The news relating to Germany opens up a larger conversation regarding Microsoft’s use of data collected from minors across the globe. Given that the Facebook and Amazon privacy scandals are still buzzing, Microsoft may need reconsider its collection of school children data, according to Ray Walsh, digital privacy expert at ProPrivacy.
In conversation with Digital Journal, Walsh provides context as to why Microsoft 365 poses a concern to schools that use the service. He also offers insight into to how parents can prevent their children’s data from being collected and stored by Microsoft products.
Digital Journal: Why has a German state banned Microsoft Office 365?
Ray Walsh: The Hesse Commissioner for Data Protection and Freedom of Information (HBDI) has decided to ban Microsoft’s Office 365 in schools due to concerns that the tech giant is collecting Personally Identifiable Information from German students and teachers. According to HBDI, Office 365 is not compatible with GDPR or German data protection laws, and concerns have been raised that US authorities might have access to children’s sensitive private data.
Data privacy concerns appear to center around two issues; the high levels of corporate surveillance Microsoft is known to engage in. And the knowledge that Microsoft previously worked hand in hand with US authorities to help the NSA perform mass surveillance on citizens from the US and around the world (including on German citizens).
Where Microsoft products and services are concerned, the Windows 10 operating system has been heavily criticized since its inception; often leading privacy and security experts to call it the most privacy-eroding Windows OS ever.
Windows 10 comes with many invasive features that are activated by default, which cause the operating system to send telemetry data back to Microsoft’s servers. And, even if you make the effort to dial back as many of Windows 10’s invasive features as possible it will still perform some surveillance (because you can’t switch all tracking off).
Microsoft’s Office 365 has similarly invasive habits of sending back telemetry data to Microsoft servers, which HBDI claims are in contravention of German data protection laws; in part due to Microsoft’s failure to gain parental consent from parents to collect children’s data.
DJ: What data is the German case based on?
Walsh: HBDI’s decision to ban Office 365 seems to center around the fact that Microsoft’s cloud services are not compatible with GDPR and German data protection regulations.
The data that the commissioner from Hesse has called into question is the telemetry data sent back to Microsoft’s servers in the US. This includes email subject lines, phrases entered into Microsoft’s translation software and other information about children that is gathered in the process of using the cloud services: Such as system crash reports that have been known to contain sensitive personal information about users.
However, the commission also pointed out that while this ban specifically affects Office 365, it also technically applies to Google Accounts and Apple cloud services, which HBDI has stated are also incompatible with local data protection regulations.
One issue surrounds parental consent to collect data. In Europe, consent must be sought from parents if a child is under the age of 16, and the HBDI claims this is not occurring when kids use these cloud-based services in school. However, the commissioner also pointed out that even improving how consent is granted would not be enough to make Office 365 acceptable for use in schools.
DJ: Is the cloud platform really a security risk?
Walsh: Whether allowing U.S. authorities to access German students’ personally identifiable information is a “security risk” is largely down to personal interpretation.
On the one hand, Germany is a member of the greater Nine Eyes surveillance agreement, which, in theory, means the two nations are supposed to work together to perform mutually beneficial intelligence for national security purposes. Some might consider this to mean that as an ally the US only has German’s best interests at heart.
In practice, this perspective is overly optimistic. In 2014, Wikileaks released reports that allegedly uncovered evidence that the NSA had been snooping on members of Germany’s government.
The Edward Snowden leaks independently revealed that the US had spied on German citizens as part of its PRISM program. These secret programs were not undertaken as part of a mutually beneficial program, but rather as direct espionage carried out by the U.S.
Bearing these things in mind, it seems fair to say that data collected by Microsoft does create certain security risks, particularly if the telemetry sent back to its servers includes personally identifiable information about children.
Even without throwing the US government into the mix, the risk exists that data held on Microsoft servers could be accessed by Microsoft employees or subcontractors. This could lead to abuse at the hands of those employees, and could even result in data leaks.
These potential risks exist because Office 365 does not provide end-to-end encryption for its services. Instead, Microsoft retains control of encryption keys on the user’s behalf, and, because they are held on company servers they could theoretically be abused by Microsoft employees or stolen by cybercriminals. This would include the ability to access personal documents and the contents of emails.
These security threats are amplified by the possibility that data is being shared with US intelligence agencies. The US has a terrible track record of keeping sensitive private data secure. As a result, HBDI is right to opine that US authorities can’t be trusted to secure German children’s data.
Furthermore, since the ruling by the New York Southern District court in the United States v. Microsoft Corp. case, and the subsequent introduction of the CLOUD Act, US firms can be forced to provide access to all information stored on company servers – irrespective of where those servers are located around the globe.
DJ: Should parents globally be concerned about the data Microsoft holds on children?
Walsh: Yes. Any service that holds the keys to your data on your behalf is not secure and could be infiltrated by company employees, or by the authorities using warrants and gag orders (at any point). Plus, because the encryption key to access the data is held on company servers – it is possible that it could be hacked or leaked and used maliciously.
This is why it is always much better to opt for secure email providers and cloud storage services that provide full end-to-end encryption with zero knowledge. This gives the user full control over the security of their data.
DJ: Given the ubiquitous nature of Microsoft products, what can concerned parents do? Also, are there other technology companies with similar data privacy issues?
Walsh: Any child that is using a computer with Windows 10 is sending some data back to Microsoft’s servers. Windows 10 is designed to perform corporate surveillance. However, it is possible to dial back the amount of surveillance that is taking place so that it is not as personalized and invasive.
Beyond that, parents can ensure that their child stays away from email services such as Yahoo, Google, Apple, and Outlook, which are all controlled by US firms and have been shown to work with US authorities in the past.
