November 24, 2020 | 10:11

Microsoft, again

What comes after a privacy violation? Further violations, of course. I’ve updated my list of violations and infringements because of this Heise article, “Anwenderüberwachung durch Microsofts Office-Software”:

Here is the full list (free to copy/use):

  • The collection of user data in a Windows 10 based corporate network cannot be prevented with a proportionate amount of effort.[1]
  • With 23,000 to 25,000 data points, a Microsoft Office package collects significantly more metrics than Windows 10 does.[2]
  • The collected metrics also include document content.[3]
  • When mobile devices are used with O365 or Azure cloud offerings, Microsoft gets, by design, direct access to the mailboxes of local Exchange server instances and stores data (emails, contacts, appointments) unencrypted on its own servers.[4]
  • Dependence on Microsoft products, also known as lock-in[5], blocks technological progress and increasingly represents a structural disadvantage.[6]
  • Microsoft systematically undermines best practice recommendations and EU standards[7] in procurement and competition law.[8]
  • Microsoft fails to explain on what basis it, as a data processor acting on behalf of a client, claims interests of its own, including the transfer of data to third parties.[9]
  • Microsoft collects users' work-related habits and provides companies with a detailed, personalized “Productivity Score” for employee monitoring.[10]

This new addition of employee monitoring is just a recycled version of an existing feature Microsoft has been using internally for years. It is not very surprising that it has now become a product called “Workplace Analytics”. This is a well-known anti-pattern called “function creep”.[11]

Since news has been circulating over the last few days that Microsoft has allegedly reached an agreement with data protectionists, here is a 5-minute legal analysis by Max Schrems:[12]

Legal bullshit made by Microsoft

Data protection is not a feature! It is an obligation and a matter of principle. The way Microsoft (and others!) emphasize privacy so much and even try to promote it is quite bizarre. It’s kind of like the way a chef emphasizes that he uses a clean spoon to stir (and not a finger).


  1. https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Empfehlungen/SiSyPHuS_Win10/AP4/SiSyPHuS_AP4_node.html
  2. https://www.privacycompany.de/datenschutz-folgenabschatzung-zeigt-risiken-bei-microsoft-office-proplus-enterprise/
  3. part 16.1.2 in https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf
  4. https://docs.microsoft.com/en-us/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth?view=exchserver-2019
  5. https://en.wikipedia.org/wiki/Vendor_lock-in
  6. https://programm.ard.de/TV/daserste/das-microsoft-dilemma/eid_28106504116395
  7. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=14434
  8. https://www.tagesspiegel.de/gesellschaft/cyber-attacken-auf-staatliche-it-europas-fatale-abhaengigkeit-von-microsoft/19628246.html
  9. https://www.heise.de/news/Microsoft-Office-365-Die-Gruende-fuer-das-Nein-der-Datenschuetzer-4919847.html
  10. https://www.heise.de/news/Anwenderueberwachung-durch-Microsofts-Office-Software-4968615.html
  11. https://www.collinsdictionary.com/dictionary/english/function-creep
  12. https://nitter.net/maxschrems/status/1329802283341770752

© 2021 Tomas Jakobs - Imprint and Legal Notice