
    Microsoft Responds to Dutch DPIA with Privacy Control for Office ProPlus

    Posted by Tony Redmond in Office and Office 365

    Office, the Dutch Government, and Telemetry

    Last November, I reported that a Data Protection Impact Assessment (DPIA) report done on behalf of the Dutch Government slammed Microsoft because of the way that Office apps transmitted so much data back to the Redmond mother ship. The report referred to the “large-scale and covert collection of personal data,” a big no-no in the era of GDPR.

    Yesterday, Microsoft announced that they will include additional privacy controls to allow Office 365 tenants to manage the data Office ProPlus for Windows (version 1904 onwards) sends to Microsoft (Figure 1).

    Figure 1: Microsoft says Office ProPlus gets extra privacy controls

    Microsoft also says that “work is underway to enable these (privacy) controls for Office on other platforms.” My assumption is that this statement refers to Office for Mac and the Office mobile apps. Microsoft is only delivering the privacy controls for the click-to-run version of Office. There’s no word on whether, or when, customers running the MSI version of Office will see the same kind of privacy controls. If forced to guess, I’d say no because Microsoft is doing as much as they can to influence customers to move to the click-to-run version of Office.

    Privacy and the Office 365 Server Apps

    Microsoft’s announcement contains nothing about what they might do to control telemetry transmitted back by the Office 365 server apps: Exchange Online, SharePoint Online, Teams, OneDrive for Business, Planner, and so on gather a heap of data about how people work, collaborate, share, and interact. Some of that data is surfaced in applications like Delve and MyAnalytics, but there’s much more captured in the Microsoft Graph and other telemetry to help Microsoft engineering groups understand how their software works in different circumstances.

    Going forward, as Microsoft seeks to include more artificial intelligence in Office 365, I think respecting customer privacy is one of the biggest challenges they face. Everyone loves new functionality, but only if it’s delivered in such a way that Microsoft lives up to their commitment that customer data is owned by customers.

    Sometimes in the past, as in the ill-fated attempt to create Office 365 groups for managers and their direct reports, that commitment has wavered. On the surface, the proposal seemed to deliver lots of value, but creating a batch of objects in customer directories without approval is unacceptable, as was the more recent idea to create a transport rule to encrypt some messages, something that could have affected business logic implemented in other transport rules.

    The Balancing Act

    Gathering telemetry helps Microsoft improve their software. It’s something people probably always knew was happening without ever realizing just how pervasive the acquisition and analysis of data had become. The Dutch DPIA did everyone a favor by highlighting the issue and forcing Microsoft to respond. It will now be interesting to see how organizations use the new privacy controls.
