New DPIA on Microsoft Office and Windows software: still privacy risks remaining (long blog)
On behalf of the Dutch Ministry of Justice and Security, Privacy Company has investigated the privacy risks related to the use of Microsoft Windows 10 Enterprise, Office 365 ProPlus and Office Online, as well as the mobile Office apps. With the Ministry’s permission, we are publishing two blogs about our findings, this long blog post, as well as a short blog post. For questions about the research, please contact SLM Rijk ((Strategisch Leveranciersmanagement Microsoft Rijk), which can be contacted via the Ministry of Justice’s press spokesperson, +31 (0)70 370 73 45.
Results of negotiations between central government and Microsoft
At the beginning of May 2019, SLM Rijk and Microsoft concluded negotiations about new privacy terms for the 300,000 digital workplaces of the central government. These are the corporate versions of the Office and Windows 10 software, which are used by the ministries, the Tax and Customs Administration, the police, the judiciary and independent administrative bodies. Three new DPIAs (data protection impact assessments, written in English), which Privacy Company has carried out for the central Dutch government, show that Microsoft has mitigated the eight previously identified privacy risks for Office 365 ProPlus through a combination of technical, organisational and contractual measures. See the previous blog post about these risks. In a recent letter to the Dutch House of Representatives, the results of the negotiations that SLM Rijk has conducted with Microsoft are listed: Microsoft only acts as a processor for all its online services, processes the personal data for only three purposes, does not process the usage data for profiling, data analytics, market research or advertisements, and grants effective audit rights to the central Dutch government.
However, the new privacy conditions for the central Dutch government do not yet apply to the data processing via Windows 10 Enterprise or the mobile Office apps. Moreover, certain technical improvements that Microsoft has implemented in Office 365 ProPlus are not (yet) available in Office Online. From at least three of the mobile apps on iOS, data about the use of the apps is sent to a US-American marketing company that specializes in predictive profiling.The Dutch government will continue to negotiate with Microsoft to bring Windows and the mobile apps within the scope of the new privacy terms and to implement the same technical improvements for Office Online.
Therefore, SLM Rijk advises government institutions to, for the time being, refrain from using Office Online and the mobile Office apps, and to opt for the lowest possible level of data collection in Windows 10, namely Security.
Companies and organisations outside the central Dutch government can take a number of mitigating measures themselves (see the list at the bottom of this blog), but only Microsoft is able to eliminate the high privacy risks. This is why these organisations should negotiate privacy guarantees similar to those of the national government, preferably via an umbrella organisation or professional association. It would do no harm to refer to the European Data Protection Superviser’s ongoing investigation into the contract terms that Microsoft offers to European institutions. Apart from that, organisations could also carry out their own DPIA, based on the reports from the Dutch government, and submit the residual risks to the Data Protection Authority, as referred to in Article 36 of the GDPR.
Data collection via the installed versions of the software and on Microsoft's own servers
Microsoft Office can be used in three ways: installed on users' computers and laptops (Office 365 ProPlus), installed on smartphones and tablets (mobile Office apps for iOS and Android), and in the form of online applications running in the browser (Office Online). From all three types of Office, users have access to online microservices such as the spelling checker, translation module, or the ability to insert images from the Internet. These are the so-called Connected Experiences.
Almost all Dutch government organisations use the Office software in combination with Windows 10 as their operating system. Many government organisations also use Microsoft's cloud services: SharePoint Online and OneDrive for Business, and sometimes also the online mail server, Exchange Online. In that case, the use of the Azure Active Directory service is mandatory (for the authentication of the professional accounts).
Through its software and operating system, Microsoft collects and stores personal data about user behavior, so-called diagnostic data, on a large scale. Microsoft collects this data in various ways: via system-generated logs of events on its own servers and via the so-called telemetry client in Windows 10, in Office 365 ProPlus, and in the mobile Office apps. These telemetry clients systematically collect diagnostic data on the user's device and regularly send this information to Microsoft's servers in the United States.
The DPIAs assess the risks for data subjects resulting from the processing of these diagnostic data. Therefore, they do not examine the risks associated with the content data that users allow Microsoft to process, such as text, photos, and videos. The diagnostic data are also different from the functional data that Microsoft must (temporarily) process in order to enable users to use Microsoft's online services.
New privacy terms and conditions for the Dutch central government
SLM Rijk has negotiated contractual privacy guarantees with Microsoft for all Online Services and for Office 365 ProPlus. In the new agreement with the central Dutch government, Microsoft acknowledges that it may only act as a data processor for the data it receives about the use of Office 365 ProPlus, most Connected Experiences and the cloud services, and that these data are personal data. Microsoft may only process the data for three authorized purposes, and only if this is proportional. The purposes are: (1) to provide and improve the service, (2) keeping the service up-to-date, and (3) secure. Previously, Microsoft processed the data for eight purposes, including any purposes that they themselves considered to be compatible with the other specified purposes.
This strict purpose limitation applies both to the Customer Data and to all types of diagnostic data, including the system-generated event logs on Microsoft's own servers. Microsoft has also warranted that it will never use either type of data for profiling, data analytics, market research, or advertising, unless the customer explicitly requests it. Specifically, this includes a prohibition on the use of diagnostic data to show "recommendations" about Microsoft products that the customer has not purchased or used.
The Government has negotiated effective audit rights, and has also committed itself to having an independent auditor perform an annual audit to verify compliance with these measures and agreements. SLM Rijk will publish a summary of the findings.
Measures taken in Microsoft Office 365 ProPlus
Over the past six months, following the publication of the first DPIA on Office 365 ProPlus, Microsoft has implemented a large number of technical and organisational measures to reduce the privacy risks identified for Office 365 ProPlus worldwide.
Since May 2019, Microsoft has been publishing comprehensive documentation on the diagnostic data relating to the use of Office ProPlus. Microsoft has adapted its existing Data Viewer Tool for Windows 10 to also display the Office 365 ProPlus telemetry data. This allows data subjects to view the Office ProPlus data that Microsoft collects from their device.
Since May 2019, Microsoft has offered a large number of frequently used and indispensable Connected Experiences such as the spell check, the translation module, and the Office help function as a processor, and no longer as a controller. There are 14 Connected Experiences for which Microsoft remains the controller (the additional Connected Experiences), but Microsoft enables system administrators of Office ProPlus to centrally disable the use of these Controller Connected Experiences. Centrally disabling these services avoids the risk of Microsoft asking the employees for consent to collect data about the use of these services, while consent is not a valid basis for this data processing.
Since the release of the Office 365 ProPlus version 1904, as made available by Microsoft on 29 April 2019, Microsoft has built in a choice for system administrators to minimize the telemetry level. Microsoft offers three options: Required, Optional, and Neither.
The technical research for this DPIA, limited to the Required and Neither levels, shows that Microsoft collects a limited number of telemetry data about the use of the (new versions of) Office ProPlus software. Both the Required and Neither levels contain no file, e-mail, or conversation content, and no directly identifying information such as usernames or email addresses. The messages related to the Processor Connected Experiences such as the spell check and the translation module also do not contain fragments of the content.
Some Required-level messages do contain more sensitive information, such as the exact number of pages, paragraphs, lines, words, characters, spaces, pictures, and quotes in a Word file.
There seems to be little difference between the two telemetry levels, despite Microsoft's explanation that if ‘Neither’ is chosen, no diagnostic data about the use of the installed software will be sent to Microsoft.
In response to the findings, Microsoft indicated that, regardless of the telemetry choice, it always collects two other types of diagnostic data via Office ProPlus, namely data about the use of the Connected Experiences and data about what Microsoft calls Essential Services (such as authentication and license verification). There is a lack of information about these processing operations.
The report concludes: "If the government administrators take the recommended measures in this DPIA, as a result of the contractual and technical improvements there are no more known high data protection risks for data subjects related to the collection of data about the use of Microsoft Office 365 ProPlus.”
Results of the DPIA on Office Online and the mobile Office apps
Microsoft has not yet implemented these improvements in Office Online and the mobile Office apps, and the measures do not (yet) apply to the mobile Office apps either.
Microsoft has not yet made available a technical opt-out alternative to prohibit the use of the Controller Connected Experiences in Office Online and the mobile Office apps. Microsoft also has not published any information about the diagnostic data from the mobile Office apps or Office Online, and does not offer administrators a chance to minimize the data flow from these software versions.
Microsoft regards itself as a data controller for the mobile Office apps. This means that the contractual improvements that SLM Rijk has negotiated with Microsoft do not apply, despite Microsoft's assurance that all privacy safeguards will effectively apply to all data it processes about users who are logged in with their Azure Active Directory account.
Although the technical analysis of data traffic from Office Online and the mobile apps shows that Microsoft does not collect much diagnostic data, and no content data from the contents of files, e-mails or chats, Microsoft does send diagnostic data to a marketing company in the United States via at least three of the iOS apps (Word, Excel, and PowerPoint). This processing takes place without the user's knowledge and without any information about the presence or purpose of this processing. Although the data, which is revealing that a unique employee has worked with a specific application at a specific time, is not sensitive in nature, it is transferred to a company in the United States that is not bound by the privacy safeguards that Microsoft is bound by. The company in question specializes in predictive profiling of individuals for commercial purposes.
The report concludes: "Currently, the processing of diagnostic data about the use of the mobile Office apps and the Controller Connected Experiences leads to five high data protection risks. Only Microsoft can effectively mitigate these risks. Government organisations are advised to create policies for their employees to not use Office Online and the mobile Office apps. SLM Rijk will continue its negotiations with Microsoft to ensure that Microsoft realises the negotiated improvements for all services included in the Office 365 license."
Results of the DPIA on Windows 10 Enterprise
Microsoft considers itself (as with the mobile Office apps) as the (sole) controller for data processing via Windows 10 Enterprise. As a result, the processing of diagnostic data on the use of the operating system is not covered by the new privacy guarantees for the Dutch government.
In its technical documentation, Microsoft mentions specific purposes for the processing of diagnostic data about the individual use of the Windows 10 software. However, this information is not legally binding. Under the agreement with customers, Microsoft can process the diagnostic data for almost all of the very broad purposes set out in its general privacy statement. The 16 relevant purposes include the use of personal data for personalized advertisements in Windows 10 and in apps, to make commercial offers, and to use customer contact information for recruitment purposes via email, SMS, mail, and telephone.
The processing of diagnostic data for so many broad and undefined purposes is contrary to the principle of purpose limitation. Additionally, in most cases, there is no legal basis for processing the diagnostic data for these purposes. As (sole or joint) controller, Microsoft cannot rely on the consent of employees as referred to in the GDPR because of the dependent position of employees. At the same time, consent is required under Section 11.7a of the Dutch Telecommunications Act for retrieving data via the Internet, through built-in software, if such processing is not strictly necessary.
Organisations can eliminate the risk of unlawful processing by opting for the Security telemetry level. The technical analysis of telemetry data traffic shows that Microsoft processes very little personal data if telemetry is set at this level, and no sensitive personal data. The report concludes that if the telemetry is set to Security (or the telemetry traffic is blocked), and if the administrators centrally prohibit the use of the cloud synchronization functionality via Windows timeline, there are no known high data protection risks.
SLM Rijk is providing significant input to Microsoft for an upcoming structural solution for Windows 10 Enterprise customers which is being designed for Windows 10 Enterprise 1809 and later versions. This will allow government organisations to have a simplified compliance solution for Windows 10 Enterprise at diagnostic data levels above Security. This solution will be ready in the foreseeable future, and Microsoft plans to make an announcement about this structural solution later this year.
Taking privacy-enhancing measures yourself
All administrators of the Enterprise versions of the Office and Windows software can take a number of concrete measures to reduce the privacy risks for employees and other data subjects whose personal data may be processed by employees:
- Upgrade to version 1905 or higher of Office 365 ProPlus and set the telemetry level to the 'Neither' option.
- Make use of the possibility to prohibit the use of the Controller Connected Experiences in Office 365 ProPlus (disable additional Connected Experiences).
- Disable the Customer Experience Improvement Program (CEIP) in Office ProPlus.
- Disable LinkedIn integration for Microsoft employee accounts in Office ProPlus.
- Establish policies to warn employees not to use the mobile Office apps and the Controller Connected Experiences in Office Online until the five high risks have been mitigated.
- Choose the lowest, minimum level of diagnostic data collection in Office Online and the mobile apps as soon as technically possible.
- Update the internal privacy policy for handling employee personal data with specific information about for which purposes and under which circumstances the organisation may view different types of diagnostic data from Microsoft's different services and products.
- Perform DPIAs prior to using Workplace Analytics and Activity Reports in the Microsoft 365 admin center, and before employees can use MyAnalytics and Delve.
- Consider the use of Customer Lockbox and Customer Key, depending on the sensitivity of the content data.
- Upgrade to version 1903 of Windows 10 Enterprise to use Intune with Securitytelemetry.
- Set the telemetry level in Windows 10 Enterprise to Security, or block telemetry traffic and do not allow users to synchronize their activities through the Timeline functionality.
- Take into account changes in the validity of data transfer tools (such as the EU-US Privacy Shield) following future case law of the European Court of Justice. It is up to the European Court of Justice to assess the risks of mass surveillance in the United States and up to the European legislator to reduce the remaining risks of transmitting diagnostic data from the EU to the US.
The how and why of these recommendations is explained in the three separate DPIAs for SLM Rijk. See also the detailed Dutch summaries of the reports on Office 365 ProPlus, Office Online and the mobile apps, and Windows 10 Enterprise.
Privacy Company has also published a short blog post about these three reports.