New research Microsoft Intune: five low data protection risks

July 9, 2020

On behalf of the Ministry of Justice and Security, Privacy Company analysed the data protection risks of the use of Microsoft's Intune service. This service enables system administrators to encrypt information on end-users' mobile devices, for example. Privacy Company also assessed the risks of the use of the Microsoft Office 365 for the Web and the Office apps for iOS and Android mobile phones. With the Ministry's permission, we are publishing two blogs about our findings, this blog about Intune and the second blog about Office 365 for the Web and the mobile Office apps.

For questions about these reports, please contact SLM Microsoft Rijk (Strategic Vendor Management Microsoft Rijk), via the press spokesperson of the Ministry of Justice, + 31 70 370 73 45.

Worldwide improvement data protection conditions Microsoft

In May 2019, SLM Microsoft Rijk concluded new data protection terms and conditions with Microsoft for the 300,000 digital workplaces of the central Dutch government. These workplaces at the ministries, Tax and Customs Administration, the police, the judiciary, and independent administrative bodies are equiped with the corporate (Enterprise) versions of Microsoft’s online services, such as Office 365.

In January 2020, Microsoft has implemented some of these improvements worldwide in the data protection conditions for its volume licensed online services for businesses and Enterprises. See the Online Service Terms with separate Data protection Addendum of June and January 2020 respectively.

As a result of this Data Protection Impact Assesment (DPIA), Microsoft has committed to mitigate two of the five low risks. These commitments are described at the end of this blog. Additionally, also as a result of the other DPIA on Office for the Web and the mobile Office apps, per 1 August 2020 Microsoft will once again implement worldwide improvements in its data protection conditions.

What is Intune?

Intune is an online management and security service for all kinds of end-user devices. Not only for Windows and macOS desktops and laptops, but also for mobile phones and tablets with the iOS and Android operating system. Government organisations can use Intune to centrally register personal and business mobile devices, and to encrypt the personal data on the devices. Organisations can also use Intune to prevent users from setting their devices to an insecure mode, and completely or selectively wipe the device if it is lost.

Governmentorganisations can use Intune for two different security purposes, namely (1) tocontrol access of apps on the devices to the (personal) data and (2) to enforceinformation security policies when using the devices. Intune's two managementoptions are referred to below as MAM (Mobile Access Management) and MDM (MobileDevice Management).

The DPIA describes two different ways to enroll devices in Intune: (1) by employees themselves, as personal devices, or (2) by system administrators, as corporate devices. Intune also offers the possibility to have devices fully managed (supervised mode), but this type of management falls outside the scope of this report. Employees cannot install personal apps on such devices.

The report covers two types of data processing: the processing of diagnostic data on Microsoft's Intune cloud servers, and data processing via the Intune Company Portal app. Users of self-managed devices must install this app in order to have their devices managed through Intune. Only users of devices running Windows 10 can log in to Intune without the app, using a browser. This DPIA also addresses the use of the Microsoft Azure Active Directory, as its use is mandatory for both types of Intune management: Mobile Device Management (MDM) and Mobile Application Management (MAM).

Result: five low data protection risks

The result of this DPIA is that there are five low risks for data subjects (the users of the terminal equipment). These data protection risks result from the following circumstances:

  • Microsoft behaves as the controller for the Intune Company Portal app, and not as the processor;
  • System administrators can covertly change the status of a device from 'personal' to 'corporate': they can then see all the apps installed on a device;
  • There is no central opt-out for the collection of telemetry data and debugging logs from the Company Portal app;
  • Microsoft is not transparent about the data processing through the Company Portal app;
  • Microsoft processes personal data in the United States.

The fivelow data protection risks are:

  • Unauthorised access by system administrators to private data on personal devices after status change: leads to loss of control and loss of confidentiality;
    Chilling effect on employees if Intune is perceived as a staff monitoring system: restricts the exercise of their fundamental rights;
  • Lack of purpose limitation for data processing via the Company portal app: leads to loss of control, possible re-identification of pseudonymised data and possible loss of confidentiality;
  • Lack of transparency of diagnostic data Company portal app: leads to loss of control and possible loss of confidentiality, as well as the impossibility to exercise your rights as a data subject;
  • Transfer of a limited amount of diagnostic personal data to the U.S.: in the case of direct orders to Microsoft by law enforcement, secret services or security agencies this leads to loss of control, possible re-identification of pseudonymised data and loss of confidentiality.

The low assessment of the risks is mainly due to the relatively innocent nature of the diagnostic data: no content or otherwise sensitive data, and no detailed records of individual behaviour. In addition, government organisations can take effective measures to prevent the collection of sensitive data from the devices.

If the system administrators of the government organisations follow the advice in the report, there are no known high data protection risks when they use Intune.

Recommended measures for government organisations

  • Advise employees to turn off the telemetry and debugging logs in the Company Portal app and to set the telemetry level in Windows 10 to Basic or Security;
  • Add an explicit prohibition to the internal policies for system administration to convert devices from personal to corporate without information and prior warnings;
  • Log system administrators' behaviour and systematically check logs, take additional measures such as requiring a certificate of conduct (VOG);
  • Explain to employees what the organisation can and cannot do with Intune MDM and MAM;
  • Test any expansion with functionalities that may lead to an invasion of employees' privacy against existing internal privacy policies and authorisation matrix;
  • Provide internal privacy information about the types of data that Microsoft and the organisation process based on the actual findings from the DPIA;
  • Follow the advice of SLM Microsoft Rijk on the durability of transfer instruments following EU ECJ case law. (A ruling from the European Court of Justices about the transfer of Facebook-data from Ireland to the USA is expected on 16 july 2020, case C-311/18)

Measures Microsoft

This report was completed on 31 March 2020. As a result of negotiations between SLM Microsoft Rijk and Microsoft between April and June 2020, Microsoft committed to implement measures to mitigate two of the five low protection risks. These measures are:

  1. Microsoft will only act as a data processor for the Intune Company Portal App, with the exception of processing for Microsoft’s own legitimate business purposes, and all processing will be in accordance with the privacy amendment.
  2. Microsoft will publish documentation about the nature of the data collected through the Company Portal app and debug log. This documentation must ensure that customers have a good understanding of the data Microsoft collects.

These measures will have to be implemented at the latest in the fall of 2020. SLM Microsoft Rijk will publish an update about the implementation progress in early 2021, together with an update about the agreed measures in connection with the recent DPIA about processing through Office 365 for the Web and the mobile Office apps.

The how and why of these recommendations are explained in the new DPIA report for SLM Microsoft Rijk. Also see the second new DPIA report on data processing via Office 365 for the Web and the mobile Office apps.