On behalf of the Ministry of Security and Justice, Privacy Company carried out a DPIA on DPIA on Microsoft Office ProPlus (Office 2016 MSI and Office 365 CTR). At the request of the Ministry, we publish this blog about the findings. For questions about the research you can contact SLM Rijk (Strategic Vendor Management Microsoft Rijk), accessible via press release from the Ministry of Justice, 070 370 73 45.
The SLM Rijk conducts negotiations with Microsoft for approximately 300.000 digital work stations of the national government. The Enterprise version of the Office software is deployed by different governmental organisations, such as ministries, the judiciary, the police and the taxing authority.
The results of this Data Protection Impact Assessment (DPIA) are alarming. Microsoft collects and stores personal data about the behaviour of individual employees on a large scale, without any public documentation. The DPIA report (in English) as published by the Ministry is available here
Starting today, and with the help of Microsoft, SLM Rijk offers zero exhaust settings to admins of government organisations. During the writing of this DPIA, Microsoft has committed to take a number of other important measures to lower the data protection risks.
Most government organisations in the Netherlands use versions of Office 2016 and Office 365 (or even older versions) that are installed on the computers of the government employees. The organisations store the content data locally, in their own data centres (on premise). But this will change. SLM Rijk conducts a pilot with data storage in the Microsoft cloud, in SharePoint, and in OneDrive. There is also a test with the web-only version of Office 365, where the software is no longer installed on the end-user devices.
Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people. Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded. Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States. For example, Microsoft collects information about events in Word, when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling. But also the sentence before and after a word that you look up in the online spelling checker or translation service. Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services. For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so called system-generated event logs.
Microsoft provides services over the Internet. From a technical perspective, it is inevitable that you have to provide data to Microsoft, such as the header of your e-mail and your IP address in order to be able to use the services. But Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes. In this DPIA report (data protection impact assessment report), the data which Microsoft collects via Office ProPlus are divided in three categories:
In the report, Privacy Company uses these three categories of data in analogy with the division of communications data in ePrivacy law in Europe. This legislation distinguishes between (i) content, (ii) traffic/location data that are generated as a result of using the communication services, and (iii) data that are strictly necessary to transmit the communication, but have to be erased or anonymised immediately afterwards.
Microsoft emphasises that the company does not use these categories. Microsoft uses, amongst others, the categories of ‘Customer Data’ and ‘Personal Data’. Microsoft only uses the term Diagnostic Data for the specific telemetry data collected via the inbuilt software client in the locally installed Office software.
Microsoft does not (yet) offer a possibility to inspect the contents of the diagnostic data flow. Microsoft has explained that 23.000 to 25.000 types of events are sent to Microsoft’s servers, and that 20 to 30 engineer teams work with these data. The engineers can dynamically add new events to the data stream from all computers with Office ProPlus. This collection of data is much more specific than in Windows 10 telemetry. If the telemetry is set to ‘full’ in Windows 10, it involves one thousand up to twelve hundred types of events. And 10 teams with engineers. The Dutch DPA conducted an investigation in 2017 of the processing of telemetry data in the consumer and small business versions of Windows 10 (Home and Pro).
The Dutch DPA concluded that Microsoft violated data protection law on many counts, amongst others through the lack of transparency and purpose limitation, and the lack of a legal ground for the processing.
In response to that investigation, Microsoft made some adjustments in the spring 2018 release of the software. The Dutch DPA concluded (prior to the actual release of the software, press release in Dutch only) that the improvement plan presented by Microsoft would end all violations. The Dutch DPA did not investigate data processing via the Office software.
Microsoft determines the purposes of the processing of the diagnostic data in the Office software, and the retention period of the data (30 days up to 18 months, or even longer if deemed necessary by Microsoft). The DPIA report shows that Microsoft processes the diagnostic data for 7 purposes, and for all other purposes Microsoft deems to be compatible with those purposes. Because Microsoft determines the purposes and the means (of the retention period), Microsoft acts as a controller, and not as a data processor.
The 7 purposes are:
The Office ProPlus software includes the use of a number of online services. But Microsoft also offers so called ‘discretionary’ (voluntary) Connected Services, such as the online spelling checker and the translation service. Microsoft only considers itself to be a data controller when people use these discretionary Connected Services. In that case, Microsoft processes the personal data about the use of these services for all 12 purposes listen in its general privacy statement.
The DPIA report provides an extensive description of 8 high data protection risks for data subjects. The government organisations that use Office should, however, determine themselves what the specific risks are, based on the specific personal data they process. This DPIA report is meant to assist, not to replace.
During the writing of this DPIA report, Microsoft has already made commitments to SLM Rijk to make important adjustments to lower the risks. Microsoft has developed zero-exhaust settings. Microsoft also intends to provide adequate information, include a data viewer tool for the telemetry data from Office and provide an option to administrators to determine the desired level of telemetry. Additionally, SLM Rijk and Microsoft office will jointly work on the correct qualification of Microsoft as a (joint) controller or data processor.
Some residual risks can be mitigated if the government organisations will use the newly developed settings to minimise the processing of telemetry data. There are 6 remaining high risks for data subjects.
What can the admins do now to lower the risks? Admins of the Enterprise version of Office ProPlus can already take a number of specific measures to lower the privacy risks for employees and other people in the Netherlands.
These measure are not in all cases realistic or feasible. It is not possible for the (Enterprise) customers of Office to solve all problems. With regard to the contracts and transfer of personal data to the USA, a European solution must be sought.