EU parliament bans Outlook app over cloudy security: report

The EU Parliament has blocked politicians from using the Microsoft mobile Outlook app in the wake of security and privacy concerns centred on the siphoning of corporate credentials to a third party, according to reports. The Parliament's IT department, DG ITEC, has reportedly told staff to delete the app and reset corporate …

  1. Khaptain Silver badge

    The application is not the problem

    If users are storing passwords or confidential information in email folders the problem is with the user not with the application/device.

    It's about the equivalent of writing a password on a post-it and putting it in the top drawer hoping that no-one will look in there. Even if the drawer is locked the cleaner might have the key, or you forget to lock the drawer, or you forget that you put it in the drawer etc etc .....

    They either have to learn to use encryption or to not store confidential information in a clear text format.....

    1. Anonymous Coward

      Re: The application is not the problem

      tl;dr? An AWS based server will suck your email out of your corporate account, slice it and dice it and then send the result to your phone.

      Read the article before commenting (this isn't /.) The concern is that the app servers act as a middle man between Exchange and the phone, not that people are storing credentials in email folders (which is not mentioned.)

      Just think - they could insert ads directly into your email - hooray 8) Also, anyone needing a copy of all your email could simply request it. I doubt very much that the AWS systems are based in Europe for EU citizens nor in the US likewise.

      There are more grey areas with this app than usual.

      1. Khaptain Silver badge

        Re: The application is not the problem

        If the text that they are sucking out contains unencrypted passwords/info then the problem is not the app. The text should not be available in the first place.

        Why are unencrypted passwords or other confidential details being stored in such an easy to get manner.

        We have partners that refuse to deal with us unless the entire contents of the emails are encrypted. We are not an IT company, we deal with medical information and credit card information, if we can do it why can't the government.

        1. Anonymous Coward

          Re: The application is not the problem

          If the text that they are sucking out contains unencrypted passwords/info then the problem is not the app. The text should not be available in the first place.

          Why are unencrypted passwords or other confidential details being stored in such an easy to get manner.

          That is a question for Microsoft to answer, but that gets you into a weird sort of territory where lots of people will tell you that MS has all these wonderful experts (which they tend to roll out at presentations to, for instance UK MoD) but that never appears to translate into any improvement. It's really not rocket science to do it right, but Microsoft's inability to fix pretty basic problems has passed the excuse of complexity right into "they do this deliberately" territory. I mean, it's not like it's news that anything on the Net needs security, nor is how to do this a closely guarded secret, and they have the people. Draw your own conclusions.

          We have partners that refuse to deal with us unless the entire contents of the emails are encrypted. We are not an IT company, we deal with medical information and credit card information, if we can do it why can't the government.

          You're lucky if they just ask for crypto. We ended up developing our own service to ensure we could meet transparency and audit requirements. On the plus side, we don't have to ask for any trust..

        2. big_D Silver badge

          Re: The application is not the problem

          @Khaptain

          This isn't passwords in emails, it is the password for the EMAIL ACCOUNT itself that is being stored on AWS servers.

          As Exchange provides both push and pull services anyway, the question is why does the app need a proxy to collect the mail for you in the first place?

          1. Khaptain Silver badge

            Re: The application is not the problem

            "This isn't passwords in emails, it is the password for the EMAIL ACCOUNT itself that is being stored on AWS servers."

            Shit, I'm having a bad day, diagonal reading and all that. My bad...

    2. Chris Fox

      The application is a problem (given EU data protection obligations)

      This should be seen in the context of compliance with EU data protection regulations and legislation. It is relatively easy to ensure internal email systems comply with EU data protection requirements, assuming secure protocols and good password policies are adopted, and servers are physically secure. And Microsoft has gone to great lengths to provide legal cover for EU-based organisations to allow them to outsource internal corporate email to Office365 (although there may be questions about how robust these assurances are). Either way, this app makes the whole thing moot by operating in a way that is clearly in breach of data protection regulations; any EU-based organisation that allows staff to use this app for corporate email will almost certainly be in breach of data protection legislation.

      1. Khaptain Silver badge

        Re: The application is a problem (given EU data protection obligations)

        Unless I am mistaken the EU data protection regulations do not oblige companies to use encryption they only advise it.

        The principle "Security:" does not define "how" data should be kept safe and secure. This is vague and open to abuse.

        The 7 EU data protection regulation principles:

        • Notice: subjects whose data is being collected should be given notice of such collection.

        • Purpose: data collected should be used only for stated purpose(s) and for no other purposes.

        • Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).

        • Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.

        • Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.

        • Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.

        • Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

        Rogue Admins can have full access to email systems and unless the emails are encrypted you have to consider your data as being "public".

        ....

        1. Anonymous Coward

          Re: The application is a problem (given EU data protection obligations)

          Your requirement to protect information hides in these two aspects:

          • Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).

          • Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.

          You're looking at a duty of care issue on top of violation of Data Protection principles if such data is transported without encryption.

      2. Anonymous Coward

        Re: The application is a problem (given EU data protection obligations)

        Microsoft has gone to great lengths to provide legal cover for EU-based organisations to allow them to outsource internal corporate email to Office365 (although there may be questions about how robust these assurances are)

        These assurances are not worth very much now Safe Harbor is dead. The problem is not so much that data is hosted in Europe (which was at least a small fix), but that Microsoft is actually a US company, and thus subject to the revolving door legal structure out there. That's why Microsoft is trying to get the EU to fight its battles with that request for data held in Ireland - if they lose that (and I honestly cannot see them winning this) it's pretty much game over for them in Europe, and not just for Microsoft.

  2. Anonymous Coward
    Meh

    meanwhile....

    ...they are free to install any other data slurping app, you know the flashlight app that needs an internet connection, access to your contacts and to read text messages and phone info.

  3. thondwe

    Where else is this username/password kept anyway

    So the creds are kept on AWS, they are also on iCloud (via backup settings?), or Google (Android), cached in a web browser somewhere (OWA), in your handy Password Manager, on the Laptop which gets left on the train...

    The only way to keep data secure is to not allow the users near it! E-mail is probably now the least safe place to store anything??

    Paul

    1. Anonymous Coward

      Re: Where else is this username/password kept anyway

      E-mail has never been that safe to use. Ever assuming that you are fine sending that highly confidential missive over it is naive. Or your significant secret other. Like talking on the telephone.

      PGP really should be used by standard. At least the content will be safe. *

      *For a given value of safe

      1. Anonymous Coward

        Re: Where else is this username/password kept anyway

        E-mail has never been that safe to use. Ever assuming that you are fine sending that highly confidential missive over it is naive. Or your significant secret other. Like talking on the telephone.

        You have to be precise here, I assume you mean plain text email over the Internet.

        PGP/GPG isn't a solution either as that does not protect meta data. And we kill people based on meta data (verbatim quote of the former head of NSA and CIA General Michael Hayden)...

        1. Anonymous Coward

          Re: Where else is this username/password kept anyway

          "PGP/GPG isn't a solution either as that does not protect meta data. And we kill people based on meta data (verbatim quote of the former head of NSA and CIA General Michael Hayden)..."

          Whereas you are quite right, however, if the United Spooks of America are going to off someone on Meta-data alone, you can be sure that they can get that from anywhere they want, even if you didn't use email. PGP, at least, offers content encryption. If you are that dangerous* to the Free World(tm), I wouldn't expect you to be using the internet to communicate in any direct form.

          *Or rather, perceived to be. Due process seems to be treated like a nice to have.
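The two points argued above, that PGP at least protects message content and that it leaves the metadata exposed, are easy to see from the shape of a PGP/MIME message (RFC 3156). The following is an added example, not code from this thread or from any product mentioned in it: it uses only Python's standard `email` module to build a conventional text/plain message and a PGP/MIME container with the same envelope, then reports what a relay, proxy or passive observer can read from each. The sender, recipient, subject and date are constructed sample values, and the "ciphertext" is a constructed placeholder standing in for the OpenPGP message a real tool such as GnuPG would produce.

```python
from email import policy
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed placeholder: a real PGP/MIME message carries an ASCII-armoured
# OpenPGP message here, produced by GnuPG or a similar implementation.
PLACEHOLDER_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "PLACEHOLDER-NOT-A-REAL-OPENPGP-PACKET\n"
    "-----END PGP MESSAGE-----\n"
)

# Constructed sample envelope values (not from the article or the comments).
SENDER = "alice@example.org"
RECIPIENT = "bob@example.net"
SUBJECT = "Q3 board minutes"
DATE = "Thu, 12 Feb 2015 10:00:00 +0000"

# Headers every hop on the path needs in the clear to route and present mail.
ENVELOPE_HEADERS = ("From", "To", "Subject", "Date")


def _set_envelope(msg):
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = SUBJECT
    msg["Date"] = DATE
    return msg


def build_plaintext(body: str) -> bytes:
    """A conventional text/plain message: headers and body both in clear."""
    return _set_envelope(MIMEText(body)).as_bytes()


def build_pgp_mime(ciphertext: str) -> bytes:
    """RFC 3156 multipart/encrypted container around an OpenPGP message.

    Part 1 is the control part ("Version: 1"); part 2 carries the ciphertext.
    The outer headers are NOT inside the encrypted payload.
    """
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    _set_envelope(outer)
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encode_7or8bit)
    payload = MIMEApplication(ciphertext.encode("ascii"), "octet-stream",
                              _encoder=encode_7or8bit)
    outer.attach(control)
    outer.attach(payload)
    return outer.as_bytes()


def _parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def exposed_metadata(raw: bytes) -> dict:
    """What any relay, proxy or passive observer on the path can read."""
    msg = _parse(raw)
    return {h: str(msg[h]) for h in ENVELOPE_HEADERS}


def readable_body_parts(raw: bytes) -> list:
    """Cleartext text/* bodies visible without any key."""
    msg = _parse(raw)
    return [part.get_content() for part in msg.walk()
            if part.get_content_maintype() == "text"]


def is_pgp_mime(raw: bytes) -> bool:
    """Structural check for the RFC 3156 multipart/encrypted layout."""
    msg = _parse(raw)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")


if __name__ == "__main__":
    plain = build_plaintext("The minutes are attached.")
    encrypted = build_pgp_mime(PLACEHOLDER_CIPHERTEXT)
    for label, raw in (("plaintext", plain), ("PGP/MIME", encrypted)):
        print(f"--- {label} ---")
        print("exposed metadata:", exposed_metadata(raw))
        print("readable body parts:", readable_body_parts(raw))
        print("RFC 3156 layout:", is_pgp_mime(raw))
```

Running it shows both messages leak exactly the same From, To, Subject and Date, while only the plaintext message also leaks its body; that is the whole of the "content safe, metadata not" distinction made in the thread, and the same structural check is what a mail gateway would use to enforce a "encrypted only" policy for a partner domain.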

  4. Anonymous Coward

    Stupid MS... just babble about "it's a cloudy thing", and everything would have been right...

    If Microsoft had sold that crappy product as "this is a hyperconvergent cloud enabled mail solution offered as SaaS to enable the modern CIO/CTO to cloud empower its company and deliver outstanding TCO results" none of this would have happened, sysadmins would have forced that damned app down your throat... for "clouds sake!"

  5. Dan 55 Silver badge
    Happy

    The sound of a pin dropping

    Good lord, is that what the cloud really means... sensitive stuff stored half a world away which lots of people can get at?

  6. keith_w

    AWS? Where does the Article say anything about AWS?

    A lot of the commenters on here do not seem to have very good reading skills. Beyond no mention of storing passwords in text files in email, there is no mention of AWS (Amazon Web Services) in the article. Considering that this is an article about a Microsoft product, one would expect the information, if stored in a cloud environment, to be stored on Azure.

    1. Anonymous Coward

      Re: AWS? Where does the Article say anything about AWS?

      MS bought that company, which was using AWS for its proxy. Probably it would have been moved to Azure as soon as possible, but right now it still runs on AWS.
