Office 365 verboten in Hessen schools: German state bans cloudy Microsoft suite on privacy grounds

The German state of Hessen has warned schools not to use Office 365 because the Microsoft suite's cloud storage and telemetry collection are not compliant with the EU's General Data Protection Regulations. The Hessian Commissioner for Data Protection said last week that its ruling came after years of negotiations with …

  1. Anonymous Coward
    Anonymous Coward

    Has the PATRIOT Act been repealed ?

    Because it renders the physical location of servers immaterial for the purposes of data snooping.

    Everyone talks up the EU as being "big enough to stand up to the US" but in reality, no one has really challenged this.

    1. Pascal Monett Silver badge

      Re: Has the PATRIOT Act been repealed ?

      Repealed; no. It expired in 2015.

      1. alain williams Silver badge

        Re: Has the PATRIOT Act been repealed ?

        Reading the link that you provide, the last paragraph of the first section contains:

        parts of the Patriot Act expired on June 1, 2015.[9] With passing the USA Freedom Act on June 2, 2015, the expired parts were restored and renewed through 2019

        So: it is still very much in force.

        1. Hans 1 Silver badge
          Big Brother

          Re: Has the PATRIOT Act been repealed ?

          With passing the USA Freedom Act on June 2, 2015, the expired parts were restored and renewed through 2019

          Nobody could make this up, nobody ...

    2. elgarak1

      Re: Has the PATRIOT Act been repealed ?

      Note: The press release that the article is based on is a LEGAL and POLITICAL statement, not a technical one. The question is whether Hessian schools are within German and European law to use the services of Office 365 – and yes, the location of the servers is a legal requirement for German and European law.

      As I said, Microsoft did offer "Office 365 Deutschland" from 2015 (I think, but don't nail me on that) until 2018, which fulfilled, on paper, all the legal requirements for Hessian schools to use.

      Microsoft has stopped offering that service in 2018.

      The current, and future, status of fulfilling the legal requirements of Office 365 is unclear since Microsoft is not answering information requests in a qualified manner (according to the official penning the press release). Hence, schools cannot currently make use of the product legally under German and European law.

      The Patriot act makes it legal for US intelligence to gather the data under US law. That has nothing to do with schools in Germany fulfilling German/EU law.

      Neither does it matter how technically easy it is to get the data, legally or not.

      1. big_D Silver badge

        Re: Has the PATRIOT Act been repealed ?

        It isn't just the location of the data, which is important, it is also the fact that the telemetry data was being captured (and that is outside the tenant data) and that is supplied to Microsoft directly - the same for Windows 7 and 10. That is the problem, this telemetry data can't be turned off (if you are using Enterprise Office 365, you can, since May, turn most of it off), but there are still no official details of what telemetry data is collected, just that several thousand data points are collected.

    3. David Shaw

      Re: Has the PATRIOT Act been repealed ?

      Privacy and transparency are fast becoming illusions under overwhelming National Security budgets. It is even suggested that El'Reg's editor sits on the UK's DASM committee. ( 'D'-notice committee, hopefully in order to explain the 'and Social Media' aspect to important people who have apparently banned the name 'Pablo' )

      keep up the good work!

      1. amanfromMars 1 Silver badge

        Re: Has the PATRIOT Act been repealed ?

        privacy, transparency are fast becoming illusions under overwhelming National Security budgets. it is even suggested that El'Reg's editor sits on the UK's DASM [sic] committee. ( 'D'-notice committee, hopefully in order to explain the 'and Social Media' aspect to important people who have apparently banned the name 'Pablo' ) ....... David Shaw

        Oh? That is difficult to easily believe, David Shaw, and not realise fake news.

        However, for the illusion of National Security not to be overwhelmed, the reverse/obverse/inverse .....DSMA-Notice committee wonks spying on El Reg First Edition Content and Commentary/Virtual Star Command and Remote Universal Control ....... would be most likely and more natural, even as it spotlights the Unusually Dynamic and Frenetic Nature of Matters nowadays with all Manner of Incredibly Potent Zer0Days entered onto and into Myriad Fields of Greater IntelAIgent Games Play for Established Extant Systems to Systemically Constantly Fail at Effectively Stage Managing in a Toxic and/or Secret Service Servering Direction.

    4. LDS Silver badge

      It's even worse: the CLOUD Act

      The CLOUD Act, which passed last year, exactly asserts that US companies have to hand US authorities data stored in their systems, wherever their systems are, and if a US company objects a US judge will handle the matter.

      So German authorities should pave the way to ban US companies storing data outside users computers to be allowed to operate - especially where sensitive data are at stake.

      1. eldakka Silver badge

        Re: It's even worse: the CLOUD Act

        The CLOUD Act which passed last year exactly assert that US companies have to hand US authorities data stored in their systems, wherever their systems are, and if a US company objects a US judge will handle the matter.
        Some context is needed for that.

        The legislation is intended to force US companies that provide services to the US, but may store the data offshore in data centres in other countries, to pony up that data even if stored overseas. For example, if a person in the US is using gmail for their email, and for that account Google randomly chose to store the emails - or some of them - in a data centre in Singapore (due to system management practices, e.g. Singapore is underutilised while local data centres to the US resident are under high load), then Google has to hand the data over on issuance of a valid warrant.

        The Act explicitly has provisions for challenging the warrants if it violates the privacy rights of the foreign country the data is stored in. For example, if the warrant is issued for a Singaporean national who resides in Singapore for activities they undertook in Singapore, then the warrant for that person's data Google stores in the Singaporean data centre would not be valid.

        It is a US law enforcement tool, not an espionage tool - they already have Executive Orders and espionage laws that enable getting this data without having to contact the companies involved in this case anyway, therefore the security agencies don't have need of the CLOUD Act...

        1. LDS Silver badge

          "The Act explicitly has provisions for challenging the warrants"

          Sure - but who could challenge the warrants, and who decides? In both cases it is the US company and a US judge. The foreign country may not even be notified. A warrant has to be explicitly challenged by the US company asked to produce the data; if it doesn't and simply complies, there is no way for a non-US entity to challenge it.

          The judge has to take into account first: "(A) the interests of the United States, including the investigative interests of the governmental entity seeking to require the disclosure;"

          Moreover the foreign country has to be "qualified" - basically forced into an agreement with the US about data exchange, and a very asymmetric one. Otherwise no protection is afforded.

          The whole law was built because MS refused to hand emails from Ireland until it had its butts fully covered by the law.

          It's law enforcement the US way - thinking that outside US "hic sunt leones" and they are all primitive countries - but it's exactly US law that is becoming very primitive. The CLOUD Act is not different from possible Huawei trojan horses - any US company becomes a trojan horse.

          While it is true that espionage may access that data as well, there is the basic difference that espionage is illegal - and any US company that helps it is committing a crime.

          The CLOUD Act instead tries to assert a legal right for US law enforcement agencies to access non-US data, and US companies try to assert they are only law-abiding entities.

    5. Fred Flintstone Gold badge

      Re: Has the PATRIOT Act been repealed ?

      The Patriot Act is not really your problem, the Cloud Act 2018 is as there are far fewer barriers to application.

      The Cloud Act 2018 allows US courts to demand data of US companies, irrespective of which jurisdiction it is stored in. Obviously that totally ignores sovereignty or the fact that the company in question then will be in breach of local privacy laws, but the US habitually ignores the existence of the rest of the planet when it formulates law.

      In context it may be important to note that the main Silicon Valley protagonist in the creation of this law ..

      .. was Microsoft.

      1. Muscleguy Silver badge

        Re: Has the PATRIOT Act been repealed ?

        Indeed, remember when the ICJ was minted? The US, worried its forces might find themselves arraigned there, granted itself the right to invade The Hague to 'rescue' them. They saw nothing wrong with threatening a warlike act on a NATO ally or what Dutch law might say about the matter.

        You can however bet that Blighty will fall over backwards and spread 'em to help the US achieve this up to and including using bases on UK soil and UK airspace. Eric Arthur Blair was right, we are Airstrip One.

        This sort of thing is just one of the reasons why many of us here in Scotland want out of this septic Union. If rUK wants to crawl up Trump's rectum it can do it without dragging Scotland up it as well.

      2. amanfromMars 1 Silver badge

        Re: Has the PATRIOT Act been repealed ? @Fred Flintstone

        The Patriot Act is not really your problem, the Cloud Act 2018 is as there are far fewer barriers to application.

        The Cloud Act 2018 allows US courts to demand data of US companies, irrespective of which jurisdiction it is stored in. Obviously that totally ignores sovereignty or the fact that the company in question then will be in breach of local privacy laws, but the US habitually ignores the existence of the rest of the planet when it formulates law.

        In context it may be important to note that the main Silicon Valley protagonist in the creation of this law ..

        .. was Microsoft. ..... Fred Flintstone

        It is all very well having the facilities and utilities and faculty to gather all information for further intelligence processing, but as All Current Extant Systems Operations know, with Microsoft just the one of many who are discovering at phenomenal cost to themselves, in lost future fortune and revenue, no incredibly simple and pragmatic idea about how to make IT Realise Much Greater Future.

        Fortunately though, are there Advanced IntelAIgent Apps and SMARTR Chaps readily available to Deliver all of that. You know .... with Special IntelAIgent Source Content for Targeted Presentation to Hungry Future Virtual Clients.

        Such is as Mighty Pollen for Servering Bees to Conjure into Honey ...... just like a Flash Fast Cash Money Machine revolving around Satisfying the Birds and the Bees ......... which is Ideally, Everybody.

        Those little suckers have surely got that wonderfully simple process all sown up, and working quite perfectly. Do you think humans are switched on enough to understand and energise the natural drive that such unconditional sharing empowers? Or are most all blissfully ignorant and somewhat dim-witted in that department/sector/vector?

    6. RudderLessIT

      Re: Has the PATRIOT Act been repealed ?

      I suspect that you don't understand the scope of the act and how it differs from a legitimate subpoena (i.e. one that is recognised by the local government).

  2. elgarak1

    Note: For me, it is still not entirely clear what they sell. Some time ago, there was a separate store page for "Office 365 Deutschland", with prices (different from the normal Office 365 prices), promised German data centres and servers, and everything. This is gone. Instead, there's a purely informational page about the planned change of using German data centres by the end of 2019. There's a link to buy Office 365, but the prices and info are in line with the 'normal', i.e. not specifically German, version of Office 365.

    It is not at all clear, on these pages, if you can currently buy any Office 365 specifically to German data centres.

    (Whether these German data centres and servers are secure against sharing data with non-German authorities is another question.)

    1. elgarak1

      In fact, reading the press release the article is based on again, it seems that the not-anymore-offered "Office 365 Deutschland" service was legally secure enough against US intelligence snooping to allow Hessian schools to use. Legally, not technically. In the opinion of the regulator.

      The normal "Office 365" service is not, and neither are Apple's and Google's cloud services. Legally secure enough for schools to be used, that is. Mostly because the companies do not sufficiently explain to the regulator how the services work, though it seems that no one (in the Hessian school related administration) has asked Apple or Google due to lack of interest.

  3. Pascal Monett Silver badge
    Thumb Up

    "Office 365 [is] not compliant with the EU's General Data Protection Regulations"

    Thank you for clarifying that. Now could someone please explain why Germany gets a slightly more privacy respecting version and the rest of Europe has to bend over as usual ?

    In any case, blessed be the GDPR. It is going to force companies to take privacy seriously, and that cannot happen too soon.

    1. Aitor 1 Silver badge

      Re: "Office 365 [is] not compliant with the EU's General Data Protection Regulations"

      Because they complain more.

    2. elgarak1

      Re: "Office 365 [is] not compliant with the EU's General Data Protection Regulations"

      The way I see it: There's a specific German version because German entities (companies, organizations, state officials) actually asked Microsoft, and threatened to choose alternatives. If other countries did not get that, it's because no one there bothered.

      Maybe it's really because Germans are more aware of privacy issues because of the history – in particular being split into two countries, with one half being a surveillance state, and the other half aware of that and actively trying not to be. And before that, being a surveillance state where the surveillance led to atrocities.

      1. Anonymous Coward
        1. Derezed

          Re: Private Eye always has

          Um...nobody forgot that.

          So anyway, Germany and privacy...the Stasi...constant surveillance...probably feeds into their view of privacy.

          1. Anonymous Coward
            Anonymous Coward

            Re: Private Eye always has

            "the Stasi...constant surveillance...probably feeds into their view of privacy."

            Funny you say that, the former head of the Stasi is on record as saying they had nothing like the facilities most democratic countries intelligence agencies have nowadays.

            Records on manual card index systems and something like just 50 maximum wiretaps, he said he used to have sleepless nights trying to decide who to take off so they could monitor someone new.

            Even the most democratic countries' spy agencies are in a dreamland by comparison.

            1. Hans 1 Silver badge
              Big Brother

              Re: Private Eye always has

              Thank Honecker that they did not have more resources at their disposal, because they would have found many more to torture.

              You also seem to forget the "inoffizielle Mitarbeiter" ...

            2. brotherelf

              Re: Private Eye always has

              "Funny you say that, the former head of the Stasi is on record as saying they had nothing like the facilities most democratic countries intelligence agencies have nowadays."

              Yes, exactly, and look at how much of a panopticon they built with that.

            3. LDS Silver badge

              Re: Private Eye always has

              STASI had lots of informers, so they needed far fewer wiretaps... not that the technology available to East German citizens was advanced either...

    3. SolidSquid

      Re: "Office 365 [is] not compliant with the EU's General Data Protection Regulations"

      Because the German government, when putting GDPR into law, went for an enhanced version rather than the minimum required to fulfil it, giving people additional protections. Other countries don't have it because the other countries' governments haven't been willing to do that.

  4. g00se2
    WTF?

    So, Hesse "after years of negotiations with Microsoft" is unclear about the nature and extent of slurping. I'm guessing that other states know even less on these issues. Are they using these slurping products and happy that they're in line with GDPR?

    1. Anonymous Coward
      Anonymous Coward

      I'm guessing that other states know even less on these issues.

      Not really. Maybe you remember that the Dutch came back with exactly the same complaints. Difference however is that where the Dutch Government was (seemingly) satisfied by the wooing non-statements of Microsoft, the Germans are not that easy in rolling over...

      Well, at least they don't have a "special relationship" they are afraid of jeopardising, and can truly take back control.

      1. Anonymous Coward
        Anonymous Coward

        They tried. I know that there was a lengthy discussion with MS, and I also know that Office365 is not used in the IT of the state of Hesse internally (the state owned IT supplier forbids it) because of similar issues as mentioned in the article. This also ended the home-use-license-program-thingy (your company licenses software and you can use the same license at home for private stuff, forgot how it is called). Not that I care about that (I do not even own a Windows machine). Anon because I do not know how official this information is...

    2. crayon

      "We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns."

      MS are still at the "looking forward to working with" stage and haven't reached the actual "working with" stage.

  5. Mr Dogshit

    That way you know what you've got.

  6. J J Carter Silver badge
    Linux

    They started it!

    For you Yank, ze Office 365 subscription is over!

    1. Fruit and Nutcase Silver badge
      Linux

      Re: They started it!

      They don't like it up 'em!, in the cloud

  7. Anonymous Coward
    Anonymous Coward

    In a way, we've come full circle..

    It so happens that the origin of LibreOffice is also German.

    It started life as StarOffice by a German outfit Star Division, and I recall having it on OS/2. Then Oracle decided it wanted to throw some spanners in the Microsoft mechanics, bought it and Open Sourced it as Open Office. At some point that forked into LibreOffice which I use a *lot*.

    I'm guessing that may become an option now - also because its native format is a European Document standard, despite all the rather questionable efforts by Microsoft to get that title for the MSOOXML effort that they seem to have even abandoned themselves (instead we now get the usual BS from marketing that their implementation of ODF is "better" than the office suite that effectively SET that standard).

    All that said, however, does not take away from the fact that this is but a drop in the ocean for MS. No doubt their representatives are already on their way to wine and dine the relevant people to convince them of the errors of their ways and quell this fact based bit of insurgence, for those are the ways of Microsoft.

    1. crayon

      Re: In a way, we've come full circle..

      It was Sun who bought StarOffice and turned it into OpenOffice. Oracle got their grubby hands on it as part and parcel of their takeover of Sun. But OO was of no use to Oracle so they offloaded it to the Apache Foundation.

  8. Anonymous Coward
    Anonymous Coward

    There is a way to find out the content of telemetry data

    For those technically so inclined, instructions to decrypt the data stream of telemetry in Windows 10:

    1. Create an environment variable called SSLKEYLOGFILE.

    2. Point it to a text file for SSL keys.

    3. Reboot the Windows computer.

    4. Open up Wireshark.

    5. Set Protocol -> SSL -> (Pre)-Master-Secret log file to the text doc.

    6. Filter on the IP to decode.

    For where the data is sent to, see http://investmentwatchblog.com/a-traffic-analysis-of-windows-10-2/
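The key log the steps above point Wireshark at is in the NSS key log format. The following Python, added here and not from any commenter or from Microsoft, parses such a file and checks a capture's ClientHello records against it, so you can see before decoding which sessions Wireshark can actually decrypt: only software that honours SSLKEYLOGFILE writes entries, so sessions from other components show up with no matching key. The key log text and ClientHello records are constructed samples, and `build_client_hello` is a test helper, not captured traffic.

```python
"""Check captured TLS ClientHellos against an SSLKEYLOGFILE (NSS key log format).

Added example, not from any commenter. Wireshark decrypts only sessions whose
Client Random has a key log entry, and only software honouring SSLKEYLOGFILE
writes entries, so this shows up front which sessions in a capture will decode.
"""
from __future__ import annotations

import re
from collections import defaultdict

# CLIENT_RANDOM = TLS 1.2 master secret; TLS 1.3 labels = traffic secrets; legacy "RSA" lines ignored.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
_LINE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)\s*$")


def parse_keylog(text: str) -> dict[str, dict[str, str]]:
    """Map each client random (hex) to the {label: secret} entries logged for it."""
    entries: dict[str, dict[str, str]] = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        m = _LINE.match(line)
        if not m:
            continue  # tolerate malformed lines: the file is appended to while capturing
        label, client_random, secret = m.groups()
        entries[client_random.lower()][label] = secret.lower()
    return dict(entries)


def client_random_from_hello(record: bytes) -> str:
    """Extract the 32-byte Client Random from a raw TLS record holding a ClientHello.

    Layout: 5-byte record header (type 0x16 = handshake), 4-byte handshake
    header (type 0x01 = ClientHello), 2-byte legacy version, then the random.
    """
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return record[11:43].hex()


def decryptable(keylog: dict[str, dict[str, str]], record: bytes) -> tuple[bool, str]:
    """Report whether Wireshark could decrypt the session this ClientHello starts."""
    labels = keylog.get(client_random_from_hello(record), {})
    if not labels:
        return False, "no key log entry for this Client Random"
    if TLS12_LABEL in labels:
        return True, "TLS 1.2 master secret logged"
    if TLS13_APP_LABELS <= set(labels):
        return True, "TLS 1.3 application traffic secrets logged"
    return False, "TLS 1.3 entry incomplete: " + ", ".join(sorted(labels))


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal ClientHello record for testing (constructed, not captured)."""
    body = (b"\x03\x03" + client_random + b"\x00"  # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")  # one suite, null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: dummy randoms and secrets, not values from any real machine.
RANDOM_TLS12, RANDOM_TLS13 = bytes.fromhex("aa" * 32), bytes.fromhex("bb" * 32)
RANDOM_UNLOGGED = bytes.fromhex("cc" * 32)  # a client that ignores SSLKEYLOGFILE
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    f"CLIENT_RANDOM {RANDOM_TLS12.hex()} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_TLS13.hex()} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_TLS13.hex()} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_TLS13.hex()} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_TLS13.hex()} {'55' * 32}",
    "not a key log line",
])
```

Run `decryptable(parse_keylog(open(path).read()), record)` over the ClientHello records in a capture; any session reported as having no entry came from a component that never wrote to the key log and will stay opaque in Wireshark.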

    1. Hans 1 Silver badge
      Windows

      Re: There is a way to find out the content of telemetry data

      There is a way to find out the content of some telemetry data

      #TFTFY

      1. Anonymous Coward
        Anonymous Coward

        Re: There is a way to find out the content of telemetry data

        There is a way to find out the content of a whole lot of telemetry data

        FTFTFTFY

    2. Timmy B Silver badge

      Re: There is a way to find out the content of telemetry data

      yeah... that investment watch "article" isn't paranoid at all...

      "It’s speculated that the purpose of this function to build up a massive voice database, then tie those voices to identities, and eventually be able to identify anyone simply by picking up their voice, whether it be a microphone in a public place or a wiretap on a payphone."

      Speculated == no proof at all.

      1. Anonymous Coward
        Anonymous Coward

        Re: There is a way to find out the content of telemetry data

        While the data is probably only to train AI/voice models. Feature creep. Feature creep as far as the eyes can see.

  9. John Brown (no body) Silver badge

    Oi! Microsoft. No. Just Noooooooooo!

    "new steps towards even greater transparency and control for these organizations when it comes to sharing this data."

    Hey MS!! We really don't care about more transparency about what you do with "shared" data. We pay for the fucking stuff and we don't want to share with you.

    Come on, be honest. What's that data worth? How much extra would a locally installed, non-slurp version cost us?

    Until you can answer that and come up with an offer, those of us who care will continue to not use your products.

  10. oiseau Silver badge
    WTF?

    Up to M$?

    ... it was down to Microsoft to present a solution.

    I think not.

    It was really up to the German government to work in the interests of its citizens and not for M$.

    You don't need to use Office 365 or any M$ software in government offices or schools.

    But, as there is usually an absolutely unbelievable amount of public money involved in government offices and schools using M$ software, there's also an equally unbelievable amount of pork to go around.

    See this article to see how this will probably end.

    In the end, these end up being "brown envelope decisions".

    O.

  11. SImon Hobson Silver badge
    Big Brother

    Talk about the art of misinformation !

    successfully sued the US government over access to customer data in Europe

    One of those "technically correct" but entirely misleading claims. They didn't really win, it was just that the US government changed the law and made the case moot - at which point TPTB withdrew the case.

    So the win in this case was more a case of: TPTB said "give us this information", MS said "no, we can't without breaking the law", TPTB changed the law, MS said "OK then, here's the information you asked for". Or if you (as the adverts put it) "shorten the sequence", you get "win" = "TPTB ask for some information, MS give it to them".

    But good to see that someone has now come out and declared MS's products as "illegal" under EU law. Now we just need to sit down with the popcorn and watch the court cases progress. I suspect this will be a bit like the Safe Harbour situation - it will drag on for ages, and then there'll be some sort of fudge (like Privacy ShieldFigleaf) that starts the process over from the beginning.


Biting the hand that feeds IT © 1998–2019