Beware of What the New Outlook Shares with Microsoft


Microsoft Outlook is one of the most widely used email clients in the world, both for personal and business use. However, recent changes to the Outlook software have privacy advocates and researchers concerned about how user data is being handled.

Outlook Shares Login Credentials

One of the most alarming discoveries came from German technology site Heise Online. They found that when setting up a new IMAP email account in the new Outlook for Windows, the login username and password were sent in plaintext to Microsoft's servers.

This gives Microsoft ongoing access to users' email accounts even if the Outlook app is later uninstalled. Not only are your login credentials shared from Outlook with Microsoft's servers, but so are any future contacts or calendar events you create in the application.

This allows Microsoft to access the user's entire email account on the IMAP server. Microsoft itself acknowledges it stores copies of emails, calendars and contacts from non-Microsoft providers like Gmail and iCloud on their cloud servers, but had not clearly stated it was collecting login credentials as well.
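One consequence a mail administrator can check for: if a cloud service holds a user's IMAP credentials, successful logins for that user arrive from addresses outside the networks the user's own devices connect from. The following is an added example, not part of the original article. It assumes a Dovecot-style `imap-login` log format, and the networks, users and log lines are constructed from documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Networks the organisation's own mail clients connect from (constructed
# values from the RFC 5737 documentation ranges; replace with your own).
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Dovecot "imap-login" success line; user and rip (remote IP) are the fields needed.
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?\brip=([0-9a-fA-F:.]+)")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
Nov 20 09:01:12 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.41, lip=192.0.2.10, mpid=4121, TLS, session=<a1>
Nov 20 09:03:40 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4130, TLS, session=<a2>
Nov 20 09:18:40 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10, mpid=4177, TLS, session=<a3>
Nov 20 09:20:05 mail dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=192.0.2.57, lip=192.0.2.10, mpid=4180, TLS, session=<b1>
Nov 20 09:21:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<b2>
"""

def is_expected(ip):
    """True if the address lies inside one of the expected client networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_CLIENT_NETS)

def unexpected_logins(log_text):
    """Return {user: sorted list of source IPs outside the expected networks}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored
        user, rip = m.groups()
        try:
            if not is_expected(rip):
                hits[user].add(rip)
        except ValueError:
            continue  # malformed address in the log; skip the line
    return {user: sorted(ips) for user, ips in hits.items()}

if __name__ == "__main__":
    for user, ips in unexpected_logins(SAMPLE_LOG).items():
        print(f"{user}: successful IMAP logins from unexpected sources {ips}")
```

A hit is a prompt to ask the user which client they configured and to rotate the account password if the credentials were handed to a third party.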

Copied Emails and Broad Access to Personal Data

Equally troubling is Microsoft's handling of email content. When email, calendar and contact data from third-party providers is synchronized to Microsoft's cloud, it is sent to their US-based servers.

This puts the full contents of users' inboxes at risk of surveillance. As an American company, Microsoft is subject to US warrantless surveillance laws, which allow intelligence agencies broad access to data held by US-based tech firms. If a government demanded access to a user's emails stored on Microsoft's servers, the company would have no legal means to refuse the request.

Through these mechanisms, Microsoft is gaining an unprecedented view into billions of people's personal lives. With full access to email inboxes, contacts lists and calendar details from millions of accounts, they can build highly detailed profiles of individuals, their relationships and activities.

Microsoft emphasizes that sharing data to their cloud "allows you to enjoy many features", but these benefits come at the cost of individual privacy. Once your intimate data leaves your device and the reach of your home country's laws, you lose control over how it's used or who may access it.

Privacy Concerns from Watchdogs

Reflecting these issues, privacy advocates and regulators have voiced serious concerns about Outlook's data practices. The German Federal Data Protection Commissioner, Ulrich Kelber, has said on Mastodon they will be pursuing the issue at European level through the data protection authorities.

With so much private information now centrally collected by Microsoft, the risks of a data breach putting it all in the wrong hands must also be considered. Previous very large breaches have exposed billions of user records. Should personal emails, contact details or credentials be exposed in a future incident, the damage to individuals could be severe in terms of identity theft, blackmail or other threats.

Microsoft's Perspective

Naturally, Microsoft takes a differing view of their practices. They emphasize that sharing data to their cloud simply "lets you enjoy new Outlook features" and claim third-party terms still apply to user data.

However, they provide no option to access added capabilities without uploading all information to US servers. And as the sole operator of those systems, they exercise control over how data is handled rather than the original provider. The company also did not directly acknowledge collecting login credentials until technical analyses proved it.

What This Means for Businesses

For business customers, storing personal data in this way (albeit unintentionally) may constitute a GDPR offence that is subject to fines. After all, storing data in the Microsoft cloud legally constitutes data processing that requires the conclusion of an order data processing agreement (DPA) with Microsoft - and companies may have to identify this as such in their data protection declarations and in the data processing directory. It is irrelevant whether this is done intentionally by the company management or ultimately through the uninformed consent of an individual employee. ~ Mailbox.org

Alternatives for Privacy Conscious Users

For those seeking to avoid these risks, there are some alternative email options that avoid uploading personal data to third parties:

Secure Email Providers

Services like Tutanota, ProtonMail and Posteo offer end-to-end encrypted email that never leaves your device. Only the encrypted versions of messages are stored on their servers.

Self-Hosted Email

By running your own email server, you maintain full control and no third party gains access. However, this requires technical expertise and ongoing maintenance.

Desktop Email Clients

Consider using Outlook alternatives like Mailbird and Thunderbird.

Simple Forwarding

Forwarding a free email address to a privately self-hosted one allows web-access while keeping your primary inbox independent.

Use the Web Client

For people who cannot ditch Outlook because of school or work, consider using the web client in privacy-focused browsers such as Brave or Firefox.

For many, transitioning away from the convenience of Outlook integration may be difficult. But given Microsoft's expanding data collection, privacy-minded individuals have cause to seek alternative options. The risks of broad commercial surveillance and unencrypted data transfers have never been higher.

💡
Email is an inherently insecure technology. Even though many companies try to introduce encryption and other privacy features, communication between different email providers still leaves traces of information and metadata about you, and can even break the encryption at times. So if you want to be completely anonymous, stay away from email or consider Strategically Planning the Use of Email Aliases.