The biggest data slurp on your PC ... is not Windows!

Sven Krumrey

Sometimes, it takes government pressure to spur a company into action. For years, there have been rumors that Microsoft Office is a telemetry data hog with little to no transparency as to what is collected and when. The Dutch government had finally had it and prompted an extensive investigation. The result: 91 pages of unfettered and unabated data collection frenzy along with a lack of organizational structure that borders on chaos - enough to shake up even the most consummate of business professionals.

My facial expression exactly

The now public study was carried out by Privacy Company, a large Dutch-based privacy consulting firm. Its findings are alarming and show that Microsoft collect huge amounts of data through their Word, Excel, PowerPoint and Outlook applications - personalized, unregulated data sets, and there is nothing users can do about it! If you thought the telemetry transmissions only included crash reports, the study will definitely teach you otherwise. The numbers are staggering. Data processing itself is triggered by "events" as defined by Microsoft developers. This includes malfunctions but also operations like running a spellchecker or simply using the program in general. While Windows 10 tracks 1,000 events, backed by a team of 10 analysts at Microsoft, MS Office takes the cake with anywhere between 23,000 and 25,000 events and 30 data analysts. Surprised? So am I!

Though Privacy Company were unable to find out precisely what information is sent to Redmond, thanks to encryption, even Microsoft seem to be in the dark about the exact scope of their data collection. Apparently, developers have free rein and there's no expiration date after which data sets are deleted. No binding standards, no documentation! Once a team member deems a program aspect interesting enough, they are able to query the corresponding data through a separate program ("telemetry agent") that comes bundled with each Office installation. And while Windows 10 includes privacy settings, with no shortage of third-party apps to this effect, MS Office phones home unchecked, unsolicited and with no way for users to control it. Naturally, all data (including personal information) ends up on US servers fully accessible by US law enforcement agencies. Not only is this a violation of user privacy, but also a violation of European laws.

Default program, market leader, data hogger

At least investigators were able to identify a few of the events. Translations offered through MS Office and email subject lines are affected. Microsoft also collect information on how long we use Word or PowerPoint. Part of this data is necessary to provide the related services; however, Microsoft were unable to clarify why it's stored indefinitely. There are storage periods in place ranging from 30 days to 18 months in most cases, but information considered particularly valuable is never deleted. Data collection is especially rampant in current MS Office versions like 2016 MSI and Office 365 that feature extensive internet-based capabilities. The scope varies, with crash reports being collected from all users while information on other events is limited to small sample sets that roughly affect 2% of users. There is currently no way to object to these practices. If you use MS Office, you're a willing participant.

That's already enough to feel uneasy, but there's more. After initially denying it, Microsoft now admit to collecting personal data. With the help of audit logs (originally intended for admins), they can easily obtain email addresses, user IDs, subject lines and much more. Time for data protection officers to get that rope ready and brush up on their hangman skills! Sure, Microsoft should (and must) collect data to improve their software or web-based services, but, this time, they've crossed the line. It seems they've completely forgotten that data collection must be governed by transparency and purpose.

One multi-national, many nosy employees

Change is coming, thanks to the Dutch Ministry of Justice and Security, who took action not primarily to protect end users but the 300,000 civil servants who are avid MS Office users, many of them dealing with classified material. To save their reputation, their dominance on business PCs, and to avoid costly lawsuits, Microsoft caved and promised to better themselves. Procedures are said to become documented and more transparent, thanks to a soon-to-be-developed review tool, and admins (and private users?) will receive more control over the extent of the data collection. But there's no definitive schedule for the implementation of these measures yet. It seems Microsoft were caught slightly off guard. Until a solution is found, privacy-wary users are advised to stay away from SharePoint and OneDrive, refrain from using the web-based version of Office 365, disable all "Help us improve" requests or rely on local user accounts. Rather unsatisfactory, if you just need to drop a few lines in Word. Here's my tip for you: Use a different Office suite!

What I would like to know: How do you view MS Office's data hunger? Are you already using a software alternative?
