New Outlook app: Microsoft's statement on transferred credentials and content

[German] After it became publicly known that the new Outlook app transmits access data for mail accounts (credentials and content) to Microsoft, Redmond has now explained the issue to the German news site heise and made some statements. The tenor: if you use the new Outlook app, all emails and appointments from the configured accounts are routed via Microsoft's servers. I summarize the topic in this blog post.

New Outlook app and access data

A concise summary: Microsoft has been providing the so-called "New Outlook app" since September 2023, which will initially replace the Mail and Calendar apps in Windows. I reported on this changeover in July in the article Microsoft 365: First Windows Mail and Calendar users will be migrated to the new Outlook at the end of August 2023. Windows 11 will be delivered with the new Outlook app in future. In the medium term, however, Microsoft is also planning to replace the classic Outlook from Microsoft Office with the new Outlook app.

A few days ago, the German news site heise confirmed my suspicion that the new Outlook app transfers the credentials for email and calendar accounts to Microsoft, so that the data can be collected via the "Microsoft Cloud" and then delivered to the app. I explained the situation in more detail in the article Beware: New Outlook app transfers access data to Microsoft, where I also pointed out that this has already been the practice of the Microsoft Outlook apps for Android and iOS for years. In 2015, the European Parliament's IT department banned the Microsoft Outlook app for Android and iOS for exactly this reason.

OK, Microsoft has documented that

In fact, Microsoft has even described its intention to "hijack" emails and calendar entries when users use certain products in a support article. It says:

To enhance your Microsoft 365 experience in New Outlook for Windows, Outlook.com, Outlook for iOS, Outlook for Android, and new Outlook for Mac, you can now sync your non-Microsoft accounts (including their emails, contacts, and events) to the Microsoft Cloud. This is available for Gmail, Yahoo, iCloud, and IMAP accounts in Outlook for iOS, Outlook for Android, and new Outlook for Mac. Also available for Gmail and Yahoo accounts in New Outlook for Windows and available for Gmail accounts in Outlook.com. This allows you to enjoy many features that were previously only available to those with Microsoft 365, or Microsoft Exchange Online email accounts.

I have bolded the term "New Outlook for Windows" to emphasize that the practice long used for Outlook.com and the Outlook apps for Android and iOS is now also to apply to the new Outlook app for Windows. Classic Outlook, by contrast, behaves differently: as far as I know, the access data (credentials) entered for email servers is used directly, 1:1, by the mail client itself. In the support article linked above, Microsoft clearly explains what happens during synchronization with the Microsoft Cloud:

Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers. Having your mailbox data in the Microsoft Cloud lets you use the new features of the Outlook client (New Outlook for Windows, Outlook for iOS, Outlook for Android, Outlook.com, or Outlook for Mac) with your non-Microsoft account, just like with your Microsoft accounts.

This means that the new Outlook app is effectively a no-go for people who are data-conscious. The fact that the Federal Commissioner for Data Protection (BfDI), Prof. Ulrich Kelber, has expressed his concerns and wants to request information from the Irish data protection authority indicates how explosive Microsoft's approach is.

Microsoft's statement to heise

Microsoft has now issued a statement on the matter to the editors of the German news site heise. The editors have summarized the statement in the article Neues Outlook: Microsoft bezieht Stellung zur Übertragung von Zugangsdaten and refer to the topic in the following tweet.

Microsoft's statement on the new Outlook app (embedded tweet)

According to heise, Microsoft essentially refers to the support article linked above, so that, formally, the facts have been disclosed. Additionally, Microsoft says: "Synchronizing users' IMAP accounts helps deliver a consistent user experience for all accounts added to Outlook. This includes allowing Mail Search to mark emails as read or unread for added accounts."

We encounter "user experience" as bullshit bingo everywhere in the Microsoft cosmos. Translated, it says "it benefits the user when we synchronize their data". Behind the scenes, it could also be translated as "I'm throwing you a carrot because I want your data". The heise article points out that:

  • With some providers, the access data is transferred from the new Outlook app to the Microsoft servers using the Basic Authentication procedure (username and password) and stored there as an access token. For Exchange Online, Microsoft switched off Basic Authentication in 2023 for security reasons (see Reminder: Basic Authentication in Exchange Online will be switched off in 2023).
  • For providers that support OAuth (such as Gmail and Yahoo Mail), an authentication token is transmitted directly to the Microsoft servers.

Basically, the key point is that Microsoft's servers use this access data to retrieve content from the mailboxes and calendars (and later to write it back) and then exchange it with the new Outlook app. heise has observed this in the logs of its own mail server: a Microsoft server accesses the mailbox in question. Microsoft is therefore the classic man-in-the-middle who sees everything. On the question of whether data is sent to the client via Microsoft's cloud, heise quotes Microsoft with the following statements:
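The observation heise describes, a foreign server logging into a mailbox that the user only ever opened from their own PC, is something a mail server operator can check for. The following is an added example, not code from the blog post, heise or Microsoft: it parses Dovecot-style imap-login lines (the sample lines and the "expected client network" 192.0.2.0/24 are constructed placeholders; the hostname, user names and addresses are invented) and flags two things: successful logins from outside the networks your own users connect from, and accounts that were opened from an expected network and from an unexpected one within a short time window, which is the pattern a cloud relay sitting between the client and the mailbox produces.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Dovecot-style syslog lines (NOT real log data). The field layout
# "Login: user=<...>, method=..., rip=..., lip=..." is what Dovecot's imap-login
# writes; host "mx", users and addresses are invented for this example.
SAMPLE_LOG = """\
Nov 12 08:01:10 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.17, lip=198.51.100.2, mpid=2101, TLS, session=<a1>
Nov 12 08:03:42 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.40, lip=198.51.100.2, mpid=2117, TLS, session=<a2>
Nov 12 08:05:00 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.23, lip=198.51.100.2, mpid=2130, TLS, session=<b1>
Nov 12 08:15:31 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.41, lip=198.51.100.2, mpid=2150, TLS, session=<a3>
Nov 12 09:02:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.99, lip=198.51.100.2
"""

# Networks your own users are expected to connect from. Placeholder value;
# replace with the organisation's real client ranges (VPN, office, etc.).
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)


def parse_logins(text):
    """Return one dict per successful IMAP login; failed/disconnect lines are skipped."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        logins.append({
            # syslog lines carry no year; deltas between entries are all we need
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "user": m.group("user"),
            "method": m.group("method"),
            "rip": ipaddress.ip_address(m.group("rip")),
        })
    return logins


def is_expected(addr, nets):
    """True if the remote address belongs to one of the expected client networks."""
    return any(addr in net for net in nets)


def find_unexpected_logins(logins, nets=EXPECTED_CLIENT_NETS):
    """Successful logins whose remote IP lies outside the expected client networks."""
    return [entry for entry in logins if not is_expected(entry["rip"], nets)]


def find_split_access(logins, nets=EXPECTED_CLIENT_NETS, window_minutes=30):
    """Users whose mailbox was opened from an expected network and from an
    unexpected one within `window_minutes` of each other. A mailbox that is
    read by the user's own client AND by a third-party relay shows exactly
    this pattern; a single unexpected login alone may just be travel."""
    by_user = {}
    for entry in logins:
        by_user.setdefault(entry["user"], []).append(entry)
    window = timedelta(minutes=window_minutes)
    flagged = []
    for user, entries in by_user.items():
        inside = [e["ts"] for e in entries if is_expected(e["rip"], nets)]
        outside = [e["ts"] for e in entries if not is_expected(e["rip"], nets)]
        if any(abs(a - b) <= window for a in inside for b in outside):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG)
    for entry in find_unexpected_logins(logins):
        print(f"unexpected login: user={entry['user']} from {entry['rip']} at {entry['ts']:%H:%M:%S}")
    for user in find_split_access(logins):
        print(f"split access (own network + foreign network within 30 min): {user}")
```

Run against real logs, the unexpected source addresses are what you then cross-check against the mail provider's or cloud vendor's published address lists; the script deliberately does not hard-code any vendor ranges, because the page does not give them and they change. In the constructed sample, alice is flagged (her own PC on 192.0.2.17 and a foreign 203.0.113.x host open the mailbox minutes apart), bob is not, and carol's failed login is ignored.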

This information is stored as long as users actively use the email client. If there is inactivity, the access data will be removed in accordance with the Account Lifecycle Process. Users also have the option to request the removal of the data (including access data) upon request by deleting the account and selecting the "Remove from all devices" option.

Translated, it means: we collect your information and store it as long as you actively use the new Outlook app. It is clear that every mail or calendar retrieval is a synchronization that Microsoft stores in its cloud (even without a Microsoft user account). When exactly information is removed via the account lifecycle process remains unclear (a German reader told me that the Android Outlook app deletes the data after 10 days of inactivity), and it is not really the point. The fact is that data which should only be exchanged between the email inbox or calendar and the new Outlook client takes a detour via the Microsoft servers.

And then Microsoft inadvertently gives the game away in its reply to heise: users who do not want to use their accounts with the Microsoft Cloud can cancel and switch back to classic Outlook. The "switch to cloud synchronization" is therefore not automatic; users have to choose whether they want to add these accounts. In plain language, this means that only those who still have the old, classic Outlook client from Microsoft Office can avoid synchronization with the Microsoft Cloud.

But Microsoft has been trying for weeks to entice people to switch from classic Outlook to the new Outlook app. Very few users are aware of the implications. And if there is no longer a classic Outlook application in the future, everyone will be stuck on the new Outlook app and synchronized with the Microsoft Cloud.

It is a creeping but foreseeable development. First companies were lured onto Exchange Online; now there is an app that is supposed to channel the remaining accounts outside Exchange Online or outlook.com via the Microsoft Cloud as well. Microsoft's goal has also been stated openly: Microsoft wants to evaluate the mails, appointments etc. via AI (Copilot). They promise the user "better mails", but in my eyes they want access to all data, business transactions etc.

Truly dystopian conditions à la Big Brother and a GDPR nightmare, not to mention the fact that even retrieving a t-online mail then depends on the Microsoft Cloud working. So it is good that the above incident has made waves, and the recommendation must be: folks, hands off Microsoft's (Outlook) apps. It is beginning to seem to me that Microsoft is enjoying the freedom of fools and the users are applauding, at least when I read some of the reports on the Internet. It is time to start looking for alternatives; I am glad that I have been using Thunderbird exclusively as a client for many years. Or how do you see this behavior?
