Westphal Johansen Advocaten

Sneaky software

Sneaky software from Microsoft? Yes, sneaky software. On 5 November 2018, The Privacy Company conducted a Data Privacy Impact Assessment (DPIA) on the (diagnostic) data in Microsoft Office Pro Plus on behalf of the Ministry of Justice and Security. The findings and conclusions of this voluminous, well-founded, 91-page report are downright shocking. After all, they show that Microsoft systematically secretly collects data on a large scale on individual use of Word, Excel, PowerPoint and Outlook. Secretly. Without informing people about it. Sneaky software, in other words.

Mysterious data streams

This covertly collected data is encrypted and sent to Microsoft's own servers in the United States or elsewhere. Microsoft did not give the researchers access to the type and sort of data that is collected and transmitted. Until Microsoft provides evidence to the contrary, the researchers therefore assume that it concerns both metadata and content.

Microsoft under the privacy microscope

SLM Rijk, a separate purchasing department within the Ministry of Justice and Security, is responsible for purchasing - among other things - Microsoft software. That department buys the software for 300,000 digital workstations of the central government. For example, for ministries, the tax authorities, the police and the judiciary. Currently, only versions of Office 2016 and Office 365 are used, and the data of the various ministries and other government agencies are stored on local servers and computers. These versions will no longer be supported in the near future, and the transition to the cloud will have to be made.

The report shows clearly that Microsoft has a completely different, American approach to privacy. An approach that, according to the authors of the report, is at odds and in conflict with European attitudes to privacy and the General Data Protection Regulation (GDPR).

The report also provides a detailed description of 8 high risks for those involved, such as civil servants, contact persons, applicants and people who are discussed in the reports of civil servants or who make use of the Office products of the State. Translated to, for example, the tax authorities and the judiciary, this means that there are high risks associated with the use of Microsoft software by taxpayers and litigants.

Response of Microsoft: zero-exhaust settings

Microsoft has responded to the report by announcing a number of global changes to reduce risks. In addition, it has developed so-called zero-exhaust settings, that SLM Rijk can make available exclusively to government institutions, subject to an obligation of confidentiality.

According to Microsoft, these settings will ensure that no network traffic (diagnostic or other data) is transferred from Windows to public IP addresses without the express permission of the user.

Remaining high risks

But even after the use of zero-exhaust settings, according to the report, there are still 6 high risks for those involved:

• The unlawful storage of sensitive, classified or special personal data by Microsoft, both in the traffic data and in the content of diagnostic data;
• The misrepresentation of Microsoft as a processor, instead of as a joint controller;
• Insufficient control of sub-processors and the actual data processing;
• The lack of purpose limitation of the data collection;
• The transfer of all types of diagnostic Office data outside Europe, based on the Privacy Shield that is under discussion at the European Court;
• The unrestricted retention period of the diagnostic data and the absence of a means to delete these data (other than by destroying the user's account).

It's not just personal data that are at risk, but also business secrets.

It is not just personal data that are at risk because of Microsoft's sneaky software. Business secrets may also be less secure than is generally assumed if they are stored or otherwise processed using Microsoft's software. After all, it is not clear what information Microsoft collects and transmits to its own servers in the United States or elsewhere in the world. Moreover, the report shows that Microsoft itself does not know exactly what data it has and where that data is located.

Different approaches to privacy and third party doctrine

What is striking about reading the report is that Microsoft has and takes a completely different attitude to privacy than we are used to in Europe. A position that can probably be traced back to the U.S. third party doctrine, which means that a person cannot have a legitimate expectation of privacy if he or she voluntarily transfers information to a third party. These days, this is very quickly the case when data is stored in the cloud (read: on the server of a third party).

CLOUD Act

However, data collected by Microsoft is also threatened by an American law adopted last year, the Clarifying Lawful Overseas Use of Data (CLOUD) Act. This law is the U.S. response to the Microsoft/FBI case in which a U.S. court ruled that Microsoft had rightly refused to provide the FBI with data (email messages) stored in its European data centers. This Cloud Act has put an end to the Microsoft/FBI case before the US Supreme Court and Microsoft has reportedly now transferred the requested data to the FBI.

System Administrators: Take action!

In view of the privacy and security risks that have been identified, The Privacy Company recommends that administrators of Microsoft software take a number of measures to reduce the privacy risks. These can include:

• Asking Microsoft how to prevent or limit 'emissions' of personal data and other sensitive information (zero exhaust);
• Central prohibition of the use of voluntary Connected Services;
• Centrally turning off the ability to "Improve Office";
• Prohibiting the use of SharePoint online/Onedrive;
• Prohibiting the use of the web-only version of Office 365;
• Destroying the Active Directory Account;
• Using local accounts (without Microsoft account) and
• Looking for alternative software.

The privacy supervisor EDPS is also carrying out research.

The European Data Protection Supervisor (EDPS) has also started an investigation into Microsoft's software. The EDPS will examine whether Microsoft's products and services comply with the law.

No privacy by design and default

The report shows that Microsoft has not exactly applied privacy by design and privacy by default. In fact, in view of the fact that data-collecting settings are enabled by default, the very broad objectives pursued by Microsoft with regard to data processing and the aforementioned recommendations of the researchers, privacy piracy or privacy violation by default appears to be a more accurate description of Microsoft's working method.

Interesting questions with far-reaching consequences

The researchers have established that Microsoft has not only not applied privacy by design or privacy by default, but also that Microsoft is wrongly presenting itself as processor of personal data, while together with the customer of the software it is in fact the joint controller.

In my opinion, the questions that European privacy supervisors and - perhaps also - judges will have to answer over the next few years are:

• Does Microsoft, as a software supplier or SaaS service provider acting with due care, have to meet the requirements of privacy by design and privacy by default?
• Or does Microsoft, as the (joint) controller, have to comply with these requirements?
• And is the absence of privacy by design and privacy by default reason to impose a ban on the processing of personal data on Microsoft as referred to in article 58(2)(f) of the GDPR?

Another question which, in my view, is more urgent and which the European contracting authorities will have to answer, is whether they can still allow Microsoft to compete for public contracts. Indeed, recital 78 of the GDPR shows that the principles of data protection by design and by default should be taken into consideration in the context of public tenders. If the contracting authorities do indeed take these principles into consideration and take them seriously, then exclusion of Microsoft would be obvious and logical.

The big problem.

The big problem, however, is that not using Microsoft software is currently extremely problematic. This is because there is no (real) alternative, resulting in an extreme case of vendor lock in.

European headache: Microsoft unplugged?

The key question is therefore: what will the Dutch Data Protection Authority, the other European privacy regulators and the contracting authorities do about Microsoft's sneaky software? Will they opt for the easy way out and only impose fines on Microsoft? Or will they really show their teeth and prohibit Microsoft from processing personal data in whole or in part, permanently or temporarily, and from taking part in tenders until the software is privacy proof? In other words, will Microsoft be unplugged?

Interesting challenge

Will privacy pirate Microsoft finally be tackled or will it remain software business as usual? Will the data hunger of the big tech companies be stopped or will (European) privacy be lost? Or will this be an interesting challenge for a European software developer who appreciates the importance of privacy and will seize the opportunity to become a world-class software supplier? Time will tell.