
Microsoft’s move towards ads on the Mail App in Windows 10 sparks privacy concerns


Microsoft had planned to bring ads to the Mail app in Windows 10, and it has an entire support page dedicated to ads in Mail. Last week, after a backlash from users, Frank X. Shaw, the Head of Communications at Microsoft, claimed on Twitter that ads in the Mail app were not intended to be tested broadly. The feature has now been turned off.

According to Microsoft, the ads will appear for all users. Even if a user doesn’t use a Microsoft email service like Outlook and only has Gmail, Yahoo, G Suite, or other third-party accounts, the ads will still be visible until the user purchases an Office 365 subscription. The team at Microsoft is running a pilot in Brazil, Canada, Australia, and India to get user feedback on ads in Mail. These ads will be visible on Windows Home and Windows Pro but not on Windows EDU or Windows Enterprise.

Microsoft chooses Interest-based advertising for its users

Windows generates an advertising ID for each user on the device. When the advertising ID is enabled, both Microsoft apps and third-party apps can access and use it, much as websites access and use a unique identifier stored in a cookie. The Mail app uses this ID to provide more relevant advertising to users.

The Mail app may also use demographic information to make ads more relevant. This is possible for users who have logged into Windows with a Microsoft Account. Users can turn off interest-based advertising at any time. A user who turns it off will still see ads, but the ads won’t be relevant to the user’s interests.

As per the Support page of Microsoft, these interest-based ads do not check the user’s emails to display ads. Microsoft does not use personal information, like the content of the email, calendar, or contacts, to target the users for ads. Microsoft doesn’t use the content in the mailbox or in the Mail app.

But privacy is still a concern where Microsoft is involved. According to a report by Privacy Company, Microsoft collects and stores users’ personal data without any public documentation.

Microsoft systematically collects data about the individual use of Word, Excel, Outlook, and PowerPoint without letting users know. Since the data stream is encoded, Microsoft does not offer any choice to switch off the data collection, or ability to see what data has been collected.

For example, Microsoft collects information about events in Word, such as when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling. It also collects the sentence before and after a word that you look up in the online spelling checker or translation service.

Microsoft’s use of the telemetry data is one of the biggest concerns of the report, as Microsoft is regularly pushing more and more services off-premise. The Data Protection Impact Assessment (DPIA) shows that the new methods, such as the Microsoft cloud in SharePoint, OneDrive, and Office 365, come with high data protection risks for data subjects.

The blog states that Microsoft has already made commitments to make adjustments to its software to accommodate privacy concerns, e.g. a telemetry data viewer tool and a new “zero-exhaust setting.”

Privacy Company outlines six high risks for data subjects

  • The unlawful storage of classified/sensitive/special categories of data, both in metadata and in subject lines of the e-mail.
  • The incorrect qualification of Microsoft as a data processor, instead of a joint controller.
  • Insufficient control over factual data processing and sub-processors.
  • The lack of purpose limitation, both for the processing of historically collected data and the possibility to dynamically add new types of events.
  • The transfer of diagnostic data outside of the European Economic Area (EEA), while the current legal ground for Office ProPlus is the Privacy Shield and the validity of this agreement is the subject of a procedure at the European Court of Justice.
  • The indefinite retention period of diagnostic data and also the lack of a tool to delete historical, diagnostic data.

Privacy Company recommends a few measures that enterprise admins can take to lower the privacy risk for employees and other users. It suggests not using SharePoint Online / OneDrive, and it advises against using the web-only version of Office 365. The company also suggests using a stand-alone deployment without a Microsoft account for confidential/sensitive data.

Read more about this in the DPIA’s PDF.


Amrata Joshi
