This policy overview for Skype is part of a series looking at the privacy practices of commonly used videoconferencing services. While the focus of this review is on Skype, Microsoft Teams also references the same base privacy policy as Skype. The series includes:
- Introduction — the introduction provides background information on the scope of this work, and a summary of general findings
- An overview of Google Meet, Duo, and Hangouts
- An overview of Microsoft Skype and Teams (this document)
- An overview of Cisco WebEx
This policy overview for Skype has three sections:
- Summary Notes, general observations about the privacy policy and service offering;
- Rubric Mapping, a more structured look at the services, mapping the language in the privacy policy to 10 defined categories; and
- Policy Notes, a series of excerpts from the privacy policy, with commentary on what the language means.
The privacy policy analysis is based on the publicly available policy at https://privacy.microsoft.com/en-us/privacystatement. This policy was last updated in April 2020.
1. Summary Notes
1. Microsoft’s terms state that they can collect data on Skype/Teams users from different third parties, including data brokers, openly available government databases, and location tracking services.
2. Microsoft’s terms define a large range of data that they can collect. While not all data are collected when signing up for Skype/Teams, the terms do not provide clear distinctions about the specific data elements required for Skype or Teams. The lack of clarity makes it difficult to make an informed decision about potential privacy risks.
3. Microsoft’s terms carve out the right to collect, store, and process data — including video and audio data — from people who enter physical spaces owned or controlled by Microsoft. These spaces are not clearly defined, but the terms mention Microsoft stores. The terms make no distinction between passively collected surveillance data, or more informed and obvious collection (for example, an interview).
4. Microsoft’s terms explicitly exclude data used from email, chat, video calls, voicemail, documents, photos, or other personal files to target ads. This is a great step, and it’s good to see Microsoft make this commitment. This language could be made even stronger if Microsoft explicitly guaranteed that this information was never used to inform or shape any user profile. Excluding data from use in targeted ads is great; excluding data from use in any type of user profile is better. If this is already standard practice for Microsoft, then making that clear would be a great addition to their terms.
5. Microsoft’s terms clearly state that opting out of “interest-based” ads does not stop data collection of data elements that could be used for interest-based ads (but can conceivably have other uses). This reinforces the points made above. Microsoft should clarify how data collected from email, chat, video calls, voicemail, documents, photos, or other personal files is used, and clearly define uses that are off limits.
6. Microsoft’s terms describe data sharing within Microsoft, and with affiliates. Because Microsoft is such a large company, this type of sharing without clearly defined safeguards creates the potential for misuse or unexpected secondary uses of information.
7. Microsoft’s terms define data as an asset that can be transferred as part of a sale. The terms do not include any language that says affected users would be notified, or whether they would have any ability to not have their data transferred.
8. Microsoft’s terms describe how they allow third party companies to collect analytics data within Microsoft products. While this is a common practice in the industry, Microsoft is more transparent than other companies with regard to how they describe this practice. Microsoft’s clarity on this, however, doesn’t change the reality that this practice has the potential to compromise a person’s privacy.
9. Skype/MS Teams can be accessed in a range of ways, including a personal account, or a Teams account associated with school, business, or family. The range of ways that meetings can be accessed — and the potentially different rules governing meeting hosts in each of these contexts — creates an environment where it is difficult, at best, to understand the privacy implications of any given meeting.
10. When your access to Skype or Teams comes via a business, school, or other organization, people within that organization will have rights to examine your activity in that service, sometimes without your knowledge. In a worst-case scenario (micromanaging boss, online stalking within the workplace, etc.) a regular person in an organizational instance of Teams could be subjected to workplace surveillance that feels and/or is abusive.
2. Skype/Microsoft Teams mapped to the Rubric
This rubric is based on these policy notes.
Personal Data Leak
Skype/Microsoft Teams, like all videoconferencing services, have the potential for leaking personal data. Hosts can record calls and potentially share those recordings, and other participants can make surreptitious recordings of calls without the knowledge or consent of participants.
When participating in any videoconference, if you are not aware whether or not a call is being recorded, ask the host. If it is not possible to ask the host, assume that the call is being recorded, and adjust your level of participation in the call to whatever feels comfortable.
First Party Data Collection
Microsoft’s terms are very detailed about the type of data they can collect. The definitions in their policy cover the entire suite of Microsoft services, so not all of the elements listed here would necessarily be collected if a person is using Skype/MS Teams. However, because access to Skype/Teams is tied to a Microsoft Live login, this creates the possibility that a person using Skype, but no other Microsoft products, would have a hard time not being profiled and tracked within Microsoft’s larger customer base. In short, even if a person only wants to use Skype, they get connected to a range of other services — this is comparable to people with a GMail account getting tied into Google’s ecosystem.
Data Enhancement
Microsoft’s terms define how data collected by Microsoft are enhanced with data from multiple different third party sources, including data brokers, location service providers, and open government databases.
Third Party Access
Microsoft’s terms describe how they allow third party companies to collect analytics data within Microsoft products. While this is a common practice in the industry, Microsoft is more candid than other companies with regard to how they describe this practice. Microsoft’s clarity on this, however, doesn’t change the reality that this practice has the potential to compromise a person’s privacy.
Microsoft’s terms also describe sharing within Microsoft, and with affiliates. Because Microsoft is such a large company, this type of sharing without clearly defined safeguards creates the potential for misuse of information.
Implications of Employer or School Sponsorship of Service
If you are using Microsoft Teams — and Skype is bundled within Teams — as part of a school or business, the people administering the service have the ability to review information you share and interactions you have while using the service. Some of the features of Teams could allow managers to track employee locations as they are clocking into and out of work.
Data Deletion and Retention
Microsoft’s terms contain a section dedicated to data retention, but this section does not contain many specific commitments to deleting the data they hold within a clearly defined time frame. Two exceptions include search data (where they state that they remove IP addresses associated with searches after 6 months) and tracking of individual people using Microsoft services (where they say they remove cross-session identifiers after 18 months. While it is good to see some specific language, these deletion windows are broad to the point where they offer minimal privacy protection.
Microsoft also makes a good step by extending GDPR rights to all users, regardless of whether or not they live in the European Union. However, they potentially soften or undermine that commitment by saying that access could be limited if “required or permitted by applicable law.”
Differentiation between data collected from hosts versus participants
Microsoft’s terms do not appear to make a clear distinction between data collected from a meeting or conference host, and data collected from participants.
In addition, Microsoft’s terms state that for the consumer version of Skype, “if you use a Microsoft service, such as Outlook.com, to manage contacts, Skype will automatically add the people you know to your Skype contact list until you tell us to stop.” The terms also state that Skype will check other address books and harvest contacts if given the opportunity. It is unclear how consent is given or withdrawn. It is also unclear if consent is withdrawn whether or not harvested contacts will be deleted. Given that Microsoft Services including Skype are tied together with a Live login, this potentially means that if a person makes a decision to sync contacts (or makes a mistake, and accidentally syncs contacts) then the contacts could be collected and shared across all Microsoft services.
Information Used for Product Improvement
Microsoft clearly states that they use data to improve existing products, including adding new features. This creates the potential for a range of secondary uses for audio and video data collected within Microsoft services.
Data That Can Be Sold or Shared as Part of a Transaction
Microsoft’s terms define data as an asset that can be transferred as part of a sale. While language that defines data as an asset that can be transferred is included in most privacy policies, Microsoft is a large company that is not likely to be acquired in its entirety. However, Microsoft’s terms state that they have the right to “disclose personal data as part of a corporate transaction such as a merger or sale of assets.”
Access to Data for Machine Learning, AI Analysis, or Human Review
Microsoft’s terms describe how human review (referred to as “manual methods” in Microsoft’s terms) are used to review data that have been processed and/or analyzed via AI. The section of the terms dedicated to Skype contains language that describes automatic translation and captioning features. Generally, features like real time captioning and real time translation imply automated analysis via AI.
3. Privacy Policy Notes
The rough notes below include direct quotations from Microsoft’s Privacy Policy, and commentary on the potential implications of the policy language. These notes are not legal advice.
The larger excerpts of policy language are in italics.
— — — — — — — — — — — — — — — –
Data enhanced/collected from third parties
Microsoft’s terms define how data collected by Microsoft are enhanced with data from multiple different third party sources, including data brokers, location service providers, and open government databases. The terms list categories of third parties, but do not appear to list specific third parties.
“We also obtain data from third parties. We protect data obtained from third parties according to the practices described in this statement, plus any additional restrictions imposed by the source of the data. These third-party sources vary over time and include:
Data brokers from which we purchase demographic data to supplement the data we collect.
Services that make user-generated content from their service available to others, such as local business reviews or public social media posts.
Communication services, including email providers and social networks, when you give us permission to access your data on such third-party services or networks.
Service providers that help us determine your device’s location.
Partners with which we offer co-branded services or engage in joint marketing activities.
Developers who create experiences through or for Microsoft products.
Third parties that deliver experiences through Microsoft products, such as skills related to Cortana.
Publicly-available sources, such as open government databases.”
— — — — — — — — — — — — — — — –
Employer Surveillance
Schools and businesses that supply Microsoft products have overlapping terms. This makes it difficult to understand whether your organization or Microsoft has final say over key decisions related to your privacy.
“If you represent an organization, such as a business or school, that utilizes Enterprise and Developer Products from Microsoft, please see the Enterprise and developer products section of this privacy statement to learn how we process your data. If you are an end user of a Microsoft product or a Microsoft account provided by your organization, please see the Products provided by your organization and the Microsoft account sections for more information.”
— — — — — — — — — — — — — — — –
First party collection
Microsoft’s terms are incredibly detailed about the type of data they can collect. The definitions in their policy cover the entire suite of Microsoft services, so not all of the elements listed here would necessarily be collected if a person is using Skype/MS Teams. However, because access to Skype/Teams is tied to a Microsoft Live login, this creates the possibility that a person using Skype, but no other Microsoft products, would have a hard time not being profiled and tracked within Microsoft’s larger customer base. In short, even if a person only wants to use Skype, they get connected to a range of other services — this is comparable to people with a GMail account getting tied into Google’s ecosystem.
It’s also worth highlighting that the data collection described by Microsoft is pretty standard for major platforms. Microsoft’s terms do a good job describing the range of data they collect; the details in Microsoft’s terms can be used as a point of comparison when evaluating how transparent or forthright other companies are being when they disclose the data they collect and store.
The full list of data elements are included verbatim below. It is lengthy.
“Name and contact data. Your first and last name, email address, postal address, phone number, and other similar contact data.
Credentials. Passwords, password hints, and similar security information used for authentication and account access.
Demographic data. Data about you such as your age, gender, country, and preferred language.
Payment data. Data to process payments, such as your payment instrument number (such as a credit card number) and the security code associated with your payment instrument.
Subscription and licensing data. Information about your subscriptions, licenses, and other entitlements.
Interactions. Data about your use of Microsoft products. In some cases, such as search queries, this is data you provide in order to make use of the products. In other cases, such as error reports, this is data we generate. Other examples of interactions data include:
Device and usage data. Data about your device and the product and features you use, including information about your hardware and software, how our products perform, as well as your settings. For example:
Payment and account history. Data about the items you purchase and activities associated with your account.
Browse history. Data about the webpages you visit.
Device, connectivity, and configuration data. Data about your device, your device configuration, and nearby networks. For example, data about the operating systems and other software installed on your device, including product keys. In addition, IP address, device identifiers (such as the IMEI number for phones), regional and language settings, and information about WLAN access points near your device.
Error reports and performance data. Data about the performance of the products and any problems you experience, including error reports. Error reports (sometimes called “crash dumps”) can include details of the software or hardware related to an error, contents of files opened when an error occurred, and data about other software on your device.
Troubleshooting and help data. Data you provide when you contact Microsoft for help, such as the products you use, and other details that help us provide support. For example, contact or authentication data, the content of your chats and other communications with Microsoft, data about the condition of your device, and the products you use related to your help inquiry. When you contact us, such as for customer support, phone conversations or chat sessions with our representatives may be monitored and recorded.
Bot usage data. Interactions with third party bots and skills available through Microsoft products like Cortana.
Interests and favorites. Data about your interests and favorites, such as the sports teams you follow, the programming languages you prefer, the stocks you track, or cities you add to track things like weather or traffic. In addition to those you explicitly provide, your interests and favorites can also be inferred or derived from other data we collect.
Content consumption data. Information about media content (e.g., TV, video, music, audio, text books, apps, and games) you access through our products.
Searches and commands. Search queries and commands when you use Microsoft products with search or related productivity functionality.
Voice data. Your voice data, such as the search queries or commands you speak, which may include background sounds.
Text, inking, and typing data. Text, inking, and typing data and related information. For example, when we collect inking data, we collect information about the placement of your inking instrument on your device.
Images. Images and related information, such as picture metadata. For example, we collect the image you provide when you use a Bing image-enabled service.
Contacts and relationships. Data about your contacts and relationships if you use a product to share information with others, manage contacts, communicate with others, or improve your productivity.
Social data. Information about your relationships and interactions between you, other people, and organizations, such as types of engagement (e.g., likes, dislikes, events, etc.) related to people and organizations.
Location data. Data about your device’s location, which can be either precise or imprecise. For example, we collect location data using Global Navigation Satellite System (GNSS) (e.g., GPS) and data about nearby cell towers and Wi-Fi hotspots. Location can also be inferred from a device’s IP address or data in your account profile that indicates where it is located with less precision, such as at a city or postal code level.
Other input. Other inputs provided when you use our products. For example, data such as the buttons you press on an Xbox wireless controller using Xbox Live, skeletal tracking data when you use Kinect, and other sensor data, like the number of steps you take, when you use devices that have applicable sensors. And, if you use Spend, at your direction, we also collect financial transaction data from your credit card issuer to provide the service.
Content. Content of your files and communications you input, upload, receive, create, and control. For example, if you transmit a file using Skype to another Skype user, we need to collect the content of that file to display it to you and the other user. If you receive an email using Outlook.com, we need to collect the content of that email to deliver it to your inbox, display it to you, enable you to reply to it, and store it for you until you choose to delete it. Other content we collect when providing products to you include:
Communications, including audio, video, text (typed, inked, dictated, or otherwise), in a message, email, call, meeting request, or chat.
Photos, images, songs, movies, software, and other media or documents you store, retrieve, or otherwise process with our cloud.
Video or recordings. Recordings of events and activities at Microsoft buildings, retail spaces, and other locations. If you enter Microsoft Store locations or other facilities, or attend a Microsoft event that is recorded, we may process your image and voice data.
Feedback and ratings. Information you provide to us and the content of messages you send to us, such as feedback, survey data, and product reviews you write.
Product-specific sections below describe data collection practices applicable to use of those products.”
— — — — — — — — — — — — — — — –
First Party Collection
The terms contain specific references to meeting data transmitted via Skype.
“Content. Content of your files and communications you input, upload, receive, create, and control. For example, if you transmit a file using Skype to another Skype user, we need to collect the content of that file to display it to you and the other user. If you receive an email using Outlook.com, we need to collect the content of that email to deliver it to your inbox, display it to you, enable you to reply to it, and store it for you until you choose to delete it. Other content we collect when providing products to you include:
Communications, including audio, video, text (typed, inked, dictated, or otherwise), in a message, email, call, meeting request, or chat.
Photos, images, songs, movies, software, and other media or documents you store, retrieve, or otherwise process with our cloud.”
— — — — — — — — — — — — — — — –
First Party Collection
AI and automated processing
This language describes that Microsoft reserves the right to store and process data — including video and audio data — from people who enter physical spaces owned or controlled by Microsoft. The terms make no distinction between passively collected surveillance data, or more informed and obvious collection (for example, an interview).
“Video or recordings. Recordings of events and activities at Microsoft buildings, retail spaces, and other locations. If you enter Microsoft Store locations or other facilities, or attend a Microsoft event that is recorded, we may process your image and voice data.”
— — — — — — — — — — — — — — — –
AI and automed processing, augmented by human review
Product improvement
This language describes how human review (or “manual methods”) are used to review data that have been processed and/or analyzed via AI. While product improvement is not explicitly included in the language of this excerpt, the reasons for processing, automated analysis, and human review of that analysis implies that Microsoft uses AI and human review of data as part of product improvement.
“Our processing of personal data for these purposes includes both automated and manual (human) methods of processing. Our automated methods often are related to and supported by our manual methods. For example, our automated methods include artificial intelligence (AI), which we think of as a set of technologies that enable computers to perceive, learn, reason, and assist in decision-making to solve problems in ways that are similar to what people do. To build, train, and improve the accuracy of our automated methods of processing (including AI), we manually review some of the predictions and inferences produced by the automated methods against the underlying data from which the predictions and inferences were made. For example, we manually review short snippets of a small sampling of voice data we have taken steps to de-identify to improve our speech services, such as recognition and translation.”
— — — — — — — — — — — — — — — –
High level statements about advertising and marketing
Microsoft explicitly excludes data used from email, chat, video calls, voicemail, documents, photos, or other personal files to target ads. This is a great step, and it’s good to see Microsoft make this commitment. This language could be made even stronger if Microsoft explicitly guaranteed that this information was never used to inform or shape any user profile. Excluding data from use in targeted ads is great; excluding data from use in any type of user profile is better.
“Promotional communications. We use data we collect to deliver promotional communications. You can sign up for email subscriptions and choose whether you wish to receive promotional communications from Microsoft by email, SMS, physical mail, and telephone. For information about managing your contact data, email subscriptions, and promotional communications, see the How to access and control your personal data section of this privacy statement.
Relevant offers. Microsoft uses data to provide you with relevant and valuable information regarding our products. We analyze data from a variety of sources to predict the information that will be most interesting and relevant to you and deliver such information to you in a variety of ways. For example, we may predict your interest in gaming and communicate with you about new games you may like.
Advertising. Microsoft does not use what you say in email, chat, video calls, or voice mail, or your documents, photos, or other personal files to target ads to you. We use data we collect through our interactions with you, through some of our products, and on third-party web properties, for advertising in our products and on third-party properties. We may use automated processes to help make advertising more relevant to you. For more information about how your data is used for advertising, see the Advertising section of this privacy statement.”
— — — — — — — — — — — — — — — –
Legal mention
This language relates to how Microsoft can use data to ensure compliance with applicable law.
“Legal compliance. We process data to comply with law. For example, we use the age of our customers to ensure we meet our obligations to protect children’s privacy. We also process contact information and credentials to help customers exercise their data protection rights.”
— — — — — — — — — — — — — — — –
Employer surveillance
Microsoft’s terms specify that when the service is provided as part of a school or workplace, the administrators of the system will have additional insight into how you use the system.
“If you use a Microsoft product provided by an organization you are affiliated with, such as an employer or school, or use an email address provided by such organization to access Microsoft products, we share certain data, such as interaction data and diagnostic data to enable your organization to manage the products.”
— — — — — — — — — — — — — — — –
Third party and affiliate data use
Microsoft shares data within Microsoft, and with affiliates. Because Microsoft is such a large company, this type of sharing without clearly defined safeguards creates the potential for misuse of information.
This language also defines data as an asset that can be transferred as part of a sale.
“In addition, we share personal data among Microsoft-controlled affiliates and subsidiaries. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data to provide those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose. We may also disclose personal data as part of a corporate transaction such as a merger or sale of assets.”
— — — — — — — — — — — — — — — –
Law Enforcement request page/Transparency report
Microsoft maintains a transparency report and referencences the report in its terms.
https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report
— — — — — — — — — — — — — — — –
Data Retention
Microsoft’s terms have conflicting language about a person’s ability to access, control, or delete data that Microsoft holds about a person. The language below clearly says that in some cases, access rights can be limited. However, the terms are not clear about when those cases might exist.
“You can also make choices about the collection and use of your data by Microsoft. You can control your personal data that Microsoft has obtained, and exercise your data protection rights, by contacting Microsoft or using various tools we provide. In some cases, your ability to access or control your personal data will be limited, as required or permitted by applicable law. How you can access or control your personal data will also depend on which products you use.”
The terms also state that users can request access, erasure, or deletion of personal data, but the terms do not explicitly say that requests will be honored.
“You can access and control your personal data that Microsoft has obtained with tools Microsoft provides to you, which are described below, or by contacting Microsoft. For instance:
If Microsoft obtained your consent to use your personal data, you can withdraw that consent at any time.
You can request access to, erasure of, and updates to your personal data.
If you’d like to port your data elsewhere, you can use tools Microsoft provides to do so, or if none are available, you can contact Microsoft for assistance.”
Microsoft takes a good step and extends GDPR rights to all people, regardless of location, but they undercut their commitment by creating a vague carve out that can be read as providing Microsoft a reason to not allow access or deletion.
“You may have these rights under applicable laws, including the EU General Data Protection Regulation (GDPR), but we offer them regardless of your location. In some cases, your ability to access or control your personal data will be limited, as required or permitted by applicable law.”
— — — — — — — — — — — — — — — –
First Party Collection
Third Party Access
Microsoft’s terms clearly state that opting out of “interest-based” ads does not stop data collection.
“Because the data used for interest-based advertising is also used for other required purposes (including providing our products, analytics, and fraud detection), opting out of interest-based advertising does not stop that data collection. You will continue to get ads, although they may be less relevant to you.”
— — — — — — — — — — — — — — — –
First Party Collection
Microsoft’s terms clearly define how cookies are used to uniquely identify people, and the range of data stored via cookies. This level of clarity is a good thing; other companies should follow Microsoft’s lead here. Other companies almost certainly use cookies in comparable ways, but they are not as clear in their disclosures.
“For example, if you enter your city or postal code to get local news or weather information on a Microsoft website, depending on your settings, we store that data in a cookie so that you will see the relevant local information when you return to the site. Saving your preferences with cookies, such as your preferred language, prevents you from having to set your preferences repeatedly. If you opt out of interest-based advertising, we store your opt-out preference in a cookie on your device.”
“When you sign in to a website using your personal Microsoft account, we store a unique ID number, and the time you signed in, in an encrypted cookie on your device.”
“Some of our websites include social media cookies, including those that enable users who are signed in to the social media service to share content via that service.”
“Microsoft uses cookies to collect data about your online activity and identify your interests so that we can provide advertising that is most relevant to you.”
“Microsoft uses cookies to record how many visitors have clicked on an advertisement and to record which advertisements you have seen, for example, so you don’t see the same one repeatedly.”
“We use first- and third-party cookies and other identifiers to gather usage and performance data. For example, we use cookies to count the number of unique visitors to a web page or service and to develop other statistics about the operations of our products.”
“If you visit one of our websites, the site will set some or all of the following cookies:
MUID, MC1, and MSFPC. Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.
ANON. Contains the ANID, a unique identifier derived from your Microsoft account, which is used for advertising, personalization, and operational purposes. It is also used to preserve your choice to opt out of interest-based advertising from Microsoft if you have chosen to associate the opt-out with your Microsoft account.
CC. Contains a country code as determined from your IP address.
PPAuth, MSPAuth, MSNRPSAuth, KievRPSAuth, WLSSC, MSPProf. Helps to authenticate you when you sign in with your Microsoft account.
MC0. Detects whether cookies are enabled in the browser.
MS0. Identifies a specific session.
NAP. Contains an encrypted version of your country, postal code, age, gender, language and occupation, if known, based on your Microsoft account profile.
MH. Appears on co-branded sites where Microsoft is partnering with an advertiser. This cookie identifies the advertiser, so the right ad is selected.
childinfo, kcdob, kcrelid, kcru, pcfm. Contains information that Microsoft account uses within its pages in relation to child accounts.
MR. Used to collect information for analytics purposes.
x-ms-gateway-slice. Identifies a gateway for load balancing.
TOptOut. Records your decision not to receive interest-based advertising delivered by Microsoft.”
— — — — — — — — — — — — — — — –
Third Party Collection
Microsoft’s terms also define how third parties collect data from within Microsoft services. These third parties can use this data according to their own terms.
“In addition to the cookies Microsoft sets when you visit our websites, third parties can also set cookies when you visit Microsoft sites. For example:
Companies we hire to provide services on our behalf, such as site analytics, place cookies when you visit our sites. See opt-out links below.
Companies that deliver content, such as videos or news, or ads on Microsoft sites, place cookies on their own. These companies use the data they process in accordance with their privacy policies, which may enable these companies to collect and combine information about your activities across websites, apps, or online services.”
— — — — — — — — — — — — — — — –
First Party Collection
Microsoft is clear that they use web beacons to track people on non-Microsoft sites. This isn’t especially surprising, and other companies do this as well, but/and it’s rare to see the process described this openly. The data collected via web beacons could be tied to other information collected by Microsoft, and collected by third parties.
“In addition to placing web beacons on our own websites, we sometimes work with other companies to place our web beacons on their websites or in their advertisements. This helps us to, for example, develop statistics on how often clicking on an advertisement on a Microsoft website results in a purchase or other action on the advertiser’s website. It also allows us to understand your activity on the website of a Microsoft partner in connection with your use of a Microsoft product or service.”
— — — — — — — — — — — — — — — –
Third Party Collection
Microsoft’s terms describe how they allow third party companies to collect analytics data within Microsoft products. While this is a common practice in the industry, Microsoft is more candid than other companies with regard to how they describe this practice. Microsoft’s clarity on this, however, doesn’t change the reality that this practice has the potential to compromise a person’s privacy.
“Finally, Microsoft products often contain web beacons or similar technologies from third-party analytics providers, which help us compile aggregated statistics about the effectiveness of our promotional campaigns or other operations. These technologies enable the analytics providers to set or read their own cookies or other identifiers on your device, through which they can collect information about your online activities across applications, websites, or other products. However, we prohibit these analytics providers from using web beacons on our sites to collect or access information that directly identifies you (such as your name or email address). You can opt out of data collection or use by some of these analytics providers by clicking any of the following links”
— — — — — — — — — — — — — — — –
First Party Collection
Employer Surveillance
If you are using Microsoft Teams as part of a school or business, the people administering the service have the ability to review information you share and interactions you have while using the service.
“If you use a Microsoft product provided by an organization you are affiliated with, such as an employer or school, and you use your work or school account to access that Microsoft product, that organization can:
Control and administer your Microsoft product and product account, including controlling privacy-related settings of the product or product account.
Access and process your data, including the interaction data, diagnostic data, and the contents of your communications and files associated with your Microsoft product and product accounts.”
While Microsoft’s policies don’t provide a full breakdown of the types of data that are shared with employers within Teams, some of the features that can be enabled within Teams show potential for employer surveillance, including location tracking. The Time Clock feature (described here: https://support.office.com/en-us/article/set-up-time-clock-for-shifts-63ff9958-3594-4d05-82eb-a4a342cba2e2 ) “allows managers to set up optional location detection, which detects where employees are when they clock in and out.”
— — — — — — — — — — — — — — — –
Employer Surveillance
In most cases, when a business or school provides Microsoft products to their employees, staff, and/or students, the organization and Miocrosoft have an additional contract that can bring additional rules or controls in addition to what is covered in the publicly available privacy policy. However, these contracts are not always publicly available, and an organization’s privacy practices might not be any better or worse than what is described in Microsoft’s publicly available terms.
“If your organization provides you with access to Microsoft products, your use of the Microsoft products is subject to your organization’s policies, if any. You should direct your privacy inquiries, including any requests to exercise your data protection rights, to your organization’s administrator.”
— — — — — — — — — — — — — — — –
Third Party Access
Data Leak
Because Skype/Teams authenticate using Microsoft Live, many people using Skype/Teams can use their MS Live login to access other services. This practice is convenient, but it can also expose information to other services. In short, if you use your MS Live login for third party services, be sure you trust the other service.
“With a Microsoft account, you can sign into Microsoft products, as well as those of select Microsoft partners. Personal data associated with your Microsoft account includes credentials, name and contact data, payment data, device and usage data, your contacts, information about your activities, and your interests and favorites. Signing into your Microsoft account enables personalization, consistent experiences across products and devices, permits you to use cloud data storage, allows you to make payments using payment instruments stored in your Microsoft account, and enables other features.”
— — — — — — — — — — — — — — — –
Product improvement
Microsoft clearly states that they use data to improve existing products, including adding new features. This creates the potential for a range of secondary uses for audio and video data collected within Microsoft services.
“Product improvement. We use data to continually improve our products, including adding new features or capabilities. For example, we use error reports to improve security features, search queries and clicks in Bing to improve the relevancy of the search results, usage data to determine what new features to prioritize, and voice data to improve speech recognition accuracy.”
— — — — — — — — — — — — — — — –
Data Retention
Microsoft’s terms contain a section dedicated to data retention, but this section does not contain many specific commitments to deleting the data they hold within a clearly defined time frame. Two exceptions include search data (where they state that they remove IP addresses associated with searches after 6 months) and tracking of individual people using Microsoft services (where they say they remove cross-session identifiers after 18 months. While it is good to see some specific language, these deletion windows are broad to the point where they offer minimal privacy protection.
“Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types, the context of our interactions with you or your use of products, actual retention periods can vary significantly.
Other criteria used to determine the retention periods include:
- Do customers provide, create, or maintain the data with the expectation we will retain it until they affirmatively remove it? Examples include a document you store in OneDrive, or an email message you keep in your Outlook.com inbox. In such cases, we would aim to maintain the data until you actively delete it, such as by moving an email from your Outlook.com inbox to the Deleted Items folder, and then emptying that folder (when your Deleted Items folder is emptied, those emptied items remain in our system for up to 30 days before final deletion). (Note that there may be other reasons why the data has to be deleted sooner, for example if you exceed limits on how much data can be stored in your account.)
- Is there an automated control, such as in the Microsoft privacy dashboard, that enables the customer to access and delete the personal data at any time? If there is not, a shortened data retention time will generally be adopted.
- Is the personal data of a sensitive type? If so, a shortened retention time would generally be adopted.
- Has Microsoft adopted and announced a specific retention period for a certain data type? For example, for Bing search queries, we de-identify stored queries by removing the entirety of the IP address after 6 months, and cookie IDs and other cross-session identifiers that are used to identify a particular account or device after 18 months.
- Has the user provided consent for a longer retention period? If so, we will retain data in accordance with your consent.
- Is Microsoft subject to a legal, contractual, or similar obligation to retain or delete the data? Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation, or data retained for the purposes of litigation. Conversely, if we are required by law to remove unlawful content, we will do so.”
— — — — — — — — — — — — — — — –
Skype-specific terms
Microsoft’s terms contain a section dedicated specifically for the consumer version of Skype. These terms are included below in their entirety, with commentary included on specific sections of these terms.
People using Skype as part of a business are directed to the “Enterprise and developer” products section. The “Enterprise and developer” products section is also covered below, but the separation between what is covered under the consumer terms and what meaningful differences exist in the “Enterprise and developer” terms is not clear.
“Skype lets you send and receive voice, video, SMS, and instant message communications. This section applies to the consumer version of Skype; if you are using Skype for Business, see the Enterprise and developer products section of this privacy statement.”
Microsoft’s terms clearly state that they track who people speak with, and when people speak with them. Given that other parts of Microsoft’s terms describe potential location tracking, it is possible that Microsoft knows where people are when they are using Skype, in addition to whom they meet with, and for how long.
“As part of providing these features, Microsoft collects usage data about your communications that includes the time and date of the communication and the numbers or user names that are part of the communication.
Skype profile. Your Skype profile includes information you provided when you set up a Microsoft account. To enable other people to find you on Skype (or products that interact with Skype, such as Skype for Business), depending on your profile settings, your Skype profile is included in the Skype public search directory and may be recommended to other users. Your profile includes your user name, avatar, and any other data you choose to add to your profile or display to others.”
The consumer version of Skype, by default, harvests all contacts stored in Outlook or other Microsoft Services. The terms also state that Skype will check other address books and harvest contacts if given the opportunity. It is unclear how consent is given or withdrawn. It is also unclear whether or not if consent is withdrawn whether or not harvested contacts will be deleted. Given that Microsoft Services are tied together with a Live login, this potentially means that if a person makes a decision to synch contacts (or makes a mistake, and accidentally synchs contacts) then the contacts could be collected and shared across all Microsoft services.
“Skype Contacts. If you use a Microsoft service, such as Outlook.com, to manage contacts, Skype will automatically add the people you know to your Skype contact list until you tell us to stop. With your permission, Skype will also check your device or other address books to automatically add your friends as Skype contacts. You can block users if you don’t want to receive their communications.”
The language in this paragraph provides some insight into how much a “Group Manager” can see about the activity of people within a group. People who are using Skype as part of a group should be aware that managers have the ability to track their usage. Managers running groups should take additional steps (like using strong passwords, using a password manager, and/or using multi-factor authentication) to protect their accounts.
“Skype Manager. Skype Manager lets you manage a group’s (such as your family’s) Skype usage from one central place. When you set up a group, you will be the Skype Manager Administrator and can see the patterns of usage, including detailed information, like traffic data and details of purchases, of other members of the group who have consented to such access. If you add information like your name, other people in the group will be able to see it. Members of the group can withdraw consent for Skype Manager by visiting their Skype account page.”
This is interesting language, and it’s not clear whether or not this poses any actual threat or not, but it’s worth noting that if a phone manufacturer uses a third party service for notifications that claims any rights to data processed for notifications, this could leak data. It’s also worth noting that if this is an issue with Skype, it would also be an issue with any other app on the phone using the third party service for notifications. The safest option here if you are using Skype on your phone is to disable notifications.
“Push notifications. To let you know of incoming calls, chats, and other messages, Skype apps use the notification service on your device. For many devices, these services are provided by another company. To tell you who is calling, for example, or to give you the first few words of the new chat, Skype has to tell the notification service so that they can provide the notification to you. The company providing the notification service on your device will use this information in accordance with their own terms and privacy policy. Microsoft is not responsible for the data collected by the company providing the notification service. If you don’t want to use the notification services for incoming Skype calls and messages, turn it off in the settings found in the Skype application or your device.”
If a real time translation feature is offered, it generally indicates at least two things:
1. AI is used to process the real time translation; and
2. Human review of your call and the translation (where a person listens to snippets of your call and spot checks the accuracy of the translation) could be happening as part of quality review.
“Translation features. To help you communicate with people in different languages, some Skype apps offer audio and/or text translation features. When you use translation features, your voice and text data are used to provide and improve Microsoft speech recognition and translation services.”
Because any videoconference can be recorded and/or shared, participants should have clear notice if a host is recording a call, and if a host is recording a call then the host should know how to store files safely. The most privacy protective option is to not record videoconferences, and if a participant is unsure about whether or not a videoconference is being recorded, they should err on the side of caution and assume that the call is recorded.
“Recording features. Some versions of Skype have a recording feature that allows you to capture and share all or part of your audio / video call. The recording will be stored and shared as part of your conversation history with the person or group with whom the call occurred. You should understand your legal responsibilities before recording any communication. This includes whether you need to get consent from all parties to the communication in advance. Microsoft is not responsible for how you use your recordings or the recording features.”
People should be aware that any time they interact with a bot, the bot could be collecting information. Even though the bot appears in Skype, the bot could be provided by a third party and collecting information under a completely different privacy policy.
“Skype bots. Bots are programs offered by Microsoft or third parties that can do many useful things like search for news, play games, and more. Depending on their capabilities, bots may have access to your display name, Skype ID, country, region, language, and any messages, audio, video, or content that you share with the bot. Please review the bot profile and its privacy statement before engaging in a one-to-one or group conversation with a bot. You can delete a bot that you no longer wish to engage with. Prior to adding a bot to a group, please ensure that your group participants have consented to their information being shared with the bot.”
Recommendations based on text and interactions suggest that there is automated processing of interactions, and possibly use of a behavioral profile for an end user, that powers these recommendations.
“Recommendations in Skype. Subject to availability, Skype may offer suggestions to help you manage your time, tasks, find information and get things done. For example, Skype may provide contextual prompts to create reminders or suggest you create a task using Microsoft services.This data may also be used to improve Microsoft products.”
Similar to real time translation, any time a captioning feature is offered, it generally indicates at least two things:
1. AI is used to process the real time captioning; and
2. Human review of your call and the captions (where a person listens to snippets of your call and spot checks the accuracy of the captions) could be happening as part of quality review.
“Captioning. Certain Skype features include accessibility functionality such as captioning. During Skype calls, a call participant can activate a voice-to-text feature, which allows the user to view the audio chat as text. If a user activates this feature, other call participants will not receive a notification. Microsoft uses this voice and text data to provide captioning of audio for users.”
— — — — — — — — — — — — — — — –
Using Skype as part of Microsoft for Business
Microsoft’s language around who controls data — and therefore who has responsibility for that data — when a company uses Microsoft’s Enterprise offerings is dense, and not especially clear.
“To provide the Enterprise Online Services, Microsoft uses data you provide (including Customer Data, Personal Data, Administrator Data, Payment Data, and Support Data) and data Microsoft collects or generates associated with your use of the Enterprise Online Services. We process data as described in the Online Services Terms (OST) and the Microsoft Trust Center.”
The descriptions of “data controller” and “data processor” are directly relevant for GDPR, and also help us understand how Microsoft views their role in managing the data they collect and control. Unfortunately, their definitions here are not as clear as they need to be, and as a result it is difficult to get any precise sense of who has legal control of data collected and held by Microsoft. Microsoft generally claims to be a processor of the data they hold (except for the large number of reasons that they state gives them the right to use the data, including for “improving core functionality”); however, given that Microsoft claims broad rights to use the data they hold and the customer (who is theoretically the controller) has no immediately visible right to object to certain types of processing, it’s difficult to see the consistency and the logic behind Microsoft’s definition of how they are a data processor.
“Personal Data. Customer is the controller of Personal Data and Microsoft is the processor of such data, except when (a) Customer acts as a processor of Personal Data, in which case Microsoft is a subprocessor, (b) Microsoft is processing Personal Data for its legitimate business operations, in which case Microsoft is a controller, or © stated otherwise in the OST. Microsoft is a controller of Personal Data when processing Personal Data for its legitimate business operations associated with providing the service, such as billing and preparing invoices; account management; compensation; financial reporting; business planning and product strategy; improving core functionality for accessibility, privacy, and energy efficiency; and combatting fraud, cybercrime, and cyberattacks on Microsoft products. We generally aggregate Personal Data before using it for our legitimate business operations, removing the ability to identify specific individuals. We use personal data in the least identifiable form that will support processing necessary for legitimate business operations.”
— — — — — — — — — — — — — — — –
NOTE: These details were included in an earlier draft, but were cut for reasons of brevity and clarity. However, after feedback, it was recommended that these details were included. END NOTE
Microsoft’s terms highlight that if your organization provides you with Microsoft services, additional terms might apply, and they point you to the “Enterprise and Developer Products” section.
If you represent an organization, such as a business or school, that utilizes Enterprise and Developer Products from Microsoft, please see the Enterprise and developer products section of this privacy statement to learn how we process your data. If you are an end user of a Microsoft product or a Microsoft account provided by your organization, please see the Products provided by your organization and the Microsoft account sections for more information.
The “Enterprise and Developer Products” section links to an overview page with multiple sections. This page is shown in full below.
Each section contains informational downloads, many in MS Word format. The English version of the Product Terms is 138 pages long, and contains information about various Microsoft product offerings. The document contains multiple tables; the table shown below contains some information about Skype.
The English version of the Online Services Terms checks in at a trim 35 pages, and includes additional information and definitions, including the table pictured below.
Even if a regular user found the link to the Product Overview page, and even if this regular user found the link to the correct information sheet, the chances that they could pull meaningful information about their rights are slim. Additionally, many of these data sheets appear to be updated monthly.
