Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs

Because that always ends well

Microsoft is being sued for allegedly sharing its Office 365 customers' business data with Facebook app developers, partners, and subcontractors in violation of its data privacy promises.

The lawsuit was filed in US District Court in San Francisco, on behalf of plaintiffs Frank Russo, Koonan Litigation Consulting, and Sumner Davenport & Associates, all Office 365 customers.

The complaint [PDF] says that – while Microsoft has repeatedly promised its business customers that it would only use their data to provide purchased services, that it would share their data with subcontractors only on a need-to-know basis, and that it would never share their data with third parties – those claims are false.

"In fact, contrary to its representations, Microsoft has regularly shared – and continues to share – its business customers' data with Facebook and other third parties," the complaint says. "The data is shared even when neither the customers nor their contacts are Facebook users."

The complaint contends Microsoft has shared data with hundreds of subcontractors when not necessary for purchased services, and that some of these downstream firms have suffered data breaches. It also claims Microsoft routinely uses business customers' emails, documents, calendars, location data, and media files to develop new products, to gather business intelligence, and otherwise derive commercial benefit.

The trio says that this means Microsoft has violated the US Wiretap Act, the US Stored Communications Act, and consumer protection laws in the State of Washington.

Still, as long as the devs were trustworthy...

In particular, the plaintiffs claim that Microsoft automatically shares customers' business contacts with Facebook, without consent, whether or not the customers or their contacts are Facebook users.

"Even if a customer discovers and disables this Facebook-sharing 'feature' after activating Office 365 or Exchange Online services, the damage has already been done," the complaint says, pointing to the Cambridge Analytica scandal as an example of the potential harm.

"At that point, the business customer’s contacts have been shared with Facebook. As Microsoft explains in an obscure technical instruction, '[o]nce contacts are transferred to Facebook, they cannot be deleted from Facebook's systems except by Facebook.'"

As a result, business customers' data can be accessed not just by Facebook, "but also by whomever Facebook shares the data with, and whomever those entities decide to share the data with, ad infinitum."

Chain of data command

Then there's the issue of third-party developers. The complaint says that "even if a business customer did not download a third-party application (and thus did not consent to sharing its data with the third-party), Microsoft nonetheless transmits the non-consenting business customer’s data to third-party developers if another Office 365 user consented to the application."

The lawsuit insists Microsoft's claims that it abides by System and Organization Controls (SOC 1 and SOC 2) standards are false, pointing to the company's own documentation stating that Microsoft Graph does not comply with SOC 1 or SOC 2.

"Because Microsoft’s Graph automatically gathers all business customers’ Office 365 and Exchange Online data, and Graph does not comply with SOC standards, Microsoft’s handling and use of business customers’ Office 365 and Exchange Online data also does not comply with SOC standards," the complaint says.

The lawsuit is seeking class certification on behalf of Microsoft's non-governmental business customers and damages to be determined.

Microsoft did not immediately respond to a request for comment at time of publication. ®

Updated to add

“We’re aware of the suit and will review it carefully,” a Microsoft spokesperson told The Register after this story was filed.

“However, while the allegations themselves are not very specific, as we understand them we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments.”
