The telemetry data collection mechanism used by Microsoft Office breaks the EU General Data Protection Regulation (GDPR), Dutch authorities said yesterday in a report.
The report raises eight issues that investigators found in ProPlus subscriptions of Office 2016 and Office 365, but also with the web-based version of Office 365.
Investigators said they've identified the "large scale and covert collection of personal data" through Office's built-in telemetry collection capabilities.
They said Microsoft engages in this telemetry collection covertly and without properly informing users.
The report said investigators didn't find any official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.
Investigators acknowledged that Microsoft collected functional and diagnostic data, which is standard practice among software developers, but they also found that Office applications collected actual content from users' applications, such as email subject lines and sentences from documents where the company's translation or spellchecker tools were used.
While Microsoft has tried to make Office products GDPR compliant by storing EU users' Office documents on EU servers, the report found that the telemetry collection system sent Dutch user data to US servers, opening it to the possibility of having the information seized or queried by US law enforcement.
The Dutch government is extremely worried because sensitive Dutch government-related information that might have been grabbed as part of the telemetry collection system may have also ended up on those US servers. The Dutch government runs Office apps on over 300,000 computers, according to the latest public figures.
Further, the investigation found that Office telemetry collection is far more expansive than the one in Windows 10.
Investigators said that Microsoft collects up to 25,000 types of Office events, data which is made available to up to 30 engineering teams. In contrast, Windows 10 is known to collect up to 1,200 event types, data that is shared with up to only 10 engineering teams.
The report's full findings are available below, along with possible countermeasures proposed by investigators, for both Microsoft and Office users.
Image from SLM Rijk report
Dutch investigators said they've already been in contact with Microsoft about their findings. According to the report, Microsoft has already rolled out a "zero exhaust" telemetry collection setting for Office users to address issues #1 and #2 from above. ZDNet was unable to identify this setting at this moment, and it is unclear if this option has been made available to all users, globally.
The Redmond-based company is still working with authorities on addressing items #3 through #8, and, potentially, avoiding a huge GDPR fine.
Microsoft also told investigators it intends to provide documentation about the Office telemetry it collects, more clear options so users can select the desired level of telemetry collection, and a data viewer tool so sysadmins and users can view the raw telemetry data collected via Office.
Microsoft's proposed countermeasures are similar to how the company addressed the privacy issues reported with the Windows 10 telemetry collection back in 2016. The next year, in 2017, the company released documentation about the type of telemetry data it collects, allowed users to select between Basic and Full telemetry collection levels during Windows 10 installations/upgrades, and also released a Windows 10 telemetry viewer app.
The report was commissioned by the Dutch government and conducted by a local company named SLM Rijk. It is available for download from here.