Microsoft goes after app-based consent phishing attacks in Cloud

In a separate commentary, Microsoft’s Brandon LeBlanc says that in addition to taking this step, his company will be adding similar privacy protection measures to its corporate email and cloud service platforms.

The EU regulation that will start rolling out in August, GDPR, is the biggest technology change to hit the digital landscape since the opening of the World Wide Web — a rules package that both forms a broad framework and is designed to implement it. While it won’t have a huge impact on daily computing (although, if applied with persuasive enforcement, its privacy protections should eventually act as a brake on digital sharing), it will have some impact on computer security, given the way that a company can insist that a data-processing system be forced to comply with its policies.

Google has an excellent example of this in a partial addition to the GDPR rules. Google encrypts data that it does not expect to be stored on its servers. This means that if someone tries to search it or read it, the search engine knows it will have to stop the read-only search. But in the future, it won’t be able to push the data to another server, so that someone trying to read it will have to use their own machine. Google says it didn’t need to add the encryption; it was already making that decision on its own — but of course, it just wanted to comply with the GDPR.

The same kind of decision is probably necessary elsewhere — but I suppose we’ll need to see what other companies do. Here’s what Microsoft says it will be doing, as part of its plan to comply with the GDPR’s privacy rules:

“Microsoft will not send customers an alert, or ask for specific permission to move data from Microsoft to a third party unless it has explicit consent or explicit authorization for the customer to transfer. Microsoft reserves the right to ask a customer for consent in cases where a license to access and use the data by a third party has expired.”

Thus the company would require “explicit consent” only in situations where a customer gave that consent. Such scenarios appear to leave little doubt about the kind of data that would be acceptable — customers would be able to confirm that they wanted Microsoft to store on its servers the stuff the company really doesn’t need. But it remains to be seen what customers will do with this privacy assurance.

How will Microsoft’s behavior here help consumers? Microsoft’s position is that it’s not trying to give itself the right to access and store data without customers’ permission. Instead, it’s just protecting the customers’ right to turn off Microsoft’s access to data, to say nothing of Microsoft’s prerogative to say that its customers can’t do that. So in that sense, Microsoft is no different from Google, which encrypts Google apps’ contents but maintains that it’s required to store the contents on its servers. The major difference is that Google can extend its encryption to other functions, while Microsoft can’t.

Microsoft says it isn’t trying to give itself the right to access data without customers’ permission. Instead, it’s just protecting the customers’ right to turn off Microsoft’s access to data.

Google can enforce the privacy regulations it is enforcing anyway, and Microsoft can insist on it — but Microsoft is probably doing it to make a statement and get consumer trust in its privacy commitments. If Google’s approach ends up being as effective as Microsoft’s seems like it could be, I’d support privacy laws that forced similar law-enforcing practices on companies. If, instead, technology companies like Microsoft that don’t do that find it worthwhile to threaten self-control, or at least that may keep most customers’ consent, it’s kind of a double-loss.

Won’t some companies find it worthwhile to surreptitiously gather information through such activities? Perhaps. The law-enforcement community, for example, already does this. But while it may be proper for law enforcement to seek information about suspects, it’s a different story when companies want to obtain customer information in return for a product — and it’s a more direct use of the kind of thing that GDPR seems designed to address.

Now Microsoft says it will be avoiding that practice. That has to be good news for the tech sector as a whole, even though it doesn’t offer a convincing reason for everybody else to do so, either.
