In November 2018, a Data Protection Impact Assessment (DPIA) report written for the Dutch Government slammed Microsoft for multiple GDPR violations. Most of the problems were in how Office applications gathered personal information and sent it back to Microsoft. The GDPR violations center on the lack of consent from the data owners and the inability to disable data collection. The DPIA largely focused on Office desktop apps, but Office 365 wasn’t blameless, with personal data accumulating in the Office 365 audit log and other places.
Office ProPlus Privacy Controls
In March, Microsoft responded to say that they would add privacy controls to the Office ProPlus applications. Those controls are now available in Office ProPlus version 1904 (I see them in build 11601.20144 for Windows) and can be accessed by going to your account settings and then choosing Account Privacy. You can then disable “connected experiences” as shown in Figure 1.
If you disable the optional connected experiences, Microsoft says that either the ribbon or menu command for those experiences will be grayed out or users will see an error message when they try to use the feature.
Connected experiences obviously have something to do with an application making use of network (cloud) resources. In a blog post published on April 30, Julie Brill, Microsoft VP and Deputy General Counsel, divides the data collected by Microsoft into two categories: required and optional.
Required data is necessary to make sure that products work as expected and are secure. For example, before Office can download a new version of ProPlus to a workstation, it needs to know what version is already present.
Optional data is not essential to getting work done. You don’t need Microsoft to collect this data before you can create a document or presentation, but the data that is collected is needed for those “connected experiences” to work. For example, I like using the Design option in PowerPoint to format slides. I can still format slides without the option, but the slides look much better when PowerPoint can transmit data to Office 365 to understand what slide layouts are most appropriate for whatever content I have entered for the slide.
Microsoft has posted a list of connected experiences that depend on user content, download online content for Office, or consume user content in features. Some of the experiences are very understandable, like the way Outlook’s Focused Inbox depends on understanding how users deal with new messages. Some are less so (I can’t figure out why rights management is on the list). But it’s good to have the list.
What’s interesting about the list of connected experiences is that most of these features didn’t exist a few short years ago. It’s the ability to collect and analyze information from millions of people working around the world that has allowed Microsoft to build this functionality.
The pages posted by Microsoft are just the start. According to Brill, Microsoft will “improve upon our existing documentation practices, to describe what we collect in these two categories, in ways that are easy to understand, and to explain why data in the required category is necessary.” The Microsoft Privacy Center is the hub for this information. Microsoft also promises a new biannual report to describe any changes they make to data collection.
Office 365 Needs Better Privacy Controls Too
Although it’s good to see progress in Office ProPlus and that Microsoft says that similar changes will happen in Windows 10, Xbox, and Dynamics 365, I was disappointed to see no mention of the server side of Office 365.
For years, customers have asked about controls over the signals captured in what was then the Office Graph and is now the Microsoft Graph. SharePoint Online, OneDrive for Business, Teams, Yammer, Exchange Online, Office 365 Groups, Planner, and the Office 365 administrative interfaces all generate signals that are then used by apps for different purposes. Delve uses signals to bring documents of high relevance to the attention of users. Teams and Groups use signals to suggest new teams or groups for users to join, and so on.
As mentioned above, the Office 365 audit log also collects information (as does Office 365 Cloud App Security), some of which could be deemed personal (like document titles).
And then there’s the information stuffed away in the non-IPM section of Exchange Online mailboxes. Some of this data is used for obvious purposes, like the Files folder. Other data, as discovered by MVP Vasil Michev, is less obviously explainable. Mailboxes now seem to be a dumping ground for information that Office 365 apps need to store. This is fine, but it would be good to understand what Office 365 stores in mailboxes and how the data is used. Perhaps Microsoft’s new commitment to document what it collects will solve the mystery.
Privacy is a Journey
Five years ago, privacy didn’t have quite the focus and attention it has today. Microsoft is slowly responding to the need for better controls and documentation. The controls now available for Office ProPlus are welcome. Time will tell if Microsoft lives up to its commitment across the rest of the Office 365 ecosystem.