Did Microsoft give the EU the finger, or did they ship too soon?
I'm no close follower of Microsoft or any other vendor; I follow several Twitter accounts that keep me updated on IT-related news. I remember that a few of them were excited about Microsoft finally releasing Outlook for iOS.
The next thing I noticed was that security people were calling Microsoft names and the EU Parliament had banned the use of the new Outlook app for iOS. Yesterday, while I was working at a large company, someone came into the room and announced that management had banned Outlook for all users. This is spreading, so what is the problem?
Let’s start at the beginning.
What is Microsoft Outlook for iOS?
Microsoft bought Acompli on December 1 last year. Acompli was (and is) an email app, which is just what Microsoft needed. Acompli was only 18 months old when Microsoft acquired it; that's a good deal for such a young company.
What do they offer/support?
When you look at a new email client these days, the first question is which of your existing accounts you can integrate with it. Everyone has multiple accounts with various providers, so the more you can add, the more valuable the product gets. The new Outlook app for iOS supports the following connections:
Microsoft Office 365
Microsoft Exchange Online
Microsoft Exchange 2007 SP2, 2010 and 2013
Outlook.com (including Hotmail, Live and MSN)
Most of the accounts you might use are here, so no wonder people got excited.
What Cloud storage will it be able to connect to?
This is where I looked twice: the Outlook app connects to cloud storage? So users will be able to save anything to the cloud, out of sight of your company's security team? Hopefully this can be controlled in some way with an MDM/MAM tool.
The cloud storage providers it will connect to are:
I'd be curious to know what the thinking was here; in my opinion Microsoft tends to develop too much for the consumer market and not enough for the professional market. Connecting to cloud storage is nice from a student's point of view, but in enterprises we don't like our users using back doors to share data.
Where is my data and who’s watching it?
The fuss over the last few days has been about storing data on servers outside the EU. When data is stored in the US, it suddenly has to comply with US regulations. With the Patriot Act in place, this has more implications than one would think at first. The US government has the ability to request data, and when data from an EU citizen is stored in the US, that data is within its reach too.
The European Commission has created a regulation, the EU data protection laws (27 countries), that regulates how companies have to handle your data. Security and privacy are more of an issue in Europe than in the US; basically, we Europeans distrust anything that happens in the US. We certainly don't want our data to be sniffed at by your government (of course our data can still be sniffed, but at least we think it's safe 😉). The rules were strict: it was illegal to transport EU personal data outside the EU.
This sounds great: all our data is protected as long as it's not stored on a US-based server. The truth, however, was more complicated. Under the Patriot Act, any US company, regardless of location, has to turn over data when requested. That put US companies in an impossible position: they couldn't comply with both laws. US companies with an EU-based office had to comply with US regulations, but if they did, they would breach EU regulations.
To get around this, the US-EU Safe Harbor Framework was set up, another treaty (or regulation) to control what happens to your data. This treaty has been discussed a lot over here; I remember people getting really upset knowing that a foreign government could access our personal data. The treaty is in place and is discussed every year.
Safe Harbor basically gives you control over your data: you are the data controller, and the cloud storage provider is the data processor.
If you look at the Microsoft Azure site, you see a specific section on the EU data protection law. I also included the data types, because those matter in this discussion: if the data is personal data, these rules apply; if it isn't, different rules apply.
All providers have statements like this; with Amazon it's a lengthy document that you could read if you are bored. The documents are written this way to make sure the provider is compliant in any situation.
So, in short (not my best habit), the rules say that your personal data can only be transferred to a non-EU server if you agree to it. Let me say it again: YOU have to say "I want my data on a US server." Now back to the real story, the Microsoft Outlook app for iOS.
Security guys at Microsoft on holiday?
What came to light after the release of the new Microsoft Outlook app for iOS is that the data is stored with a US-based cloud storage provider, namely Amazon. Microsoft knows that when they transfer our personal data outside the EU without our consent, they violate the rules. They also know the EU needs money after the crisis and is willing to make Microsoft pay for this. So why did they bring out this product with this behavior?
Someone at Microsoft was asleep, or perhaps it was something really stupid. It feels like they bought Acompli in December, went on Christmas holiday, came back and released Outlook without taking a second look at how Acompli worked.
I assume Acompli is the reason this security issue exists; I think they already used Amazon and only had US-based customers. I was surprised that Microsoft was able to release it so soon after the acquisition, and perhaps this is why.
This is from their website; as stated, it was US-based only.
Several companies and the EU Parliament have now banned Outlook for iOS, not really what Microsoft aimed for, I guess. Someone at Microsoft must have had a very bad day when this news surfaced; let's see how they patch this feature. Perhaps they will add an option for you to choose where your data is stored, and perhaps they will use their own cloud storage for that. Only guessing so far; I'm interested to see what the future brings.
For now I will advise my customers to wait.
I hope I wrote down the regulations correctly; if there are errors, point them out and I'll correct them. My idea was to create an overview, get my own thoughts on this matter straight, and inform you.
Today I took a look at the Microsoft privacy and security agreements that come with the application, and I think it's interesting to see that they do mention the US location of the data there.
Of course this is a sneaky way of asking for consent, not the nice way to do it.
I think the EU will see this way of working differently: users have to give consent in a way that makes them understand what they agree to, not hidden in a privacy agreement that no one reads.
The link to the privacy agreement is here, and the security agreement you can find here.