purposes of this processing, and
without giving the users or administrators any possibility to prevent this
processing."

So: use Office on iOS, and it'll send usage data off to some predictive
profiling marketing firm.

Why, as a (presumably) paying user, is it OK for Microsoft to do that?

~~~
TeMPOraL
Holy shit, that quote. Did absolutely not expect that (even though I assumed
thorough telemetry is sent to Microsoft itself).

I've been sitting for months on this article explaining my belief that
advertising is a cancer on modern society, and I can't get myself to publish
it, because literally every other day brings another thing I want to include
on the list of damage being done. I'm not even actively looking for examples
anymore; I just open HN and - lo and behold - top story tells me that MS
Office mobile apps send data to US predictive profiling company, _because of
course they do_.

~~~
Ascetik
A thought you could add to your article. In the medieval period in Europe,
advertising outside your shop was strictly forbidden because it was considered
an assault on your senses. I totally agree with this sentiment.

~~~
TeMPOraL
Thanks for that thought! Definitely fits in there. Do you have a link to some
source about that, though? I'd love to know about this in more detail.

~~~
Ascetik
Phillip Campbell (aka Boniface) of
[http://unamsanctamcatholicam.blogspot.com/](http://unamsanctamcatholicam.blogspot.com/)
should be able to point you in the right direction, he is a medieval scholar.

Edit: Sorry, I don't have any exact citations; he said it in an interview with
Ryan Grant, so I'm sure he has a source he read somewhere.

~~~
ckozlowski
All good, thanks!

------
driverdan
> From at least three of the mobile apps on iOS, data about the use of the
> apps goes to a US-American marketing company that specializes in predictive
> profiling.

Can any MS employees jump in and justify how you find this acceptable?

~~~
bradford
MS employee here (I work with data but not in Office). My opinion: I don't
find this acceptable. At the end of the day, sending data to a third party
without the customers awareness is a violation of trust, regardless of how
narrow in scope that data might be.

I'm curious to see how MS responds. There are several unanswered questions
that I'd like answered. Specifically:

1. Any disputes about the factual nature of these claims?

2. If not, what is the third party doing with the data?

~~~
cameronbrown
I wish we had more honest opinions like this on HN, from tech workers about
their own company's flaws.

------
speeder
Awesome, maybe it will give data so I can more easily defend my position to
refuse Win10 (I was on Win8, hoping Win10 would be better... instead, telemetry
and forced updates that break everything fairly regularly made me uninstall
Win8 and install Win7 instead) or convince me Win10 telemetry really, really
is fine.

Mind you, where I live, political assassinations, industrial espionage and
whatnot, although rare, DO exist, so privacy is important (especially for me
since I AM actually registered officially as a politician, although I never
won any election).

~~~
frickinLasers
I sure hope you're keeping on top of all the Win7 telemetry updates, then.

[https://www.overclock.net/forum/132-windows/1587577-windows-...](https://www.overclock.net/forum/132-windows/1587577-windows-7-updates-list-descriptions-telemetry.html)

[https://betanews.com/2019/07/11/microsoft-adds-telemetry-win...](https://betanews.com/2019/07/11/microsoft-adds-telemetry-windows-7/)

~~~
mkup
What's the point of collecting telemetry in Windows 7, if there will be no
future versions of Windows 7 (this OS is near its EOL)?

~~~
frickinLasers
That's a good question...

/tinfoilhat

------
anticensor
There are really only two levels of Windows telemetry according to this
report's endpoint analysis:

- Minimum (_Security_)

- Full

The report goes into lengthy detail explaining the default level is _Full_ :

« The IT-pro's (administrators) of the Enterprise version can choose between
three telemetry options (Security, Basic or Full). If the administrator
chooses to suppress the privacy-related set-up experience and does not adjust
the setting otherwise (e.g., by group policy), the default diagnostic data
level setting is Enhanced. At that level, Microsoft explains it collects
"Additional insights, including: how Windows, Windows Server, System Center,
and apps are used, how they perform, advanced reliability data, and data from
both the Basic and the Security levels." In that case, the setting for
diagnostic data presented to end-users is set to Full »

------
kerng
Microsoft is all about telemetry to improve its products, and it's a slippery
slope, and some of the instances pointed out here are way beyond what one would
consider useful (for feature development) telemetry. This might cost Microsoft
a few billion.

~~~
nfoz
The stated purpose of telemetry is to improve their products. Yet the
telemetry itself is a massive _problem_ in their products.

Does anyone know what, if any, product improvements have been made thanks to
telemetry?

~~~
suby
Microsoft gave two examples where telemetry helped them in an Ars Technica
article a while back. One was fixing a bug in their alarm clock app, the other
was fixing an audio driver issue. If these are their go-to examples, it seems to
very much not be worth the price of admission in my opinion.

[https://arstechnica.com/information-technology/2017/04/micro...](https://arstechnica.com/information-technology/2017/04/microsoft-opens-up-on-windows-telemetry-tells-us-most-of-what-data-it-collects/)

"As an example the company offered us, there was a problem with the Windows
Alarm app. The Alarm app can have more complicated interactions than one might
think, due to its interactions with system sleep (it can wake a machine up if
necessary) and the notification framework. Some Windows users reported that
their alarms weren't consistently going off. As is often the case with
annoying bugs, the problem was intermittent, appearing to occur randomly and
hence difficult to reproduce for debugging. With information collected at the
Full level from a broad range of affected machines, the company's developers
were able to ascertain the precise combination of factors leading to problems,
and discovered that alarms became more unreliable as they grew older. The bug
was fixed, and a patch was deployed.

Another problem the company described to us was that certain combinations of
audio drivers and audio hardware were resulting in audio that was broken or
missing certain special effects. The telemetry data enabled the exact pairings
of drivers and hardware that had issues to be pinpointed, enabling a fix to be
developed."

~~~
stordoff
> If these are their go to examples, seems to very much not be worth the price
> of admission in my opinion

It's an especially hard sell for me as, anecdotally, I've had _far_ more
issues with Windows 10 than I ever had with 7. Recent one (1903 update):
virtually all text disappeared (desktop icons, menus, Notepad docs all
appeared blank, and it made the address bar in Chrome take up about half the
screen for some reason). On about 1/10 reboots, it would _eventually_ work if
I restarted explorer.exe (text would start appearing in Task Manager, which
was my cue to restart explorer). Safe Mode, clean installing my graphics
drivers (assuming it was some sort of rendering bug), and sfc/DISM all failed
to fix it. I eventually fixed it by (which was a shot in the dark more than
anything):

1. Taking ownership of C:\Windows\Fonts

2. Deleting everything in \Fonts except files that are in use

3. Using sfc /scannow to restore the contents of \Fonts

4. Restoring ownership to TrustedInstaller

All in all, not a fun process, and a couple of hours lost. I then wasted
another 20 minutes or so as subsequent Windows Updates were failing, so I
rebooted a few times to retry and was troubleshooting Windows Update.
Apparently it was just installing in the background, but didn't feel like
telling me that (it was just saying "Install now", then giving me a generic
error code).

Similar issues have happened often enough that I'll delay updates until I know
I don't _need_ my machine for at least a day. I never got to that stage with
XP/Vista/7.

------
squarefoot
The article mentions 12 bullet points for the most important measures
organizations should take to mitigate the problem; some seem trivial, others
surely are more complicated, requiring time and money (this ain't Joe User's
home gaming PC), and would offer no guarantee of achieving the goal because
it's still closed software. So why not pour that same amount of money into
a single entity whose only purpose would be to integrate, or create where
necessary, then document and support, FOSS software that does essentially the
same things and services? (i.e., not just Linux+LibreOffice).

I would surely donate some quid myself, but I'm also 100% sure a lot of big
names would follow, making the thing self-sustainable, as I'm not the only one
feeling uncomfortable knowing that my personal data is managed by companies
that profit from people's personal data (therefore including Google and others).
This problem hits everyone: I may choose not to use any of their software on
my machines, but I have no chance of convincing either my doctor or my lawyer
to do the same, unless the practice becomes widespread and non-technical users
too are made aware of the issues.

------
contravariant
>Upgrade to version 1905 or higher of Office 365 ProPlus and set the telemetry
level to the 'Neither' option.

Well that's a dark pattern if I've ever seen one. Worse it suggests that
before version 1905 there were only two options for telemetry, and neither of
them was _no_ telemetry.
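The Windows diagnostic data levels anticensor lists above (Security, Basic, Enhanced, Full) and the Office 365 ProPlus 'Neither' option quoted in this comment are both driven by registry-backed Group Policy values, so an administrator can audit what a machine is actually set to rather than trusting the Settings UI. The PowerShell below is an added example, not code from the DPIA report, from Microsoft, or from anyone in this thread. It assumes the policy key paths and value mappings given in the comments (AllowTelemetry 0-3 for Windows, SendTelemetry 1-3 for Office), which should be verified against the ADMX templates in use before relying on them.

```powershell
# Added example: audit the effective Windows 10 diagnostic data level and the
# Office 365 ProPlus (1905+) telemetry policy, and optionally set both to their
# most restrictive values. Run from an elevated PowerShell session.
# Assumed policy locations (verify against your ADMX templates):
$WindowsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$WindowsUserKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$OfficePolicyKey  = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\clienttelemetry'

# Assumed value mappings for AllowTelemetry (Windows) and SendTelemetry (Office)
$WindowsLevels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
$OfficeLevels  = @{ 1 = 'Required'; 2 = 'Optional'; 3 = 'Neither' }

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-WindowsTelemetryStatus {
    $policy  = Get-RegistryDword $WindowsPolicyKey 'AllowTelemetry'  # GPO/MDM value, wins when present
    $setting = Get-RegistryDword $WindowsUserKey   'AllowTelemetry'  # value behind "Diagnostics & feedback"
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    # Level 0 (Security) is only honoured on Enterprise/Education/Server editions
    $honoursSecurity = $edition -match 'Enterprise|Education|Server'

    $effective = if ($null -ne $policy) { $policy } else { $setting }
    $findings = @()
    if ($null -eq $policy) {
        $findings += 'No AllowTelemetry policy: level depends on OOBE/Settings choices (the report found unconfigured Enterprise images at Enhanced).'
    }
    if ($effective -eq 0 -and -not $honoursSecurity) {
        $findings += 'Level 0 (Security) is not honoured on this edition; it falls back to Basic.'
    }
    if ($null -ne $effective -and $effective -ge 2) {
        $findings += 'Enhanced/Full sends usage and reliability data beyond the Basic set.'
    }
    [pscustomobject]@{
        Component = 'Windows'
        Edition   = $edition
        Policy    = if ($null -ne $policy) { $WindowsLevels[$policy] } else { '(not set)' }
        Effective = if ($null -ne $effective) { $WindowsLevels[$effective] } else { 'unknown' }
        Findings  = $findings
    }
}

function Get-OfficeTelemetryStatus {
    $value = Get-RegistryDword $OfficePolicyKey 'SendTelemetry'
    $findings = @()
    if ($null -eq $value) {
        $findings += 'No SendTelemetry policy: Office uses its default or the user choice; the report recommends Neither (3).'
    } elseif ($value -ne 3) {
        $findings += "Diagnostic data level is $($OfficeLevels[$value]); only Neither (3) turns it off."
    }
    [pscustomobject]@{
        Component = 'Office 365 ProPlus'
        Policy    = if ($null -ne $value) { $OfficeLevels[$value] } else { '(not set)' }
        Findings  = $findings
    }
}

function Set-MinimalTelemetryPolicy {
    # Writes the most restrictive policy values; supports -WhatIf for a dry run
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $targets = @(
        @{ Key = $WindowsPolicyKey; Name = 'AllowTelemetry'; Value = 0 }   # Security
        @{ Key = $OfficePolicyKey;  Name = 'SendTelemetry';  Value = 3 }   # Neither
    )
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess("$($t.Key)\$($t.Name)", "set DWORD to $($t.Value)")) {
            New-Item -Path $t.Key -Force | Out-Null
            New-ItemProperty -Path $t.Key -Name $t.Name -Value $t.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first; apply the policy only after reviewing the findings
@(Get-WindowsTelemetryStatus; Get-OfficeTelemetryStatus) | Format-List
# Set-MinimalTelemetryPolicy -WhatIf    # preview the writes; drop -WhatIf to apply
```

The audit reads the policy key and the Settings-app key separately because a machine with no policy can still be sitting at Enhanced or Full through the out-of-box defaults the report describes, and the edition check matters because Pro and Home silently treat Security as Basic. The Office key is per-user (HKCU), so an audit of a shared machine has to run in each user's context or target the corresponding user hives.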

~~~
pndy
A "funny" thing: in Vista and 7, the modal window for the Improvement Program had
the "Yes, I want to participate in the program." option set as default, and you
had to press the bottom option twice so the save button would reactivate from
its grayed-out state and you could refuse participation. This little thing
worked in the same manner every time, no matter the build (original or with
service pack), showing up a few hours after setting up a fresh Windows
installation, and I'd say it was aimed at the ordinary user who wouldn't try
clicking twice on the option to see if it could be changed.

There was this report posted last year [1] where the Norwegian Consumer Council
was reviewing dark patterns used at Facebook, Google and Windows.

[1] -
[https://news.ycombinator.com/item?id=17406186](https://news.ycombinator.com/item?id=17406186)

