Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws (theregister.co.uk)
"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.
It is SPYING! (Score:5, Insightful)
The Register used a sloppy title and headline. (Score:3)
Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
Better:
Microsoft may have to pay huge GDPR fines in Europe for 'large scale and covert' gathering of people's info via Microsoft Office.
Microsoft spying broke the law, Dutch government officials say.
Re: (Score:2)
But your title doesn't offer sufficient amounts of fellatio to Microsoft!
Seriously, that original title and blurb just reeks of trying to mock the EU for wanting an American company to play by the rules.
Re: The GDPR is just for xenophobic witch hunts... (Score:2)
Re: (Score:2)
Please don't say that all Europeans did that unless you want us to say that all Americans voted for their current president.
Re: (Score:2)
Upholding the institutions of democracy [wikipedia.org] is another one.
Re: (Score:2)
It will be used against the largest companies with the most impact first. And Microsoft, Facebook, Google, and Amazon rank pretty high on the lists. The US wouldn't be in this pickle if it didn't have the interesting but toxic cocktail of zero respect for user privacy, the US patriot act making it official that foreigners don't have any rights on their data when it resides in the USA, and a history of abusing information gotten through intelligence work to give US companies a leg up. Combine that with a US
Re: The GDPR is just for xenophobic witch hunts... (Score:2)
"the US patriot act making it official that NO ONE has any rights on their data"
FTFY
Re: (Score:2, Insightful)
Did you not get the new Microsoft dictionary:
Telemetry = The collecting of personal data such that we can sell it to advertisers
Improved customer experience = Allowing the customers to be our testing partners thus giving them an improved insight into how our software is developed.
keep it going.
I'm not sure... (Score:2, Interesting)
The thing is we have no idea what this data is used for. If it were Google I would think advertising, but with Microsoft I would actually be more inclined to think it's something technical.
Personally I think the GDPR is a good idea but perhaps goes too far. Certainly the click-through messages about privacy you have to go through on every website now are stupid and do nothing to help anyone. Also I think there is valid technical need to collect some data for just technological advancement, and I worry tha
Re: (Score:2)
Having a good reason to collect data is one thing.
It's just that it should not be a surprise to anyone, i.e. you're supposed to do it in a transparent, obvious, and common sense manner.
Not quite what I was after (Score:1)
I'll accept the first part of your statement as being true for the sake of argument, but how would requiring active consent overly hamper that?
In practice it probably does not, since everyone clicks through GDPR agreements like they do all other consumer noise. So there is probably more than enough collectible data to go around for research and advancement.
That brings up a deeper concern though - it's more annoying to users, and if you think about it you could be agreeing to far more potentially egregio
Re: (Score:1)
In practice it probably does not, since everyone clicks through GDPR agreements like they do all other consumer noise.
Not everyone does. Careful with the generalizations.
That brings up a deeper concern though - it's more annoying to users, and if you think about it you could be agreeing to far more potentially egregious uses of data than were currently allowed under an old system where you didn't have to give consent...
You haven't thought that through.
Just because one gives consent to something does not imply that said something is legal and thus allowed. Such is the case with GDPR, where in addition to requiring consent in several cases, what can then be done with the data - given with consent or not - is a lot more strictly regulated now than it was before.
So no, you could *not* be doing that which you suggest.
I personally would have been more for the same kind of law that restricted more what companies could use data collected like that for, or perhaps to more carefully control sharing of data.
GDPR does that, clicky boxes or not.
Re: (Score:2)
They do admit to logging keystrokes so they can determine best usage of menu options and to provide hints on how you can be more productive through keyboard shortcuts.
Others fear they might be collecting code fragments to provide as "Snippets" for others to use.
Fear? (Score:1)
Others fear they might be collecting code fragments to provide as "Snippets" for others to use.
I have exactly the farthest reaction away from "fear" to that. Wouldn't it be amazing if Microsoft, or Apple, actually detected code fragments super commonly typed in order to figure out how to eliminate us all having to type them?
Even in the most modern of languages boilerplate code is common, and it would be great to at least snippet that as much as possible, or have code completion melt a lot of that work away
Re: (Score:2)
Most application developers build their own shell applications that load in the commonly used libraries (OpenCV, OpenGL, CUDA, maths libraries) and then run a basic application rendering loop. Then there are file parsers, object serializers, libraries to simplify data transfer between hosts
Re: (Score:2)
The GDPR is nowhere near perfect. It has given websites the excuse to demand you click and accept an EULA (which you can't read because their popover covers it) before you visit.
However, it is a start. Right now, a company getting hacked actually can make the top brass rich, just because the CxOs can short their stock before the announcement, and most people forget about the intrusion, so stock bobs back up in a few months. The GDPR actually makes companies actually be concerned about security to actuall
Re: (Score:2)
The GDPR is nowhere near perfect. It has given websites the excuse to demand you click and accept an EULA (which you can't read because their popover covers it) before you visit.
However, it is a start.
This is in itself a GDPR violation and will end up resulting in fines. Websites that default to all cookie choices ticked as default are also in violation of at least two EU directives - one saying that choices for contact *must* be opt-in only, and the second for not making the choices clear.
Re: (Score:2)
Honestly, I'm not sure I'll ever forgive Microsoft for giving telemetry such a bad name. I've already seen the fallout from this when people have a knee-jerk reaction to any discussion of telemetry, assuming it's only used for slurping up personal information for less-than-honorable purposes (and unfortunately, we've seen that happen). When it's optional and clearly disclosed to the user, it can be a valuable tool to help developers improve their software.
But when users can't opt out or easily see what's
In other news (Score:2)
Who knew?
Re: (Score:2)
And you knew Microsoft was a snake when you took it in.
Use PowerShell (Score:1)
Then type:
stop-service diagtrack
set-service diagtrack -startuptype disabled
MS is misleading. Subject line is unencrypted, logg (Score:5, Informative)
Microsoft is being misleading by calling it "publicly accessible".
Their "excuse" for saying that may be that the subject is in fact less secured than the email body, by protocol standards. Consider an encrypted email, sent from me to you. Only you and I can read the contents of the email. However, the email has to be handled by various mail servers between us in order to get from me to you. The mail servers need to be able to read at least the To: and From: addresses in order to route it, and really some other headers as well. Therefore the email headers can't be encrypted, only the body can be encrypted end-to-end.
Any mail servers between us can see the subject line, and in most cases so can any routers, switches, IDS systems, etc.
In order to be able to troubleshoot problems with emails, compute statistics, etc, headers could also be logged. Typically the log does NOT include the subject line, but it can.
So that wording by Microsoft is a bit deceptive. It is, however, true that if you encrypt your email the subject line and other headers aren't encrypted end-to-end. They can be encrypted per-hop with smtps.
Try it and see (Score:3)
Try it for yourself. Have someone send you an encrypted email using any random key that you don't have. You'll see the subject line. If you know how to in your mail reader, you can see all of the other headers too.
Even easier, have a look at what's stored for any of your existing email. You'll see the MUA has the email headers and bodies - it doesn't have the SMTP conversation. That's because MUAs don't receive mail via SMTP.
Guess what else - you can send email via IMAP. Outlook uses MAPI. Protocols tha
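The headers-in-the-clear point made in the two posts above, as an added example that is not from the thread or from Microsoft: a constructed PGP/MIME-shaped message is parsed the way a relay would see it, showing From, To and Subject readable while the body is opaque. The addresses and the "ciphertext" are made-up stand-ins, and `mta_log_line` is a hypothetical log formatter, not any real MTA's format.

```python
"""Added example (not from the thread): what an intermediate mail server
can read from an end-to-end encrypted (PGP/MIME, RFC 3156) message.
Addresses and 'ciphertext' are constructed stand-ins; only the layout matters."""
from email import message_from_bytes, policy

# Constructed sample, laid out the way a MUA hands it to SMTP.
ENCRYPTED_MAIL = b"\r\n".join([
    b"From: alice@example.org",
    b"To: bob@example.net",
    b"Subject: Q3 restructuring shortlist",  # outer header: always cleartext
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
    b' boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: application/pgp-encrypted",
    b"",
    b"Version: 1",
    b"--b1",
    b"Content-Type: application/octet-stream",
    b"",
    b"-----BEGIN PGP MESSAGE-----",
    b"hQEMA3...opaque stand-in for the ciphertext...",
    b"-----END PGP MESSAGE-----",
    b"--b1--",
    b"",
])


def relay_view(raw: bytes) -> dict:
    """What any SMTP hop (or a header-sniffing IDS) can read without a key:
    headers parse in the clear; the body has no text/* part at all."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body_part_types": parts,
        "body_readable": any(t.startswith("text/") for t in parts),
    }


def mta_log_line(raw: bytes, include_subject: bool = False) -> str:
    """Hypothetical delivery-log formatter. Routing needs only the addresses;
    whether the Subject is written to logs is an operator choice, and a
    data-minimisation one once logs are retained or shipped off-site."""
    view = relay_view(raw)
    line = f"from=<{view['from']}> to=<{view['to']}> size={len(raw)}"
    if include_subject:
        line += ' subject="' + view["subject"] + '"'
    return line
```

Per-hop TLS (SMTPS/STARTTLS) hides all of this from routers and IDS boxes between two hops, but every relay still decrypts the session and sees exactly what `relay_view` returns.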
Re: (Score:1)
However if you're a sensible adult, you ought to be able to realize that two wrongs don't make a right. Just because your neighbour A's dog shits on the lawn of neighbour B, and you don't do anything about it, it doesn't give neighbour B the right to let their dog shit on your lawn. If neighbour B lets their dog shit onto your lawn, you've got every right to bitch about it.
Microsoft counter claims. (Score:5, Funny)
Of all the installs that created the document only the version used by the second assistant junior sub flunkie is actually a verified and authorized install. We have located at least 22 unauthorized Windows installations and 42 unauthorized MS Office installations. We will be suing the government under anti-piracy laws for compensation of 3.3 billion euros
Also Microsoft Windows 10 does not collect any data, telemetry or otherwise. We challenge the government to prove that we collect data instead of engaging in idle speculation.
Re: (Score:2)
The GDPR is a good thing (Score:5, Insightful)
I'm glad activists got through with the GDPR. They did a good job.
Whilst the US has basically just come up with TCPA (no law but still), PATRIOT, DMCA and other orwellian f*ck-you laws and regulations, here some activists with close affiliation to FOSS and similar movements basically got their version of the EU GDPR law through. It would be nice to see the GDPR serve as an example to the US and if the US would get its own version of it.
As for MS: they have been regaining karma with me lately but I still think it would send the right signal if they get fined into next Wednesday to show that the EU isn't f*cking around and will have any corporations head on a stick should someone choose to question the applicability of the law.
On the job I've been the GDPR guy after taking seminars and reading through a stack of regulations. And while some parts of it can be tedious to deal with, it does force everyone on ship to keep an eye out on how, when and where personal data is handled. And that was the law's intention and that's a good thing.
My 2 eurocents.
Re: (Score:2)
Santa Claus (Score:2)
A joke I read on Twitter a couple of days ago;
He's Making a List,
He's Checking It Twice,
He's Gonna Find Out
Who's Naughty and Nice.
Santa Claus is in contravention of Article 4 of the GDPR.
Here we go again... (Score:3)
... may put Microsoft on the hook for potentially tens of millions of dollars in fines
When are the authorities going to understand that a mere 'tens of millions of dollars' represents a chump-change cost of business for companies like Microsoft? Wake me up when the fines start getting into the multi-billion dollar range - that's the kind of fine that might deter big corps from acting out their rampant psychopathic attitudes and anti-social practices. Until then, stories like this are just yawn-worthy, formulaic excuses for churning out yet more reams of journalistic boilerplate.
Re: (Score:2)
They can fine a percentage of the global income of the company. I'm going to go out on a limb here, but my guess is that that would hurt even Microsoft. Another guess is that this was introduced specifically for companies like Microsoft.
"What is the maximum administrative fine under the GDPR? There are two tiers of administrative fines that can be levied as penalties for non-compliance: Up to €10 million, or 2% annual global turnover – whichever is higher. Up to €20 million, or 4% annual glo
Re: (Score:2)
No, the incident is not measured by number of victims.
GDPR definition: "Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
It is the breach that matters, not how many people are affected, although you can bet that that will affect the size of the fines. If say, a hospital, has a breach and all patients files are freely shared on the inter
Use LibreOffice (Score:1)
Re: (Score:1)
...The USA just keeps on creating great products people want to use.
You owe me a keyboard [youtube.com]
Re: (Score:1)
>The USA just keeps on creating great products people want to use.
ROFL. Bitch please... antitrust laws were gutted and here we are.