Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps. That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus …

What about Windows 10 that Office is sitting on?

Surely the telemetry of both Office and Windows 10 is of concern here, not just Office?

The easiest way to comply with GDPR is to not collect the data, or at a minimum give us back the ability to say 'no' to data collection of any kind. I'm hoping this will focus some attention on Windows 10 and have Microsoft put back the ability to stop telemetry from the OS, and with all the update screw ups, maybe give us back update control too?

It all 'worked fine' up until Windows 7, so maybe if it wasn't broken, it didn't need fixing.

Silver badge

Re: What about Windows 10 that Office is sitting on?

The easiest way to get MS to stop fucking around is to fine them so hard it makes their shareholders bleed like badly butchered pigs. A slap on the wrist won't even make them blink, a few million dollars will make them laugh, but a few hundred BILLION will shove that laughter right back down their throats so they choke on it.

Give MS a hard date for improvements to be made, test the hell out of the whole thing (OS & office) to make sure it complies, & fine the fuck out of them if it doesn't.

This "fix it or we fine you to death" tactic is perfect for pretty much *every* company that thinks it can thumb its nose at you. Don't write a stern letter, don't fine them what amounts to sixty seconds of profit on a slow day, fine them so much their shareholders jump up out of their cushy chairs & howl for the situation to change else they get a CEO's head on a pike.

Silver badge
Thumb Up

Re: "get a CEO's head on a pike"

I like the way you think.

Re: What about Windows 10 that Office is sitting on?

The Law is a maximum 20 million Euro fine, or 20% of turnover - whichever is GREATER. Microsoft could in theory be hit very hard indeed by an unremedied breach of GDPR.

LDS
Silver badge

Re: What about Windows 10 that Office is sitting on?

It's 4% of turnover... still a not small amount.

Silver badge
Thumb Up

Re: What about Windows 10 that Office is sitting on?

"Surely the telemetry of both Office and Windows 10 is of concern here, not just Office?"

see icon

EVP

Re: What about Windows 10 that Office is sitting on?

“A slap on the wrist won't even make them blink, a few million dollars will make them laugh, but a few hundred BILLION will shove that laughter right back down their throats so they choke on it.”

Exactly. Anything else is pointless.

What is appalling to me, is that big companies with enormous resources (i.e. they do know what they are doing) are allowed to break the law time after time and get away with it by “oops, didn’t mean/know/whatevermuttermutter, let me fix it in six months, or maybe in twelve if we feel like it” (yet never fixing it).

If I, say, accidentally exceed the speed limit because I didn’t spot a sign, no amount of explaining will make any difference if I get caught.

Silver badge

Re: What about Windows 10 that Office is sitting on?

Remember that telemetry has been retrofitted to Windows 7 and 8 if you aren't extremely careful about how you install it, services run, etc. So, no, everything is not fine now with Windows 7.

Anonymous Coward

Re: What about Windows 10 that Office is sitting on?

Of course, if you ever installed Windows 8 in the first place, all bets are off.

Alert

Re: What about Windows 10 that Office is sitting on?

The report (the pdf) itself gives some "amusing" insight...

Page 12 of 91...

Technical limitations

"The technical lab was unable to inspect the contents of the outgoing data stream. As an essential security measure, Microsoft encodes the outgoing traffic to its own servers. Microsoft did not provide tools to the lab to decode the outgoing data stream."

How surprising...

"It was not (yet) possible to view the contents of the traffic in another way, because Microsoft had not yet developed a tool to be able to view the diagnostic data in a way similar to the Data Viewer Tool provided for the Windows 10 telemetry data."

Really..? So MS gathers, encrypts, sends, and stores data they can't view?

"However, Privacy Company is working with Microsoft to analyse the collected telemetry data. Microsoft has also offered a test version of a data viewer tool to be teste <sic> by SLM Rijk."

Yours sincerely, your helpful Government.

Flame

Re: What about Windows 10 that Office is sitting on?

And for those reminiscing on (the division of) the power of government in today's world...

On the same page...

"When asked how to deal with secret but authoritative answers, Microsoft has specified that SLM Rijk may not share the document, but may use the facts."

Emphasis by your humble commentard.

"Resistance is futile".

Silver badge
Devil

Re: "get a CEO's head on a pike"

How would putting it on a fish help?

Silver badge

Re: What about Windows 10 that Office is sitting on?

All we need is everyone from European countries here to report MS to their equivalent of the UK's ICO over this, then sit back and watch as 28 simultaneous charges of breaching the GDPR occur at once. It would be most excellent if each country could fine MS 4% of annual turnover in turn.

Then follow it up with Apple and Google.

Anonymous Coward

Re: What about Windows 10 that Office is sitting on?

The minimum is not to give back the answer to say no, it is not to enable it in the first place unless we say yes.

Anonymous Coward

Re: What about Windows 10 that Office is sitting on?

No idea why people lump Apple in with this lot, they aren't anywhere near to the level of Microsoft, let alone Google.

Silver badge

Re: What about Windows 10 that Office is sitting on?

fine them in holland. then get germany to fine them too. And france.

soon i suspect they will get the message.

Re: "get a CEO's head on a pike"

don't tell him!

Re: What about Windows 10 that Office is sitting on?

Off topic but....

"If I, say, accidentally exceed the speed limit because I didn’t spot a sign, no amount of explaining will make any difference if I get caught."

Even more unfair if the speed limit is not related to any accident black spot, road safety or road condition but because it's a 'smart motorway' and they can, in an attempt to get air pollution down to EU requirements. Millions spent on smart motorways and we have to travel at 60 mph. (South Yorks., Notts, and Derbys.)

Back on topic.....

In my view the GDPR failed because it did not mandate a user's right to clearly say NO to all this data snooping. The rule still seems to be "If you want to use my SW you have to accept me snooping, I just have to ask you to note that I do these things - even if it's not relevant to the SW operation" Android Apps being the worst offenders.

Silver badge
Holmes

Re: What about Windows 10 that Office is sitting on?

Didn't you know that Apple is persona non grata in these parts?

They are the company that everyone loves to hate simply because they are so successful.

From what Tim Cook has stated many times, they are small fry in the data slurp league when compared to MS, Google, Facebook and others but... he could be telling porkies. We simply don't know so we carry on with the guilty until proven beyond all doubt hate of Apple that is the norm and has been the case for years on this site.

Re: What about Windows 10 that Office is sitting on?

It allows you to request the information that Microsoft has collected and to demand that it be deleted or corrected. There are substantial costs associated with those activities so if Microsoft gets requests and incurs those costs it will be quick to provide opt outs rather than incur them. If you object to the data collection in the first place just ask for the information. If people don't do so Microsoft can only conclude that people don't care.

I gave up using Microsoft products after Windows 7 precisely because I do care (I now use Linux and mostly open source software).

Anonymous Coward

Re: What about Windows 10 that Office is sitting on?

Apple are spin masters, a lot of the Google data slurp noise is created by Apple and their shill army, the more noise they can fire at Google, the better it makes them look in the eyes of consumers.

If you look at their data harvesting policy, it's no different at all to what Google do. Apple privacy policy states they collect location data to improve maps for example. So Apple are tracking your every movement, and unlike Google, it's not optional. You agreed to it when you accepted the software licence on your iPhone. At least Google location services can be switched off.

Anonymous Coward

Re: What about Windows 10 that Office is sitting on?

"Apple privacy policy states they collect location data to improve maps for example"

Judging by the appalling state of Apple maps it appears you have picked the one thing that Apple is not snooping on. :)

"At least Google location services can be switched off."

Settings - privacy - location services. Has been giving control over location data for quite some time, including Apple Maps. For each app, it gives you the choice of always, only when you're actively using the app or off.

Silver badge

Re: What about Windows 10 that Office is sitting on?

"From what Tim Cook has stated many times, they are small fry in the data slurp league when compared to MS, Google, Facebook and others but..."

Many times during my school career I heard a whiny child-like voice saying "but he did it too!" as if that somehow excused bad behaviour. Even sometimes a similar whiny kiddy voice saying "but she did it worse".

That sort of behaviour should be gone by the time of your 10th birthday. It's not a fitting excuse for any adult, let alone the CEO of a large corporation.

Yet the fans will consider it to be a reasonable excuse regardless of who uses it.

Silver badge

At Aqua Marina, re: fining MS multiple times.

If MS is a $950B company then 4% would be $38B. Twenty-Eight separate GDPR fines would thus result in a *One Trillion Sixty-Four Billion* dollar fine.

I like the way you think & bow before your awesomeness. Please remind me to never piss you off. =-D

Silver badge

Re: "get a CEO's head on a pike"

At Trollslayer, putting their head on a fish.

Perhaps bragging rights for the fish?

"Look at me! I've got SatNad's head grafted to my ass!"

Why does that make you happy?

"Because now when I squeeze my cheeks I can do this!"

*Picture of the Pike reaching Mach 1 on an exhaust plume of marketing bullshit & hot air bubbles*

COOL! I want one of those, too!

=-)p

Silver badge
Thumb Up

Re: What about Windows 10 that Office is sitting on?

28 *4, 112% -> BINGO, MS DEAD all we need is to do it in turns ... who wants to start ? UK, because they are leaving ...

Silver badge
FAIL

Re: What about Windows 10 that Office is sitting on?

"At least Google location services can be switched off."

I'll just leave this here...

LDS
Silver badge

"At least Google location services can be switched off."

Did you miss the article about the fact they can't truly be switched off easily?

https://www.theregister.co.uk/2018/08/13/google_location_tracking/

LDS
Silver badge

"GDPR failed because it did not mandate a user's right to clearly say NO"

I wish people read GDPR at least once.... that kind of snooping is illegal under GDPR. There was no informed consent, and it's far beyond the "lawful basis for processing". GDPR also requires any consent can be withdrawn at any time - and it must be simple to do. Moreover, you can't refuse a service requiring to consent to more data than those strictly required to deliver a service.

The real question is how much governments are going to go after big companies. They now have the instruments - the will?

Silver badge
Facepalm

Re: "GDPR failed because it did not mandate a user's right to clearly say NO"

The problem is, most companies seem to have taken the stance that whatever they don't feel like turning off is now "essential" and there's no way to change that short of actually challenging that.

Also, while most are now actually offering the option to turn off _some stuff_, the actual deal is "either click here to accept maximum slurping, endure a literal third of your screen being obscured by a mega-banner until you do, or manually untick 135 pre-ticked checkboxes on the provided settings page (and do it all over again next time unless you're comfortable with us knowing that it's _you_ visiting every damn time you look at any of our pages)".

Why the hell isn't there an _anonymous_ setting / cookie / whatever I can use to simply proactively declare to each website I visit "only technically unavoidable cookies please"? Or if there is (considering DNT sounds an awful lot like that) why wasn't that made legally binding...?

LDS
Silver badge

Re: "GDPR failed because it did not mandate a user's right to clearly say NO"

They are testing the will to go after them - each "practice" you pointed out is illegal under GDPR. What is essential is not at the whims of companies. Consent must be opt-in, so you can't pre-tick checkboxes.

Each law, even the best one, is useless if no one is going to enforce it effectively. Some companies believe they grow too big to be forced to abide by the law. Probably they also hope that with a EU Commission that is going to be renewed next year, with EU elections looming (and for many parties it's a test of their relative strength within their own countries), and Brexit issues, nobody will try to enforce GDPR seriously. Hope they'll find they're wrong.

"Why the hell isn't there an _anonymous_ setting"

Well the "Do Not Track" flag wasn't very effective, was it? Without a law to enforce it, there's no way such options could work.

Anonymous Coward

Re: If I, say, accidentally exceed the speed limit because I didn’t spot a sign

I'm sure MS lawyers and execs are so poorly paid and thus ill-informed about the law, they can be let off for this "accidental" speeding! :D

Silver badge

Re: What about Windows 10 that Office is sitting on?

"It's 4% of turnover... still a not small amount."

Technically, it's either 2% or 4% (depending on the type of infraction) of global turnover. One wonders how easy it would be to actually calculate MS's global turnover, and also where the limit is on determining what applies (i.e. parent and related companies). I expect MS's corporate structure is less complex than some (for instance, a different legal entity in each jurisdiction it operates in, rather than the labyrinthine structures employed by some multinationals to avoid tax), but if they do get fined, this could be an interesting test case.

Re: What about Windows 10 that Office is sitting on?

Depends- global annual turnover or Europe? Judging by how much tax these monoliths pay, their declared euro turnover is quite small irrespective of how big their actual euro turnover is

Anonymous Coward

Re: What about Windows 10 that Office is sitting on?

In my view the GDPR failed because it did not mandate a user's right to clearly say NO to all this data snooping. The rule still seems to be "If you want to use my SW you have to accept me snooping, I just have to ask you to note that I do these things - even if it's not relevant to the SW operation"

No, see this: https://www.theregister.co.uk/2018/11/19/ico_washington_post/

Just because people break the law, doesn't mean that the law's what people are doing (just that it's ineffectively enforced).

LDS
Silver badge

"Depends- global annual turnover or Europe?"

Global means "global" - aka whole planet. Which means what appears in their balance sheets they publish for Wall Street, in MS case - where they can't say "our revenues are zero and our profit negative" - because of course shares and executive bonuses will crumble instantly... nor turnover is easily affected by the tricks they can use to pay less taxes - investors want to see increasing revenues, profits, dividends, and share prices - and executives payouts depends on them too.

I believe that's why those who wrote the GDPR chose that value, companies can employ a lot of tricks to hide money, but they have to surface them somewhere eventually....

Re: What about Windows 10 that Office is sitting on?

The GDPR Explicitly calls out that you're not allowed to make access to a service contingent on granting consent to have your data processed, unless it's an essential part of providing the service

Eg not ads, telemetry, etc... Just the core functionality.

Silver badge

Re: What about Windows 10 that Office is sitting on?

"it's no different at all to what Google do"

It's not? So Apple has weaponized all of their products to be surveillance machines, and is following me around both the internet and meatspace, spying on everything I do that they can see in order to compile an ongoing dossier about me even if I don't use any of their products?

Somehow, I seriously doubt that.

"At least Google location services can be switched off."

Yes, and doing so doesn't actually make that data collection stop.

Re: "get a CEO's head on a pike"

"Don't give him your name, Pike!"

Stop

"The Dutch authorities are working with the company to fix the situation"

Instead of trying to fix the unfixable, maybe it's time they work with LibreOffice instead...

Anonymous Coward

Re: "The Dutch authorities are working with the company to fix the situation"

Hear hear! Because let's be honest, we're focussing on Microsoft here (by default). And yes, they do deserve it. But think about this; you've got access to the cream of the IT crop in your country. You've the resources to do it right (after all, governments don't have money, it's their citizens). There are all these rumours flying around about "data slurp". And still, with all these opportunities, info, and resources, you (vendor) lock yourself in and afterwards moan about Microsoft doing something EVERYBODY knows they do.

BOO-HOO!

You pitiful government! My heart bleeds for you. Especially with your "it wasn't me" arrogant remark about "exploring open standards". If you really knew what you were doing you'd have done that long ago. Ah well, go talk to the city of Munich. They tried it there too, only to reverse it for a zillion euros after Uncle Steve paid them a personal visit. And promised them "advantages" like financial support and HQs in the city... And as we know (Dutch) government officials never ever are sensitive to persuasion. As history shows...

Oh, and for the cloggers taking offence to my comments: ever taken a good look at the IT of your "Belasting Dients"? Guess they are so committed "to serving the community", that's why they are having issues now with "all employees using the opportunity to leave with a huge bag of money..." Or even try to run their code in VM or without js. Yes, indeed, you can't. I should stop, take my pill and a coffee. I'm getting too old for this sh*t...

Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

@Sleep deprived

Munich, and other German places, tried that. The problem was that they had to exchange lots of documents every day with other German places still using Microsoft Office.

The word "compatible" has a special meaning in the computer industry: good enough for salesmen but not good enough for actual screen bashers.

So Libre Office will not be a practical choice until the vast majority are using it.

Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

Munich was doing just fine with Linux, until one PHB with a vested interest showed up

Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

we have started to move to libreoffice. Ironically it's because we get a cheaper deal with office 365 outlook (i disable everything else on the tenant). so it's 365 outlook and libreoffice.

Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

"The word "compatible" has a special meaning in the computer industry: good enough for salesmen but not good enough for actual screen bashers.

So Libre Office will not be a practical choice until the vast majority are using it."

Because everyone needs the funky razzmatazz of mental disorder driven formatting overkill to bash out a (nowadays practically white, illustration laden and mostly content-free) robo-memo about some shit organization that no-one cares about.

Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

"The word "compatible" has a special meaning in the computer industry"

It means compatible with the current version of the software and no guarantees about past or future versions.

There is, however, an open standard for word processing, spreadsheets etc. which is well defined and ensures that your future self, or your successors, will be able to open those documents. Because it's an open, well defined document it means that even if your current product is discontinued it will be possible for someone else to write equivalent S/W so that your access to your old documents will not be blocked. That should be a fairly important consideration for governments whose documents might well have legal significance in decades or even centuries to come.

Oddly enough that's not Microsoft Office's format, it's the one used by the software you imply has problems when being exchanged.

The risk of future incompatibility wasn't in the terms of reference of this report and hence is only alluded to in passing. If one were to do a full risk analysis it should be one of the highlights.

Silver badge

Re: Oddly enough that's not Microsoft Office's format

I, or rather, a client of mine had an odd experience with Excel some while ago. They maintain a daily Foreign Exchange spreadsheet which is emailed to all staff. Very simple structure - nothing odd about it at all. One day the calculations weren't working properly, I was called out, given a demonstration of the problem - in simplistic terms Excel was emphatic that 1+1=3. Scratching my head I tried a few things (e.g., the long forgotten Recalculate function, and taking into consideration the rows/columns recalculate order), but the problem persisted.

It was then that I noticed that the user had inadvertently saved the spreadsheet in one of the non-proprietary formats on the Save As.. list, rather than XLS* format. Going back to Excel format solved the problem, but this experience made me think that Microsoft are not participating in a level playing field here.

My thought is that they are concentrating on their own formats for testing and paying mere lip service to so-called Open Document formats. It calls into question the methodology MS use to develop applications with: it's almost as if they have an IF file_format='xls' then do_this ELSE do_that in their programs, which for me is a Big Red Flag.

Has anyone else encountered similar anomalies with MS applications?

Silver badge

Re: Oddly enough that's not Microsoft Office's format

"Has anyone else encountered similar anomalies with MS applications?"

Many times. However, usually when transitioning from Microsoft Office version N to version N+2.

It's almost like MS don't fully understand their own formats.

Silver badge

Re: "The Dutch authorities are working with the company to fix the situation"

A nice solution, but we need to go a step further.

Libreoffice as a solution relies on the goodwill of Libreoffice to not snoop. I want an OS which can block application access at the network level. I want an OS which can enforce, "Application X gets access to my file server for file-serving protocols. Application X also only gets access to disk subtree Y." That way I can give my browser wide network access but no disk and my wordprocessor disk access, but little network.

For those on linux who want a MS options and are willing to go non-free, edrawmax (visio) and wpsoffice (chinese?) look like nice options. I can't vouch for their security and non-snoopiness, but they are far more usable than Libreoffice in an MSOffice environment.

Anonymous Coward

Re: "The Dutch authorities are working with the company to fix the situation"

"Instead of trying to fix the unfixable, maybe it's time they work with LibreOffice instead..."

Not until they manage to create a decent installer. The current installer is IMHO an abomination whose user unfriendliness must have been inspired by the ribbon in Microsoft Office. Until they fix that, it is simply not usable in an Enterprise setting, also because updating an anything-but-English is a pain too as a consequence of what they cobbled together.

I have no idea what they were using when they came up with this approach, but as far as I can tell they got the dosage wrong.


Biting the hand that feeds IT © 1998–2018