Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs

Because that always ends well

Updated Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises.

The lawsuit was filed in US District Court in San Francisco, on behalf of plaintiffs Frank Russo, Koonan Litigation Consulting, and Sumner Davenport & Associates, all Office 365 customers.

The complaint [PDF] says that – while Microsoft has repeatedly promised its business customers that it would only use their data to provide purchased services, that it would share their data with subcontractors only on a need-to-know basis, and that it will never share their data with third-parties – those claims are false.

Privacy Shield binned after EU court rules transatlantic data protection arrangements 'inadequate'


"In fact, contrary to its representations, Microsoft has regularly shared – and continues to share – its business customers' data with Facebook and other third parties," the complaint says. "The data is shared even when neither the customers nor their contacts are Facebook users."

The complaint contends Microsoft has shared data with hundreds of subcontractors when not necessary for purchased services, and that some of these downstream firms have suffered data breaches. It also claims Microsoft routinely uses business customers' emails, documents, calendars, location data, and media files to develop new products, to gather business intelligence, and otherwise derive commercial benefit.

The trio says that this means Microsoft has violated the US Wiretap Act, the US Stored Communications Act, and consumer protection laws in the State of Washington.

Still, as long as the devs were trustworthy...

In particular, the plaintiffs claim that Microsoft automatically shares customers' business contacts with Facebook, without consent, whether or not the customers or their contacts are Facebook users.

"Even if a customer discovers and disables this Facebook-sharing 'feature' after activating Office 365 or Exchange Online services, the damage has already been done," the complaint says, pointing to the Cambridge Analytica scandal as an example of the potential harm.

"At that point, the business customer’s contacts have been shared with Facebook. As Microsoft explains in an obscure technical instruction, '[o]nce contacts are transferred to Facebook, they cannot be deleted from Facebook's systems except by Facebook.'"

As a result, business customers' data can be accessed not just by Facebook, "but also by whomever Facebook shares the data with, and whomever those entities decide to share the data with, ad infinitum."

Chain of data command

Then there's the issue of third-party developers. The complaint says that "even if a business customer did not download a third-party application (and thus did not consent to sharing its data with the third-party), Microsoft nonetheless transmits the non-consenting business customer’s data to third-party developers if another Office 365 user consented to the application."

The lawsuit insists Microsoft's claims that it abides by System and Organization Controls (SOC 1 and SOC 2) standards are false, pointing to the company's own documentation stating that Microsoft Graph does not comply with SOC 1 or SOC 2.

"Because Microsoft’s Graph automatically gathers all business customers’ Office 365 and Exchange Online data, and Graph does not comply with SOC standards, Microsoft’s handling and use of business customers’ Office 365 and Exchange Online data also does not comply with SOC standards," the complaint says.

The lawsuit is seeking class certification on behalf of Microsoft's non-governmental business customers and damages to be determined.

Microsoft did not immediately respond to a request for comment at time of publication. ®

Updated to add

“We’re aware of the suit and will review it carefully,” a Microsoft spokesperson told The Register after this story was filed.

“However, while the allegations themselves are not very specific, as we understand them we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments.”

Send us news

Microsoft sweeps up after breaking .NET with December security updates

XPS doc display issues fixed – until the next patch, at least

Oracle, Microsoft barely compete for a quarter of their US Federal contracts

Vendor lock-in: savings of up to $750m a year possible if Uncle Sam didn't predetermine the victor

Memory safety is the new black, fashionable and fit for any occasion

Calls to avoid C/C++ and embrace Rust grow louder

Apple sued for promising privacy, failing at it

What's allowed for Cupertino is verboten for everyone else

Microsoft upgrades Defender to lock down Linux gear for its own good

Ballmer thought this kernel was cancer, Nadella may disagree

Microsoft is checking everyone's bags for unsupported Office installs

Please, sir. I don't want a 365 subscription

Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched

You know when we all said quit using MD5? We really meant it

Smart ovens do really dumb stuff to check for Wi-Fi

Pinging search services in the US, China, Russia perhaps not ideal for privacy

Azure Stack HCI gets extra protection with 'long-requested feature'

Kerberos support in WAC and a host of other goodies also added

ChatGPT talks its way through Wharton MBA, medical exams

This perhaps says more about the tests than the artificial intelligence on display

Microsoft and community release scripts to help mitigate Defender mess

Techies forced to mop up after update caused ASR rules to detect false positives, wiping icons and apps shortcuts

Latest Windows 11 build shares desktop real estate with, er, Spotify

Third party widgets are on the march in latest Windows Preview, which fixes some Arm64 FAILs too