Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises. The lawsuit was filed in US District Court in San Francisco, on behalf of plaintiffs Frank Russo, Koonan Litigation Consulting, and Sumner …
... means Microsoft has violated the US Wiretap Act, the US Stored Communications Act, and consumer protection laws in the State of Washington.
Whaaat?
Nooooo ...
Impossible.
Really now ...
Is anyone at all surprised?
I mean, if you're using Office 365 or Exchange Online, it's expected to happen, with or without your consent. ie: basic common sense should have told you that it would.
O.
People did nothing when the Snowden revelations came out.
People did nothing when the NSA lied to Congress.
People did nothing when millions of phone calls were monitored and recorded.
Now there's nothing you can do. You've just been sold into slavery for the price of your indifference.
I read the 38pp complaint from the plaintiff (who has a $120/yr Office Business Premium account*) and cannot find anywhere where it says this happens, just that it is "alleged more specifically below" and "below" never comes.
* "Plaintiff Davenport is investigating replacing its [$120/yr] Microsoft subscription with a"different solution, a transition that would require significant time and money. " and is looking for $5million.
We've got the one saying uninstall Zoom from laptops and work phones, we've got the one saying uninstall TikTok from work phones and your own phones if you BYOD, but I ain't holding my breath for the one about not using Office 365 since they've gone all-in and drunk the MS kool aid.
Still, at least working at a place which has locked themselves into Office 365 means I can have some downtime every couple of weeks.
Microsoft is not sharing your data, it's the internet that's sharing your data...
For example, you can state that you are not sharing your customers data with anyone, but you sell access to the data logs to anyone. You're not "sharing" the data, they are reading your logs and paying you for it. Legally you can document this on page 94 of the user privacy agreement that everyone clicks the box "yes I read the document" to use the app.
My Smart TV I bought last year allows you to connect with streaming services but doing so, they force you to accept data sharing. There’s no opt-out option. Obviously I choose not to use the ‘smart’ part of my TV.
It’s disappointing that so much software and online services have links to unethical businesses like Facebook and Google. This is why we need standalone software like Libre Office and not subscription software with it’s reliance on online connectivity leaving us vulnerable to data sharing.
It's like telling a secret. As soon as you put your valuable data in the cloud, on somebody else's servers, you have lost control of that data forever. It's not your data any more. You have no way of knowing, let alone controlling who has access to it or what they do with it. You can't take it back, you can't delete it. You can't even access it yourself unless you keep up the payments.
If your data is supposed to be confidential, then keep it confidential. Do not put it in the cloud. Keep it on your own servers. Employ competent and trustworthy people to manage it. It baffles me how many people don't understand this.
To be blunt these crooks want people on cloud services so that the can abuse them more, with the cheek of effectively steal a lot more user data for commercial purposes without proper informed consent, which is even worse if a subscription fee is charged, because they discontinued the local product, so that they can make an even greater and growing profit margin!
The customer can also suddenly discover loss of access to applications, if for any reason they lose access to the cloud site, which can be because they need to VPN into a private network, which is not connected to the internet!
> It baffles me how many people don't understand this.
There are the happy-go-lucky "I have nothing to hide" people.
There are the "I can't be bothered, cloud seems easier/cheaper" people.
Of course there are the "Oooh, shiny!!!..." people.
But in the end there are also the "It's not like I've been given a choice" people. Adobe customers understand what I mean.
But if I understand it correctly, “sharing data with Facebook” only happens when Facebook contact sync in Exchange Online is turned on (by default) and a user sets up a Facebook connection.
The only place in the complaint where I found _how_ “Facebook-sharing” is done is in paragraph 76, on page 18:
> Even if a customer discovers and disables this Facebook-sharing “feature” after activating Office 365 or Exchange Online services, the damage has already been done. At that point, the business customer’s contacts have been shared with Facebook. As Microsoft explains in an obscure technical instruction, “[o]nce contacts are transferred to Facebook, they cannot be deleted from Facebook’s systems except by Facebook.”
Googling the quote leads you to an outdated document titled “Office 365 Midsize Business, Office 365 Enterprise, Office 365 Education & Office 365 Government Advanced Privacy Options for Administrators”, on a non-Microsoft domain. The quote appears in a section named “Facebook Contact Sync” (next to “LinkedIn Contact Sync”). These two features are still documented on the current Microsoft Docs website.
> only happens when Facebook contact sync in Exchange Online is turned on (by default) and a user sets up a Facebook connection
That's not what I understood reading the article. It says: "whether or not the customers or their contacts are Facebook users". So actually it happens always, all the time, no matter if somebody in the group is a Facebook user.
> […] but there’s nothing to suggest non-Facebook users are safe from any data slurping by Facebook if the software company have any agreements going with Facebook.
Yeah, so um… So how can Microsoft’s business user data be “slurped” by Facebook, other than by using this “Facebook contact sync” feature (which requires the user explicitly creating a Facebook connection first)? I read the legal complaint and didn’t find any.
This article was all about business users, what about home/personal users ? I suspect that Microsoft sold their personal information as well ?
Me: happy to use Libreoffice on my Linux boxes but unhappy to realise that I have likely had my private information harvested from anything that my O-365 using friends have recorded about me.
The GDPR talks about clarity in agreements - but I doubt that most O-365 users are aware. Time for a huge fine from the data protection people.
Trying to decide how serious this is.
I mean, it is quite plain to see that Linkedin is integrated into the 365 world (I switched that off earlier). But by default, this largely just seems to connect your email inbox to people's registered LinkedIn account profile pic, name and job title (unless you then go onwards to connect, whereby you can get some notifications in the e-mail contact window).
Facebook integration... I mean that is more serious. Is it now? (imagine CEO's sharing email contacts - and I'm sure the US never spy on content huh?).
I can see that there is an option in older Outlook to decide to integrate Facebook. Probably using the Facebook Graph API. Sounds like a shit idea.
It also claims the process is that Facebook graph API would send Microsoft the contact details, not the other way around (I am open minded to it going both ways). It also claims Microsoft had to roll back access to various elements of this API in 2015...
FFS.
This post has been deleted by its author
This is odd.
Exchange Admin Centre in O365 lists Facebook Contact Sync as being enabled under the Default OWAMailbox Policy but when you edit the policy there is no Facebook Contact Sync option listed.
MS Support say that Facebook sync is no longer available - which is born out by a quick search:
https://support.microsoft.com/en-us/office/facebook-connect-is-no-longer-available-f31c8107-7b5a-4e3d-8a22-e506dacb6db6
But that's referring to Facebook Connect from 2013! Is that the same thing?
Confirming that with MS Support.
They have said you need to run a Powershell command to check settings:
Set-OwaMailboxPolicy -Identity <Name of the Policy> FaceBookEnabled $False
MS published the below document on January 2020. It seems quite explicit and on their own website? Does Microsoft really find it necessary to assist Facebook with the "people you may know" API????
https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-facebook-contact-sync
"Facebook contact synchronization lets people set up a connection between their Facebook account and their Microsoft 365 or Office 365 account by using Outlook on the web (formerly known as Outlook Web App). After they set up a Facebook connection, all their Facebook friends are listed as contacts in People in Microsoft 365 or Office 365. They can then interact with their Facebook friends as they do with their other contacts. Facebook contact sync is turned on by default if the feature is available in your region."
The information for each Facebook friend is stored as a read-only contact record in the Facebook folder in People. The information that's synchronized between Facebook and Outlook on the web includes first name, last name, all phone numbers, all email addresses, and all street addresses. Facebook contacts are stored in the user's mailbox and are retained in accordance with the Microsoft 365 or Office 365 service agreement.
"During the Outlook on the web and Facebook connection setup, the contacts in the user's default contacts folder are uploaded to Facebook as part of a one-time synchronization with Facebook. Facebook uses this contact information as part of the "People you may know" friend suggestions on Facebook. The one-time upload of information also allows Facebook to include the information for your users' Outlook on the web contacts in Facebook applications that your users may choose to use, for example, mobile phone applications."
Would this refer to all e-mail contacts I exchange email with (including spam), or just my actual formal contacts list?
There is also:
You can't disable Facebook contact sync for your Office 365 organization
Which says:
Make sure that users don't have the option to connect to Facebook by using the steps that are described in Add Facebook friends as contacts. If users don't have the option to add their Facebook friends as contacts, you can safely ignore the error message.
Click on that link and you get:
Sorry, the page you’re looking for can’t be found.
You may have clicked an old link or the page may have moved.
Yeah, great MS. See icon.
I'm quite willing to accept giving the user informed consent to share contacts, for obvious purposes.
But the ... sheer idea that any of the following options are sensible baffles me:
a) My IT manager has permission to default my business and facebook contacts syncing up (could theoretically result in Outlook being used to spy on LinkedIn recruitment activity). Or giving my IT manager backdoor admin to my FB contacts list? Or in more serious legal territory: insight to sexual/health/unionised behaviour
b) My IT manager wants my business email contacts shipped to Facebook for any reason whatsoever
That page also tells you why in the “Causes” section, right above what you quoted.
“This issue occurs if Facebook integration isn't available for your organization. Validation rules block access to features that don't apply to certain organizations. Even though you can't disable the feature, you don't have to be concerned about the feature being used by people in your organization. If the Facebook contact sync feature isn't available for your organization, this means that the feature is blocked at a deeper level.”
I’m not sure how you could’ve missed it, quite honestly.
I've noticed an awful lot of traffic from our corporate mandated windows 10 / O262 messes trying to go to Microsoft Aria and associated addresses. Pihole blocks these addresses. What exactly do they want to phone home? At what point did I agree to phone home, or indeed when did the corporation do so? What GDPR violations are being made accidentally or otherwise by the telemetry? Had quite enough of this bollocks.
Going off at a tangent - I run a Windows 10 Pro (2004) VM on my Linux Mint desktop. I also run a pfsense firewall with the pfblockerNG package installed.
Obviously I have blocked Microsoft at a DNS level but have also blocked all Microsoft ASN I can find (25 so far). I will allow access to Microshaft but only when I decide its appropriate (eg Windows update check) otherwise the VM Win 10 client is blocked.
As soon as I booted the Windows 10 VM this afternoon pfsense reported that it tried to establish a connection (443) to these IP's
52.114.128.43
52.114.77.33
Whois shows they are both Microshaft
NetRange: 52.96.0.0 - 52.115.255.255
CIDR: 52.96.0.0/12, 52.112.0.0/14
NetName: MSFT
NetHandle: NET-52-96-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2015-11-24
Updated: 2015-11-24
Ref: https://rdap.arin.net/registry/ip/52.96.0.0
Conclusion
You may block Microsfaft at an DNS level but it appears to have some hard coding for IP addresses to circumvent this.
As I am somewhat neurotic I operate a similar ASN policy for Facebook. Google, Oracle, Adobe, Yahoo. Twitter, Telegram and Amazon. It can be a bit wearing at times but at least I decide who has access to what.
Whilst I am only a home user I also operate a default block outbound policy on pfsense - stops any IOT devices phoning home unless specifically authorised.
Think I'll go for a lie down now ....
@Binraider
If I have understood your intentions correctly, I think that blocking individual Microsoft IP addresses will be akin to "wack a mole" much better to block at the ASN level.
As indicated in my original post one of the third party packages I use in pfsense is called pfblockerNG (pfBlockerNG-devel v2.2.5_33) which allows DNS and ASN blocking. Amongst its killer features is it will automatically check and update ASN lists so as additional subnets are added/removed from an ASN it will update the firewall block lists without any further intervention.
Looking at my firewall logs this morning (post Windows 10 VM boot) I can see the following IP addresses (all Microshaft) on port 443 blocked
52.114.75.79
13.69.68.25
13.80.7.77
52.114.132.73
These are different from those I listed yesterdays and would not be blocked via DNS (no entries listed for IP's)
Personally, if you can, I would recommend switching to pfsense full stop. It is very sophisticated and also free open source software! While pi-hole is good (and has a very low hardware requirement) pfsense is IMHO streets ahead in functionality.
For pfsense higher specification hardware will be required but its still relatively modest. I use an Intel NUC (see here https://www.mini-itx.com/~JBC313) which is powered by a 36w supply. Whatever hardware you use for pfsense its strongly recommended that it has Intel NIC’s and AES-NI on the chipset.
Frankly (whilst I am only a home user) I would feel naked without pfsense. Its also excellent for configuring VPN inbound/outbound connections.
Looks like microsoft cloud's Equivelence dicision will be under review and the Office for the Data Commisioner in Ireland may be getting a call to investigate.
Not like they'll actually do anything, but they might go through a tonne of boxes to look like they are doing something....
"Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises"
No need in my company... they use 'Workplace by Facebook" as well as Office 365
(I've looked at Workplace a couple of times, but it's just a mess... 'important' messages from the CEO jumbled up with pictures of Sally from Account's dog and a picture of a company van, just in case we'd forgotten what they look like!)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
