Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs

Because that always ends well


Updated: Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises.

The lawsuit was filed in US District Court in San Francisco, on behalf of plaintiffs Frank Russo, Koonan Litigation Consulting, and Sumner Davenport & Associates, all Office 365 customers.

The complaint [PDF] says that – while Microsoft has repeatedly promised its business customers that it would only use their data to provide purchased services, that it would share their data with subcontractors only on a need-to-know basis, and that it would never share their data with third parties – those claims are false.

"In fact, contrary to its representations, Microsoft has regularly shared – and continues to share – its business customers' data with Facebook and other third parties," the complaint says. "The data is shared even when neither the customers nor their contacts are Facebook users."

The complaint contends Microsoft has shared data with hundreds of subcontractors when not necessary for purchased services, and that some of these downstream firms have suffered data breaches. It also claims Microsoft routinely uses business customers' emails, documents, calendars, location data, and media files to develop new products, to gather business intelligence, and otherwise derive commercial benefit.

The trio says that this means Microsoft has violated the US Wiretap Act, the US Stored Communications Act, and consumer protection laws in the State of Washington.

Still, as long as the devs were trustworthy...

In particular, the plaintiffs claim that Microsoft automatically shares customers' business contacts with Facebook, without consent, whether or not the customers or their contacts are Facebook users.

"Even if a customer discovers and disables this Facebook-sharing 'feature' after activating Office 365 or Exchange Online services, the damage has already been done," the complaint says, pointing to the Cambridge Analytica scandal as an example of the potential harm.

"At that point, the business customer’s contacts have been shared with Facebook. As Microsoft explains in an obscure technical instruction, '[o]nce contacts are transferred to Facebook, they cannot be deleted from Facebook's systems except by Facebook.'"

As a result, business customers' data can be accessed not just by Facebook, "but also by whomever Facebook shares the data with, and whomever those entities decide to share the data with, ad infinitum."

Chain of data command

Then there's the issue of third-party developers. The complaint says that "even if a business customer did not download a third-party application (and thus did not consent to sharing its data with the third-party), Microsoft nonetheless transmits the non-consenting business customer’s data to third-party developers if another Office 365 user consented to the application."

The lawsuit insists Microsoft's claims that it abides by System and Organization Controls (SOC 1 and SOC 2) standards are false, pointing to the company's own documentation stating that Microsoft Graph does not comply with SOC 1 or SOC 2.

"Because Microsoft’s Graph automatically gathers all business customers’ Office 365 and Exchange Online data, and Graph does not comply with SOC standards, Microsoft’s handling and use of business customers’ Office 365 and Exchange Online data also does not comply with SOC standards," the complaint says.

The lawsuit is seeking class certification on behalf of Microsoft's non-governmental business customers and damages to be determined.

Microsoft did not immediately respond to a request for comment at time of publication.

Updated to add

“We’re aware of the suit and will review it carefully,” a Microsoft spokesperson told The Register after this story was filed.

“However, while the allegations themselves are not very specific, as we understand them we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments.”
