'Microsoft updates Office
worldwide after Dutch privacy complaint'
Last updated: 08 February 2019 18:58
Microsoft reportedly plans to update
its office suite Office ProPlus worldwide in April to
address privacy objections raised by the
Dutch government, Politico reported
on Friday.
The Ministry of Justice and
Security announced in November that use of the
Microsoft product posed a risk, because users have no
control over which diagnostic data is sent to the
United States.
Microsoft and the ministry agreed
in October to carry out the update for the Dutch
government, but according to Politico, Microsoft has
not indicated that other users will not receive a
modified version. As a result, all Microsoft
Office ProPlus users would get more privacy options.
Microsoft Office ProPlus comprises
several office applications, such as the word processor Word,
the spreadsheet editor Excel, the presentation editor PowerPoint and
the e-mail service Outlook.
"In the coming weeks we will take
additional steps to make it clearer to customers
which data goes to Microsoft and why, and where
sharing data is optional," Microsoft senior executive
Julie Brill told Politico.
The Ministry of Justice and
Security told Politico that the government can still
turn to European privacy regulators if
Microsoft's measures prove insufficient after April.
Microsoft Nederland could not
immediately respond to Politico's report on Friday
afternoon.
Microsoft to update Office Pro Plus after Dutch ministry
questions privacy
The Netherlands' justice ministry was
concerned popular programs were sending diagnostic data from
Europe to the US without adequate user controls.
Updated 4/19/19, 1:19 AM CET
Microsoft plans to update its Office Pro Plus products by
the end of April to address a series of privacy concerns
raised in an audit commissioned by the Dutch justice
ministry that flagged what the auditors called "high risks"
to government users' privacy.
The update for many of the company's Office Pro Plus
customers, which has been confirmed by Microsoft, will
address concerns relating to a package of popular Microsoft
programs, namely that they were sending diagnostic data
from Europe to the United States
without adequate documentation and user controls over what
was sent.
Microsoft and the Dutch justice ministry agreed on the
changes as part of an "improvement plan" with an April
deadline. A ministry spokesman told POLITICO that if
Microsoft's responses proved "unsatisfactory," the ministry
could raise the concerns with European data protection
authorities for further action that could include
"enforcement measures."
In a statement, Microsoft's top privacy and
regulatory counsel, Julie Brill, underscored that the Dutch
ministry had commissioned the audit as
a customer of Microsoft and had not sought regulatory action
against the company.
"The ministry commissioned the report in its capacity as
a customer to clarify how our services are run and we're
working with the ministry's staff to share additional
information and help resolve its questions as we would for
all enterprise customers," Brill said.
She added that the issues raised in the report, conducted
by the Privacy Company, a Hague-based consultancy, relate to
"diagnostic
data in one product," Office Pro Plus, and that the
company is "confident this is consistent with Dutch law and
GDPR," Europe's General Data Protection Regulation privacy
law. Office Pro Plus includes a range of Microsoft programs.
"We feel good about what we're doing to give customers transparency and choice on the diagnostic data they share with us, but we always want to do more," Brill said. "In the coming weeks we will take additional steps to make it easier for customers to understand what data needs to go to Microsoft to run our services and why, and where data-sharing is optional."
When Microsoft updates products, the update usually takes
place worldwide for users of the product and the company
gave no indication that would be different in this case.
Under the EU's data protection laws, the Irish Data
Protection Commission is the "lead supervisory authority" in
charge of making sure Microsoft complies with the rules. If
the Netherlands chose to escalate its concerns, it could
forward a request on the relevant issues to the Irish
regulator. Meanwhile, any issues would be closely monitored
by the European Data Protection Board, which gathers all EU
data regulators, and the European Data Protection
Supervisor, which may in turn start their own investigations
that could lead to enforcement action.
A spokesperson for the Irish Data Protection Commission said it is "aware of this matter and its significance to companies using the Microsoft product in question. On becoming aware, the DPC immediately engaged with Microsoft seeking further information on the processing of telemetry data, in response to which Microsoft is providing detailed responses."
Audit revelations
The Privacy Company, a consulting firm that the ministry contracted to do the audit, said in a blog summary of the findings that "Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook."
It added: "Covertly, without informing people ...
Microsoft does not offer any choice with regard to the
amount of data, or possibility to switch off the
collection, or ability to see what data are collected,
because the data stream is encoded." A major concern of the
Dutch was that the company sends the data back to its
servers in the U.S.
Microsoft doesn't agree with some of the assertions of
the Privacy Company's report but is making changes to its
products as it routinely does to accommodate customers. The
company has previously disclosed to customers its use of
diagnostic data.
The new focus on privacy comes as different components of
Microsoft, one of the world's most valuable companies, have
recently faced scrutiny for a variety of privacy concerns,
especially LinkedIn, which Microsoft bought in late 2016 for
$26 billion.
Nicole Leverich, a spokesperson for LinkedIn, said
"member data is never shared with customers on an
individually identifiable level, only in aggregate for ad
sales."
Last November, Ireland's Data Protection Commission found that
LinkedIn used the email addresses of around 18 million
non-LinkedIn members to target individuals with ads on
Facebook, all in an effort to grow its customer base.
The regulators noted that LinkedIn's actions violated its
protection standards, although the dispute was amicably
resolved.
Leverich said the company "fully cooperated with the
DPC's 2017 investigation of a complaint about a European
advertising campaign and found the global processes and
procedures we had in place were not followed. We took
appropriate action and have made the internal changes to
help protect against this happening again."
In Brazil last year, federal prosecutors said Microsoft
had violated local laws with its collection of Windows 10
users' data without getting proper consent. In 2016, France ordered
Microsoft to cut back its collection of user data and to
halt tracking of the web browsing habits of Windows 10 users
without getting permission.
Despite these privacy dustups, Brill touted the recent
steps Microsoft has made to improve users' privacy,
including "new features in the Windows setup process,
enhanced options for error data reporting in Xbox, a feature
called Lockbox for Azure, and updates to our Privacy
Dashboard including new tools for parents to manage their
children's settings," she said.
Saint or sinner?
Microsoft has been the subject of a number of complaints
to the Irish Data Protection Commission, according to a
commission spokesman, but none were serious enough to
warrant a statutory investigation, and of the 16 open
investigations into multinational tech companies, none are
related to Microsoft. There have been 3,500 complaints to
the commission in total.
Unlike other tech companies, like Facebook, that have
drawn fire for privacy issues and problems spreading fake
news, Microsoft has set itself up as a paragon of good
behaviour, welcoming scrutiny into the company and the
broader tech industry. Company leadership routinely
highlights its proactive investments in privacy. Last year,
the U.S. Supreme Court
heard arguments after Microsoft challenged an American
search warrant for a customer email that resided in
Microsoft's servers in Ireland, and last May, the company
announced it was extending the privacy rights that are at
the core of GDPR to its worldwide consumer customer base.
"Having the scrutiny is actually good, I think," CEO Satya Nadella told the Washington Post last October. He urged the tech sector to improve its behavior. "Anyone who is providing a very critical service needs to raise the standards of the safety of that technology and the security of that technology."
The huge problems affecting Facebook have touched other
companies as well, including Microsoft. The New York Times
reported in December that Facebook gave Bing,
Microsoft's search engine, the ability to view the names of
almost all Facebook users' friends without permission and
also had data-sharing arrangements with companies including
Netflix, Spotify, Amazon and Yahoo.
"Bing did not maintain profiles based on Facebook data
for advertising or personalization purposes, and we took
significant engineering steps beyond what Facebook required
to ensure this could not happen," said Brill.
"We ended our contract with Facebook in February 2016 and data stopped appearing in search results."