Microsoft's popular email service Outlook is rolling out a major update that has privacy advocates alarmed about increased data sharing with the tech giant.
The latest version of Outlook aims to provide a more integrated experience by syncing user data like emails, contacts, and calendar events with Microsoft's cloud servers. However, this comes at the cost of sharing sensitive information like email account passwords in plain text with Microsoft.
According to the report by the German tech magazine c't of Heise publishing house, when adding a new email account in Outlook, users are now presented with a warning that in order to sync the account, login credentials and new data will be sent to Microsoft's servers unencrypted. Tests performed by German tech site Heise showed Outlook transmits passwords in plain text when configuring new accounts.
Microsoft's cloud servers contact our IMAP server. Image/ heise.de |
This raises security concerns, as users' email passwords and other account information would be exposed. Outlook also lacks end-to-end encryption, meaning Microsoft has unencrypted access to user emails, contacts, and calendar data stored on their servers.
Ulrich Kelber, Germany's Federal Commissioner for Data Protection and Freedom of Information, plans to discuss these changes with other EU data protection authorities this week. The updates may conflict with EU privacy laws like GDPR that restrict how user data can be shared and processed.
Beyond security issues, increased data sharing with Microsoft also raises surveillance concerns. As a US company, Microsoft could be compelled to provide user data to government agencies like the NSA. Without encryption, users have no protection against Microsoft potentially exploiting or selling data to third parties.
For businesses, these changes could put confidential information at risk. Sensitive customer data, intellectual property, or medical records shared through Outlook may be exposed on Microsoft's servers. Companies will need to weigh the privacy risks before upgrading.
Microsoft: Data synchronization for a consistent user experience
On contacting Microsoft for comment on the security of Outlook given these changes, Microsoft explains,
"Syncing users' IMAP accounts helps deliver a consistent user experience across all accounts added to Outlook. This includes allowing Mail Search to mark emails as read or unread for added accounts."
The functions are described in the aforementioned Microsoft article linked in the notification from Outlook. So far, however, there is nothing about the transmission and storage of access data.
When adding an IMAP account, new Outlook sent login data and server information to Microsoft. Image/ heise.de |
Microsoft also replied cryptically: "We store access data to IMAP providers whose servers Microsoft contacts with the BasicAuth procedure as user tokens in encrypted form in the user's mailbox." Behind BasicAuth is the insecure login with username and password in HTTP, an unusual description for IMAP logins. In the end, this means that the access data for IMAP providers is stored encrypted by Microsoft.
"For email providers that support OAuth (Gmail and Yahoo Mail), we never get access to users' credentials because the service receives an OAuth token from the client. This means that Microsoft does not have access to the plaintext password," the company adds to Heise Online, "only the users and the Microsoft service that interacts with the target servers have access to these tokens."
Users' concern before data import - No Automatic Data Import
"Users of the new Outlook app for Windows will be able to choose whether to import accounts from classic Outlook when they select Try the new Outlook," the company said.
For each imported Gmail, Yahoo Mail, iCloud, or IMAP account, users would receive the notification and would have to select to sync the data to the Microsoft Cloud to continue.
"Users who don't want to use their accounts with the Microsoft cloud can cancel and switch back to classic Outlook. So the "switch to cloud synchronization" is not automatic, users have to choose whether they want to add these accounts," Microsoft further explains.
Regarding the question of whether this means that all data will go through Microsoft's cloud and the manufacturer will collect all access data, Microsoft replied: "This information is stored as long as users are actively using the email client."
"If there is inactivity, the credentials will be removed according to the account lifecycle process. Users also have the option to request the removal of the data (including credentials) upon request by deleting the account and selecting the "Remove from all devices" option.
Outlook's push for deeper integration with Microsoft's cloud ecosystem shows the tech giant's increasing appetite for user data. While convenient, businesses and consumers should carefully examine if the new features are worth the privacy tradeoff. Microsoft needs to address security concerns and be fully transparent about how user data will be handled.