“Microsoft steals access data” – When the well-known German IT portal “Heise Online” uses such drastic words in its headline, then something is up. If Microsoft has its way, all Windows users will have to switch to the latest version of Microsoft Outlook. But: Not only can the IMAP and SMTP access data of your e-mail account be transferred to Microsoft, but all e-mails in the INBOX can also be copied to the Microsoft servers, even if you have your mailbox with a completely different provider such as mailbox.org.
Main risk: Transferring your data to Microsoft “Synchronisation with the Microsoft server” – and everything is copied!
If you set up a new account in the software, Microsoft offers a supposed security function: It says that non-Microsoft accounts are synchronised with the Microsoft cloud and that copies of “emails, calendars and contacts are therefore synchronised between your email provider and Microsoft data centres”.
Anyone who reads this carefully may be perplexed, no question. But we all know how easy it is to agree to supposed banalities without reading them and to click away notices, especially when setting up software. In view of the drastic consequences of giving consent here, the warnings and explanations from Microsoft are probably too inconspicuous. Only a few users will realise that they are giving Microsoft comprehensive access to passwords, mail and more. Therefore, once again clearly:
Microsoft gets full access to mails, calendars and contacts!
But not only Windows users are at risk: Outlook versions for iOS, Mac and even Android are also affected, according to Heise.
mailbox.org warns against using the new Microsoft Outlook
mailbox.org warns its users: there is a high risk that sensitive data may be transmitted to Microsoft when using the new Outlook! And by the way: this compromised data includes not only emails, but also calendar and contact data.
For business customers, storing personal data in this way (albeit unintentionally) may constitute a GDPR offence that is subject to fines. After all, storing data in the Microsoft cloud legally constitutes data processing that requires the conclusion of an order data processing agreement (DPA) with Microsoft – and companies may have to identify this as such in their data protection declarations and in the data processing directory. It is irrelevant whether this is done intentionally by the company management or ultimately through the uninformed consent of an individual employee.
Whether business or private: We strongly advise all our customers not to use the new Outlook! And we have the following alternatives for you:
- Another e-mail client: We advise you to switch to the popular e-mail client “Thunderbird” on your computer. This is compatible with Windows and easy to set up. On mobile devices, there are a number of different IMAP mail clients, such as FairEmail and K9 Mail (which will also be called Thunderbird in the future).
- Using the webmailer: As a mailbox.org customer, you can use our secure webmail portal at any time, which offers an excellent alternative to desktop email clients. In addition to mail, calendar and contacts, you also have secure access to files and Office documents – and your personal video conference with OpenTalk is just a click away.
We do everything we can to protect the security and privacy of your e-mail communication. But we also need your help: make sure you use apps from providers that respect and protect your privacy and security.
The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, is also alarmed: On the social media network Mastodon, he described the data collection as “alarming” and announced his intention to pursue the issue at European level through the data protection authorities as early as next Tuesday.