Microsoft, and probably the US government, will read all your email. Even if it is stored on accounts that might be illegal for you to share with them.

Header image: Microsoft, modified

I recently got this message from my email provider1. It turns out that my colleagues, and former co-workers, at heise online have discovered something pretty disturbing about Microsoft’s new version of the Outlook email client that is set to supersede the current mail application used in consumer versions of Windows.

If you set up a new account in the software, Microsoft offers a supposed security function: It says that non-Microsoft accounts are synchronised with the Microsoft cloud and that copies of “emails, calendars and contacts are therefore synchronised between your email provider and Microsoft data centres”. In view of the drastic consequences of giving consent here, the warnings and explanations from Microsoft are probably too inconspicuous. Only a few users will realise that they are giving Microsoft comprehensive access to passwords, mail and more.

With other words: Microsoft will be able to read all of your emails. Even if those emails are stored locally and on servers that have nothing to do with Microsoft. If you fetch your work emails at home, for example, Microsoft will get access to all of these emails as well. This is not the case with the current Mail application in Windows. Microsoft is using their coming switch to “the new Outlook” to get their hands on data they would’ve never have been able to access before.

And there are good reasons for them not to. Giving them access to your work emails, for example, might violate all kinds of contracts, not to mention privacy laws like the GDPR. I don’t even want to speculate about things like industry secrets, NDAs or patient records. Keep in mind that all data in the hands of Microsoft is also potentially data in the hands of the US government. I think these days, it’s safe to assume that once that data is on Microsoft’s servers, it will be accessed by all kinds of people in the US federal government and organisations they want to give that data to.2

The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, seems to agree.

The reports of suspected data collection by MS via Outlook are alarming. We will be asking the Irish data protection commissioners, who are legally responsible for this, for a report at the meeting of the European data protection supervisory authorities on Tuesday.

Before all of this, I would never have recommended anybody use Outlook. It’s a horrible email client that leads you down all kinds of bad practices.3 But now, I strongly recommend against using it, no matter what. Even if you only use it with Microsoft accounts, the simple fact that they even tried this policy change means nobody should trust Microsoft with email data ever again.

  1. Full disclosure: Mailbox.org has been providing me with a free email account since I started working for myself as a freelancer years ago. I do think they are a great provider, regardless of their patronage of me. They’ve also never asked for anything in return, which has me pretty positively inclined towards them. ↩︎

  2. Don’t be fooled by the supposedly high threshold of a subpoena in the CLOUD Act. As we’ve learned from the Twitter Files, US technology companies proactively tend to hand over all kinds of information voluntarily when simply being asked — by the US federal government or by their NGO partners. In many cases, compelling them with a subpoena doesn’t seem to be necessary anymore these days. ↩︎

  3. By far the worst of it is giving users the idea that emails can be recalled if you suddenly get regrets about sending them. This is not part of the specifications of the email protocol and the fact that Microsoft thought implementing this was a good idea has puzzled me for decades, since it only works if the recipient also uses Outlook. Anyone with a proper email setup will get your email the second you send it and a recall will do shit about that, except alerting them that you feel bad about what you sent. This feature gives people a false sense of security that’s typical Microsoft snake oil: Give people a quick technical fix that doesn’t really work instead of educating them about the actual problem. Which is that you should re-read and, more importantly, re-think an email before blindly mashing the send button. ↩︎