Microsoft case exposes pervasive data collection
Microsoft is to amend its Productivity Score feature after it comes under fire for workplace surveillance by a known advocate. Bill Mew investigates what this means for Microsoft and data privacy.
Following a recent backlash, Microsoft has been forced to make significant changes to a new “Productivity Score” feature. The feature gave companies data to understand how workers are using and adopting different forms of technology.
The new feature made headlines in recent weeks as people realised that it could let managers see individual users’ data by default. However, this is not the first time that Microsoft has been criticised for the data that it routinely collects.
Tracking the productivity of remote workers during the pandemic
Microsoft rolled out the “Productivity Score” feature as part of Microsoft 365 in late October, but it went largely unnoticed. However, the firm promoted the feature during the recent lockdown as a way for firms to track the productivity of their remote workforces.
It was only when privacy and union activists realised that the tool lets managers see individual user data by default that the uproar began. They argued that the new “Productivity Score” feature turned Microsoft 365 into a full-fledged workplace surveillance tool.
Responding to the backlash, Microsoft was keen to clarify that it was designed to assess overall organisational productivity. It agreed to remove user names entirely from the product to ensure that it can no longer be used to monitor individual employees.
While that has soothed the current furore, it has also drawn attention to wider concerns about the data that Microsoft and other firms collect.
Not the first accusation of widespread and systematic data collection
In a Data Protection Impact Assessment (DPIA) conducted for the Dutch Ministry of Security and Justice in 2018, Microsoft was criticised for systematically collecting data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook, covertly and without informing people.
Among other things the report outlines Microsoft’s “unlawful storage of sensitive/classified/special categories of data, both in metadata and in, for example, subject lines of e-mails.” While the tech giant’s collection of such information is of concern, it is who else the firm shares this information with that worries privacy campaigners most.
Microsoft actually deserves great credit for seeking to stand up to the NSA and CIA. Its president Brad Smith has been a champion for digital ethics, and it was Microsoft’s battle with the DoJ to protect the privacy of emails held in Ireland that made US authorities implement the CLOUD Act. Together, FISA 702, E.O. 12333, and the CLOUD Act are the main framework that allows the US spy agencies to conduct extraterritorial mass surveillance.
Countering terrorism while protecting privacy and civil liberties
A further report about cloud-based office platforms from the Swedish National Procurement Service prompted The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency of the US Government, to publish a set of statements entitled “Countering Terrorism While Protecting Privacy and Civil Liberties: Where Do We Stand in 2019?”.
The PCLOB is meant to provide oversight of the US spy agencies, but it has been hobbled by the current administration, which has slashed its funding and failed to appoint new members to the board, meaning that it cannot reach quorum in order to make any decisions.
It was a combination of the extraterritorial intrusion and mass surveillance activities of the US spy agencies and the lack of oversight or redress provided by US authorities that led the EU courts to overturn Privacy Shield, the data-sharing agreement between the EU and US.
Where does that leave Microsoft?
Whatever Microsoft’s pedigree as a digital ethics champion, it now finds itself in the same boat as all other US tech firms (cloud firms, telcos, social media giants, etc.) in no longer being legally able to store or process personal data of EU citizens.
Such problems will persist as long as US mass surveillance continues unchecked.
As we have reported, the recent Schrems II ruling not only overturned Privacy Shield but also stated that SCCs may need to include “supplementary measures” where laws in a third country (such as the US) create risks to data protection. These supplementary measures can be contractual, technical or organisational, or a combination of the three.
Guidance from the European Data Protection Board
Following the ruling, many of the tech giants pinned their hopes on using encryption as a supplementary measure, but recent guidance for cloud services providers from the European Data Protection Board (EDPB) has called this into question.
In its recommendations, the EDPB said that encryption would only be an adequate measure if "the keys are retained solely under the control of the data exporter, or other entities entrusted with this task which reside in the European Economic Areas" or a third country with an adequate level of protection.
As the recent backlash against Microsoft’s “Productivity Score” feature shows, tech firms need to be open about the data that they collect and sensitive to users’ concerns about surveillance. In this respect Microsoft’s recent changes are laudable, but all tech firms need to be a great deal more open and honest about where they stand in respect to the Schrems ruling. The size of the backlash if they remain in denial will dwarf the “Productivity Score” debacle.
This problem won’t go away unless the tech giants lobby for regulatory reform to blunt the mass surveillance by the US spy agencies. However this saga unfolds, Accounting Web will continue to keep you up to date on every twist and turn.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...