Use Microsoft Office for enterprise? Your data is being collected

If you, like many other businesses, use Microsoft’s enterprise-focused Office 365 ProPlus package, you could be volunteering a broad sweep of your employees’ personal data over to the global computing giant.

In a Data Protection Impact Assessment (DIPA) commissioned by the Dutch government, Privacy Company unearthed “alarming” findings; “Microsoft collects and stores personal data about the behavior of individual employees on a large scale, without any public documentation,” reads the report.

That includes the ‘covert’ and ‘systematic’ collection of data about the individual use of Word, Excel, PowerPoint, and Outlook, while Microsoft offers no option to switch off the collection or the ability to see the (encoded) data being collected.

“Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States,” reads the report.

That includes, for example, information about events in Word, when a user hits the backspace multiple times in a row, signaling that they don’t know the correct spelling. It would also include the sentence before and after a word looked up in the online spelling checker or translation service.

The big worry is that this telemetry data— automatically fed back for Microsoft to help optimize programs— will be at higher risk as Microsoft pushes more of its services onto the cloud.

This concern was raised in the DPIA, in particular, given the sensitive nature of governmental institutions it was commissioned to guide, which includes 300,000 workstations across, ministries, the judiciary, the police and tax authorities deploying the Office enterprise software.

So far, these groups have stored data locally, but are piloting storage on Microsoft Cloud, SharePoint, and OneDrive, which the DPIA flagged as coming with “high data protection risks for data subjects.”

Since the report was published, Microsoft has allegedly committed to making adjustments to software to accommodate privacy concerns, including a tools allowing users to view and adjust the telemetry data that’s being sent, and a ‘zero-exhaust setting’.

While these measures aren’t a failsafe— Privacy Company lists six areas which remain a ”protection risk”— a representative of Microsoft told TNW that the company was committed to finding a solution to concerns.

“We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

“We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”

Meanwhile, Privacy Company lists a number of measures admins of the enterprise version of Office ProPlus can take to mitigate data privacy risks in the Netherlands— although many of these will be applicable to other markets.  

• Apply the new zero-exhaust settings
• Centrally prohibit the use of Connected Services
• Centrally prohibit the option for users to send personal data to Microsoft to ‘improve Office’
• Do not use SharePoint Oneline / OneDrive
• Do not use the web-only version of Office 365
• Periodically delete the Active Directory account of some VIP users, and create new accounts for them, to ensure that Microsoft deletes the historical diagnostic data
• Consider using a stand-alone deployment without Microsoft account for confidential/sensitive data
• Consider conducting a pilot with alternative software, after having conducted a DPIA on that specific processing This could be a pilot with alternative open source productivity software. This would be in line with the Dutch government policy to promote open standards and open source software.