We don't have access to that data internally. We can't access customer data outside performance metrics about the service. At least for the normal dev there is no real way to get access to what the customer does.
sabarn01> We don't have access to that data internally. We can't access customer data outside performance metrics about the service. At least for the normal dev there is no real way to get access to what the customer does.
On the other hand we have:
Microsoft> We and 7xx Third Parties access Outlook data on user devices.
Taking both you and Microsoft at face value, we seem to have two fairly different assertions.
Customer concerns could be allayed if their shared data was fully auditable at any time by the customer. This would include what buyers of this data can see.
Outlook (the app) is not the same as outlook.com (the email service) or Exchange Online (what most companies use). Data from one product/service could be used in different ways than others.
They can access your whole tenant and everything in it. Have had some pretty wild support calls where MSFT has had to crawl through a tenant's data, specifically the schedule system. It was ultra broken. They can literally just give themselves permission and roll in. If you can't, you're just not high enough up in a support team.
Their use of 3rd party and external tools for adjusting registry during licensing problems is wild.
> They can literally just give themselves permission and roll in. If you can't, you're just not high enough up in a support team.
That is what a support team is for.
And those access elevations will be tracked and audited, just like at any other organization that handles sensitive data.
This isn't some super duper secret; when shit breaks there needs to be a well-secured escape hatch for the people who fix things to crawl in and make repairs.
Prior to cloud hosting, Microsoft could get permissions to remote in to your servers, or prior to those days, send someone physically out with a laptop and a debugger.
Not having those protections in place would be a company ending event for Microsoft. The legal system would crush them, and customers would leave in droves.
And the number of markets Microsoft competes in now is tiny. This isn't the 90s where Microsoft competed in slews of consumer and business markets. The potential upside from the Cloud team slurping up secrets from competitors in literally ANY other business segment is dwarfed by the losses that would hit MS.
Now of course that doesn't mean some corrupt fool in sales won't risk destroying the company so he can make his yearly bonus (that very thing has brought down companies before!), but Microsoft internally has a lot of motivations to ensure that doesn't happen.
So, don't trust Microsoft saying "trust us". Trust Microsoft being greedy and wanting to keep growing the cash cow that is Azure Cloud.
I wasn't talking about Azure. I was talking about Microsoft's software products such as Outlook, Windows, etc.
Regardless, my point is that Microsoft saying that they have audits and controls in place is exactly the same as them saying "trust us". They're just saying "trust that we have effective controls in place".
Sure, I understand. The thing is that a company has to already have a measure of trust in order for the verification to be of reassurance to people. Hiring outside verifiers is absolutely better than nothing, but it's not a thing that inherently instills a high degree of confidence.
What an organization can (and should) do is to behave in a way that earns people's trust over time. Microsoft actually had a window of opportunity to do this. They even made a very public campaign proclaiming how they weren't like the Microsoft of old and were more trustworthy than they used to be. And for a while, I even thought that perhaps a real culture change really did happen. But their behavior (especially around Windows and Office) is uncannily similar to that of other companies of questionable trustworthiness.
Suppose I'm using services provided by JohnFen's employer. What does it do better than Microsoft that I can trust it with my data? What should Microsoft do to be a trusted partner?
Well, I think most enterprises are more concerned with liability than anything, and as long as they can blame any breaches/security issues on Microsoft, that addresses most of their concern.
Also, people aren't enterprises. Microsoft doesn't treat people like they treat enterprises.
If you don't know that millions of people spending money can't be fools, you're probably one of them
And frankly, given the monopolistic nature of the business, there are a lot of enterprises that pay for Microsoft's services because they don't have the power to make the decision not to.
Enterprises have more leverage and different agreements, often custom agreements, with vendors. Small businesses and consumers get click-wrap agreements - nobody reads them; nobody has time and Microsoft wouldn't change them regardless.
I got to the PDF download link, but I have to have a Microsoft account to actually download it, so that's a bit of a showstopper.
In any case, it doesn't much matter. The threads I'm in here are pretty much just me saying I don't trust Microsoft and others saying that I should, so I'll just bow out and leave it at that: we have different opinions.
Oh I don't treat it like a secret. It's more that it's not known or understood by many users in how it actually affects the security posture of your organization.
Cannot say for the entire Microsoft, but in Azure the only way to access customer data is through support flow for cases where customer explicitly gave permissions. Otherwise support portal will not allow access. And there is no other way of accessing customer data. Access is revoked after a case is closed.
The incentive for customers to give this access is simple - with this my team can answer questions right away without very lengthy back and forth (especially if customer is in different time zone). Which results in (way) faster support and problem resolution.
> Cannot say for the entire Microsoft, but in Azure the only way to access customer data is through support flow for cases where customer explicitly gave permissions.
That article notes that Microsoft says Microsoft accesses our data and makes it available to 7xx 3rd parties. It is safe to assume that Microsoft has automated processes to violate our privacy and not eyeballs and fingers.
So you don't really need to defend Azure tech support because no one is accusing Azure tech support.
What about executives and other higher-ups? If they want to know about my internal business operations - for example, if we are competitors, they are looking to invest, etc.
Is there technical protection? Is it encrypted in a way that's only accessible to me?
The reality here is that no one will trust a pinky promise. Especially not from Microsoft. You’re fighting a good fight but it’s a losing battle no matter how locked down it feels from your POV.
“Can we have access to X, but don’t worry, we don’t let anyone look at X unless Y happens” is a bit suspicious when “grant X permission when Y happens” isn’t an option.
Even worse when the access to X is only disclosed to users living in a jurisdiction requiring it.
Microsoft’s many brand and marketing folks have a big uphill battle if they want to convince me otherwise. Or they can just stop collecting data.
Welcome to my local bakery! We have to collect your credit card number before you enter. No one can access your credit card number though. I write it on a piece of paper and put it in a safe. Here, look at this list of people that have seen me put credit card numbers into a safe!
I’m sure you understand, we need to collect your credit card number because that’s how we make money at this bakery. No I will not explicitly explain how. Don’t you feel like I’ve improved your experience?
The document I linked explains how, why and when. It also explains how we verify that and who does the verification. Also, O365 customers have access to audit logs and the rest. At some level everything is about trust; there is no way you can verify any large organization's activities.
That’s a big document with lots of acronyms and references to specific standards for compliance that law professionals might be familiar with, but is otherwise completely meaningless.
You also mentioned that collecting user data is how Microsoft is paid in the GP comment. That’s pretty clear to me. I thought when I paid Microsoft, that was the main revenue stream.
The document provided in theory communicates what you said so succinctly before, but with more legal and confusing language.
If it says the opposite, then just asking me to assume that this document that’s extremely difficult to read explains why Outlook should ingest information I wasn’t told about, since I live in a jurisdiction where Microsoft doesn’t need to, and why that’s actually a neutral or possibly “good” thing for me, is a bit silly.
—
Edit: if I’m misunderstanding what you said earlier by:
> We have to collect customer data that's what we get paid for.
Then I’m sorry. I don’t mean to frame you as saying something you don’t mean to.
I should have been more specific. We have lots of data classifications we maintain and we have different rules for different classifications. Customer content we can't access without customer consent. We are paid to store customer content. Customer content is like your work doc stored in OneDrive. Some classifications are only accessed in aggregate. Some are easier to access but cleared after a short period, etc. We all have to go through a large training every year about the different classifications and that's not easy to communicate in a short comment.
We store data everywhere to meet European GDPR standards regardless of where you live. We have logs but they can only contain sanitized information.
Any document which attempts to describe how a large organization handles data is going to be large and complex, as sometimes different standards conflict. For example, we have to keep records of anyone who changes the system for some period of time, but we also have to delete data that has end user identifiers. When stuff like that happens we have to go to lawyers and have language that describes how we handle those conflicts. That doesn't lead to a small doc.
You can trust open source, because it is transparent. You can verify, so you can trust. Perhaps it's time to start rolling back the layers of secrecy. Sunshine is and always will be the best disinfectant.
Unless you run it yourself you don't know. They could run a modified version, etc. You can't know and at some level you have to trust that they do what they say.
Are these external audits just SOC checklists where they're basically just looking at policies and processes for employees or are teams of auditors routinely coming into each office and data center to physically examine servers and trace network cables while taking an independent inventory of all the hardware that sensitive data touches and the software running on that hardware?
SOC compliance and external audits can help keep things reasonably secure and prevent the totally careless/incompetent handling of data, but I'm skeptical that they would typically be robust enough to detect Microsoft's own equivalent of Room 641A let alone the actual hardware installed by the feds which MS itself isn't allowed to touch.
I don't know if I can say what we have to turn over to the auditors that isn't in the public document. As to verifying the hardware, we buy our hardware from other companies who have their own controls. If you dig far enough down everything ultimately comes to trust, as no one can verify everything.
All the more reason to only ever trust a corporation to do what is in the interest of their bottom line, including lie to your face, collect and sell your data, and violate the law whenever the financial disincentive is less than the profit potential.
Is that what you were referring to? The phrase "we have to collect customer data" implies a different thing entirely, so I misunderstood.
My objection to Microsoft's methods in this regard isn't the data that customers voluntarily and knowingly store on Microsoft servers, it's the collection of data about customers, their machines, and the use of their machines that happens behind the scenes.
We collect telemetry about user actions and the successes of our service. All the data we collect is about how the service runs and we only look at it via aggregation. Internally we have training every year about what you can and can't collect and under which scenarios. It gets stricter every year.
What are you using instead? Open source offerings generally work for me, it's when I have to share the results with others that formatting etc problems appear.
> You can get access with customer permission for a limited time window which is audited. In the normal course of business no.
Right but no one is saying your department is violating our privacy. I'm not sure why you feel a need to defend it.
I think we can safely say that MS's methods of violating our privacy are all automated and that you + coworkers aren't eyeballing our personal data. So we can move on from that.
If you'd like to speak to the privacy violations that are referenced in the article, we're all ears. Educated guesses about methods or who some of the 3rd parties are would be terrific.
I use an older version of "Windows Firewall Control". Regarding Outlook, I block ALL, except the server(s) that Outlook needs to contact in order to collect emails (i.e. you may have a couple of gmail accounts, etc.)
The pros: Outlook doesn't get to speak to MS
The cons: When an email has linked images, they don't load, which for the past 20+ years hasn't been a problem.
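The allow-list approach described in the comment above, sketched with the built-in Windows Defender Firewall cmdlets instead of Windows Firewall Control (an added example, not part of the original thread). The Outlook install path and the mail host names are placeholder assumptions to replace with your own.

```powershell
# Added example: run from an elevated PowerShell session.
# Assumed values (not from the thread): adjust to your installation and provider.
$outlook   = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'  # assumed path
$mailHosts = 'imap.example.com', 'smtp.example.com'                          # placeholder hosts
$mailPorts = 993, 465, 587                                                   # IMAPS, SMTPS, submission

if (-not (Test-Path $outlook)) { throw "Outlook not found at $outlook" }

# -RemoteAddress accepts IP addresses, ranges and subnets, not host names,
# so resolve first. Failing here leaves the firewall policy untouched.
$addresses = $mailHosts |
    ForEach-Object { Resolve-DnsName -Name $_ -ErrorAction Stop } |
    Where-Object { $_.IPAddress } |            # keep A/AAAA records, skip CNAMEs
    Select-Object -ExpandProperty IPAddress -Unique

# A per-program block rule cannot be combined with an allow rule for the same
# program: in Windows Firewall a matching block rule wins over an allow rule.
# "Block all except ..." therefore needs default-deny outbound plus allow rules.
# Side effect: every other program also needs its own outbound allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Remove a previous copy of the rule so re-running refreshes the address list.
Get-NetFirewallRule -DisplayName 'Outlook - mail servers only' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName 'Outlook - mail servers only' `
    -Direction Outbound -Program $outlook -Action Allow `
    -Protocol TCP -RemotePort $mailPorts -RemoteAddress $addresses | Out-Null

# Check what was actually installed: program, ports and remote addresses.
$rule = Get-NetFirewallRule -DisplayName 'Outlook - mail servers only'
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress
```

Provider addresses change over time, so the rule has to be regenerated periodically or mail will silently stop syncing. Linked images in messages will not load under this rule, which matches the trade-off the comment describes.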