Microsoft updates Privacy Statement, addressing concerns from critics

Windows 10 isn't the only Redmond-based product that got a big update in the past few weeks. Microsoft recently revised its global Privacy Statement, with a few minor changes and some significant additions aimed at cooling overheated privacy concerns. Here are the details.
Written by Ed Bott, Senior Contributing Editor

Just ahead of last week's launch of Windows 10 version 1511, Microsoft quietly updated its Privacy Statement.


The current version of the statement has a "last updated" date of October 2015, and based on archived pages was posted to Microsoft's website in mid-October. A close comparison of the October statement with its July 2015 predecessor reveals some noteworthy additions and a few changes.

Some of the revisions are routine, intended to accommodate changes in services, like the renaming of Xbox Music to Groove and the retirement of some MSN apps. There's a fix for at least one typo and some simple wording changes.

In addition, the new statement includes multiple sections that distinguish between personal Microsoft accounts and "work or school" accounts, where an organization controls access to services and may impose its own rules.

But several sections of the new Privacy Statement are clearly intended to answer critics who insist that the company is "spying" on users.

The new document is, by necessity, even longer than its predecessors. Here's a summary of what's inside.


The Content section adds two examples to emphasize that personal data is only collected in connection with the provision of online services you request,


Device encryption

Several critics have fretted over Microsoft's practice of automatically backing up BitLocker encryption keys to OneDrive to allow recovery on personal devices. The new statement adds this sentence: "Microsoft doesn't use your individual recovery keys for any purpose."


Disclosing personal files

The most extreme allegation, based on a misreading of the original privacy statement, is that Microsoft is scanning personal files on local hard disks running Windows 10. The revised version adds a qualifier that the phrase "files in private folders" refers only to those stored on OneDrive. The section also includes a new link to the Law Enforcement Transparency Report.


In the OneDrive section, a newly added sentence specifically notes that OneDrive scans the contents of personal files for the purpose of "indexing the contents of your OneDrive documents so that you can search for them later and using location information to enable you to search for photos based on where the photo was taken."

Providing and improving services

Under the "Providing and improving our services" heading, the new statement adds several sentences to cover the information Microsoft collects for customer support and product activation purposes. The same section adds references to features that "confirm the validity of software licenses" and "disrupt the operation of malicious software."


Telemetry and error reporting

There are no changes to the section that governs collection of telemetry data, which includes a list of the data collected as part of the telemetry program.

It's worth noting here that a reader sent email earlier this week asking me if Windows 10 Pro satisfies cyber security compliance regulations for financial businesses: "FINRA, SEC and FTC regulations require companies to protect the sensitive personal information of clients," he wrote. "Since Microsoft mandates [basic] telemetry for Win 10 Pro, is it compliant with cyber security regulations?"

A Microsoft spokesperson provided this response:

Small businesses subject to FINRA, SEC and FTC cyber security regulations can upgrade to Windows 10 Pro with confidence in the collection of telemetry data at the Basic level. As customers can confirm for themselves, the data collected at Basic level includes data about the user's device only and does not include the content of documents, emails, or any other sensitive personal information about them or their clients.

Enterprise services

A new section on enterprise services notes that the terms in customer contracts win if there's a conflict with the general Microsoft Privacy Statement:

Enterprise Services are those Microsoft services and related offerings that are offered or designed primarily for use within an enterprise, including Office 365, Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune and Yammer, for which an organization (our "customer") contracts with Microsoft for the services. In the event of a conflict between a Microsoft privacy statement and the terms of any agreement(s) between a customer and Microsoft, the terms of those agreement(s) will control.


The section on Cortana includes some fascinating additions that reflect how this service is evolving (in parallel with rivals from Google, Apple, and others) to predict behavior based on your location and your communications history, and to understand your "user intent" behind a specific action.


Microsoft Health Services

This is a new section covering the Microsoft Band, Health Services, and HealthVault. It includes this straightforward statement about the privileged status afforded to health information:

Health data you provide through Microsoft Health services or store in HealthVault is not combined with data from other Microsoft services, or used for other purposes without your explicit consent. For example, Microsoft does not use your health record data to market or advertise to you without your opt-in consent.

Translation features

And finally, a new section covers translation features in some Skype applications that also offer audio or IM translation features. "When enabled," the new section says, "audio conversations are translated, converted to text and provided as a transcript. Voice and text data are used to provide and improve Microsoft speech recognition and translation services."
