> Microsoft also plans to deploy its EU Data Boundary, though which EU customer data can be processed in compliance with data regulations, by the end of 2022.
IMHO that's the root of the problem. Why does MSFT need to process customer data? Yeah, we all know why, but I'm really getting tired of this shit!
It's not a problem paying for your product but leave my data alone, it is mine and that's it! No searching for emails, no training AIs on my code, no scanning images for "child porn", no reading my documents for "national security", etc... all the customer data you need to process is my email to send me a payment receipt or the size of the data I've saved to see if I'm over quota or whatever on that line.
And the same applies to all players in this field, not just MSFT who isn't even one of the worst offenders.
It's a cloud-based product. So processing is a core part of the value proposition - the provider (Google, Microsoft) stores a copy of the data and exposes APIs that the frontends use to download the documents to the users' machines.
The alternative is a product that is not collaborative (no online collaboration, at least) or requires customers to hire a sys admin to install on their own servers and maintain it.
This isn't some nefarious plot by big tech to steal your data, it's the product people want.
> This isn't some nefarious plot by big tech to steal your data
It is though. They could design it in a way that it operates on your data but they have no access to the data outside of these strictly defined operations. If that was a priority to solve, it would be solved.
> it's the product people want.
These two things are not mutually exclusive.
Despite which, this is not true. There are no non cloud options if MS Office anymore, or of the Adobe Creative Suite. This stuff has been forced on us, often by work, and then the other options were removed. Hence the nefarious plot thing.
But that's the thing, at 6.99 you're also paying with your data. What you're really saying is you want it for free.
Also, 2 years to make back the cost really isn't that bad. I have a 2007 Office dvd and it still works fine on W10, so if you keep this new version of office for 16 years, you made back your money 8 times over.
But they do. Viva and Cortana read my O365 hosted work email (and I believe other data, including Sharepoint files) to provide a "daily briefing" email which picks up topics and queries from recent emails and foist some primitive organisational methods. AFAICT this is a service that has been subscribed to over and above any vanilla O365, but I'm not interested in the legal osculum infame. Both I and the data are in the EU, so they have to appear to play by those rules.
It is possible that microsoft segregates the processing state of Viva and Cortana such that no human outside your organization has access to the data without accessing the permission-controlled keys.
Yes, ultimately Microsoft holds the keys to your encrypted data at rest but billions of dollars are riding on them managing customer keys well.
“Machine Learning ("ML") models are trained on public web data, and as such do not contain any customer data from your tenant. In the future it's possible we will use customer data to improve accuracy of the ML models, in which case the data handling of ML models will follow the same policies as any other customer content (including data residency, retention, access control, sensitivity).”
These daily briefing emails I get at work remind me that "We are watching you." I complain about this to our security team and ask why they let Microsoft read our emails. They do not give me much of a response. I assume they get something out of the bargain.
To my knowledge, they make money off of selling SAAS software here and not ads. It being cloud based is done to get recurring revenue. Office and Photoshop hit a point where it will satisfy vast majority of customer needs a while back. That's when the recurring payment model was put in place. To deal with piracy and paid customers not updating their software for years.
That might be the case now but who knows where the future takes them. A smart legal council once told me even though you have a great relationship with the organization right now the contract you sign is binding and when ownership changes and revenues needs are different you really don't know who you are up against and what they will do with your data. Not that we have any real power except to try and use another product...
A lot of their money is from enterprise contracts. These businesses have strict privacy requirements and would immediately end their Microsoft contracts or sue the company is they were monetizing their data. Let alone businesses with regulated privacy laws like medical or fintech. No business would touch them with a 10 foot pole.
For Windows Home or other free/bundle solutions, it's a different situation. But not for enterprise or pro/higher-tier customers.
MS is a big ad player now. They have the ad contract with Netflix and are growing the business. Advertising is not the only use of this data. MS also makes billions from service contracts with the DOD. The services sold are not detailed or disclosed to the public.
They could design it in a way that it operates on your data but they have no access to the data outside of these strictly defined operations. If that was a priority to solve, it would be solved.
If you’re thinking of end to end encryption, that doesn’t discharge from GDPR. When person-related data is processed outside of the EU, even just to store encrypted bits, it must comply with all aspects of GDPR.
The genie is out of the bottle, cloud cooperation is a given for modern software. The question has moved on to how to regulate those clouds in ways that prevent the harmful sides. GDPR is one attempt to do that.
You’re responding to a point that the parent isn‘t making.
Enabling collaboration doesn’t mean AI training, exposing data within an organization doesn’t require MS to be scanning it, and their servers don’t need to be in the US. It makes business sense for them to do so, but isn’t a requirement per se.
I think their point is the definition of "processing" would also likely cover collaboration (i.e. you could stop AI training etc but you still wouldn't be compliant)
Agreed. When things are web hosted, there's all kinds of processing. Still. Spam filter, searching email history, even loading an email is considered processing the email.
I believe both Google and Microsoft try to firewall any Enterprise or business data from their consumer lines. This means none of it will get fed into AI filters for the most part. Though I'm guessing marking things is spam still is a global thing.
Schrems 1 goes even farther than that... the issue is the potential access by the US government of the EU data through strongarming Microsoft (or other US companies), which is in violation of EU rights.
There's no way around this issue while Microsoft-spawned EU companies are still part of Microsoft. I guess they could still sell open source software (to prove there are no backdoors, otherwise, after the Snowden scandal you have to assume that there are by default) that doesn't get to run on Microsoft's servers and that Microsoft doesn't provide technical support for... but how can this be a business ??
Except nobody has their definition of processing. I think some German working group also rejected Office 365 because they could not nail Microsoft down on what "processing" means and targeting minors with overly broad agreements when schools are already operating under stricter than normal data processing constraints is a no go even if your name isn't Epstein.
This looks to me to be a fairly solved problem, Gitlab can be instances you manage yourself and there is no specific limitations on what works on your self hosted ones. Microsoft provides server software for Outlook, ActiveDirectory, Sharepoint and the whole org management stack that doesn’t need Microsoft meddling with the data.
Office365 shouldn’t be some wildly different software that can’t live outside of Microsoft’s full grasp.
The difference is that Outlook, AD & Sharepoint were all designed to be deployed on-premises as an option from the start.
Most of 365 appears to be designed and architected to be a multi-tenanted SaaS solution, so I suspect it's not anywhere near as simple as just spinning up your own 365 instance.
365 is probably thousands of microservices behind the scenes which all have their own unique infrastructure requirements and will be actively managed by Microsoft. I suspect running these in your own datacentre would not be an easy feat without complete re-engineering by Microsoft.
We come to the same conclusion: Microsoft chose a different way for Office 365 where it could provide the service to more consumers while also keep way more control, in particular making it easier to justify recurring subscriptions at large.
It goes hand in hand with their cloud efforts and pushing for more services, so I understand the motivation. I also kinda wish this trend stopped.
> It's a cloud-based product. So processing is a core part of the value proposition
not necessarily, if I choose a cloud product, it's to avoid having to manage the mail and data servers, not to have the content of those servers rifled through
You don't want a spam filter in your email? Everything should go straight to inbox? And that's not even mentioning the processing they have to do to figure out whose email it is in the first place.
All I have to do is skim any privacy policy these days and virtually every cloud service has written theirs in a way that I can pretty much guarantee they're selling my data to someone.
I picked up electrical engineering as a hobby because I want a smart home but there isn't a single IoT device on the market that I can trust won't phone home to sell my data. On the bright side I've found soldering isn't too hard and prototype size batches of PCBs are cheaper than ever.
For the prosumer smart home, I highly recommend going with the low end industrial automation (ie https://automationdirect.com, https://findernet.com, etc) rather than “IoT” brands. Way more powerful, everything is interoperable, and the business model is much simpler. No phoning home.
If I wanted something that was more akin to putting legos together that's definitely the way, but I found it quite enjoyable to go down to the low level of electrical design, and any application that can be accomplished by flipping a switch can be made wifi-compatible with an ESP32 module and a relay or TRIAC circuit (TRIACs are nice because they don't have a lifetime rated in switching cycles). I don't have to worry about my microcontroller phoning home if I wrote the firmware it's flashed with!
There’s a case for cloud apps to move to a ‘bring your own data storage’ model. Draw.io does it, letting you load and save and share files using box or Google storage on the backend.
‘But the web app running locally has access to your data and can phone home to its servers in the US or wherever’ - yeah, and so can a locally installed application.
Locally installed application can be black holed. Hence why everyone fetishizes the cloud. They want the recurring revenue and your data, and you not to ask any probing questions, or getting pesky net admins getting pissy about all this data exfil from the network.
I don’t want to collaborate with anyone. I don’t want that ‘functionality’ to get in my way. I don’t want to be driven to despair in an attempt to save a document to my local storage rather than to the OneDrive or whatever it’s called by default.
Shared documents have been utterly game-changing. I never want to go back to mailing documents and presentations around and having to merge conflicting comments together again.
ADDED: And that's not even counting the fact that I can access my docs from multiple computers without worrying about shared network storage, etc.
You seem to have an incorrect definition of "processing". It's not about scanning your data or doing anything special with the content. If your data is in the cloud they're automatically processing it.
My point is not about doing anything special with their customer's data, it is that if they didn't do anything beyond the basic processing needed for their services to work it would be straightforward to migrate their offerings to Europe complying with local laws.
Instead, if you are used to doing whatever you want with the data you store it takes years to build an European service since many parts of your process need to be reviewed and maybe even rebuilt.
It was about time for those laws to finally kick in and we started to see a change.
Exactly... feel like a lot of people have 0 perspective on how all encompassing the GDPR is
I've worked on plugin software for a super common enterprise ticketing application. The fact that we need to make sure one person can't see another person's data mean we need to record the user names or a unique identifier number of some sort. But these numbers can be related back to a living breathing human being, so that's processing personal data according to European law and makes selling to Europe seem almost insurmountable if you aren't venture capital funded happy to burn very large piles of cash.
Afaik exchanging business cards in Europe technically involves violating the GDPR if you pass them on to someone else at work without explicit permission. But contacting the person for permission also isn't allowed, Honda got HUGE fines for that iirc
>Afaik exchanging business cards in Europe technically involves violating the GDPR if you pass them on to someone else at work without explicit permission
A bit off topic, but...I would have thought it depends on how you got that card. If someone hands me their card in a private meeting I wouldn't share it anyway. I would offer to do an introduction.
If someone had cards in a display stand on their public front desk it is really advertising, and I am quite sure you could share it. Sounds like a GDPR scare story.
>And, as the processor, they are required to do as the controller (you) instructs.
There seems to be a terminology issue here, "You" would generally be the data subject, not the data controller, unless you are a company.
If you're directly using Office 365 or Google workspace, then MSFT/Google would be the data controller (the primary company who handles the private data), and any subcontractors involved would be data processors on behalf of the controller.
If you're a user in the school system, and have no direct agreement with MSFT/Google, then the school may be the data controller and MSFT/Google handling that data on behalf of the school.
It literally isn't. The source provided by the parent confirms it. There is no 'with intent to process' clause.
> Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, _storage_, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
> It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
I feel like you're intentionally missing the second section here.
Regardless, GDPR has hundreds of provisions where it excludes data as long as it's not processed, "storing is processing" in so far as it's secure and not being used by anyone except the account holder isn't going to stand up in any court on the planet, even luddite ones.
You might be parsing the sentence incorrectly. I'd generally read it as:
> It includes {the [(collection), (recording), (organisation), (structuring), (storage), (adaptation or alteration), (retrieval), (consultation), (use), (disclosure by {[transmission], [dissemination] or [otherwise making available]}), (alignment or combination), (restriction), (erasure) or (destruction)] of personal data}.
So there is no "second section" of the sentence, just a long list. The text of the GDPR has the exact same list [0].
"Tech" companies never ask users what they want. The company decides what it wants, sets the direction that is most profitable and users follow along (after all, what choice do they have). Then "tech" company employees and spokespersons claim this is what people want. Ex post facto. Bullshit!
IMHO, HN commenters can speak for themselves. However there is no reason to believe they can speak on behalf of users.
The regional council of Reunion (French Overseas Region) has set up a few years ago a plan so that each high school student get a laptop running Ubuntu. It made me discover Linux, and it's partly thanks to that that I work in IT today.
Honestly, on the right hardware Linux runs so much better than Windows. Whenever I need to open Windows I'm appalled at how laggy the whole UI is even when running it on latest-gen hardware. KDE, on the other hand, is super snappy and one of the best-looking desktop systems IMHO.
The worst part is by far Windows Update. As a regular Debian and Arch user, where updates take seconds to install, running Windows Update is like watching paint dry.
Largely, that boils down to Windows never really having had a package manager like Linux distributions had, and not really an equivalent to the concept of "a file belongs to exactly one modular, versioned package".
As a consequence, Windows has to check all of the files under its management if they are still the same as in the original installation or if they got touched by one of the dozens of Windows Update packages somewhen along the path, and if yes by which update package, and what that means for the compatibility between updates, and what effects that has in turn on the update installation order. Then it has to check for each potential update candidate if there is a localized version available, do a final check again if it actually can apply each update because some of these have conditional checks... oh, and some of the updates depend on Windows components being installed, so this has to be checked as well, oh and then it needs to trawl through the hot mess that is the database of drivers installed on the system and the hardware it has encountered, and to check if there are updates available for that. And at least the last time I looked (Win7 era) it also was possible to integrate MS Office and Visual Studio updates into the MS Update process, not sure if that's still the case today, but back then that also added to the discovery process.
Windows is a hot mess of a lot of legacy garbage. Some of it got cleaned up a bit (e.g. refactoring stuff into components), but it's still nowhere near what almost all flavors of Linux sans buildroot offer.
Never mind that on linux you can largely just run updates in the background and not notice them happening. The only real annoyance I run into with background updates is that it'll make firefox want to restart.
Still, much better than locking up your entire computer for a long ass time followed by a mandatory reboot.
People just accept 1-200 ms delays as adequate, and it's a shame. I recently booted up a Pentium 3 900 Mhz machine with Windows XP sp3 installed, and it felt like it reacted faster than I registered my original action.
As a frequent user of arch linux and not so frequent user of windows I think this might come from the lazy loading of .net for all the apps.
Excel might be the worst here, but that is an UX problem. When you open it, it will first have you make it editable, then you need to allow connections, and finally if you want to mess around with something like powerquery it will lazy load .net each time before the UI is showing.
It really depends on the type of applications you use though.
I have frequently wondered why .net is just not preloaded somewhere on system launch and kept in memory. At least that is how it feels to me not being familiar with the .net technicals.
Not sure, I run Windows on Alder lake systems and had official Surface hardware that wasn't able to run stock Windows 10/11 without stuttering. Standard programs like Powerpoint and Word would also have terrible lag, e.g. when using the Surface pen. Still boggles my mind why they design hardware that isn't able to run their software without issues.
I'd recommend refraining from opening sexy_girl.exe next time you receive it sent by a Nigerian prince. I see that as the only explanation for people having constant issues with Windows, because I literally never have issues.
Can't answer. I always shied all those thin "pretty" laptop. For me pretty is functional so all my laptops are big gamer type. Everything runs instant on those, even my 10 years old ASUS ROG G73. Mind you all my PCs and laptops are stuffed with max RAM they can accept.
I do have one exception - some tiny very slim laptop from ASUS. It is used strictly to play Netflix, youtube and music to entertain me when I am on rowing machine. It does that just fine but it does not run anything but browser and music player.
> on the right hardware Linux runs so much better than Windows.
Does your right hardware have a battery?
I was recommended Lenovo x220 as the best laptop and Linux-friendly one. Now I have it and I noticed that if web-browser has some moderately heavy pages opened like 20 tabs with Youtube, and dozens of light ones like HN - in Windows+Chrome this scenario eats slightly more energy then reading a e-book while in Linux+FF this halves battery time. Now my country suffers from shifting blackouts, so I installed Windows 7 on all my laptops with battery, and I have a significant benefit in mobility time.
While I see this is a good, I wish it wasn't just about how/where the data is stored. I would love to see a bigger push against teaching children on proprietary software in general over free software+generic skills.
Worldwide billions are spent by public education systems of different countries on microsoft office entrenching their future workforce into using microsoft products. Google was actually able to break microsoft cycle over the last decade but it is one proprietary system over another.
And before that, Apple got a generation hooked on iMacs by making the colorful pear-shaped all-in-one CRT computers the standard in every school.
Education is a prime target for rent-seekers for two reasons. First, you can use the same product and marketing on thousands of schools. Second, your marks are young and impressionable.
This applies to other free offerings like Google Workspace for Education. Paid versions of these cloud services might be an option if they hadn't already been disallowed based on worries about data safety.
Generally speaking current law in the EU does not allow the use of US cloud services. That’s the basic outcome of the cited Schrems 2 ruling.
The various entities that use cloud services either cease to use them or get around the ruling by making their users agree to their data being processed in the US.
And there is people working on challenging the legality of different ways they "make" their users agree to storing data in countries that does not meet the EU's standard for "privacy protection".
Currently we haven't had a clear ruling but at one point there might be a Schrems 3 ruling disallowing any accept by click-wrap license.
the rational, socially optimal approach would be to have open source, standards based, self-sovereign platforms built around organizations like [0]. Private enterprize would have to compete on providing value-adding tools within these platforms, with access to user data monitored and strictly limited on a need-to-know basis.
Phasing out basic services because of GDPR will further set France back in all topics of information technology. Sure, there are flaws in the offerings of said providers, but the current alternatives just aren't there. And punishing every company that somehow collects data got the EU in this situation where there is no European company capable of delivering a product of the quality and polishing as Google or Microsoft are. The argument that every US hosted provider is by default incapable of meeting GDPR requirements is especially ridiculous when we consider that western intelligence services were found to heavily collaborate with mass surveillance by the NSA.
This will result in basically raising two types of kids. The technically inclined that see through this charade and will go on to leverage their knowledge in any jurisdiction that they do not associate with french legacy IT. And on the other hand, those who will not and forever associate the French IT systems and government with archaic computer systems that are completely removed from their other experiences in the cyberspace.
As time goes, I tend to believe keeping using Microsoft and Google’s offering until equivalent alternatives emerge will make it more difficult for these alternatives to rise.
As a real world example, China wouldn’t have many of its mega corps if it was favoriting the established US equivalent until something rises to the same level. I hate to say this, but in this field, provided an entity has enough resources, protectionism basically works.
Let's not conflate these product offerings with "basic services". The basic services are document editing and e-mail, which can be done locally or with a local provider respectively. The conversion to a SAAS product changes the product offering, but does not change the basic services that schools/businesses require.
> there is no European company capable of delivering a product of the quality and polishing as Google or Microsoft are.
Pretty much any other chat app is better quality than Microsoft Teams. And TeX, which is much better than Microsoft Office, was written by a single persnn.
Wanted to share a story that could be related to MS Teams and monitoring, or may be I am just being paranoid and making connections to unrelated events.
I am an h1b from India, working for one of those Indian contracting companies as a contractor to an US company. For my work, I use my employer provided laptop to remote login to client's Azure AVD remote desktop.
____
The incident:
One day, I was talking to a colleague about the 100 year wait period for greencards through client's MS teams. I shared him some twitter links (where people say they would be 115 when they get greencard and such) through Whatsapp. While I was talking about it, Teams got disconnected. Didn't think anything about it, thought it was just a network issue.
Same day, I was talking to another colleague, mentioned the same greencard thing, and shared the twitter links over Whatsapp. Again, MS teams got disconnected. I thought it was an odd coincidence that it got disconnected twice when I talked about this subject.
Same day, at around 9.30 pm, I get an email from Twitter saying they blocked a suspicious login from a city in US. So, someone knew my user name & password.
____
Regarding how someone would know my Twitter username & password: While applying for US visa, we need to give our social media user names in the DS160 form, which my employer will also see. I have used this password else where, so some data breach may have leaked it.
I don't know if one of the employees whom I talked to snitched me to my employer or my client was monitoring my Teams conversation (or Teams is looking for trigger words) and decided to investigate further where I am getting these info from Twitter.
____
This was the Twitter alert I got:
Suspicious login alert
There was an attempt to log in to your account @accountname that seems suspicious.
Suspicious login
Device: Unknown
Location: Springfield, MA, USA
When: date & time (11 minutes ago)
*Location is approximate based on the login's IP address.
If this was you
- There is no need to take any action right now. Just to be safe, you'll need to answer some security questions the next time you login to this account.
If this wasn't you
- Change your password now to protect your account. You'll be logged out of all your active Twitter sessions except the one you're using this time.
Yes, there are roles that allow an admin or legal team to review all sorts of activity across M365. That’s not MSFT, though.
In the US, you should never expect privacy on company owned devices or services. The company may even be decrypting SSL sessions, revealing passwords in the clear (though they shouldn’t…).
If you employer pays for Teams, assume they can monitor it and MS facilitates it. In the US, I believe, this isn't considered legally wrong, meaning it is OK to monitor employee use of company assets.
So anytime newspapers covers a store of a country where its native language is not English papers should be injecting random native language into the article?
Is this a bit of a non-story? It says the "free" version of the services, which is an extremely sensible position to take. Would this preclude an institution from using a paid Workspace for Education account with their differentiated terms and guarantees?
Depends on the terms and guarantees, and so far both o365 and especially google workspaces have been reluctant to offer proof that there is no way for the US headquarter to access data stored on Europeans citizens.
MS had a German cloud region operated in a way that was designed to look independent of the US Headquarter but somehow that got rolled back into the global azure operations structure after a few years. And while there is talk about trying something similar again but nobody can tell if that will be accepted as separate enough or how long it will be before those boundaries are crossed anyway.
For public funded institutions depending on any kind of user accept as a prereq for any service is extremely problematic so none of the workaround that have been used by businesses to bypass the lack of a valid "safe harbour agreement" so any solution put in place have to be designed in a way that don't require any "consent to data transfer"
The problem is with the cloud integration not necessarily with the Microsoft part so if Microsoft wanted to they could sell an version of office to the school with the cloud functionally disabled or changed to point to an on-prem SharePoint installation but this is the smallest part of why school administrators like o365 and google apps.
The problem is that when you look into the email/groupware market and particularly how to manage devices/accounts, something both o365 and google apps(with Chromebooks) offer as a part of the cloud subscription, so now your kind of dealing with implementing authentication, file hosting, email, chat and a whole lot of associated problems based on picking individual solutions for each part of the puzzle.
What the regulators expect will happen is that smaller local companies will start selling integration services to the schools because that's how it worked when IT was introduced to the marketplace. But that market have been decimated over the last few decades so it's not obvious who in the local markets can still do it as the big vendors have been positioning their training offerings and best practice guides towards less locally controlled infrastructure.
If governments can collaborate to engineer and build airplanes for example, why can't they do the same for edu software? The economic benefits (of edu) and the number of people directly and indirectly affected has to be on the order of airplanes / airtravel.
> If governments can collaborate to engineer and build airplanes for example, why can't they do the same for edu software?
Airplanes are a good example on just how utterly bad this can become - we have a lot of issues there. Both the EU and US sued each other over unfair subsidies, both Boeing and Airbus have massive structural issues because they are also expected to distribute pork over election districts...
At the core, the problem is anti-competition laws. Governments have enough firepower to simply muscle every free market competition to its knees - the private competitors would simply sue any too effective effort by the government away, and I cannot even claim that this would be without reason.
Nextcloud is the prevailing solution being adopted along with Collabora office suite integration. I have it running on a RPI here at home, and it is great. It is all free software, but companies and institutions pay subscription for support.
IMHO that's the root of the problem. Why does MSFT need to process customer data? Yeah, we all know why, but I'm really getting tired of this shit!
It's not a problem paying for your product but leave my data alone, it is mine and that's it! No searching for emails, no training AIs on my code, no scanning images for "child porn", no reading my documents for "national security", etc... all the customer data you need to process is my email to send me a payment receipt or the size of the data I've saved to see if I'm over quota or whatever on that line.
And the same applies to all players in this field, not just MSFT who isn't even one of the worst offenders.