Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs

Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises. The lawsuit was filed in US District Court in San Francisco, on behalf of plaintiffs Frank Russo, Koonan Litigation Consulting, and Sumner …

  1. oiseau Silver badge
    Facepalm

    Anyone surprised?

    ... means Microsoft has violated the US Wiretap Act, the US Stored Communications Act, and consumer protection laws in the State of Washington.

    Whaaat?

    Nooooo ...

    Impossible.

    Really now ...

    Is anyone at all surprised?

    I mean, if you're using Office 365 or Exchange Online, it's expected to happen, with or without your consent. i.e.: basic common sense should have told you that it would.

    O.

    1. Zippy´s Sausage Factory
      Facepalm

      Re: Anyone surprised?

      I wonder if there are any bright, ambitious young prosecutors looking at this and thinking "I could make a name for myself here"?

      I think if I owned shares in Micros~1 I'd be selling them right now.

  2. elDog

    Please keep this story updated and on the front page, if accurate.

    This is huge. Not unexpected from the corporate world run amok.

    1. NoneSuch Silver badge
      Mushroom

      Re: Please keep this story updated and on the front page, if accurate.

      People did nothing when the Snowden revelations came out.

      People did nothing when the NSA lied to Congress.

      People did nothing when millions of phone calls were monitored and recorded.

      Now there's nothing you can do. You've just been sold into slavery for the price of your indifference.

      1. LDS Silver badge
        Devil

        Re: Please keep this story updated and on the front page, if accurate.

        Well, people did nothing when Google started to slurp their data, and they willingly gave them to Facebook.

        At least the government tried to hide what it was doing...

  3. ratfox Silver badge
    Paris Hilton

    Wait. The claim is that by default, unless you turn off an option somewhere in some disused-leopard-lavatory settings screen, Microsoft sends the email address of its paying customers to Facebook? If it's true, wow. Just wow.

    1. hitmouse

      I read the 38pp complaint from the plaintiff (who has a $120/yr Office Business Premium account*) and cannot find anywhere where it says this happens, just that it is "alleged more specifically below" and "below" never comes.

      * "Plaintiff Davenport is investigating replacing its [$120/yr] Microsoft subscription with a "different solution, a transition that would require significant time and money."" and is looking for $5 million.

  4. Anonymous Coward
    Anonymous Coward

    Just waiting for the email from corp IT...

    We've got the one saying uninstall Zoom from laptops and work phones, we've got the one saying uninstall TikTok from work phones and your own phones if you BYOD, but I ain't holding my breath for the one about not using Office 365 since they've gone all-in and drunk the MS kool aid.

    Still, at least working at a place which has locked themselves into Office 365 means I can have some downtime every couple of weeks.

  5. Anonymous Coward
    Anonymous Coward

    Check the small print

    Microsoft is not sharing your data, it's the internet that's sharing your data...

    For example, you can state that you are not sharing your customers data with anyone, but you sell access to the data logs to anyone. You're not "sharing" the data, they are reading your logs and paying you for it. Legally you can document this on page 94 of the user privacy agreement that everyone clicks the box "yes I read the document" to use the app.

    1. oiseau Silver badge
      WTF?

      Re: Check the small print

      Microsoft is not sharing your data, it's the internet that's sharing your data...

      Really?

      O.

  6. beep54
    Happy

    LibreOffice

    Yet another perfectly satisfied customer.

    1. slartybartfast

      Re: LibreOffice

      My Smart TV I bought last year allows you to connect with streaming services but doing so, they force you to accept data sharing. There’s no opt-out option. Obviously I choose not to use the ‘smart’ part of my TV.

      It’s disappointing that so much software and so many online services have links to unethical businesses like Facebook and Google. This is why we need standalone software like LibreOffice and not subscription software with its reliance on online connectivity leaving us vulnerable to data sharing.

  7. Anonymous Coward
    Anonymous Coward

    Cloud based idiocy

    It's like telling a secret. As soon as you put your valuable data in the cloud, on somebody else's servers, you have lost control of that data forever. It's not your data any more. You have no way of knowing, let alone controlling who has access to it or what they do with it. You can't take it back, you can't delete it. You can't even access it yourself unless you keep up the payments.

    If your data is supposed to be confidential, then keep it confidential. Do not put it in the cloud. Keep it on your own servers. Employ competent and trustworthy people to manage it. It baffles me how many people don't understand this.

    1. Keythong
      Big Brother

      Re: Cloud based idiocy

      To be blunt, these crooks want people on cloud services so that they can abuse them more, with the cheek of effectively stealing a lot more user data for commercial purposes without proper informed consent, which is even worse if a subscription fee is charged, because they discontinued the local product, so that they can make an even greater and growing profit margin!

      The customer can also suddenly discover loss of access to applications, if for any reason they lose access to the cloud site, which can be because they need to VPN into a private network, which is not connected to the internet!

    2. ThatOne Silver badge
      Holmes

      Re: Cloud based idiocy

      > It baffles me how many people don't understand this.

      There are the happy-go-lucky "I have nothing to hide" people.

      There are the "I can't be bothered, cloud seems easier/cheaper" people.

      Of course there are the "Oooh, shiny!!!..." people.

      But in the end there are also the "It's not like I've been given a choice" people. Adobe customers understand what I mean.

    3. Zakhar
      Linux

      Re: Cloud based idiocy

      There is absolutely no issue whatsoever using cloud storage... provided you encrypt your files locally before you store them. Obviously, you need a local O.S. you can trust to do that without leaking your local encryption keys, which rules out W$

  8. mmm_yeah

    Sounds scary...

    But if I understand it correctly, “sharing data with Facebook” only happens when Facebook contact sync in Exchange Online is turned on (by default) and a user sets up a Facebook connection.

    The only place in the complaint where I found _how_ “Facebook-sharing” is done is in paragraph 76, on page 18:

    > Even if a customer discovers and disables this Facebook-sharing “feature” after activating Office 365 or Exchange Online services, the damage has already been done. At that point, the business customer’s contacts have been shared with Facebook. As Microsoft explains in an obscure technical instruction, “[o]nce contacts are transferred to Facebook, they cannot be deleted from Facebook’s systems except by Facebook.”

    Googling the quote leads you to an outdated document titled “Office 365 Midsize Business, Office 365 Enterprise, Office 365 Education & Office 365 Government Advanced Privacy Options for Administrators”, on a non-Microsoft domain. The quote appears in a section named “Facebook Contact Sync” (next to “LinkedIn Contact Sync”). These two features are still documented on the current Microsoft Docs website.

    1. ThatOne Silver badge

      Re: Sounds scary...

      > only happens when Facebook contact sync in Exchange Online is turned on (by default) and a user sets up a Facebook connection

      That's not what I understood reading the article. It says: "whether or not the customers or their contacts are Facebook users". So actually it happens always, all the time, no matter if somebody in the group is a Facebook user.

      1. mmm_yeah

        Re: Sounds scary...

        > That's not what I understood reading the article. It says: "whether or not the customers or their contacts are Facebook users".

        Sure, that was my understanding as well, until I read the legal complaint itself.

      2. Norro

        Re: Sounds scary...

        You are overlooking the fact that so far it is just an accusation that seems very unlikely to be true.

    2. slartybartfast

      Re: Sounds scary...

      WhatsApp users, even if not on Facebook will have their data harvested. Yes Facebook own WhatsApp but there’s nothing to suggest non-Facebook users are safe from any data slurping by Facebook if the software company have any agreements going with Facebook.

      1. mmm_yeah

        Re: Sounds scary...

        > […] but there’s nothing to suggest non-Facebook users are safe from any data slurping by Facebook if the software company have any agreements going with Facebook.

        Yeah, so um… So how can Microsoft’s business user data be “slurped” by Facebook, other than by using this “Facebook contact sync” feature (which requires the user explicitly creating a Facebook connection first)? I read the legal complaint and didn’t find any.

  9. alain williams Silver badge

    What about non-business users ?

    This article was all about business users, what about home/personal users ? I suspect that Microsoft sold their personal information as well ?

    Me: happy to use Libreoffice on my Linux boxes but unhappy to realise that I have likely had my private information harvested from anything that my O-365 using friends have recorded about me.

    The GDPR talks about clarity in agreements - but I doubt that most O-365 users are aware. Time for a huge fine from the data protection people.

  10. low_resolution_foxxes Bronze badge

    Trying to decide how serious this is.

    I mean, it is quite plain to see that Linkedin is integrated into the 365 world (I switched that off earlier). But by default, this largely just seems to connect your email inbox to people's registered LinkedIn account profile pic, name and job title (unless you then go onwards to connect, whereby you can get some notifications in the e-mail contact window).

    Facebook integration... I mean that is more serious. Is it now? (imagine CEO's sharing email contacts - and I'm sure the US never spy on content huh?).

    I can see that there is an option in older Outlook to decide to integrate Facebook. Probably using the Facebook Graph API. Sounds like a shit idea.

    It also claims the process is that Facebook graph API would send Microsoft the contact details, not the other way around (I am open minded to it going both ways). It also claims Microsoft had to roll back access to various elements of this API in 2015...

    FFS.

    1. This post has been deleted by its author

  11. Ashto5

    Whose Benefit ?

    Just ask yourself “ to whose benefit is this?”

    If the answer is NOT resoundingly MINE

    Then you're about to be shafted by {insert company name}

  12. Che2

    Exchange Settings

    This is odd.

    Exchange Admin Centre in O365 lists Facebook Contact Sync as being enabled under the Default OWAMailbox Policy but when you edit the policy there is no Facebook Contact Sync option listed.

    MS Support say that Facebook sync is no longer available - which is borne out by a quick search:

    https://support.microsoft.com/en-us/office/facebook-connect-is-no-longer-available-f31c8107-7b5a-4e3d-8a22-e506dacb6db6

    But that's referring to Facebook Connect from 2013! Is that the same thing?

    Confirming that with MS Support.

    They have said you need to run a Powershell command to check settings:

    Set-OwaMailboxPolicy -Identity "<Name of the Policy>" -FacebookEnabled $false
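
The thread above describes checking and disabling the OWA mailbox policy flag by hand. The following is an added example (editor's code, not Che2's command and not a Microsoft script) that reports the Facebook and LinkedIn sync flags on every OWA mailbox policy in a tenant, turns them off where they are on, and shows which policy each mailbox is actually assigned to. It assumes the ExchangeOnlineManagement module is installed and the account running it has Exchange administrator rights; the cmdlets and parameter names (Get-OwaMailboxPolicy, Set-OwaMailboxPolicy -FacebookEnabled / -LinkedInEnabled, Get-CASMailbox) are the documented ones.

```powershell
# Added example, not from the thread or from Microsoft.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
Connect-ExchangeOnline

# 1. Inventory: which OWA mailbox policies still allow social-network contact sync?
Write-Host "OWA mailbox policies before:"
Get-OwaMailboxPolicy |
    Select-Object Name, IsDefault, FacebookEnabled, LinkedInEnabled |
    Format-Table -AutoSize

# 2. Remediate: clear both flags on every policy that has either one set.
#    Only policies that need changing are touched, so re-running is harmless.
$changed = Get-OwaMailboxPolicy |
    Where-Object { $_.FacebookEnabled -or $_.LinkedInEnabled } |
    ForEach-Object {
        Set-OwaMailboxPolicy -Identity $_.Identity -FacebookEnabled $false -LinkedInEnabled $false
        $_.Name
    }
if ($changed) { "Disabled Facebook/LinkedIn sync on: $($changed -join ', ')" }
else          { "No policy had Facebook or LinkedIn sync enabled" }

# 3. Verify the policies and confirm which policy each mailbox is bound to.
#    A hardened policy does nothing for mailboxes still assigned to a different one.
Write-Host "OWA mailbox policies after:"
Get-OwaMailboxPolicy | Select-Object Name, FacebookEnabled, LinkedInEnabled | Format-Table -AutoSize

Write-Host "Mailbox count per OWA mailbox policy:"
Get-CASMailbox -ResultSize Unlimited |
    Group-Object -Property OwaMailboxPolicy |
    Select-Object @{n='Policy';e={ if ($_.Name) { $_.Name } else { '(none - uses default)' } }}, Count |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

If the feature is not available for the tenant's region, the Set-OwaMailboxPolicy call in step 2 may fail with a validation error instead of succeeding; the Microsoft support page discussed further down this thread covers that case, and the inventory in step 1 is still worth keeping as evidence of the policy state.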

  13. slartybartfast

    Just another reason why subscription software is a bad idea.

  14. low_resolution_foxxes Bronze badge

    MS published the below document on January 2020. It seems quite explicit and on their own website? Does Microsoft really find it necessary to assist Facebook with the "people you may know" API????

    https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-facebook-contact-sync

    "Facebook contact synchronization lets people set up a connection between their Facebook account and their Microsoft 365 or Office 365 account by using Outlook on the web (formerly known as Outlook Web App). After they set up a Facebook connection, all their Facebook friends are listed as contacts in People in Microsoft 365 or Office 365. They can then interact with their Facebook friends as they do with their other contacts. Facebook contact sync is turned on by default if the feature is available in your region."

    The information for each Facebook friend is stored as a read-only contact record in the Facebook folder in People. The information that's synchronized between Facebook and Outlook on the web includes first name, last name, all phone numbers, all email addresses, and all street addresses. Facebook contacts are stored in the user's mailbox and are retained in accordance with the Microsoft 365 or Office 365 service agreement.

    "During the Outlook on the web and Facebook connection setup, the contacts in the user's default contacts folder are uploaded to Facebook as part of a one-time synchronization with Facebook. Facebook uses this contact information as part of the "People you may know" friend suggestions on Facebook. The one-time upload of information also allows Facebook to include the information for your users' Outlook on the web contacts in Facebook applications that your users may choose to use, for example, mobile phone applications."

    Would this refer to all e-mail contacts I exchange email with (including spam), or just my actual formal contacts list?

    1. Dan 55 Silver badge
      FAIL

      There is also:

      You can't disable Facebook contact sync for your Office 365 organization

      Which says:

      Make sure that users don't have the option to connect to Facebook by using the steps that are described in Add Facebook friends as contacts. If users don't have the option to add their Facebook friends as contacts, you can safely ignore the error message.

      Click on that link and you get:

      Sorry, the page you’re looking for can’t be found.

      You may have clicked an old link or the page may have moved.

      Yeah, great MS. See icon.

      1. low_resolution_foxxes Bronze badge

        I'm quite willing to accept giving the user informed consent to share contacts, for obvious purposes.

        But the ... sheer idea that any of the following options are sensible baffles me:

        a) My IT manager has permission to default my business and facebook contacts syncing up (could theoretically result in Outlook being used to spy on LinkedIn recruitment activity). Or giving my IT manager backdoor admin to my FB contacts list? Or in more serious legal territory: insight to sexual/health/unionised behaviour

        b) My IT manager wants my business email contacts shipped to Facebook for any reason whatsoever

        1. Dan 55 Silver badge

          Facebook contact sync is turned on by default if the feature is available in your region.

          Yes, I do hope it's not turned on by default in GDPR countries.

      2. mmm_yeah

        That page also tells you why in the “Causes” section, right above what you quoted.

        “This issue occurs if Facebook integration isn't available for your organization. Validation rules block access to features that don't apply to certain organizations. Even though you can't disable the feature, you don't have to be concerned about the feature being used by people in your organization. If the Facebook contact sync feature isn't available for your organization, this means that the feature is blocked at a deeper level.”

        I’m not sure how you could’ve missed it, quite honestly.

        1. Dan 55 Silver badge

          So the default on but it may be turned off by MS, the page which tells you how to actually check if it's on or not is not available, and I should just trust MS to get it right for me according to their criteria which is not explained either?

  15. Binraider

    I've noticed an awful lot of traffic from our corporate mandated windows 10 / O262 messes trying to go to Microsoft Aria and associated addresses. Pihole blocks these addresses. What exactly do they want to phone home? At what point did I agree to phone home, or indeed when did the corporation do so? What GDPR violations are being made accidentally or otherwise by the telemetry? Had quite enough of this bollocks.

    1. Recluse

      Blocking Microshaft - that's what you think

      Going off at a tangent - I run a Windows 10 Pro (2004) VM on my Linux Mint desktop. I also run a pfsense firewall with the pfblockerNG package installed.

      Obviously I have blocked Microsoft at a DNS level but have also blocked all Microsoft ASNs I can find (25 so far). I will allow access to Microshaft but only when I decide it's appropriate (eg Windows update check) otherwise the VM Win 10 client is blocked.

      As soon as I booted the Windows 10 VM this afternoon pfsense reported that it tried to establish a connection (443) to these IP's

      52.114.128.43
      52.114.77.33

      Whois shows they are both Microshaft:

      NetRange:       52.96.0.0 - 52.115.255.255
      CIDR:           52.96.0.0/12, 52.112.0.0/14
      NetName:        MSFT
      NetHandle:      NET-52-96-0-0-1
      Parent:         NET52 (NET-52-0-0-0-0)
      NetType:        Direct Assignment
      OriginAS:
      Organization:   Microsoft Corporation (MSFT)
      RegDate:        2015-11-24
      Updated:        2015-11-24
      Ref:            https://rdap.arin.net/registry/ip/52.96.0.0

      Conclusion

      You may block Microshaft at a DNS level but it appears to have some hard coding for IP addresses to circumvent this.

      As I am somewhat neurotic I operate a similar ASN policy for Facebook, Google, Oracle, Adobe, Yahoo, Twitter, Telegram and Amazon. It can be a bit wearing at times but at least I decide who has access to what.

      Whilst I am only a home user I also operate a default block outbound policy on pfsense - stops any IOT devices phoning home unless specifically authorised.

      Think I'll go for a lie down now ....

    2. Martin an gof Silver badge

      On another tangent, "corporate" and "PiHole" in the same sentence? Is PiHole really up to that task on a corporate level? Asking for interest really - I'm thinking of sticking one in at home but am worried about the potential performance hit...

      M.

      1. Binraider

        The performance difference is undetectable in my experience, if anything slightly better because less traffic. The corporate stuff gets pushed over a VPN anyways so it's just an extra crap-filter before the request goes into the VPN.

      2. jtaylor

        I get the impression that Binraider is using pihole on a home network, not a corporate network.

        If an organization is big enough to run their own nameservers, they probably use something more robust than pihole, like BIND or MS DNS.

        1. BenDwire Silver badge
          Go

          Don't use a Pi

          Whilst there is nothing wrong with using a Pi (apart from the occasional corrupt SD card now and again) I installed it on an existing Debian box instead. It's happily coped with 30+ users in an SME and nobody noticed any performance issues. I did the same at home too.

        2. Binraider

          Yep home>pihole>VPN>corp.

          I’m intrigued by the hard wired ip usage. Might be added to the block list too.

          1. Recluse

            ASN blocking, not individual IP, is the way to go

            @Binraider

            If I have understood your intentions correctly, I think that blocking individual Microsoft IP addresses will be akin to "whack-a-mole"; much better to block at the ASN level.

            As indicated in my original post one of the third party packages I use in pfsense is called pfblockerNG (pfBlockerNG-devel v2.2.5_33) which allows DNS and ASN blocking. Amongst its killer features is it will automatically check and update ASN lists so as additional subnets are added/removed from an ASN it will update the firewall block lists without any further intervention.

            Looking at my firewall logs this morning (post Windows 10 VM boot) I can see the following IP addresses (all Microshaft) on port 443 blocked

            52.114.75.79
            13.69.68.25
            13.80.7.77
            52.114.132.73

            These are different from those I listed yesterday and would not be blocked via DNS (no entries listed for the IPs).

            Personally, if you can, I would recommend switching to pfsense full stop. It is very sophisticated and also free open source software! While pi-hole is good (and has a very low hardware requirement) pfsense is IMHO streets ahead in functionality.

            For pfsense higher specification hardware will be required but it's still relatively modest. I use an Intel NUC (see here https://www.mini-itx.com/~JBC313) which is powered by a 36w supply. Whatever hardware you use for pfsense it's strongly recommended that it has Intel NICs and AES-NI on the chipset.

            Frankly (whilst I am only a home user) I would feel naked without pfsense. It's also excellent for configuring VPN inbound/outbound connections.
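
Recluse's two posts make a concrete point: DNS blocking does nothing for clients that connect straight to an IP, and a single netblock from a whois lookup misses addresses the same organisation holds elsewhere. The block below is an added example (editor's code, not anything Recluse or pfBlockerNG ships) that takes destination addresses from firewall entries and tests each one against the two MSFT CIDRs quoted from ARIN above. The log entries are constructed in a simplified "action,src,dst,dstport" shape for illustration and are not real pfSense filterlog lines; the destination addresses are the ones Recluse listed plus one TEST-NET address as a control. Nothing here looks anything up online.

```powershell
# Added example, not from the thread. Pure PowerShell/.NET, runs offline.

function ConvertTo-BitString {
    # Render a dotted-quad IPv4 address as a 32-character string of 0/1,
    # most significant octet first, so prefixes can be compared as substrings.
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()   # network byte order
    ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
}

function Test-IPInCidr {
    # True when the first <prefix> bits of $IPv4 equal those of the CIDR's network address.
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    if ($prefix -eq 0) { return $true }
    (ConvertTo-BitString $IPv4).Substring(0, $prefix) -eq (ConvertTo-BitString $network).Substring(0, $prefix)
}

# The two ranges ARIN lists under NetHandle NET-52-96-0-0-1 (quoted in the whois output above).
$msftCidrs = @('52.96.0.0/12', '52.112.0.0/14')

# CONSTRUCTED sample entries, not real pfSense filterlog output.
$sampleLog = @(
    'block,10.0.0.5,52.114.128.43,443',
    'block,10.0.0.5,52.114.77.33,443',
    'block,10.0.0.5,52.114.75.79,443',
    'block,10.0.0.5,13.69.68.25,443',
    'block,10.0.0.5,13.80.7.77,443',
    'block,10.0.0.5,52.114.132.73,443',
    'pass,10.0.0.5,198.51.100.7,443'      # TEST-NET-2 control address
)

$report = foreach ($line in $sampleLog) {
    $action, $src, $dst, $port = $line -split ','
    $hit = @($msftCidrs | Where-Object { Test-IPInCidr -IPv4 $dst -Cidr $_ })
    [pscustomobject]@{
        Action        = $action
        Destination   = $dst
        Port          = $port
        InListedRange = ($hit.Count -gt 0)
        MatchedCidr   = if ($hit.Count -gt 0) { $hit -join ', ' } else { '-' }
    }
}

$report | Format-Table -AutoSize
```

The 52.114.x.x destinations land inside 52.112.0.0/14, while the 13.x.x.x addresses from the second post fall outside both ranges quoted from that one ARIN record. That is exactly the gap an automatically refreshed ASN prefix list closes: a block list built from one whois answer covers only the netblock you happened to look up, and a client that dials IPs directly never consults the DNS sinkhole at all.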

  16. Just Enough

    Non-denial

    "we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments."

    I've searched carefully, but I can't find the bit where they say they do not share their data with Facebook. Am I missing it somewhere?

  17. EnviableOne Silver badge

    EDPB will watch this with interest

    Looks like Microsoft cloud's equivalence decision will be under review and the Office of the Data Protection Commissioner in Ireland may be getting a call to investigate.

    Not like they'll actually do anything, but they might go through a tonne of boxes to look like they are doing something....

  18. Anonymous Coward
    Anonymous Coward

    "Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises"

    No need in my company... they use 'Workplace by Facebook" as well as Office 365

    (I've looked at Workplace a couple of times, but it's just a mess... 'important' messages from the CEO jumbled up with pictures of Sally from Account's dog and a picture of a company van, just in case we'd forgotten what they look like!)

  19. Anonymous Coward
    Anonymous Coward

    Busted

    I doubt they sold it to Zuck. I will bet it was a trade: we give you this bundle of info for a large bundle of your unique info (which just happens to violate individual privacy).

Biting the hand that feeds IT © 1998–2020