Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps. That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus …

Re: "The Dutch authorities are working with the company to fix the situation"

Munich were not doing fine, not even close. It overran by years and by millions of pounds. At the "end" of the project they had people unable to perform their job roles because software still wasn't working.

It took them a decade to migrate circa 15k end user machines, and related back end, at this point things still had major issues.

From that point it took them 4 years to bite the bullet and move back, mainly citing the MS office alternatives as the issue.

Yes, they had an MS fanboy come in, but that was not the primary driving factor. They recruited them *because* of the issues, and because, after a decade-long project, they were being told they had to switch to *another* open source office suite and try that for a bit.

Coat

Re: "The Dutch authorities are working with the company to fix the situation"

Gendbuntu

Anonymous Coward

Re: The word "compatible" has a special meaning in the computer industry

and it has a specially ueberspecial meaning in Germany, in general ;)

Anonymous Coward

Re: "The Dutch authorities are working with the company to fix the situation"

"Not until they manage to create a decent installer. "

It depends a lot on who packaged it. - I've never used the windows installer, so I suspect that's what you used.

I didn't find it very hard at all for the last two LibreOffice installations I did... on one of my laptops, I typed "emerge libreoffice" and waited a *very* long time :-) and on the other one I typed "apt-get install libreoffice".

Anonymous Coward

Re: "The Dutch authorities are working with the company to fix the situation"

"Gendbuntu"

From experience, don't mix .deb files and gentoo unless you *really* know what you're doing...

Anonymous Coward

Re: "The Dutch authorities are working with the company to fix the situation"

"Not until they manage to create a decent installer. "

It depends a lot on who packaged it. - I've never used the windows installer, so I suspect that's what you used.

The problem starts when you use a different language. The installer only speaks English, and you have to manually set the UI language after installing the language pack instead of making that a default option ("option" as in "ask the user", just in case). Worse, when you update you have to go through that again. Appalling, and totally NOT end-user friendly, which is the one thing it has to be to generate widespread adoption. Instead, it provides the *perfect* argument for people to fall back to MS Office.

Anonymous Coward

Zero Exhaust?

How do you turn off the slurping?

Following the link to https://www.privacycompany.eu/en/impact-assessment-shows-privacy-risks-microsoft-office-proplus-enterprise/, what it actually says is:

Starting today, and with the help of Microsoft, SLM Rijk offers zero exhaust settings to admins of government organisations.

Sounds like only governments benefit from this :-(


Re: Zero Exhaust?

How do you turn off the slurping?

Add a single configuration parameter. All right, maybe one in each application that makes up the Office package. All it needs to do is to control whether the telemetry port is written to or not. If Office programs are well-structured code this should be quite easy: the sort of thing that one competent programmer can install and test in time for the following month's Patch Tuesday. So why do they need five months to do something that should be so simple?

Anonymous Coward

Re: Zero Exhaust?

> > How do you turn off the slurping?

> Add a single configuration parameter.

Of course MS could *add* such a configuration parameter. But it was implied that they've already done so - in which case it's a question of how to find it.


Re: Zero Exhaust?

Of course MS could *add* such a configuration parameter. But it was implied that they've already done so - in which case it's a question of how to find it.

Yes and No. In two places the article says there is no way to disable slurping and then the Zero Exhaust system is mentioned with an (apparently) documented slurp control switch. The crux of the biscuit is: if that's already out then they could simply make the Zero Exhaust version the mainstream product and put it on immediate release. So, if this is the case, then why does M$ think it will take until April next year to make it generally available?

Fish? I can smell it.

Facepalm

"If Office programs are well-structured code"

Yeah, how likely is that?


Re: "If Office programs are well-structured code"

The history of Star Office -> Open Office -> Libre Office suggests that it is a mountain of quick fixes, with zero logical integrity. MSO will be the same.

JLV

Re: Zero Exhaust?

>why does M$ think it will take until April next year to make it generally available?

Easy. 5 months of desperate lobbying and Doublespeak ahoy explaining how _customers_ need slurping, they value our privacy and are always out to listen to customers.

Maybe that horse will sing by then.

Me I’m wondering who the lucky ones to benefit will be: Euro area only or Canadians too? (we already “benefit” from cookie warnings)


Re: Zero Exhaust?

"So why do they need five months to do something that should be so simple?"

Because it will take at least that long for the committee to decide exactly what shade of pale grey the user request box must be and exactly how many angstroms up the scale the slightly less pale grey text will be.


Re: "If Office programs are well-structured code"

"The history of Star Office -> Open Office -> Libre Office suggest that it is a mountain of quick fixes, with zero logical integrity."

The early stages of the move from OpenOffice -> LibreOffice involved paying down a lot of that technical debt. No doubt there's still some way to go but then there always is.


Re: Zero Exhaust?

"Easy. 5 months of desperate lobbying and Doublespeak ahoy explaining how _customers_ need slurping, they value our privacy and are always out to listen to customers."

Or simply hoping it will get forgotten. Or it will break several bits of functionality and will have to be removed in order to make everything work properly. It's going to take time to ensure enough functionality gets broken.

FAIL

Re: Zero Exhaust?

Permanently disconnect your PC from the internet. That would do it.

FAIL icon because teacher doesn't accept this answer.

LDS

Even if data were stored in EU, MS would be still in breach of GDPR.

Because the data gathering is too broad, automatic, without user knowledge, and without any way to turn it off.


Re: Even if data were stored in EU, MS would be still in breach of GDPR.

"Because the data gathering is too broad, automatic, without user knowledge, and without any way to turn it off."

It is worse than that because there are some options to turn data collection off in various places in Windows 10 - but these only turn a few things off and leave all the other data collection running. It is designed to give the user the false impression that data collection has been comprehensively disabled, when it has not - it is incredibly dishonest.


Re: Even if data were stored in EU, MS would be still in breach of GDPR.

Plus, enterprises get a separate set of GPO settings that really limit telemetry (but still do not disable it), and ordinary users are specifically told in the GPO that they can't disable it. That should also be in breach.

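The enterprise-only Group Policy the comment above refers to is the Windows "Allow Telemetry" setting, which lands in the registry as a single policy value. The script below is an added example, not code from the article, the report or any commenter: it reads that policy value on the local machine, names the configured level, checks whether the edition is one that actually honours level 0 ("Security"), and reports the state of the DiagTrack service that ships the data. The policy path, value name and level numbering are Microsoft's documented ones; the edition check is a heuristic on the OS caption string (an assumption, since the exact caption varies by SKU and language).

```powershell
# Added example (not from the page): audit the Windows diagnostic-data policy
# that Group Policy sets on a machine. Documented location:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
# Levels: 0 = Security (honoured only on Enterprise/Education/Server SKUs;
# Pro/Home treat it as 1), 1 = Basic/Required, 2 = Enhanced, 3 = Full/Optional.
# Reading HKLM policy keys needs no elevation.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$Levels    = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-TelemetryPolicy {
    # Returns what policy (not the Settings app) has pinned the level to, if anything.
    $item = Get-ItemProperty -Path $PolicyKey -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Level = $null; Name = 'not set by policy (OS/user default applies)' }
    }
    $level = [int]$item.AllowTelemetry
    [pscustomobject]@{
        Configured = $true
        Level      = $level
        Name       = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { "unknown ($level)" }
    }
}

function Test-SecurityLevelHonoured {
    # Assumption: the OS caption names the edition. Only these editions accept level 0.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    return ($caption -match 'Enterprise|Education|Server')
}

$policy = Get-TelemetryPolicy
$svc    = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue   # "Connected User Experiences and Telemetry"

"AllowTelemetry policy : $($policy.Name)"
if ($policy.Configured -and $policy.Level -eq 0 -and -not (Test-SecurityLevelHonoured)) {
    "WARNING: level 0 (Security) is set, but this edition does not honour it; the effective level is Basic."
}
if ($svc) {
    $mode = (Get-CimInstance Win32_Service -Filter "Name='DiagTrack'").StartMode
    "DiagTrack service     : $($svc.Status) (startup: $mode)"
}
"Note: this policy governs the Windows diagnostic-data pipeline only; application-level"
"telemetry such as Office's is controlled separately and is not covered by this value."
```

Run it on a domain-joined Enterprise box and on a Pro box with the same GPO applied to see the point the comment makes: the same policy value yields different effective collection depending on edition, and even the lowest level does not stop the service or the per-application channels.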
Facepalm

I'm really, really (really, really, really) hoping that this stymies forced software telemetry...

I'm fine with my software validating that it is properly paid for and valid. I'm fine with the option to send telemetry data that may be useful in bug fixes and customer support tickets. However, the idea that MS is storing sections of documents because they are being spellchecked is just nuts.

Look at your average couple page word-processed document. You probably spellcheck it in 5-10 places, maybe more. If those sections are being stored, then you have a significant security risk, because I could piece together a good deal of what a competitor is doing if you were to give me 20 or 30 sentences from said couple-page document.


What about Azure AD...

Copying PII to the US?

Anonymous Coward

Re: What about Azure AD...

I was under the impression that it was limited to specific regions that you selected. PS: GDPR is not about PII, it is about personal information; it doesn't need to be identifiable.

Anonymous Coward

Why on earth was a government ever using a cloud-hosted wordprocessor?


What do you think is used by UK Parliament?


government using cloud-hosted

"Why on earth was a government ever using a cloud-hosted wordprocessor?"

In this case: entrapment. Please consider the government involved. Please also consider the nationality of that EU Commissioner to penalize Microsoft with a pretty hefty fine the last time (Neelie Kroes, Dutch).


Re: government using cloud-hosted

It's not entrapment if the perp is already doing the deed without you egging him on.

Something OT from the depths of time: Judge Jackson is a big fat idiot: But MS is hardly in the clear


Entrapment

I concede your point where it comes to legality, but I'd say that knowingly letting something go on in the knowledge you will reap the rewards later is still entrapment from a moralistic point of view. Having said that, I don't have any problem with it.

Anonymous Coward

re. Why on earth was a government ever using a cloud-hosted wordprocessor?

because: CLOUD COMPUTING! SAFE & SECURE! COST EFFECTIVE! EVERYBODY DO IT! LOL!


"Head on a pike"

For CPHBs at Slurps, having their heads on a pike would not be a fitting punishment; something much more medieval should be used, as there is no punishment too 'cruel or unusual' for their crimes against humanity. Seriously, the Dutch should pursue the maximum fines under the GDPR against Slurp as punishment.

Devil

Re: "Head on a pike"

how about we just fine them instead? then the CEO gets fired over it, when the board members get sick and tired of losing money.

It's a fair bet that "the fix" will eventually become public knowledge, so that ALL of us can apply 'the fix', not just EU members.

And THAT is what they (Micro-shaft, etc.) fear.


Re: "Head on a pike"

Just need to make the board, personally and jointly liable for fines equal to a proportion of the company fine, so fine the company €100m and each director €10m. Fines are not normally expensable - as it encourages the board to behave legally/ethically if they have to pay for their misdemeanors personally.


Re: "Head on a pike"

Or it just convinces their legal team to lawyer their way out of it. Bet you credits to milos they'll find a way to reduce the fines and liabilities, perhaps hang a threat of incompatibility in the government the future, perhaps a change of emphasis to Asia if they have to disconnect things. That's the thing with transnationals: they can play sovereignty against you, and few things are lawyer-proof.


Re: "Head on a pike"

Thing is, individuals can file an ICO complaint. These are taken on a case-by-case basis. Just because the gov settles doesn't mean John Smith is covered under that breach.


Not wishing to exonerate MS in the slightest but don't the Dutch Government have any responsibilities in this? AFAICS it's they who required their employees to work with this. It may well be that MS did this sneakily behind their customer's back but I rather think that if it were any other employer it would be the employer who would be facing charges and taking out civil proceedings against their supplier for breach of contract, always providing that the contract said they wouldn't do such things. And if the contract was silent on such issues then the employer might even lose.


They do, and they have taken up the fight as part of their responsibilities. What more would you have them do? They can't drop a signed contract over this, as MS won't have broken any laws until proven.


Multi-million fine not likely to undo damage

I have yet to see a multi-million Euro fine undo the privacy violations that have resulted from knowingly violating privacy law and decency. As history has shown when Microsoft or other companies reap billions in revenue annually from violating law a few million in fines is just the cost of doing business. It does not change the corporate mentality or suddenly make them ethical and law abiding. It appears that anything short of a triple annual revenue fine results in a change in business practices. That triple annual revenue should be sent to all of the people violated by Microsoft.


Re: Multi-million fine not likely to undo damage

I concur that a multi-million fine is unlikely to change matters, but this is going to be a multi-Billion fine.


Re: Multi-million fine not likely to undo damage

Yup. If it is shown to be wilful then that's the 4% of turnover bracket (up to, yes, but that bracket was designed as punishment).


25,000 "events"

>>>Microsoft tracks around 25,000 different types of "event"...techies are also able to add new events to be recorded<<< how many types of events are left?

The report is worth reading.

>>>until recently there were no central rules governing the collection of the Office telemetry data<<<

>>data may also include the content of a query sent to search engine Bing, or the content of text you want to have translated. In that case, Microsoft may collect the sentence before and after the sentence you mark for translation, to provide a better translation.<<<

Talking about targeted recommendations (adverts) >>>protect the monetisation of the Office product, and we accept we have to disrupt the attention of the users.<<< basically MS admitting in writing that trying to get more money out of the punters is more important than letting them use the ones they've paid for already.

I'll refrain from expletives, they're not adequate to convey the contempt.

WTF?

"tracks around 25,000..types of "event"..techies are also able to add new events to be recorded."

25 000 types.

F88k me sideways.

Do we need to wonder why networks are running slower than they used to in actual throughput?

LDS

Re: "tracks around 25,000..types of "event"..techies are also able to add new events"

And be aware it's not only Windows or Office. Today most developer tools offer libraries to add telemetry to applications, and not only Microsoft is abusing it. Obviously, whatever you do in a web application is easily tracked, but more and more native applications, on mobiles or desktops, and even servers (and of course IoT), are instrumented to record and transmit telemetry. Some companies offer 'telemetry as a service' packages. We have to hope some highly visible investigations and fines will put a stop to this trend, making it not legal.


How the effity-eff-eff does any Govt. or company permit cloudy Office?

Strikes me that this is a security hole large enough to drive a super tanker through sideways.

When a client has no effective control over what data is sent to an off site server, they also have no control over who might ultimately view that data. What is to stop some rogue state (ie. my own bloody minded data slurping Australia) requiring document duplication?

Yes, you may use Office 365 offline, but from my reading, it appears that certain "features" kick in automatically/uncontrollably whenever an internet connection is present.

Anonymous Coward

mmmm... my spelling is pretty bad, and my hands seem to type at different speeds.

Microsoft can you sent me my documents that I’ve accidentally deleted.

Thanks in advance.

P.S. If you’d grammar check them first, I’d appreciate it.


The standard solution with all things MS is a packet filter firewall on OpenBSD, but why bother with MS junkware in the first place? The alternatives are so much better and Free.


You paid

... good money for this computer. Now, keep paying the Danegeld, and give thanks to Microsoft for each day that you are permitted to use the computer.

[just posted on another thread, but it seems apropos here as well]

DJV

Re: You paid

Glad you added the final paragraph - I thought I was having a deja vu moment!

Joke

But you don't understand...

The telemetry is just MacroShaft being helpful. It saves the beta-test community (i.e. everyone) from having to manually submit manual bug reports.

Anonymous Coward

Re: But you don't understand...

I'm afraid your sarcasm fell on dead ears, which is a shame. But then, what do you expect, it's only pre-post-brexit-weekend Monday ;)


Microsoft wouldn't get away with it if a few big licensees (such as governments and big corps) told them, remove your telemetry or we will walk. But by continuing to pay ever year for licenses for Windows and Office rather than taking their money elsewhere MS know they can continue to get away with it.


Biting the hand that feeds IT © 1998–2018