back to article Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps. That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus …

Getting away with it

But those government will claw back those license fees with usurious interest, calling it fines.

1
2
Reply
Silver badge

Re: Getting away with it

Not necessarily. Their lawyers will have to content with Microsoft's lawyers, and which do you think are better paid?

0
6
Reply
Anonymous Coward

Re: Getting away with it

Lawyers can only win if the law is in their favour, no matter how much they are paid. Governments set the law.

9
1
Reply
Silver badge

Re: Getting away with it

"which do you think are better paid?"

I spent a lot of time in courts early in my career. I never heard a judge asking each side how much they paid their lawyers and deciding the case on that. Given that these cases will be heard in the EU they will be out of range of the finest government money can buy. Sad to think that from next March we'll not have that protection in the UK; that's what happens when you have a Home Sec resident in No 10.

Following the line of Home Secs, what does the panel think about Rudd going to DWP? Isn't that great for them? They really need someone with such technical nous running things there.

7
0
Reply
Silver badge

Re: Getting away with it

And who do you think runs the governments...or has the know-how to "grease the wheels"?

0
1
Reply
Silver badge

It seems that this covert data gathering may be more reliable...

...than the arguably more important facility for users to be able to connect to resources on their LAN.

https://www.theregister.co.uk/2018/11/16/windows_10_update/

And I quote: Microsoft says it'll sort out the issues "in the 2019 timeframe."

4
0
Reply
LDS
Silver badge
Devil

"users to be able to connect to resources on their LAN."

THERE ISN'T YOUR LAN - ONLY OUR CLOUD.

Repeat until it sinks in your soul...

(an excerpt from Nadella's thoughts....)

2
0
Reply
Anonymous Coward

Hey EU... See that book? Well throw it hard

at MS.

Those of us in IT know and have known for years that MS slurps our data and there is nowt that we can do about it.

I fully expect a few million 'give me all the data you have on me and then delete it' requests.

4
0
Reply
Silver badge

Re: Hey EU... See that book? Well throw it hard

"I fully expect a few million 'give me all the data you have on me and then delete it' requests."

That's going to prove interesting as the report makes quite clear that there's no way to get the telemetry stuff back out and the only way to delete it is to cancel the user ID. Even then individual teams within Microsoft in the US could have made their own copies and there's even less means of knowing about that and getting it deleted. And then there are all the sub-processors such as CDNs.

I can't imagine even IBM in its pomp getting away with this sort of stuff. And it's only because customers won't face up to their responsibilities and walk away.

2
0
Reply
Anonymous Coward

Mirosoft Teams

Does the same thing and I've been "reassured" by our workplace security team that it doesn't slurp data hahaha

Do I still use Microsoft Applications anymore? Only assuredly e.g. draft email/doc in Notepad++ then Copy/paste into MShite application, save and send..

If I HAVE to

3
1
Reply

Fine the maximum amount. Use the fine to switch 90% to linux.

Check the remaining 10%. Fine again the maximum amount. Use it to switch 90% of the remaining 10% to linux.

Repeat till they get the message.

6
1
Reply

What is wrong with Europe?

It used to be that us Americans were the ones constantly accused of forcing the rest of the world to abide by our laws, our social norms, and our cultural institutions. How is it that the GDPR and the more recent copyright reforms (specifically article 13 and article 11 measures) currently being considered by the EU any different? I am giddy with anticipation for the moment when Microsoft and Google finally decided the cost of doing business with you lunatics is too high. What are you going to do if they pull the plug and cut you off. Good luck with your open source initiatives, because that always works... or hey, maybe try to develope your own software solutions bahahhahaha. Sorry couldn't hold it together at the thought of actual innovation in a real marketplace (you know, like the USA) happening in the EU. Nigel Farage does his best to remind you (Europe) of this all the time.

1
17
Reply

Re: What is wrong with America?

American corporations are in cahoot with politicians like nowhere else in the world. They benefit from an immense unfair advantage through corruption (that you insist on calling lobbying) which provides them with very tiny taxes on huge profits and therefore allowing them to grow more easily and protectionist laws (pushed internationally using political/military pressure) making it more difficult for smaller entities to enter the sector/industry, when the latter are not flat removed from competing by simply acquiring them, or other measures "in the interest of national security" to block or stifle competition. Not to mention the added benefit of shares buyback which again increases their market value and allows for even more fictional money to be used to acquire the competition. And not to mention the unfair practices like the one in this article which obviously grants them inside knowledge on competitors or on the market in general and can then be used to win international contracts or blackmail the competition in other ways.

9
0
Reply
Silver badge

Abide by their rules or GTFO

That's the right of any sovereign nation.

The EU is about 28% of the global market, roughly the same size as the USA.

So yes, MS, Google et al are indeed free to GTFO, but only by halving their turnover.

Good luck selling that to the shareholders.

9
0
Reply
Silver badge

Re: What is wrong with Europe?

I'm not sure what the OPs point is here. As best as I can make out, he seems to be complaining that the EU laws, applicable in the EU, should not apply to US companies operating in the EU.

He might also like to look at the impact GDPR has had in the US, where California and others are now looking seriously at implementing similar privacy rights for citizens.

Or is he just a shill for US corporate data slurping? I thought US people were all for citizens rights and privacy?

12
0
Reply

Re: Abide by their rules or GTFO

1. 28% of the total global market, but guess what, neither MS, google, or FB derive 28% of their revenue from the EU. So they can afford to tell you where to stick it.

2. A fine of 4% of gross tips the scales to the point where it is cheaper not to have to worry about the risk of fines, so no more office for you

3. I wouldn't expect the EU to be 28% of the global marketplace for long when you idiot's cant create or send excel files

0
13
Reply

Re: What is wrong with Europe?

The point my slow witted friend is that the EU has no business trying to enforce local regulation on a global scale. Doing so is ad repugnant as what the US has been doing for years. Also, the most significant impact of the gdpr has been the revenue increases for insurance companies and lawyers. Though we shouldn't forget how great a tool it is for censorship. It is now trivial to remove factual information from the net under the guise of RTBF or potential GDPR violations. I would link to several examples but the techdirt.com links keep getting my comments flagged.

0
12
Reply

Re: Abide by their rules or GTFO

Assigning share of global profit for any of these global companies is

very problematic. Do not treat any numbers as accurate.

3
0
Reply
LDS
Silver badge

"EU has no business trying to enforce local regulation on a global scale"

EU is only enforcing local regulation to its citizens and residents. It really doesn't care about what happens to US citizen if they not happen to be EU residents, or Chinese or Russian or whatever.

Unlike US which with its CLOUD Act is seeking access to data of foreign citizens stored abroad...

Evidently, if you want to sell your product and service to EU citizens, or within EU. you have to abide to "local regulations". Of course you can decide not to sell them - sure, you can decided to get out from EU - and lose billions of sales and take a big hit on shares value - you just need to explain it to your shareholders....

9
0
Reply
Silver badge

Re: What is wrong with Europe?

"The point my slow witted friend is that the EU has no business trying to enforce local regulation on a global scale. Doing so is ad repugnant as what the US has been doing for years. "

The EU, with GDPR is not exporting local regulation on a global scale. GDPR only applies inside the EU. Part of the regulation is that personal data may not be exported unless it's properly protected as per the GDPR. Any multi-national that feels it can't comply with the export regulations is free to collect and process that data WITHIN the EU. They can do what they like outside the EU with non-EU data. No one is forcing them to follow GDPR outside the EU. They have a choice.

2
0
Reply
Silver badge
Windows

What are they smoking?

Can you imagine these cloggy pen-pushers trying to get a job in the real world? Oh, my sides!

0
10
Reply
Silver badge

Mise à jour de nos conditions d'utilisation

Is this why I just got an email in French claiming to come from Microsoft? I'm guessing they've seen me logging in to Skype in the EU and figured it was the best language to use.

Not written off it being a scam though.

4
0
Reply

"We welcome ... diagnostic data ..."

Yeah, right.

1
0
Reply
Anonymous Coward

Office365 and Children

Under GDPR there are special provisions for the protection of children's data and consent has to be obtained from parents. Given that most secondary and college schools have been using Office365 for the last couple of years.

This would make the material breach of GDPR even more severe. Given that this information is now known, education organisations need to address this breach of information by

a) requesting from Microsoft under GDPR what information was collected for each student and informing the parents

b) Upon request of the parents making an request for the deletion of all personal data held by Microsoft or third parties which may have been sold the data (that would be a separate breach)

c) and look for an alternative supplier which is not in breach of GDPR

Then a class action for damages can be launched for the loss of privacy

11
1
Reply

Not at all surprising

Looking at data usage on our firewall/filtering device, Microsoft's servers now top the chart for data usage every day - more so than Youtube even (we're a group of schools).

Windows 10, Office 365, etc... are incredibly noisy with their data usage. You just have to look at the massive number of IP address ranges and domains they recommend unblocking when you use Office 365 to realise how much data usage there will be.

9
0
Reply
Silver badge

Re: Not at all surprising

@LocalzUK it can make geoblocking on firewalls etc a pain too.

We had a very security conscious customer with a sophos X type FW. It offers geoblocking based on a country by country basis.

"everything off apart from countries we do business with" was the cry. The reality was DOZENS of countries needing to be unblocked or you'd get periodical, random failures of MS office Products and an email from the sophos unit saying it was a blocked country.

2
0
Reply
Anonymous Coward

Wrong approach

The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.

That's entirely the wrong approach to take.

Step 1) Big fines now. Make sure MS and others know they can't keep flouting the laws and then expecting governments to bribe them to fix it later. Make breaking the law hurt, like it does for the rest of us.

Step 2) Continuing painful fines until it is fixed. Arrest warrants for relevant executives should they take too long to fix (eg "not fixed after 48 hours"). Also, make the warrants remain until the issue is fixed even if the exec retires from the company. If, for some reason the exec needs to travel for some meeting, let them travel but on strict conditions and with 24/7 chaperones (who have the power to arrest them) that the execs themselves have to pay for. The chaperones can stay outside of meeting rooms so long as they can confirm before hand that all possible exits are covered.

Step 3) IF and when the issue is decently fixed, end all sanctions.

For too long these types have been able to get away with massive crimes without punishment.

6
0
Reply
Silver badge

Re: Wrong approach

You'll also have to make them lawyer-proof and make sure you don't trigger retaliatory actions (tit-for-tats).

0
1
Reply
Anonymous Coward

Re: Wrong approach

Lad, when you grow up some you'll realise that no matter how expensive a lawyer is, once a law is clear that's it.

As another poster here said, judges don't ask lawyers for proof of income.

0
0
Reply
Silver badge

Re: Wrong approach

"...once a law is clear that's it."

That's the problem. With lawyers, it's NEVER that clear. Laws can be changed, reinterpreted. Even judicial precedent can be challenged in future.

Put it this way. I'll believe it when the courts can make the Hugh Jass fine final and binding with criminal culpability attached for good measure.

0
1
Reply
Silver badge

Isn't that what "The Cloud" is all about?

If you work with Office365 then you are effectively working with a web application that's based in the cloud. There might be local storage at a company but its effectively just cached data.

I'm quite sure that the people who designed these products never intended for customer's data to be visible to the company, they just want to provide users with a useful product while incidentally locking them into their subscription business model. The fact that the traffic to their servers, even if encrypted, could give Microsoft an insight into a customer's business isn't central to Office but it could very well become so if there was a business case (or a government warrant) to do so. I'm just surprised that the EU's GDPR wasn't written with cloud applications in mind, it seems to be stuck in the era of floppies and PCs.

Personally, I regard cloud based applications with a lot of suspicion. Its not privacy that's uppermost but rather the idea that they assume a reliable, high speed, low latency network infrastructure -- there's just too many points where the system can fail leading you in the lurch, unable to do anything.

(I also don't get this penchant for shaking down - fining -- large corporations huge sums of money. If you allow your government to get into extortion on a large scale don't complain when they realize that it can be used effectively on a smaller scale. OK. Microsoft is big and bad, I'm no fan of that company and its products, but just turning a blind eye to this because 'they deserve it' or 'they can afford it' really isn't a good idea.)

5
1
Reply
Anonymous Coward

Re: Isn't that what "The Cloud" is all about?

"they just want to provide users with a useful product while incidentally locking them into their subscription business model."

Actually I think it's more likely to be "locking them into their subscription business model while incidentally providing users with a useful product."

6
0
Reply
Anonymous Coward

Re: Isn't that what "The Cloud" is all about?

I'm quite sure that the people who designed these products never intended for customer's data to be visible to the company, they just want to provide users with a useful product while incidentally locking them into their subscription business model.

Long ago, when MS took over Hotmail, I had a look at the T&Cs. It was quite clearly written in there that MS considered themselves to own the copyright and any other rights to all material that went through HM's servers. IIRC it's where I first saw the importance of being aware of what these things say before you hand over your valuable (or not) data.

Stuff like this very strongly suggests all along that the intention was for the information to be fully visible and utilised by MS, otherwise why make it even remotely possible for such information to be accessed, and why make the irrelevant information get stored rather than deleted after use? I can understand a translation service using more than just the sentence in question to get a better idea of the context of the topic, but the moment the translated text is returned the lot should be removed from the servers. After that point there is no ethical reason to keep it.

It's not that hard to code stuff from an intention of being rid of unwanted information and only keeping what is absolutely necessary, and it's fairly easy to code with a view of "destroy by default" and only add in stuff as it becomes clear it's needed. MS has no excuse in this.

Personally, I regard cloud based applications with a lot of suspicion.

A good way to go. With the likes of Nextcloud you can do a lot of that on your own, with some inspection of the code (and plugins). Always keep your own copies of the data, and give careful consideration to stuff involving other's privacy. (how does GDPR get around off-site backups and the like?)

(I also don't get this penchant for shaking down - fining -- ... I'm no fan of that company and its products, but just turning a blind eye to this because 'they deserve it' or 'they can afford it' really isn't a good idea.)

Make the penalty for a crime low, and crime can flourish. This is seen often, just look at the amount of traffic violations such as using phones while driving. Sometimes for a law to be effective the punishment has to hurt. Used to be around these parts that rich people would speed with impunity because they could afford the fines. Then the demerit points system was brought in, and now while they can afford the fines they will eventually lose their license if they get caught too often.

MS and other large corps can often easily afford the fines in many of these laws. It's been claimed that various companies will continue breaking the law and paying daily fines that're worth millions if the behaviour is worth 10s of millions. So make the punishments effective.

0
0
Reply

So much for Microsoft applying GDPR globally

When GDPR was being implemented it was refreshing to hear that Microsoft would implement GDPR compliant policies globally. This is quite a unique position compared to the other US tech giants.

Alas, I guess that was just PR optics and Microsoft will just do whatever they like wherever they like.

5
0
Reply
Anonymous Coward

GDPR BDSM

If you can't beat 'em, then errr, beat 'em.

2
0
Reply
Silver badge

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

I wonder how the people working in PR are able to look at them in a mirror without puking? Ablation of moral conscience probably helps.

3
0
Reply
Silver badge
FAIL

Oh dear...

Oh, Microsoft...

You had such an opportunity.

You could have tested Windows 10 to death, possibly even set up a "revert to Win7" theme (for the UGLY FLATSO haters), and above all, focused on security and privacy, and limited telemetry to crash reporting at the absolute most... with Google and Facebook increasingly coming into question about how they use the data they gather, you did have a shot at re-inventing yourselves to all but the like of those who are still stuck in the browser wars...

... but no. You had to try and do the same damn thing as Google and Facebook. And you had to do it badly. Is it that you just can't stand someone else being the villains or something???

2
2
Reply
Anonymous Coward

may put Microsoft on the hook for potentially tens of millions of dollars in fines

10 years later, after a 100M Euro court case: a fine (maybe)

1
0
Reply

Lawful basis - contract

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Microsoft will probably have a contract with the Dutch Gov that gives them the right to collect the data.

As far as the report goes, there has been no breach, so no reason for the Dutch Info Commission to get involved with Microsoft.

The Dutch government, however, may be breaking GDPR by sending data to Microsoft without its worker's consent. Dutch GDP - 826.2 billion USD - now that is quite some fine they can impose on themselves...

1
0
Reply
Silver badge

In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

Caught for snooping and you that statement?!?!

You might as well have released "We are committed to privacy, blah, blah, blah, yeah bored now"

2
0
Reply

I believe the Office telemetry is sent via a scheduled task, so you can always disable this.

Still, MS should have an option within Office to disable this and be clear what data it's sending.

0
0
Reply

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018