Dutch government report says Microsoft Office telemetry collection breaks GDPR

The telemetry data collection mechanism used by Microsoft Office breaks the EU General Data Protection Regulation (GDPR), Dutch authorities said yesterday in a report.

The report raises eight issues that investigators found in ProPlus subscriptions of Office 2016 and Office 365, but also with the web-based version of Office 365.

Investigators said they've identified the "large scale and covert collection of personal data" through Office's built-in telemetry collection capabilities.

They said Microsoft engages in this telemetry collection covertly and without properly informing users.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

The report said investigators didn't find any official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.

Investigators admitted that Microsoft collected functional and diagnostics data that is usually a standard practice among software developers, but they also found that Office applications also collected actual content from users' applications, such as email subject lines and sentences from documents where the company's translation or spellchecker tools were used.

While Microsoft has tried to make Office products GDPR compliant by storing EU users' Office documents on EU servers, the report found that the telemetry collection system sent Dutch user data to US servers, opening it to the possibility of having the information seized or queried by US law enforcement.

The Dutch government is extremely worried because sensitive Dutch government-related information that might have been grabbed part of the telemetry collection system may have also ended up on those US servers. The Dutch government runs Office apps on over 300,000 computers, according to the latest public figures.

Further, the investigation also found that Office telemetry collection is also far more expansive than the one in Windows 10.

Investigators said that Microsoft collects up to 25,000 types of Office events, data which is made available to up to 30 engineering teams. In contrast, Windows 10 is known to collect up to 1,200 event types, data that is shared with up to only 10 engineering teams.

The report's full findings are available below, along with possible countermeasures proposed by investigators, for both Microsoft and Office users.

Dutch investigators said they've already been in contact with Microsoft about their findings. According to the report, Microsoft has already rolled out a "zero exhaust" telemetry collection setting for Office users to address issues #1 and #2, from above. ZDNet was unable to identify this setting, at this moment, and is unclear if this option has been made available to all users, globally.

The Redmond-based company is still working with authorities on addressing items #3 through #8, and, potentially, avoiding a huge GDPR fine.

Microsoft also told investigators it intends to provide documentation about the Office telemetry it collects, more clear options so users can select the desired level of telemetry collection, and a data viewer tool so sysadmins and users can view the raw telemetry data collected via Office.

Microsoft's proposed countermeasures are similar to how the company addresses the privacy issues reported with the Windows 10 telemetry collection back in 2016. The next year, in 2017, the company released documentation about the type of telemetry data it collects, allowed users to select between Basic and Full telemetry collection levels during Windows 10 installations/upgrades, and also released a Windows 10 telemetry viewer app.

The report was commissioned by the Dutch government and conducted by a local company named Privacy Company. It is available for download from here.

Simple steps to erase your digital footprint

Related coverage:

• Many free mobile VPN apps are based in China or have Chinese ownership
• Microsoft research shows online social circles are getting riskier CNET
  
• Microsoft patches Windows zero-day used by multiple cyber-espionage groups
• Facebook patches another bug that could have allowed harvesting of user data
  
• Why Kaspersky believes tech nationalism is on our doorstep
• Google traffic hijacked via tiny Nigerian ISP
• Microsoft Surface Go: A cheat sheet TechRepublic
• Microsoft working on porting Sysinternals to Linux

Best Black Friday 2018 deals:

• Amazon Seven Days of Black Friday Deals: All-time lows on office devices
• Amazon Black Friday 2018 deals: See early sales on Echo, Fire HD
• Best Buy Black Friday 2018 deals: Deep discounts on Apple Mac, Microsoft Surface
• Target Black Friday 2018 deals: $250 iPad mini 4, $120 Chromebook
• Walmart Black Friday 2018 deals: $99 Chromebook, $89 Windows 2-in-1
• Dell Black Friday 2018 deals: $120 Inspiron laptop, $500 gaming desktop
• Newegg Black Friday 2018 deals: $50 off Moto G6, $70 off Nest thermostat
• Office Depot Black Friday 2018 deals: $300 off Lenovo Flex, $129 HP Chromebook
• eBay Black Friday 2018 deals: See early sales on Galaxy Watch, Chromecast
• Lenovo Black Friday 2018 deals: ThinkPad laptops and more
• Microsoft Store Black Friday 2018 deals: Ad showcases Surface, laptop deals
• Windows laptops Black Friday deals: Dell, HP, Lenovo
• Chromebook Black Friday 2018 deals: Dell, Google, HP
• Best tablet Black Friday deals: Apple iPad, Amazon Fire
• Black Friday 2018 iPhone deals: $400 iPhone X gift card, BOGO iPhone XR
• Black Friday 2018 smartphone deals: OnePlus 6T, LG G7