The government of the Netherlands recently commissioned the Privacy Company to perform a data protection impact assessment regarding the government’s use of Microsoft Office products, and the results of this assessment are alarming.
The SLM Rijk conducts negotiations with Microsoft for approximately 300,000 digital workstations of the national government. The Enterprise version of the Office software is deployed by various governmental organisations, such as ministries, the judiciary, the police and the tax authority.
The results of this Data Protection Impact Assessment (DPIA) are alarming. Microsoft collects and stores personal data about the behaviour of individual employees on a large scale, without any public documentation. The DPIA report (in English) as published by the Ministry is available here.
This shouldn’t surprise anyone, but it’s good to see governments taking these matters seriously, and forcing technology companies to change their policies.
The report looks very thorough and uses a surprisingly strict understanding of personal data; it seems to me that this is exactly the sort of analysis employers should be doing when they mandate that their employees use certain products or services. After all, it’s our individual right to privacy that’s affected by their decisions. The report talks about a “chilling effect” if people were aware of the sort of diagnostic data that’s sent to Microsoft.
But if this stuff applies to Microsoft, it applies just as much to the tech industry more widely. Google is an obvious target, but in practice diagnostics and data collection are so entrenched in current business models and processes across the board that I don’t see how the tide can be turned. It’s very hard to set up a website or write an app that doesn’t collect personal data if you use any third-party functionality at all.
> but in practice diagnostics and data collection are so entrenched in current business models and processes across the board that I don’t see how the tide can be turned.
It’s not necessarily about changing practice, it’s about informed consent, and not moving data outside the agreed legal jurisdiction.
It’s the same as food labelling – you have to state clearly on the label what’s in the product. The same goes for Office Online – they simply need to be honest about what you are signing up to.
For example, as a corporation we went with MS online over alternatives because they could give regional guarantees on where they kept the data. Now it turns out they are shipping telemetry data with content outside the region. Is that fraudulent? – I don’t know.
I think there is going to be a period of adjustment for tech companies where they get their heads around this – I suspect historically they have collected loads of stuff and internally perhaps don’t have a good handle on where the data goes.
This is exactly the sort of scenario that the regulation is trying to avoid!
A Dev,
I imagine their lawyers have done their jobs in terms of the law. However, from an ethical position it’s all up for debate. Obviously hiding behind thousands of words of poorly understood legalese is not particularly ethical. There are users who wish to avoid data collection, yet I’m positive much of their data ends up in corporate databases anyway, which is highly unethical. I think the law ought to force companies to respect user privacy wishes, and for that I tip my hat to Europe, because over here in the US we bend over backwards and let corporations own us.
Only if you assume their lawyers knew what legal ass they needed to cover. I suspect it’s more likely that MS is such a large company that left and right hands don’t know what they are doing. Also things like telemetry are put in by engineers to improve products, not necessarily a high level decision.
This lack of control is what will need to change. Sadly this will make such companies less fun to work in, and perhaps inhibit innovation – but other industries – health care is the classic example – have had to deal with consent and data confidentiality forever.
Tech companies just need to grow up.
For example, there have been reported incidents of Google/Facebook engineers abusing data to stalk or harass people. Clearly they have some internal controls – but are they good enough?
A.Dev,
I’ve heard some of those cases too. It’s actually very hard to protect data from the engineers themselves. There is a very robust solution to this problem: client-side encryption. When the company and employees can’t access our data, many of these privacy problems go away, but for better or worse our privacy is in conflict with their business models. This is why they’ve focused more on HTTPS-style security and securing our pipe to them rather than securing our data from them.
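To make the client-side encryption idea concrete, here is a toy stdlib-only sketch. It uses a one-time pad purely for illustration (real client-side encryption would use a vetted library and proper key management); the names are made up for the example. The point is only that the provider stores ciphertext it cannot read, because the key never leaves the client:

```python
import secrets

def encrypt(plaintext: bytes, key: bytes) -> bytes:
    # One-time-pad XOR: sound only if the key is random, secret,
    # as long as the message, and never reused. A toy, not a product.
    assert len(key) == len(plaintext)
    return bytes(p ^ k for p, k in zip(plaintext, key))

decrypt = encrypt  # XOR is its own inverse

document = b"quarterly report draft"
key = secrets.token_bytes(len(document))  # generated and kept on the client

stored_on_server = encrypt(document, key)  # all the provider ever sees
assert decrypt(stored_on_server, key) == document
```

The business-model conflict is visible even in this toy: the server-side copy is useless for indexing, ad targeting, or "diagnostics", which is exactly why providers prefer to hold the keys themselves.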
I much prefer LibreOffice: I can get the source and see for myself how secure it is or isn’t.
Can you?
Like, do you have the skill to do so? Do you understand the LibreOffice code base well enough to actually do this and understand what’s going on?
And, have you done it?
I doubt any of them ever did. Anyone with the skill to do this type of verification would earn enough not to give a crap about typing documents in Word.
That’s one of those things that sounds great but rarely, if ever, actually happens. As you questioned, though: who has the skill, experience and unpaid motivation to sift through massive amounts of source code?
Nefarious code has been discovered in open source before and it took years to find.
LibreOffice does not send telemetry except if you choose to send a crash report. (It will ask first.)
Let’s say there was “nefarious code” in LibreOffice. It’s true that no individual user of LibreOffice (nor even a small group of them) will check the entire source code and find the problem that way. But it’s extremely likely that someone would notice the unexpected communication to the LibreOffice servers. And some of these people would use the source code to find out why that is happening. And then they would find the code. It’s also possible that they would not look at the source code, but report the behaviour as a bug, and because the bug reports are public, someone else would then find the “nefarious code”. It really is almost impossible that such code would go undetected.
(That only applies to telemetry code. Let’s say someone–an intelligence agency, perhaps–would hide “nefarious code” in a LibreOffice improvement that allows them to take over a victim’s PC by hiding special directives in a LibreOffice file. Assuming the code would not be found by the people who check the patches for correctness, this code could really go undetected for some time, because it won’t call attention to itself. Hidden telemetry code, on the other hand, has to cause unexpected traffic for many people, because otherwise it would be useless.)
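As an illustration of how little it takes to notice such traffic: on Linux, anyone can list the remote endpoints a machine is currently talking to without any special tools, just by reading `/proc/net/tcp`. A minimal stdlib-only Python sketch (IPv4 connections only; the hex address format is assumed little-endian, as on x86, and the function name is my own):

```python
import socket
import struct
from pathlib import Path

def established_remotes(proc_file="/proc/net/tcp"):
    """Parse Linux's /proc/net/tcp and return the remote (ip, port)
    pairs of connections in the ESTABLISHED state (state code 01)."""
    remotes = []
    lines = Path(proc_file).read_text().splitlines()[1:]  # skip header row
    for line in lines:
        fields = line.split()
        rem_addr, state = fields[2], fields[3]
        if state != "01":  # 01 = TCP_ESTABLISHED
            continue
        ip_hex, port_hex = rem_addr.split(":")
        # The kernel prints the address in native (little-endian) byte order.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        remotes.append((ip, int(port_hex, 16)))
    return remotes

if Path("/proc/net/tcp").exists():  # guard so the sketch is a no-op elsewhere
    for ip, port in established_remotes():
        print(f"{ip}:{port}")
```

Hidden telemetry has to show up in a listing like this on many machines at once, which is why it is so hard to keep secret.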
That’s a nice theory. Unfortunately, it doesn’t reflect reality however. Nefarious code doesn’t automatically mean you have a regular stream of communication occurring that sticks out like a sore thumb. There are tons of ways to extract/move data without creating a huge flashing “VIRUS AT WORK – NOTHING TO SEE HERE” sign.
That’s not a theory. We’re talking about uncontrolled telemetry like in Microsoft Office, not about some veiled way to extract important information from very few targeted machines. The latter could affect LibreOffice as well (even though it would still be much more likely that it’s detected eventually than in the case of a closed-source product). The former is practically impossible to hide in an open-source product.
Kondor337,
I hear what you’re saying: we have to take corporations at their word with regards to closed source data collection, which is troubling for many people since official spokespersons have a tendency to distort the truth. But ilovebeer is also right that open source advocates often exaggerate the ability of open source communities to really audit the entire code base because it’s just not a given that they’ll have the resources and organization to do so. Even companies that have the resources may not be committed to auditing their code either. Being open or closed source doesn’t really imply much about security either way.
On the other hand, it does change a great deal about the role of trust, which I think is what you are getting at. With closed source, we are largely dependent on corporate executives to tell us what’s true, whereas with open source code we can see for ourselves.
I like LibreOffice a lot, but the recent versions made my life a lot harder by changing the way they support macros. Since version 5 (at least that’s when I remember it affecting me) they stopped supporting a subset of VBA syntax in worksheets, so macros I wrote specifically to behave compatibly in both suites no longer work in it and, worse, fail silently. Even if their motives are understandable – they are working on having a consistent set of methods across the languages they support, i.e. Python, JavaScript and LibreOffice Basic – the silent failure was not nice.