Beware: New Outlook app transfers access data to Microsoft

I'm picking up on an (actually old) topic here in the blog, which is becoming topical again with the new Outlook app introduced by Microsoft. The new Outlook app transfers all (actually secret) access data for mail accounts to Microsoft in the cloud. The topic had already been raised as a question by readers and has now gained wider attention thanks to an article by colleagues at the German site heise.

What is the new Outlook app about?

At the end of September 2023, Microsoft announced the availability of the new Outlook app for Windows. This app is available in the Microsoft Store and is intended to replace the previous Windows apps Mail and Calendar. I reported on this changeover in July in the article Microsoft 365: First Windows Mail and Calendar users will be migrated to the new Outlook at the end of August 2023.

In the article New Outlook for Windows now available, Microsoft explains the availability of the app. It is a free app for Windows users that makes it possible to integrate and manage various email accounts (from Outlook.com, Hotmail.com, Gmail, Yahoo, iCloud etc.) via IMAP and also integrate calendars so that they can be managed under the new interface.

Microsoft states that email and calendar are now combined in one app. This should simplify the organization of appointments and emails (although I wonder what's new here – classic Outlook and Thunderbird have also been able to do this for years). The app can be downloaded from the Microsoft Store for consumers (via their personal Microsoft account) under Windows 11.

The new Outlook app is to be pre-installed on devices sold with Windows 11, version 23H2, as well as on machines that have been updated to Windows 11, version 23H2. As long as a conventional Outlook client remains available for corporate environments under Microsoft Office, hardly anyone will give it much thought. But in the future (perhaps 2025/2026), Microsoft also wants to replace classic Outlook with the new Outlook app. This will then also affect corporate environments.

Microsoft advertises that better emails can be written with the new Outlook for Windows because AI functions have been integrated into the app. Furthermore, intelligent spelling and grammar checks are supposed to ensure that the sentences in an email are concise and error-free. Anyone with a Microsoft 365 Personal or Family subscription will also receive advanced AI writing tools via the Microsoft Editor.

However, the app is already raising serious concerns before its general rollout. For example, the COM interfaces and VBA die with the new app, which breaks every application that relies on them (see New Outlook: Microsoft will definitely not support COM add-ins). A few days ago, readers also asked me whether the app transfers the passwords for mail and calendar accounts to the Microsoft cloud.

Login data goes to the cloud

When readers asked about transferred passwords, I immediately thought of the older blog post Warning: Microsoft Outlook app breaks (company) security. It was about Microsoft's Outlook app for Android and iOS devices, which transfers all passwords that users enter to access their email accounts to Microsoft and the cloud.

Problem known since 2015

Back in February 2015, I described a security-related bombshell in the German blog post Outlook-App: Im EU-Parlament wegen IT-Sicherheit blockiert. The EU Parliament's IT department had blocked the Outlook app from being used by members and employees of the EU Parliament for security reasons. The background to this was that although the app bears the Microsoft logo, it originates from the acquired company Acompli. During an analysis, users discovered that login data, attachments and more were being routed via external servers and stored in the cloud.

This has not changed over time with the Outlook apps. At the beginning of 2021, I had already read the comment Outlook für Android speichert weiter Paßwörter in der Cloud by a German user with the alias Erlenmayr in the heise forum. At the time, it emerged that the Outlook app transfers passwords to Microsoft's cloud and that emails are also analyzed there.

New Outlook app transfers passwords

The exciting question was whether this also happens with the new Outlook app for Windows (well, the question wasn't that exciting, because my answer was "yes", but I haven't yet had time to investigate this and prove it in a test). I can now save myself this step, because the colleagues at heise have done just that. In the article Microsoft lays hands on login data: Beware of the new Outlook, the topic I outlined above is now taken up in relation to the new Outlook app. The editorial team analyzed the transferred data and documented it. But you don't have to go that far.

Microsoft has published a support article, Sync your account in Outlook to the Microsoft Cloud, which points out that the new Outlook app synchronizes non-Microsoft accounts (including email, contacts, and events) with the Microsoft Cloud. This is available for Gmail, Yahoo, iCloud and IMAP accounts in Outlook for iOS, Outlook for Android and new Outlook for Mac. It is also available for Gmail and Yahoo accounts in the new Outlook for Windows and for Gmail accounts in Outlook.com. This way, you can use many features that were previously only available to those with Microsoft 365 or Microsoft Exchange Online email accounts.

In other words: your passwords, your content, simply everything that you actually want to keep private goes to Microsoft in the cloud with the new Outlook app and is scanned and analyzed there.

Case of "no way"

Apart from the "don't do that", it gets even funnier when I think of corporate environments that are subject to the GDPR. As soon as the European Court of Justice (ECJ) rejects the US-EU Transatlantic Data Privacy Framework (DPF) as not EU-compliant, all companies will have a big problem. This is because all data from email accounts and calendars is synchronized in the Microsoft cloud. And that's illegal under GDPR.

The German federal data protection watchdog (BfDI), Prof. Ulrich Kelber, is concerned and wants to request information from the Irish data protection authority. Specifically, the statement reads: "On Tuesday, the BfDI will ask the Irish data protection supervisory authority DPC, which is responsible for Microsoft in Europe, for further information on the case in the European Data Protection Committee".
