Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office

Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps. That's according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus …

          1. Richard 12 Silver badge

            Re: Oddly enough that's not Microsoft Office's format

            Has anyone else encountered similar anomalies with MS applications?

            Many times. However, usually when transitioning from Microsoft Office version N to version N+2.

            It's almost like MS don't fully understand their own formats.

      1. Anonymous Coward
        Anonymous Coward

        Re: The word "compatible" has a special meaning in the computer industry

        and it has a specially ueberspecial meaning in Germany, in general ;)

    1. P. Lee

      Re: "The Dutch authorities are working with the company to fix the situation"

      A nice solution, but we need to go a step further.

      Libreoffice as a solution relies on the goodwill of Libreoffice to not snoop. I want an OS which can block application access at the network level. I want an OS which can enforce, "Application X gets access to my file server for file-serving protocols. Application X also only gets access to disk subtree Y." That way I can give my browser wide network access but no disk and my wordprocessor disk access, but little network.

      For those on Linux who want MS options and are willing to go non-free, edrawmax (visio) and wpsoffice (Chinese?) look like nice options. I can't vouch for their security and non-snoopiness, but they are far more usable than Libreoffice in an MSOffice environment.
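The network half of the control described in the comment above (an application reaches the file server and nothing else) can be approximated today with the built-in Windows firewall, which scopes rules per executable. The script below is an added example written for this page, not something from the thread or from Microsoft; the Word install path is an assumption for a default Click-to-Run install, and the rule name is made up here.

```powershell
# Added example: per-application outbound restriction with Windows Firewall.
# Run from an elevated PowerShell. The program path is an assumed default
# Click-to-Run location; adjust it for your build.
$app = Join-Path $env:ProgramFiles 'Microsoft Office\root\Office16\WINWORD.EXE'
$ruleName = 'Block WINWORD outbound to Internet (example)'

function Set-AppInternetBlock {
    param([string]$ProgramPath, [string]$RuleName)
    # Block rules win over allow rules in Windows Firewall, so "everything
    # except the file server" is expressed by narrowing the block rule's
    # RemoteAddress to the 'Internet' keyword rather than by adding an allow
    # rule. Intranet and local-subnet destinations stay reachable.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Program $ProgramPath -RemoteAddress Internet -Action Block `
        -Profile Any -Enabled True | Out-Null
}

function Test-AppInternetBlock {
    param([string]$RuleName)
    # Verify the rule as the firewall actually stored it, not as we typed it.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    $addr = $rule | Get-NetFirewallAddressFilter
    $prog = $rule | Get-NetFirewallApplicationFilter
    return ($rule.Action -eq 'Block' -and
            $rule.Direction -eq 'Outbound' -and
            $addr.RemoteAddress -contains 'Internet' -and
            [bool]$prog.Program)
}

Set-AppInternetBlock -ProgramPath $app -RuleName $ruleName
Test-AppInternetBlock -RuleName $ruleName
```

Two caveats worth knowing before deploying this: the same rule also cuts off licensing, cloud-save and update traffic for that executable, so test it against the workflows the users need; and it covers only the network side of the wish in the comment, the "disk subtree Y" part needs a separate mechanism (file ACLs or an application sandbox), which the firewall cannot provide.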

    2. Anonymous Coward
      Anonymous Coward

      Re: "The Dutch authorities are working with the company to fix the situation"

      Instead of trying to fix the unfixable, maybe it's time they work with LibreOffice instead...

      Not until they manage to create a decent installer. The current installer is IMHO an abomination whose user unfriendliness must have been inspired by the ribbon in Microsoft Office. Until they fix that, it is simply not usable in an Enterprise setting, also because updating an anything-but-English version is a pain too as a consequence of what they cobbled together.

      I have no idea what they were using when they came up with this approach, but as far as I can tell they got the dosage wrong.

      1. Anonymous Coward
        Anonymous Coward

        Re: "The Dutch authorities are working with the company to fix the situation"

        "Not until they manage to create a decent installer. "

        It depends a lot on who packaged it. - I've never used the windows installer, so I suspect that's what you used.

        I didn't find it very hard at all for the last two libreoffice installations I did.... on one of my laptops, I typed "emerge libreoffice" and waited a *very* long time :-) and on the other one I typed "apt-get install libreoffice".

        1. Anonymous Coward
          Anonymous Coward

          Re: "The Dutch authorities are working with the company to fix the situation"

          "Not until they manage to create a decent installer. "

          It depends a lot on who packaged it. - I've never used the windows installer, so I suspect that's what you used.

          The problem starts when you use a different language. The installer only speaks English, and you have to manually set the UI language after installing the language pack instead of making that a default option ("option" as in "ask the user", just in case). Worse, when you update you have to go through that again. Appalling, and totally NOT end-user friendly, which is the one thing it has to be to generate widespread adoption. Instead, it provides the *perfect* argument for people to fall back to MS Office.

  1. Anonymous Coward
    Anonymous Coward

    Zero Exhaust?

    How do you turn off the slurping?

    Following the link to https://www.privacycompany.eu/en/impact-assessment-shows-privacy-risks-microsoft-office-proplus-enterprise/, what it actually says is:

    Starting today, and with the help of Microsoft, SLM Rijk offers zero exhaust settings to admins of government organisations.

    Sounds like only governments benefit from this :-(

    1. Martin Gregorie

      Re: Zero Exhaust?

      How do you turn off the slurping?

      Add a single configuration parameter. All right, maybe one in each application that makes up the Office package. All it needs to do is to control whether the telemetry port is written to or not. If Office programs are well-structured code this should be quite easy: the sort of thing that one competent programmer can install and test in time for the following month's Patch Tuesday. So why do they need five months to do something that should be so simple?

      1. Anonymous Coward
        Anonymous Coward

        Re: Zero Exhaust?

        > > How do you turn off the slurping?

        > Add a single configuration parameter.

        Of course MS could *add* such a configuration parameter. But it was implied that they've already done so - in which case it's a question of how to find it.

        1. Martin Gregorie

          Re: Zero Exhaust?

          Of course MS could *add* such a configuration parameter. But it was implied that they've already done so - in which case it's a question of how to find it.

          Yes and No. In two places the article says there is no way to disable slurping and then the Zero Exhaust system is mentioned with an (apparently) documented slurp control switch. The crux of the biscuit is: if that's already out then they could simply make the Zero Exhaust version the mainstream product and put it on immediate release. So, if this is the case, then why does M$ think it will take until April next year to make it generally available?

          Fish? I can smell it.

          1. JLV

            Re: Zero Exhaust?

            >why does M$ think it will take until April next year to make it generally available?

            Easy. 5 months of desperate lobbying and Doublespeak ahoy explaining how _customers_ need slurping, they value our privacy and are always out to listen to customers.

            Maybe that horse will sing by then.

            Me I’m wondering who the lucky ones to benefit will be: Euro area only or Canadians too? (we already “benefit” from cookie warnings)

            1. Doctor Syntax Silver badge

              Re: Zero Exhaust?

              "Easy. 5 months of desperate lobbying and Doublespeak ahoy explaining how _customers_ need slurping, they value our privacy and are always out to listen to customers."

              Or simply hoping it will get forgotten. Or it will break several bits of functionality and will have to be removed in order to make everything work properly. It's going to take time to ensure enough functionality gets broken.

      2. Omgwtfbbqtime
        Facepalm

        "If Office programs are well-structured code"

        Yeah, how likely is that?

        1. Primus Secundus Tertius

          Re: "If Office programs are well-structured code"

          The history of Star Office -> Open Office -> Libre Office suggests that it is a mountain of quick fixes, with zero logical integrity. MSO will be the same.

          1. Doctor Syntax Silver badge

            Re: "If Office programs are well-structured code"

            "The history of Star Office -> Open Office -> Libre Office suggests that it is a mountain of quick fixes, with zero logical integrity."

            The early stages of the move from OpenOffice -> LibreOffice involved paying down a lot of that technical debt. No doubt there's still some way to go but then there always is.

      3. John Brown (no body) Silver badge

        Re: Zero Exhaust?

        "So why do they need five months to do something that should be so simple?"

        Because it will take at least that long for the committee to decide exactly what shade of pale grey the user request box must be and exactly how many angstroms up the scale the slightly less pale grey text will be.

    2. codger
      FAIL

      Re: Zero Exhaust?

      Permanently disconnect your PC from the internet. That would do it.

      FAIL icon because teacher doesn't accept this answer.

  2. Anonymous Coward
    Anonymous Coward

    Even if data were stored in EU, MS would be still in breach of GDPR.

    Because the data gathering is too broad, automatic, without user knowledge, and without any way to turn it off.

    1. JohnG

      Re: Even if data were stored in EU, MS would be still in breach of GDPR.

      "Because the data gathering is too broad, automatic, without user knowledge, and without any way to turn it off."

      It is worse than that because there are some options to turn data collection off in various places in Windows 10 - but these only turn a few things off and leave all the other data collection running. It is designed to give the user the false impression that data collection has been comprehensively disabled, when it has not - it is incredibly dishonest.

      1. Danny 14

        Re: Even if data were stored in EU, MS would be still in breach of GDPR.

        Plus, enterprises get a separate set of GPO settings that really limit telemetry (but still don't disable it) and common users are specifically told in the GPO that they can't disable it. That should also be in breach.
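The two comments above make a checkable claim: the switches an admin can see do not necessarily reflect what is being uploaded. The following audit script is an added example for this page, not from the thread or from Microsoft. It reads the Windows DataCollection policy value and the Settings-app value (both named AllowTelemetry), the state of the DiagTrack upload service, and an Office client telemetry policy value; the Office key path and its 1/2/3 value meanings are taken from my reading of the Office ADMX templates and should be checked against the template for your Office build.

```powershell
# Added example: report the effective Windows/Office telemetry configuration so
# that "Settings says off" is not mistaken for "nothing is collected".

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value absent
    }
}

function Get-TelemetryAudit {
    # GPO-written policy. 0=Security (Enterprise/Education/Server only), 1=Basic,
    # 2=Enhanced, 3=Full. Overrides the Settings-app choice when present.
    $policy = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    # Value written by the Settings app ("Diagnostics & feedback"); same scale.
    $settings = Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
    # The service that batches and uploads diagnostic data.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    # Office policy (assumed from the Office ADMX: 1=Required, 2=Optional, 3=Neither).
    $office = Get-RegistryDword 'HKCU:\Software\Policies\Microsoft\office\16.0\common\clienttelemetry' 'SendTelemetry'

    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $settings) { $settings } else { 3 }
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption

    $findings = @()
    if ($null -eq $policy) {
        $findings += 'No DataCollection policy set; level comes from the Settings app or defaults to Full.'
    }
    if ($effective -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        $findings += 'AllowTelemetry=0 (Security) is only honoured on Enterprise/Education/Server; this edition treats it as Basic.'
    }
    if ($svc -and $svc.Status -eq 'Running') {
        $findings += 'DiagTrack service is running; data at the effective level is still uploaded.'
    }
    if ($null -eq $office) {
        $findings += 'No Office SendTelemetry policy; Office diagnostic data level is the product default.'
    }

    [pscustomobject]@{
        WindowsPolicyLevel   = $policy
        WindowsSettingsLevel = $settings
        EffectiveLevel       = $effective
        DiagTrackStatus      = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        OfficeSendTelemetry  = $office
        Findings             = $findings
    }
}

Get-TelemetryAudit | Format-List
```

The point of separating the policy value from the Settings-app value is the one the commenters raise: on a non-Enterprise edition the lowest selectable level is still Basic, and as long as DiagTrack is running something is being sent, whatever the slider shows. Run this before and after applying the GPO to see which of the reported fields actually changed.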

  3. Anonymous Coward
    Facepalm

    I'm really, really (really, really, really) hoping that this stymies forced software telemetry...

    I'm fine with my software validating that it is properly paid for and valid. I'm fine with the option to send telemetry data that may be useful in bug fixes and customer support tickets. However, the idea that MS is storing sections of documents because they are being spellchecked is just nuts.

    Look at your average couple page word-processed document. You probably spellcheck it in 5-10 places, maybe more. If those sections are being stored, then you have a significant security risk, because I could piece together a good deal of what a competitor is doing if you were to give me 20 or 30 sentences from said couple-page document.

  4. dotslash

    What about Azure AD...

    Copying PII to the US?

    1. Anonymous Coward
      Anonymous Coward

      Re: What about Azure AD...

      I was under the impression that it was limited to specific regions that you selected. ps. GDPR is not about PII it is about personal information, doesn't need to be identifiable.

  5. Anonymous Coward
    Anonymous Coward

    Why on earth was a government ever using a cloud-hosted wordprocessor?

    1. Voland's right hand Silver badge

      What do you think is used by UK Parliament?

    2. A.P. Veening Silver badge

      government using cloud-hosted

      "Why on earth was a government ever using a cloud-hosted wordprocessor?"

      In this case: entrapment. Please consider the government involved. Please also consider the nationality of that EU Commissioner to penalize Microsoft with a pretty hefty fine the last time (Neelie Kroes, Dutch).

      1. Destroy All Monsters Silver badge

        Re: government using cloud-hosted

        It's not entrapment if the perp is already doing the deed without you egging him on.

        Something OT from the depths of time: Judge Jackson is a big fat idiot: But MS is hardly in the clear

        1. A.P. Veening Silver badge

          Entrapment

          I concede your point where it comes to legality, but I'd say that knowingly letting something go on in the knowledge you will reap the rewards later is still entrapment from a moralistic point of view. Having said that, I don't have any problem with it.

    3. Anonymous Coward
      Anonymous Coward

      re. Why on earth was a government ever using a cloud-hosted wordprocessor?

      because: CLOUD COMPUTING! SAFE & SECURE! COST EFFECTIVE! EVERYBODY DO IT! LOL!

  6. a_yank_lurker

    "Head on a pike"

    For CPHBs at Slurp having their heads on a pike would not be a fitting punishment, something much more medieval should be used as there is no punishment too 'cruel or unusual' for their crimes against humanity. Seriously, the Dutch should pursue the maximum fines under the GDPR against Slurp as punishment.

    1. bombastic bob Silver badge
      Devil

      Re: "Head on a pike"

      How about we just fine them instead? Then the CEO gets fired over it, when the board members get sick and tired of losing money.

      It's a fair bet that "the fix" will eventually become public knowledge, so that ALL of us can apply 'the fix', not just EU members.

      And THAT is what they (Micro-shaft, etc.) fear.

      1. Omgwtfbbqtime

        Re: "Head on a pike"

        Just need to make the board, personally and jointly liable for fines equal to a proportion of the company fine, so fine the company €100m and each director €10m. Fines are not normally expensable - as it encourages the board to behave legally/ethically if they have to pay for their misdemeanors personally.

        1. Charles 9

          Re: "Head on a pike"

          Or it just convinces their legal team to lawyer their way out of it. Bet you credits to milos they'll find a way to reduce the fines and liabilities, perhaps hang a threat of incompatibility in the government the future, perhaps a change of emphasis to Asia if they have to disconnect things. That's the thing with transnationals: they can play sovereignty against you, and few things are lawyer-proof.

          1. Danny 14

            Re: "Head on a pike"

            Thing is, individuals can file an ICO complaint. These are taken on a case by case basis. Just because the gov settles doesn't mean John Smith is covered under that breach.

  7. Doctor Syntax Silver badge

    Not wishing to exonerate MS in the slightest but don't the Dutch Government have any responsibilities in this? AFAICS it's they who required their employees to work with this. It may well be that MS did this sneakily behind their customer's back but I rather think that if it were any other employer it would be the employer who would be facing charges and taking out civil proceedings against their supplier for breach of contract, always providing that the contract said they wouldn't do such things. And if the contract was silent on such issues then the employer might even lose.

    1. Danny 14

      They do, and they have taken up the fight as part of their responsibilities. What more would you have them do? They can't drop a signed contract over this as MS won't have broken any laws until proven.

  8. Big Al 23

    Multi-million fine not likely to undo damage

    I have yet to see a multi-million Euro fine undo the privacy violations that have resulted from knowingly violating privacy law and decency. As history has shown when Microsoft or other companies reap billions in revenue annually from violating law a few million in fines is just the cost of doing business. It does not change the corporate mentality or suddenly make them ethical and law abiding. It appears that anything short of a triple annual revenue fine results in a change in business practices. That triple annual revenue should be sent to all of the people violated by Microsoft.

    1. A.P. Veening Silver badge

      Re: Multi-million fine not likely to undo damage

      I concur that a multi-million fine is unlikely to change matters, but this is going to be a multi-Billion fine.

      1. Danny 14

        Re: Multi-million fine not likely to undo damage

        Yup. If it is shown to be wilful then that's the 4% of turnover bracket (up to, yes, but that bracket was designed as punishment).

  9. Wellyboot Silver badge

    25,000 "events"

    >>>Microsoft tracks around 25,000 different types of "event"...techies are also able to add new events to be recorded<<< how many types of events are left?

    The report is worth reading.

    >>>until recently there were no central rules governing the collection of the Office telemetry data<<<

    >>>data may also include the content of a query sent to search engine Bing, or the content of text you want to have translated. In that case, Microsoft may collect the sentence before and after the sentence you mark for translation, to provide a better translation.<<<

    Talking about targeted recommendations (adverts) >>>protect the monetisation of the Office product, and we accept we have to disrupt the attention of the users.<<< basically MS admitting in writing that trying to get more money out of the punters is more important than letting them use the ones they've paid for already.

    I'll refrain from expletives, they're not adequate to convey the contempt.

    1. John Smith 19 Gold badge
      WTF?

      "tracks around 25,000..types of "event"..techies are also able to add new events to be recorded."

      25 000 types.

      F88k me sideways.

      Do we need to wonder why networks are running slower than they used to in actual throughput?

      1. Anonymous Coward
        Anonymous Coward

        Re: "tracks around 25,000..types of "event"..techies are also able to add new events"

        And be aware it's not only Windows or Office. Today most developer tools offer libraries to add telemetry to applications, and not only Microsoft is abusing it. Obviously, whatever you do in a web application is easily tracked, but more and more native applications, on mobiles or desktops, and even servers (and of course IoT), are instrumented to record and transmit telemetry. Some companies offer 'telemetry as a service' packages. We have to hope some highly visible investigations and fines will put a stop to this trend, making it not legal.

  10. Black Betty

    How the effity-eff-eff does any Govt. or company permit cloudy Office?

    Strikes me that this is a security hole large enough to drive a super tanker through sideways.

    When a client has no effective control over what data is sent to an off site server, they also have no control over who might ultimately view that data. What is to stop some rogue state (ie. my own bloody minded data slurping Australia) requiring document duplication?

    Yes, you may use Office 365 offline, but from my reading, it appears that certain "features" kick in automatically/uncontrollably whenever an internet connection is present.

  11. Anonymous Coward
    Anonymous Coward

    mmmm... my spelling is pretty bad, and my hands seem to type at different speeds.

    Microsoft can you sent me my documents that I’ve accidentally deleted.

    Thanks in advance.

    P.S. If you’d grammar check them first, I’d appreciate it.

  12. herman

    The standard solution with all things MS is a packet filter firewall on OpenBSD, but why bother with MS junkware in the first place? The alternatives are so much better and Free.

  13. Adair Silver badge

    You paid

    ... good money for this computer. Now, keep paying the Danegeld, and give thanks to Microsoft for each day that you are permitted to use the computer.

    [just posted on another thread, but it seems apropos here as well]

    1. DJV Silver badge

      Re: You paid

      Glad you added the final paragraph - I thought I was having a deja vu moment!

  14. The Boojum
    Joke

    But you don't understand...

    The telemetry is just MacroShaft being helpful. It saves the beta-test community (i.e. everyone) from having to manually submit manual bug reports.

    1. Anonymous Coward
      Anonymous Coward

      Re: But you don't understand...

      I'm afraid your sarcasm fell on dead ears, which is a shame. But then, what do you expect, it's only pre-post-brexit-weekend Monday ;)

  15. mark l 2 Silver badge

    Microsoft wouldn't get away with it if a few big licensees (such as governments and big corps) told them, remove your telemetry or we will walk. But by continuing to pay every year for licenses for Windows and Office rather than taking their money elsewhere MS know they can continue to get away with it.
