Microsoft Outlook finds a new use: a surveillance tool for targeted advertising


__________________________


Project Counsel Media is a division of Luminative Media. We cover the areas of cyber security, digital technology, legal technology, media, and mobile technology.



About Luminative Media: our intention is to delve deeper into issues, at greater length and with more historical and social context, in order to illuminate pathways of thought that are not possible to pursue through the immediacy of daily media.

________________



Microsoft shows it is no different than the Googles and Metas of the world. And given a gazillion people use its products (especially Outlook) that is a big, big problem.



BY:


Gregory Bufithis

Founder/CEO


Eric De Grasse

Chief Technology Officer


Angela Delvecchio

Attorney/Avvocato - U.S./Italy

Legal Affairs Reporter


Members of the Project Counsel Media Team


19 January 2024 (Paris, France) -- Thanks to new EU privacy regulations, the new Outlook displays a disturbing disclosure in the EU that users elsewhere never see: Microsoft is using the app to harvest personal data and selling it to advertisers that use it to display targeted ads both inside and outside the app. “It looks like Outlook is no longer simply an email service,” Proton’s Edward Komenda writes in a new post to the privacy-focused company’s blog. “It’s a data collection mechanism for Microsoft’s 772 external partners and an ad delivery system for Microsoft itself.”

This disclosure explains that Microsoft and 772 of its partners are scanning the PC on which the new Outlook runs specifically to identify the user, storing and/or accessing information on that PC, delivering personalized ads and other content, and otherwise deriving “audience insights.” A separate “Choose your ads layout” window, also shown only in the EU, explains that Outlook will display dismissible ads in your mailbox by default, but that you can move the ads into a banner above the mailbox instead. Some ads from Microsoft and its partners literally appear as if they were new emails, confusing users. As Komenda notes in his post:


“Thanks to the EU’s General Data Protection Regulation, Europeans are at least informed that a small village of third parties will be able to look at their data. UK users can explore a ‘List of Advertising Partners,’ which shows the disturbing number of ad companies working with Microsoft.


Americans, thanks to their government’s refusal to pass privacy legislation, are never even informed this is happening.”


NOTE TO READERS: a big hat tip to Andy Jenkinson (one of our "go to" contacts for all-things-cybersecurity-and-all-things-surveillance), for bringing this story to our attention. We interviewed Andy about Microsoft and part of that interview can be found at the end of this post, plus a link to our longer video interview with him from late last year. As our regular watchers and blog readers know, Andy is a well-known and oft-cited expert in cybersecurity and the complexity of our cyber infrastructures, and the mind-boggling demands of internet security.


Komenda goes on:


Everyone talks about the privacy-washing campaigns of Google and Apple as they mine your online data to generate advertising revenue. But now it looks like Outlook is no longer simply an email service; it’s a data collection mechanism for Microsoft’s 772 external partners and an ad delivery system for Microsoft itself.


Surveillance is the key to making money from advertising or bulk data sales to commercial and possibly some other organizations. Komenda enumerates how these sucked-up data may be used:


  • Store and/or access information on the user’s device
  • Develop and improve products
  • Personalize ads and content
  • Measure ads and content
  • Derive audience insights
  • Obtain precise geolocation data
  • Identify users through device scanning


The write up provides this list of information allegedly available to Microsoft:


  • Name and contact data
  • Passwords
  • Demographic data
  • Payment data
  • Subscription and licensing data
  • Search queries
  • Device and usage data
  • Error reports and performance data
  • Voice data
  • Text, inking, and typing data
  • Images
  • Location data
  • Content
  • Feedback and ratings
  • Traffic data


Wow 😳


I particularly like the geolocation data. With Google trying to turn off the geofence functions, Microsoft definitely may be an option for some customers to test. Good, bad, or indifferent, millions of people use Microsoft Outlook. Imagine the contact lists, the entity names, and the other information extractable from messages, attachments, draft folders, and the deleted content.


NOTE TO READERS: the issue is so critical the New York State Bar Association added a pop-up session on the issue to its Annual Meeting this week in NYC. IT teams at law firms, accounting firms, etc. are doing full investigations.


For more information about Microsoft’s alleged data practices, please refer to the Proton article linked above. To be clear, Microsoft does not use personal data in email to target ads. But Microsoft’s privacy statement explains why it doesn’t need to do that to build a profile of you, as it targets ads based on “your interests and favorites, your location, your transactions, how you use our products, your search queries, or the content you view.” It then sells that data to advertisers and other online entities, including service providers.


Microsoft’s expanded push into advertising was no doubt triggered by Google’s successes in this market, and the firm announced in 2021 that it wanted to double the size of that business to $20 billion. But Microsoft is now “addicted” to these revenues, Komenda charges, which is why it has expanded its customers’ exposure to advertising.


Yes, Komenda's firm Proton sells privacy (last year we wrote about the release of its native email client) and so you may view these charges as self-serving. That’s fine, but be sure to read the Proton blog post in full, including the many links it has to other examples. We've made this point about Microsoft Edge, and, in particular, Andy Jenkinson has made the same point: it’s pretty clear that Microsoft today is, in Komenda’s words, no different than the Googles and Metas of the world. And that is a problem.


We certainly became uncomfortable when we read the section about how MSFT steals your email password. Imagine. Theft of a password. We'd like some verification on that. I mean, gee: our "favorite" giant American software company would not do that to me, a loyal customer, would it? And you guys are so buddy-buddy with OpenAI. Golly, Aunt Bee!!


A chat with Andy Jenkinson


In an era dominated by and totally reliant upon digital communication, Microsoft's Outlook has long been a stalwart for professionals and individuals alike. A major concern, however, lies in Microsoft's tarnished security history. The tech giant has faced numerous security breaches and vulnerabilities in the past, raising doubts about the safety of user data within their platforms.


Andy Jenkinson's continuing research demonstrates Microsoft's wholly inadequate DNS security. Greg Bufithis interviewed Andy about many of these issues last year (there is a link to their video interview below), and last night they had a brief chat about the Microsoft Outlook issue. Here is part of that chat:


Greg Bufithis: It seems we are always talking about Microsoft!! We cannot get past these guys. Give me your quick run-down on the latest imbroglio.


Andy Jenkinson: [laughing] I need to write a book about Microsoft!


Ok, in a nutshell ... with Outlook now implicated in extensive data sharing, users face an increased risk of unauthorized access, putting both individuals and large organizations in precarious positions. The real threat emerges from continued errors, oversights, and basic security negligence that could lead to illegal remote access and exploitation. Data collection for Microsoft or others can easily become data exfiltrated for nefarious use.


Greg Bufithis: We have talked about this before. The interconnected nature of digital platforms often means that a single vulnerability can have far-reaching consequences. Microsoft's past lapses in security, coupled with the sheer volume of external partners involved, amplify the compounded risk of unauthorized entities gaining access to sensitive information. I had a chat with several law firms today and they are freaking out.


Andy Jenkinson: Exactly. For individuals, this translates into a loss of personal privacy. Every email, appointment, and communication within the Outlook ecosystem is susceptible to prying eyes.


For large organizations, the implications are even more severe, as confidential business communications, strategies, and sensitive data may be exposed to external entities.


Greg Bufithis: And so we are now on Steve King's turf [note to readers: our other "go to" cybersecurity expert]. He has been pounding the table for years that as the world transforms even further into a surveillance state, the need for heightened awareness regarding data privacy and security has never been more critical. Steve's LinkedIn pieces are just brilliant.


Andy Jenkinson: Right again. And I'll note, whilst the notion of reverting back to pen and paper may seem archaic, it underscores the growing apprehension surrounding digital surveillance. Physical records are immune to remote hacking and are not susceptible to large-scale data breaches.


My big take-away? The true extent of surveillance in the digital age is coming to light with Microsoft's Outlook at the forefront. Whether individuals or large organizations, the time has come to reassess the trade-offs between convenience and privacy and the legal liabilities enforced upon them.


NOTE TO READERS: DNS stands for “domain name system” and it can be described as the index for the internet. It allows users to access information by translating a domain name (like theprojectcounselgroup.com) into the corresponding IP address that a browser needs to load internet resources (for example, articles like this one). As a system, the DNS is used to track, catalog, and regulate websites all over the world. It is the bedrock of the Internet. If DNS is not secure, cyberattackers will exploit DNS server vulnerabilities to divert traffic away from legitimate servers towards fake ones, steal data, launch denial-of-service (DoS) attacks, embed themselves in DNS infrastructure, etc., etc. This is what DNS security is all about: the technique of defending DNS infrastructure from cyberattacks.


Andy has made this his stock-in-trade (among many other areas of cybersecurity expertise) and he is recognized world-wide as a DNS expert. He and Greg discuss DNS infrastructure in a video interview, linked below.


The October 7th Hamas attack on Israel unleashed a flood of information from mainstream media and open source intelligence trying to understand and explain how Israel failed to foresee and confront the Hamas attack.


These operational failures and weaknesses were among a wide array of logistical and intelligence lapses by the Israeli security services that paved the way for the Gazan incursion into southern Israel.


Except that these operational and intelligence failures are just parts of a massive security, and cybersecurity, failure across the board.


To discuss all of these cyber failures ... and much, much, much more about cybersecurity ... Greg interviewed Andy, his first guest on Greg's new interview program "Luminous Encounters".


Here is that interview:


You can reach Andy at:



Cybersec Innovation Partners Ltd,


24/25 The Shard,


32 London Bridge Street,


London, SE1 9SG,


United Kingdom


Tel: +44 (0)20 7293 7001


info@cybersecip.com

