Dutch cheesed off at Microsoft, call for Rexit from Office Online, Mobile apps over Redmond data slurping

A report backed by the Dutch Ministry of Justice and Security is warning government institutions not to use Microsoft's Office Online or mobile applications due to potential security and privacy risks. A report from Privacy Company, which was commissioned by the ministry, found that Office Online and the Office mobile apps …

  1. Dan 55 Silver badge

    My precious data, it's ours

    Microsoft did not respond to a request for comment on the report and its recommendations.

    Microsoft are dragging their heels on this but all the work is done already, there is a special version of Office 365 for Germany with the telemetry disabled which talks to servers located in Germany.

    Maybe they decided not to comment because they can't think of a good reason why this shouldn't be offered to the Netherlands apart from them wanting to hoard it.

    1. Pascal Monett Silver badge

      Re: My precious data, it's ours

      That is a good point. How come Microsoft hasn't extended that to all of Europe already? Yeah, I get that you won't have the data in the US any more, but that's the way the wind is blowing, so it'll end up that way anyway.

      Microsoft could perfectly well base its telemetry gathering in Europe for European customers, and send itself sanitized reports to Redmond.

      But why bother doing things right before having a gun to the head?

      1. Dan 55 Silver badge

        Re: My precious data, it's ours

        That said, the CLOUD Act means that even that is not enough, so whatever MS do they will still have to deal with constant complaints from countries which take privacy seriously like Germany and the Netherlands.

        1. Mike007

          Re: My precious data, it's ours

          The CLOUD Act does contain a constraint. US courts can only request data stored on non-US servers when disclosing that information would not be a violation of national legislation in the country the data is stored in.

          Presumably this is why the German contract states that data will be stored in Germany, it is subject to German law so data can only be disclosed in situations that comply with German law.

          Whereas a generic contract that allows storage in any compliant datacentre will permit Dutch data to be stored in an Irish datacentre. Irish law does not subject Dutch data to the constraints of Dutch law.

      2. Khaptain Silver badge

        Re: My precious data, it's ours

        "But why bother doing things right before having a gun to the head?"

        I would presume that it is because until such times as the trigger is actually pulled that MS must be making money out of the data, or they are being "requested" by a TLA to hold the data for reason X.

        One thing is for sure, you don't need user details for application telemetry.

        1. Nick Kew

          Re: My precious data, it's ours

          I wouldn't presume any such thing. Of course it's possible, but maybe Cockup rather than Conspiracy should be prime suspect. That is to say, the management responsible for .NL just has its head in the sand. Or should that be the dyke?

      3. John Brown (no body) Silver badge

        Re: My precious data, it's ours

        "But why bother doing things right before having a gun to the head?"

        At which point, a spokedroid will "welcome the findings".

    2. cdrcat

      Re: My precious data, it's ours

      > there is a special version of Office 365 for Germany with the telemetry disabled which talks to servers located in Germany.

      There was.

      Microsoft is no longer accepting new customers or deploying any new services from the currently available Microsoft Cloud Germany:

    3. eldakka Silver badge

      Re: My precious data, it's ours

      Microsoft are dragging their heels on this but all the work is done already, there is a special version of Office 365 for Germany with the telemetry disabled which talks to servers located in Germany.

      Nope, not anymore there isn't. See The Register article and this Ars one I've quoted from below:

      the Hessian commissioner for Data Protection and Freedom of Information (HBDI) isn't just saying that schools would prefer not to use Microsoft, he's stating that their use of Office 365 is outright illegal. In August 2017, the HBDI ruled that Office 365 could legally be used by schools so long as the back end for the school accounts was stored in Microsoft's German-located cloud. A year later, Microsoft ceased offering the Microsoft Cloud Germany data trustee model, which was a partnership with Deutsche Telekom, and schools migrated their accounts to the European cloud. Now, the HBDI states that the European cloud may offer access to US authorities; with no way for the German government to monitor such access; this makes use of that cloud illegal without specific consent being granted by its individual users.

      As of right now, MS doesn't have a German data centre for Office 365, therefore it is illegal. They had one, but they closed it.

      They apparently are in the process of creating 2 new data centres in Germany, but they aren't active yet, therefore MS has no active data centre for Office 365 in Germany.

  2. Anonymous South African Coward Silver badge

    Microsoft has maintained that it would work with customers and governments in EU to get all of its products in compliance.

    And porkers will fly. And there'll be Unicorns farting Rainbows.

    1. Paul Crawford Silver badge

      I'm sure if they were being fined €100M/day there would be a fix already...

    2. John G Imrie

      Change the code or change the law, either will bring them into compliance.

      1. Zippy´s Sausage Factory

        Depends which Microsoft considers to be cheaper. They might consider the value of the data* enough to spend millions lobbying for changes in the law, of course...

        * although for what purpose, I've no idea. Blackmail, maybe?

  3. NATTtrash Silver badge

    Nice headline, but did you look at source?

    A report backed by the Dutch Ministry of Justice and Security is warning government institutions not to use Microsoft's Office Online or mobile applications due to potential security and privacy risks.

    Isn't this a bit steep, even for ElReg standards? Because, looking at the source documentation, it looks (to me) like the words on a blog of a contractor (a commercial privacy consultancy) are equated with the (implemented) policy of a national government.

    From the letter of the Minister of Justice and Safety, Fred Grapperhaus, together with the Home Secretary, Kajsa Ollongren, (hit Download and you get the original .docx (!)) to the Dutch House of Representatives, dated 1 July 2019 (scroll down for English translation):


    The Minister of the Interior and Kingdom Relations, who is responsible for the National Purchasing System, promotes a coordinated approach to strategic ICT suppliers to the national government. In accordance with the governance of the National Procurement System, the responsibility for the implementation of this approach has been assigned to various ministries. The contact point for Microsoft is SLM Microsoft Rijk and is carried out by the Ministry of Justice and Security for the central government.

    In 2018, SLM Microsoft commissioned a Data Protection Impact Assessment (DPIA) on diagnostic data collections (i.e. data on the use of the software) in new versions of Microsoft Office. The DPIA has established that diagnostic data from and about the user were collected and stored in a database in the US via the product 'Microsoft Office ProPlus'. The collection, storage and use of this data is not in accordance with the General Data Protection Ordinance (AVG).


    Both in the product Office ProPlus and Windows 10 Enterprise, Microsoft has implemented the promised improvements worldwide.


    This means that the risks referred to in the DPIA have been addressed sufficiently, meaning no more AVG infringements will be committed if a national organisation - affiliated to SLM Microsoft Rijk- decides to use the Microsoft products and services, while adhering to the implementation guidelines.


    In view of the achieved results described above, SLM Microsoft Rijk sees no objection from an AVG point of view to use Microsoft Office ProPlus, Windows 10 Enterprise and Azure for organisations affiliated with SLM Microsoft. It always will remain an organisation's own decision as data controller to decide whether and which product or service is suitable for a specific application.

    Now, that doesn't sound like the Dutch Minister responsible for this is asking the Dutch civil servants to format their drives (which would be in line with their previous actions, decisions, and affinities TBH).

    1. Sjoera

      Answer from your commercial contractor

      Allow me to reply as your villainous commercial contractor :-)

      The letter from the two Ministers predates the publication of the 3 DPIA reports.

      The letter describes the (impressive) results of the negotiations between Microsoft and the Dutch government. Microsoft has implemented technical, organisational and contractual measures to lower the 8 high data protection risks for Office 365 ProPlus and other Online Services.

      The new contractual measures only apply to the Dutch government. They ensure that Microsoft behaves as a data processor, and only processes the data for 3 authorised purposes (instead of the 8 purposes for which Microsoft processes the data for all other Enterprise customers). Because of these new privacy guarantees, the ministers were able to conclude that Dutch government organisations could continue to use Microsoft Enterprise products, as long as they would follow the recommendations from the DPIAs, for example to set the telemetry collection to the lowest level ('Security' in Windows 10 and 'Neither' in Office 365 ProPlus).

      However, these new guarantees do not apply to Windows 10 Enterprise and the mobile Office apps, since Microsoft considers itself to be a data controller for these services. And it turns out Microsoft has not (yet) enabled the admins of Office Online (the browser based applications) to turn off the Controller Connected Experiences, for which Microsoft is also a data controller.

      Together with the DPIA reports, the central Microsoft procurement organisation has published a memo for all Dutch government organisations with an update about the current state of affairs, dated 17 July 2019. This memo (in Dutch only, sorry) contains the conclusive point of view of the Dutch government.


      1. NATTtrash Silver badge

        Re: Answer from your commercial contractor

        @Sjoera Cheers for that! Although my Dutch is somewhat rusty (has been 15 years ago for me, but fortunately we have DeepL), this was very informative! BTW, you do realise that the "villainous" adjective sprouted from your own pen, right? ☺

        Since you are (clearly) familiar with this process, can I ask you...

        [ 1 ] As some suggested here, has there to your knowledge ever been any consideration at all to look at alternative offerings? As you no doubt have seen some commentards here have suggested an OpenOffice alternative. Or is the Dutch Government's attention firmly Microsoft product locked?

        [ 2 ] I see mentions of (by sys admins I assume) switching off specific MS products and services (e.g. LinkedIn integration, MS employee work accounts). That sounds a bit like the famous Dutch story of the little boy with his finger in the dyke to stop the Netherlands from flooding. However, from that, do we have to conclude that most, if not all actions actually depend on the Dutch making the necessary adjustments/ switches, and this will not be done/ delivered "default" by MS? Or perhaps better: I realise MS seems to have made "satisfactory changes", but looking at the list of "still open issues", "7 risks" and so on, it looks more like it still hinges significantly on actions to be taken by the Dutch than MS delivering a "satisfactory" product.

        [ 3 ] With that one in mind: I suppose it's fair to say that the Dutch Public Sector is more than just "central government". It stretches from Ministries in The Hague, via the Tax Offices in Limbourg, to your friendly local community civil servant in Friesland giving you info on rubbish collection times in your community. I assume they are all affected by this matter because they can still acquire access to all your tied-together data with your citizen number (was it called sofi?). Did you have any indication how absolute unified functionality and compliance with regard to these findings can and will be ensured throughout the whole public sector?

        [ 4 ] I see a mention of audits and MS agreeing to cooperate. Will this also include audits of MS servers? Being cheeky: Are Dutch officials going to check those servers in the US MS product is connecting with? And if not, what would such an audit be worth in your opinion?

        [ 5 ] This case found itself trapped in the spotlight because it concerns "the Government". However, privacy/ GDPR applies to ALL EU subjects, including a hospital, GP office, your insurer, or Jane/ Joe Average typing a letter to their nan. Do you think this will be followed up, extended, and have consequences for others, including "the average customer/ consumers"? Or do your interactions suggest the Dutch Government is just/ only concerned with itself?

        [ 6 ] And since villainous contractors have to make sure there is business continuation: have you guys been asked to continue your work on this, e.g. the "open" issues as in the SLM Advice (e.g. Workplace Analytics, Activity Reports, Delve, maybe even Skype use), or compliance of the current agreements?

        1. naive

          Re: Answer from your commercial contractor

          Being Dutch myself, I was surprised such a report is published at all. Holland is the country where all but one bank went bust in 2008 because employees of the National Bank were too busy attending parties organized by those they were supposed to keep in check, leaving the tax payer with a bill of 40 billion dollars. It is the country where all HTTPS certificates of the government were outsourced at, owned by the US based VASCO Data Security, leaving excellent opportunities for MITM attacks. It is the country where Linux is taboo in the government because decisions are made by hired people from big IT service companies, who receive kick backs from MS.

          Many semi-governmental institutions outsourced their email scanning to companies like Mimecast without even factoring in what this means for the privacy of their customers. Legislation or guidelines for this type of outsourcing are non-existent, leaving the privacy of citizens to the grabs of the cheapest offer for outsourcing, or lemming-like behaviour of decision makers.

          The Microsoft discussion in Dutch government is moot anyway, since on the level of communities, a company named Centric has over 90% market share in software solutions for communal administration and services. Centric is a MS only solution provider and a Platinum/Diamond MS reseller. Within 10 years, all these solutions will only work in Azure, and so will all the data of citizens kept by communities.

          In the end "we the people" get what we asked for, a total loss of power and privacy because we allowed them to give it away, seduced by the false promise "privatizing would make us all rich and happy".

          1. A.P. Veening Silver badge

            Re: Answer from your commercial contractor

            Holland is the country where all but one bank went bust in 2008 because employees of the National Bank were too busy attending parties organized by those they were supposed to keep in check, leaving the tax payer with a bill of 40 billion dollars.

            All but one is a bit of an exaggeration, it was only three out of four major banks, lots of smaller banks had no problems whatsoever. The major bank not going bust was Rabobank, which still had an AAA+ rating in 2009. Another Dutch bank not going bust was a bit less well known, but quite profitable and supporting a foreign parent bank with problems by name of Bank of Tokyo-Mitsubishi UFJ N.V., statutorily seated in Amsterdam (and not operating under that name anymore).

        2. Sjoera

          Re: Answer from your commercial contractor

          That's quite the list of questions!

          I can't speak for, or on behalf of, the Dutch government. Just a few remarks.

          There is a major difference constitutionally in the Netherlands between the central government and local authorities. That's decentralisation for you. So while I completely agree that Microsoft should make improvements globally, the Dutch central government can only negotiate on behalf of its own institutions and its own 300.000 civil servants.

          I agree that advice to switch off certain settings does not comply with the GDPR privacy by default requirements, but I am not in a position to enforce, only in a position to provide advice. However, there is an ongoing investigation by the European Data Protection Supervisor into the contract terms, let's see what their outcomes will be later this year...

  4. naive

    ... It is scary

    Checking the log of any proxy handling traffic for an idling windows 10 PC reveals excessive amounts of "call home" activities.

    The volume of this telemetry information is such, that it may impact weak internet connections.

    People who have the opportunity to configure their proxy should perhaps block these sites; the ones I blocked have lines with DENIED in them.

    This is the traffic of a Windows PC, without active browser windows open. It is sent every minute.


    TCP_DENIED/403 3786 CONNECT - HIER_NONE/- text/html
    TCP_DENIED/403 3786 CONNECT - HIER_NONE/- text/html
    TCP_TUNNEL/200 7894 CONNECT - HIER_DIRECT/52.109.88.
    TCP_MISS/503 4523 GET - HIER_NONE/- text/html
    TCP_DENIED/403 3801 CONNECT - HIER_NONE/- text/html
    TCP_DENIED/403 3801 CONNECT - HIER_NONE/- text/html
    TCP_DENIED/403 3801 CONNECT - HIER_NONE/- text/html
    TCP_DENIED/403 3801 CONNECT - HIER_NONE/- text/html
    TCP_MISS/200 4613 GET - HIER_DIRECT/ text/xml
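Added example, not from the post above or from The Register: a small Python analyser for Squid native access.log lines of the kind quoted in the post. It groups requests by destination host, reports which hosts were denied versus tunnelled, and flags hosts contacted at a steady interval (the every-minute pattern the post describes). The embedded log lines and hostnames are constructed placeholders, not real telemetry endpoints.

```python
"""Summarise 'call home' traffic from Squid native access.log lines: per-host
hit/denied counts plus a check for steady-interval beaconing (the every-minute
pattern described in the post). Added example; log data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median
from urllib.parse import urlsplit

# Constructed sample in Squid's native format; hostnames are placeholders.
# <epoch> <elapsed-ms> <client> <code>/<status> <bytes> <method> <url> <user> <hier>/<peer> <type>
SAMPLE_LOG = """\
1562000000.101    5 10.0.0.5 TCP_DENIED/403 3786 CONNECT beacon-a.example:443 - HIER_NONE/- text/html
1562000000.230  310 10.0.0.5 TCP_TUNNEL/200 7894 CONNECT updates.example:443 - HIER_DIRECT/203.0.113.10 -
1562000010.400   12 10.0.0.5 TCP_MISS/200 4613 GET http://intranet.example/news.xml - HIER_DIRECT/192.0.2.7 text/xml
1562000000.500  290 10.0.0.5 TCP_TUNNEL/200 9120 CONNECT beacon-b.example:443 - HIER_DIRECT/203.0.113.20 -
1562000060.105    4 10.0.0.5 TCP_DENIED/403 3786 CONNECT beacon-a.example:443 - HIER_NONE/- text/html
1562000060.510  301 10.0.0.5 TCP_TUNNEL/200 9004 CONNECT beacon-b.example:443 - HIER_DIRECT/203.0.113.20 -
1562000120.099    6 10.0.0.5 TCP_DENIED/403 3786 CONNECT beacon-a.example:443 - HIER_NONE/- text/html
1562000120.498  295 10.0.0.5 TCP_TUNNEL/200 9087 CONNECT beacon-b.example:443 - HIER_DIRECT/203.0.113.20 -
1562000180.110    5 10.0.0.5 TCP_DENIED/403 3786 CONNECT beacon-a.example:443 - HIER_NONE/- text/html
1562000180.503  288 10.0.0.5 TCP_TUNNEL/200 9150 CONNECT beacon-b.example:443 - HIER_DIRECT/203.0.113.20 -
1562000240.102    5 10.0.0.5 TCP_DENIED/403 3786 CONNECT beacon-a.example:443 - HIER_NONE/- text/html
"""

@dataclass
class HostStats:
    hits: int = 0
    denied: int = 0
    bytes_total: int = 0
    times: list = field(default_factory=list)

def dest_host(method: str, url: str) -> str:
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def parse_line(line: str):
    """Return the fields we need from one native-format line, or None if malformed."""
    parts = line.split()
    if len(parts) < 9:
        return None
    ts, _elapsed, _client, code_status, size, method, url = parts[:7]
    code, _, status = code_status.partition("/")
    return {"ts": float(ts), "code": code, "status": int(status),
            "bytes": int(size), "host": dest_host(method, url)}

def summarise(log_text: str):
    """Aggregate per destination host: hits, denied hits, bytes, timestamps."""
    stats = defaultdict(HostStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["host"]]
        s.hits += 1
        s.bytes_total += rec["bytes"]
        if rec["code"].endswith("DENIED"):  # e.g. TCP_DENIED from an ACL block
            s.denied += 1
        s.times.append(rec["ts"])
    return stats

def beacon_interval(times, min_hits: int = 4, jitter: float = 0.2):
    """Median gap in seconds if every gap lies within +/- jitter of the median
    (a steady timer), else None. Timestamps are epoch seconds."""
    if len(times) < min_hits:
        return None
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0 or any(abs(g - med) > jitter * med for g in gaps):
        return None
    return med

def report(log_text: str):
    """Rows of (host, hits, verdict, beacon_interval, bytes), busiest first.
    verdict is 'blocked' (all denied), 'allowed' (none denied) or 'mixed'."""
    rows = []
    for host, s in summarise(log_text).items():
        verdict = "blocked" if s.denied == s.hits else "allowed" if s.denied == 0 else "mixed"
        rows.append((host, s.hits, verdict, beacon_interval(s.times), s.bytes_total))
    rows.sort(key=lambda r: -r[1])  # stable sort keeps first-seen order on ties
    return rows

if __name__ == "__main__":
    for host, hits, verdict, interval, nbytes in report(SAMPLE_LOG):
        period = f"every {interval:.0f}s" if interval else "irregular"
        print(f"{host:<22} {hits:>3} hits  {verdict:<8} {period:<12} {nbytes} bytes")
```

A host that is both "allowed" and beaconing on a fixed timer is the one worth looking at first: the DENIED lines show what the block list already catches, this shows what it misses.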
    1. overunder Silver badge

      Re: ... It is scary

      That makes a BSOD look like a security feature.

    2. adnim

      Re: ... It is scary

      I must check my router, it's been a while since I checked my block list.

      I suspect MS would bypass the hosts file for the above addresses?

    3. A.P. Veening Silver badge

      Re: ... It is scary

      People who have the opportunity to configure their proxy should perhaps block these sites

      And if you don't have a proxy (or can't configure it), get a Raspberry Pi and install Pi-Hole. Just blocking the telemetry traffic will increase your connection speed significantly.

  5. Rich 2 Silver badge

    Hark! Is that the sound of a heel being dragged?

    I love it when you get responses like "we're working on making bla bla compliant..."

    ...and then take months or years to actually (usually not) achieve it.

    Compliance is dead easy - just stop f***ing spying on your customers!!!! I'm sure the necessary code changes could be done in an afternoon, and a new release made for the next day.


    1. Stoneshop Silver badge

      Re: Hark! Is that the sound of a heel being dragged?

      I'm sure the necessary code changes could be done in an afternoon,


  6. Will Godfrey Silver badge

    How does that song go?

    "Never gonna give you up..."

  7. Howard Hanek

    Sherlock Was Forever Telling Watson He Was Wrong

    Sir Arthur perhaps had a glimpse of the future?

  8. Anonymous Coward

    Maybe Microsoft should change the name of their OS to Barn Door?

    (Sorry, no Joke or Penguin Icon as Anon)

  9. JohnFen Silver badge

    That's fair

    The spying nature of Microsoft products is one of the primary reasons why I avoid using Microsoft products.

  10. Long John Silver

    This is not just about Microsoft

    Governments, commerce, other organisations, and individuals ought to bear in mind that (nearly) complete control over confidential information is possible only when all electronic apparatus resides physically with the owner of the data, and software deployed cannot of its own volition make contact with an external body/vendor. For better lock-down there should be no real-time physical connection to the Internet. Even those steps offer no guarantee of an employee or physical intruder bypassing security.

    Although encryption enhances security, it too is particularly vulnerable when reliance is placed upon third parties at remote sites to provide it. Depositing in-house encrypted data, perhaps using a preferred algorithm, on an external repository is better but also imperfect for two reasons. First, a determined adversary may consider time and electricity spent on breaking encryption worthwhile; in which case one merely has delayed release of the information and must hope that by the time it's readable elsewhere it has ceased to be of importance. Second, an adversary can learn a lot from merely perusing encrypted files and associated metadata; it may be possible to identify/guess algorithms in use and, if these differ among files in the data trove, to focus upon files, i.e. those most heavily encrypted, most likely to be of interest.

    Obviously adherence to all the strictures above would hamper many organisations. Their internal and external information 'transactions' would be slowed down. Yet, that might not be a bad thing given today's frenetic activity which cynics, such as I, suggest has little to do with other than an illusion of productivity.

    More practicable is to accept imperfection but tailor measures for protecting data according to consequences likely to flow from breach of particular categories of data. Whether explicitly or implicitly this is what many organisations do. Even so, there are basic precautions all should take.

    1. Don't trust external data stores, and their operators, housed beyond local legal jurisdiction. That ought to apply to all transnational companies despite promises they will store one's own data only within one's geographical jurisdiction.

    2. Don't trust closed source operating systems and closed source software to run on them unless they are maintained wholly in one's own legal jurisdiction. In practice this implies existence of many cottage industry software manufacturers and risks introducing a global 'Tower of Babel'. Better is to stick with open source operating system software and 'office tools' kept under scrutiny by trusted local experts; 'local' in this context could be the EU. Specialised needs are best catered for by commissioning bespoke software.

    Recent reports suggest withdrawal of some organisations (e.g. city administrations) from trials of open source software and return to the clammy grasp of proprietary software vendors. Being willing to pay/rent over the odds for cleverly marketed proprietary software is one thing. Sacrificing data security quite another. International proprietary software vendors may at heart be trustworthy but they can be suborned by powerful governmental agencies.

  11. Disk0

    Finger in the dyke

    This might be a quirky local cultural thing, but our representative government has indeed set forth that when dealing with technology providers it is reasonable to consider how much spying they do for themselves, their government and 3rd parties, especially when there is an increasingly dodgy regime in said technology provider’s home country, a regime which has no regard for its own citizens’ privacy, let alone the privacy of forners in rando Euro-Shitholes cuz dems not even real gummints, there all like socialisms ’n shit and there are no good golf courses there anyway. Bless. So, it may be somewhat of a nuisance to have metadata about our citizens being used for marketing purposes, but a foreign, compromised entity guaranteed to lose, leak, sell or hand over metadata of government workers is a serious breach. I guess a vast majority of the viewers here can totally live without a sequel to the “Cosy Bear” reality TV show, it was boring and scary.

  12. Anonymous Coward

    1. Charlie van Becelaere

      Re: "Cloggies"

      Agreed. (though I'm not a cloggy/cloggie, I have been mistaken for one at times.)

  13. Unbelievable!

    Telemetry.. it's not even needed. Why is it allowed?

    Telemetry .. ha. There's no need for telemetry. What's wrong with a "report an issue" button, or just "feedback and suggestions"?

    MS is just a business. Greengrocers, pet stores, clothing outlets, etc. etc. are equally businesses. They don't refuse to let you buy a product unless you submit to EVERYTHING about YOU and EVERYTHING you do.

    Telemetry is plain simple spying. It's not needed. Wherever the data is stored doesn't matter. The results of the analysis will be transmitted to wherever they like, and the data itself can remain in situ.

    We're all bogged down so much in the tiny detail that the bigger picture is slipping by. WHY does anything or anyone need so much information without users being able to stop or prevent it?

    1. T. F. M. Reader

      Re: Telemetry.. it's not even needed. Why is it allowed?

      [Greengrocers] don't refuse to let you buy a product...

      Unlike your friendly neighbourhood greengrocer, MSFT[1] refuse to let you "buy a product" with or without telemetry. They let you use their "groceries" until they decide they won't let you anymore. Among the multitude of conditions you must agree to, to get their permission to stroke a cucumber, sending them the data on yourself and your friends and colleagues and casual acquaintances[2] looks like just a detail indeed.

      [1] MSFT are not the only ones, to be fair - looks like SOP nowadays. And while your friendly neighbourhood greengrocer may still accept cash, supermarket chains make serious efforts to encourage/force you to use traceable means of payment - for slurping and for adjusting prices/discounts not in your favour. Governments, too, actively seek ways to legislate cashless societies, partly for getting all the taxes, partly for "telemetry", because "terrrism", because "think of the children", whatever.

      [2] That, IMHO, is even worse than slurping your data. You, at least, agreed to EULA (sort of).

      1. John Brown (no body) Silver badge

        Re: Telemetry.. it's not even needed. Why is it allowed?

        "supermarket chains make serious efforts to encourage/force you to use traceable means of payment"

        Which ones? Which country? I can't say I've noticed that at all.

        Even their loyalty cards are giving fewer "rewards" than they used to. It seems as though they are devaluing the data collected, possibly after massively overvaluing it in recent years. What they really need to know, and is valuable, is the items of stock sold, when and how often. They really don't need to know the incredibly fine detail of which specific customer bought a pint of milk and when they bought it.

  14. steviebuk Silver badge

    Well then

    "Microsoft has maintained that it would work with customers and governments in EU to get all of its products in compliance. "

    Give us some buttons, checkboxes and/or group policies that allow us to fucking turn it off then.

  15. Anonymous Coward

    Fly free... fly free

    Sorry Flying Dutchman... every port is a Microsoft port.

  16. nijam

    > Microsoft has maintained that it would work with customers and governments in EU to get all of its products in compliance.

    Why does it even need to? It is well aware that it should never have been collecting this information.

    How surprised are we?

  17. Frank Thynne

    Is any Microsoft software safe?

    Yet another reason for official bodies to ban all Microsoft software products on the grounds of unverifiable Quality Assurance.
