Is Microsoft Office 365 Secure?

I love new stuff especially when it’s as hyped as being an online solution for a mobile user like me. So naturally I was excited to try out the new Office 365. My best experience with Office was back in my college days when I was writing a lot of papers. I had my styles perfectly bent to the will of APA guidelines and Endnote, poised and ready to show my citation prowess, held every reference I ran across whether I used it in a paper or not. I would like to mention that this was Office for Mac.

Fast forward to today and my computer usage has changed significantly and so has the computing world. Long gone for me are the days of academic writing, and at times I miss them. Reports, emails, budgets and code, the new and fascinating creatures inhabiting my screen, offer a never-ending variety of entertainment. When I look at the various devices peeking at me from the shelf, counter and yes my pocket, they all have something in common, they are portable. My primary qualifier for any new technology? It has to work on mobile devices because I work from everywhere and those “work” times spent riding a train or bus really add up giving me back significant parts of my day.

On to the Office 365 website I ventured hoping to relive those, glory days…? Anyhow, blow past that buy thing I want to try it now! So into the trial I go clicking rapidly through account creation and blah, blah, blah, to the setup page, now we are getting somewhere. Strange, I need to install something on my computer to use a web-based system? I would need to do this everywhere I go? What if I use someone else’s computer? Who cares, I want Office now but wait, what is this? My hopes dashed on the following screen.

No setup available for this computer
There are no updates for the operating system that is running on your computer. To see a list of operating systems and web browsers that are supported, see Software requirements in Help. Return to the Home page to use Microsoft Office 365.

So what does it run on, not my Chromebook? Well I guess MS hates Google so that makes sense. The Software requirements link didn’t work so off I went to chase down the long tailed power suckers inhabiting the house. I have a few gadgets around and my wife is a Mac freak so I ran around trying to “load” Office 365. Android tablet – no, HTC Thunderbolt – no, iPad – no, MacBook… yesssss-no, error. Well it seems obvious this is a Windows only kind of thing so I fired up my VDI connected to a virtual Windows desktop running in the server room at work. Again, not supported for Windows 2003 Data Center edition. So here I am, still no Office bliss after an hour of running around.

So no big deal, it’s new right and 75% of our office has XP or Windows 7. I can try tomorrow on a borrowed laptop. But tonight I can do what I spend a big chunk of time doing, reading the Terms of Service. Because we are a law firm and a Gov there are rules, specifically the New Mexico Rules of Professional Conduct. The sticking factor is always Rule 16-106 Confidentiality of Information. If an attorney can’t defend that they had every assurance from a third party service provider that client information would be kept confidential they may be disbarred or worse.

Microsoft is selling this product to the business world so they must have a great ToS. I found a “Legal” link at the bottom of the page and that led to the “Portal terms of use.” A quick search for “Disclosure” yielded this statement,

Microsoft reserves the right at all times to disclose any information as Microsoft deems necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in Microsoft’s sole discretion.

Surely I have misclicked or the Portal is not part of Office 365 because this statement says Microsoft will do whatever it wants with my information. No way any attorney could use a product with a statement like that.

Hammering away on other links only caused my concern to grow with statements like:

I tried the Microsoft Online Services Trust Center.

Security Notice 1

For Office 365 for Small Business and Professionals, content and files transferred to and from SharePoint Online are not encrypted in-transit through Secure Socket Layer (SSL) or other mechanisms.

File access on WiFi at business conferences is out.

When using Microsoft Exchange Online, significant additional information will be transmitted to and stored by Microsoft as part of this Service. This includes all information in your Service mailbox, as long as you are connected to Microsoft Exchange Online.

What is “significant additional information”? It is not clear in any other document I read.

Will Microsoft give notice when customer data is transferred to a new country?

No. But Microsoft will give notice if and when Microsoft changes the information about Office 365 Geographic Boundaries

Federal Govies beware!

And the final blow:

Can Microsoft Online Services use or disclose my data without my permission?

In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others

That reads as a big fat YES! Attorney-client information is always privileged and that “or” gives Microsoft permission to violate that trust.

Please someone tell me I can’t read, that bouncing around to so many different pages attempting to find answers has made my vision foggy. Is there a different agreement for Law, Government, anyone concerned about privacy? If so I can’t seem to locate it.

2 Comments

Kent Cunningham

Hi James,

Thanks for this feedback. You raise some extremely important concerns. We want people to access Office 365 productivity tools in the way that best suits their specific needs, and/or the needs of their organization – whether it’s on-premise, from the cloud, or using a hybrid approach. We want to offer both choice and flexibility. Office 365 programs are available from a variety of web browsers, desktop applications, and mobile devices – including PCs, Macs, iPhones, Android phones and Blackberry devices. Admittedly, the user experience on the iPad isn’t as great as we would like it to be, and we’ve passed along your feedback to the product team. They are working on improving that experience.

It also sounds like you were a victim of a confusing “sign up” page (which we are working to update). For capabilities like calendaring, contacts, messaging and shared documents, you actually don’t have to install any software. The software installation piece is only for advanced capabilities like real-time two-way video conferencing or full desktop sharing with remote control, for which we offer installable clients. We’re working to clarify the language. It’s also essential to note that having the option of offline/installable clients is a great choice for users who find themselves commonly disconnected from Internet access or those who simply prefer the speed of local processing due to large file sizes or bandwidth constraints. Additional information regarding cross-platform support for various browsers and clients can be found in our software requirements guide for Office 365, and I regularly deliver demos from Ubuntu and/or OSX to highlight these capabilities.

More importantly, I wanted to address your privacy concerns. Microsoft takes privacy extremely seriously, particularly in the government market where our customers are responsible for protecting sensitive public data. The first disclaimer you cite, detailing Microsoft’s right to disclose information in response to a government request, is a reflection of the fact that we are subject to the laws of the countries where we operate, and may have to respond to legitimate law enforcement requests. All corporate cloud providers headquartered in the U.S., for example, must comply with these same regulations. That said, Microsoft will only provide enterprise customer data when it is legally required to do so, and will limit the content to only that data which it is required to disclose. When it comes to the “protection of rights and others” phrase, this is targeted at content that violates our agreements or policies because it is illegal or malicious.

We are very highly committed to protecting customer privacy, and because of this, Microsoft also does not mine or index customer data for advertising purposes. In fact, all of our Online/Cloud offerings for enterprises utilize separate systems that are kept physically and logically separate from consumer advertiser-supported services to prevent data flow between the two systems.

Finally, to respond to your inquiry about the geographic location of customer data, Microsoft traditionally assigns customers to the data center closest to the billing address on their account. Customers have the option to proactively choose one of several geographic locations for housing their data (such as in the U.S., Asia, or European Union), and can choose to be notified if/when those geographic boundaries change for any reason.

We strive to deliver a great experience with a focus on security and privacy in alignment with US Laws, to help customers confidently reap the benefits of cloud computing. Here are a few links that provide some additional detail on my comments above: