Data privacy risks of buying / using Microsoft Office 2016

Impetus · 01-10-2015 6:54pm #1

I purchased a copy of Office 2016 yesterday from an Irish Microsoft re-seller. The sale was a download software purchase for the software "suite" that resides on one’s PC, the download info and links for which was sent to the same email address as I used to place the order with the reseller.

I avoid using the cloud based option (365) which involves Microsoft provided storage and processing of one’s data (who knows where it will be stored and transferred to or who will have access to same?).

It seems strange to me that Microsoft is pushing the cloud version of Office so heavily, (offering lower cost and more features than the conventional software version run on a PC). And the cost of cloud services must be higher than software running on client PCs. Accordingly I suspect the company’s motives even more.

I have my own (paid for) email server, which email address was used in correspondence with the Irish re-seller when ordering the product. On this occasion I was forced, as usual, to use a Microsoft Live account after signing-in with my normal email address and the Microsoft supplied password.

Despite having the correct email address and password (for the Live.com account) from a previous software activation, the system asked for lots of personal information, in my view needlessly, given that I had purchased the license a few hours earlier, from the same IP number. I do not use Live.com email for anything else – I wouldn’t touch “free” email, especially from a US source, with a barge pole. The information demanded included:

First name, last name, data of birth (format specified), place of my birth, place of mother’s birth (both are an unlawful question under Sec 3 Article 8 of EU privacy directive 95/46/EC** in that it would tend to reveal my ethnic origin), other passwords I use, subject header info of recent emails I sent (does Microsoft have access to NSA database of email metadata?), names of folders I have created for email, email address of contacts I have recently sent emails to, Xbox Live prepaid card number, the name on my credit card, card number, expiry date (month and year), etc.

I was instructed to submit the form from a computer “I frequently use” – which makes me think that Microsoft has embedded some serial number or other ID in systems running Microsoft software (eg Windows), and warned to use the “correct domain” for the email accounts I provide them with.

This information is totally un-necessary to confirm that I purchased a copy of Office from a Microsoft dealer. Emailing me using my email address of choice, with a user-id and password, following receipt of the funds, and requiring me to use these data to perform the download is more than enough security. In addition, if they needed, I would have no problem clicking on a specific URL with a long hash as part of the download procedure. Microsoft after all pushed the email link to me – I did not initiate the event by attempting a download from Microsoft’s site on my own bat. They pushed the download link because they received funds from the dealer. My parentage, or date of birth or where I live is none of their business. It is not necessary for the transaction to be completed securely.

The request of these data by Microsoft are in breach of Sec 3 (a) 1 c of Irish Data Protection Law 6 of 2003* – especially sub-section (iii) “shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed”, and (i) “shall have been obtained only for one or more specified, explicit and legitimate purposes”. One wonders if Microsoft (and similar entities) make more money from providing data on customers to US government agencies than they do directly from the customer. I shopped around before buying this product, and found it sold at a cheaper price from dealers based in other EU countries – including Amazon.de, Amazon.fr, Amazon.co.uk etc. The Irish re-seller sold it at the same price as on the Microsoft Store. A cosy monopoly, but that is another story.

I cancelled the order and demanded a refund, for what appears to me to be spyware, even before it is installed.

* http://www.irishstatutebook.ie/eli/2003/act/6/enacted/en/pdf

**http://tinyurl.com/dataprivacydirective

anvilfour · 04-10-2015 1:48pm

Well done Impetus,

I understand that it's not possible for everyone simply to use OpenOffice or LibreOffice. Also the free online versions of MS Office programs have privacy concerns although I have never tried to use them offline and download completed documents to my computer!

Perhaps it would be best for those people who have to use MS Office to try buying an older version e.g Office 2010 on DVD. Alternatively, the Windows tablet I ordered for a friend a few months ago, came bundled with a 12 month Office 365 subscription, so maybe you could get it that way?

Impetus · 04-10-2015 4:15pm

anvilfour wrote: »

Well done Impetus,

I understand that it's not possible for everyone simply to use OpenOffice or LibreOffice. Also the free online versions of MS Office programs have privacy concerns although I have never tried to use them offline and download completed documents to my computer!

Perhaps it would be best for those people who have to use MS Office to try buying an older version e.g Office 2010 on DVD. Alternatively, the Windows tablet I ordered for a friend a few months ago, came bundled with a 12 month Office 365 subscription, so maybe you could get it that way?

Why should those of us who are concerned about professional and/or personal privacy have to rely on out of date software, in some unprovable hope that things will be more secure? Microsoft Office has a monopoly – especially for people who have to interchange their documents with others or other systems (eg writers). One doesn’t want to spend a year writing a book on out of date or open source software, where the publisher or publishing system (eg Create Space or similar) needs 100% compatible Microsoft Office files. There is also the issue of computer security – newer versions of office tend to have fixes for issues that remain unpatched in older versions of the product. These patches can be critical where people share .doc and Excel files for example, as without them, malware can be spread from machine to machine.

Microsoft Office is a de-facto unregulated monopoly. The EU competition or data privacy authorities have done little or nothing to fix the issue. Microsoft is abusing its monopoly in an attempt in this instance to collect personal information. Information that it not essential to the task at hand.

Similar issues apply to Windows 10 with its Facebook like 13 pages of privacy settings. The default settings in virtually every case are against the customer’s interests. Even if you switch off all the id numbering “services”, it is my understanding that Windows 10 still sends one ID number to Microsoft. For this reason I don’t use Windows 10. Again no action against Microsoft from the dozy Bureaucrats in Brussels!

There is also the issue of software updates and patches which can be installed without the users’ knowledge at any time. From time to time one finds on close examination that these patches restore the privacy settings to the manufacturers’ defaults - totally ignoring the client's settings.

This is yet another instance of the US pushing its legal system via a backdoor on the EU, using companies like Microsoft (funded presumably by the undisclosed, bottomless pit budgets of 3 letter organisations like the NSA). Not unlike the US IRS form W-8BEN-E* that Irish people (and other Europeans, Asians etc) and companies have to complete to open bank accounts with Irish and other European and Asian banks – people who have no relationship with the USA, aside perhaps from being a tourist there once or twice.

Irish data privacy law is deficient in not enforcing a limit on the kind of data that an entity seeks from someone who is financially committed to a system (eg having bought software) to activate or fix or use the system). Allowing Microsoft to continue in this direction (it gets more intrusive every year) is political and administrative corruption.

Ireland could do with a high profile certification/licensing system for software and cloud services providers, which involves periodic random inspection of systems. It could cover such areas as data collection from victim clients, ring-fencing data storage (ie copying data to locations outside the EU is a no-no), verification of software updates and patches to ensure that they do not tamper with user settings without their explisit agreement, etc. A requirement that any data transfers outside the EU require either the consent of all parties (in writing - NO shrink-wrap or "click agree to proceed" type arrangements) or a court order from an Irish court, and the data victim should be a compulsory notice party to the legal proceedings. Companies could be scored perhaps given ratings from A+++ to F. Should Microsoft or anybody else break the rules, the ultimate sanction might include fines, and removal of their data security rating. The system might initially be voluntary - global companies who want to demonstrate to their global customer base that their data is safely managed would be motivated to sign-up - and would have nothing to hide. The question could be put to companies who did not sign up, why not? This legal infrastructure could also apply to hardware (eg internet of things), and apps / app stores.

In relation to apps, (which are a massive data privacy risk in themselves), the app publisher would have to publish justification behind each data element it proposed to have access to on the client device.

The certification could perhaps be operated by a division of nsai.ie - similar to an ISO standard. The ingredients and methodology could be compiled using a consultation website which would allow the public to comment and advance ideas which would be brought into the security standard definition.

Abuse of privacy is a major disincentive to buying goods and services. Certified compliance with well defined, independent security standards could be a major selling point. It might even lead to unseating the corrupt established players in the IT space.

anvilfour · 05-10-2015 8:17am

Impetus wrote: »

Why should those of us who are concerned about professional and/or personal privacy have to rely on out of date software, in some unprovable hope that things will be more secure? Microsoft Office has a monopoly – especially for people who have to interchange their documents with others or other systems (eg writers). One doesn’t want to spend a year writing a book on out of date or open source software, where the publisher or publishing system (eg Create Space or similar) needs 100% compatible Microsoft Office files. There is also the issue of computer security – newer versions of office tend to have fixes for issues that remain unpatched in older versions of the product. These patches can be critical where people share .doc and Excel files for example, as without them, malware can be spread from machine to machine.

Microsoft Office is a de-facto unregulated monopoly. The EU competition or data privacy authorities have done little or nothing to fix the issue. Microsoft is abusing its monopoly in an attempt in this instance to collect personal information. Information that it not essential to the task at hand.

Similar issues apply to Windows 10 with its Facebook like 13 pages of privacy settings. The default settings in virtually every case are against the customer’s interests. Even if you switch off all the id numbering “services”, it is my understanding that Windows 10 still sends one ID number to Microsoft. For this reason I don’t use Windows 10. Again no action against Microsoft from the dozy Bureaucrats in Brussels!

There is also the issue of software updates and patches which can be installed without the users’ knowledge at any time. From time to time one finds on close examination that these patches restore the privacy settings to the manufacturers’ defaults - totally ignoring the client's settings.

This is yet another instance of the US pushing its legal system via a backdoor on the EU, using companies like Microsoft (funded presumably by the undisclosed, bottomless pit budgets of 3 letter organisations like the NSA). Not unlike the US IRS form W-8BEN-E* that Irish people (and other Europeans, Asians etc) and companies have to complete to open bank accounts with Irish and other European and Asian banks – people who have no relationship with the USA, aside perhaps from being a tourist there once or twice.

Irish data privacy law is deficient in not enforcing a limit on the kind of data that an entity seeks from someone who is financially committed to a system (eg having bought software) to activate or fix or use the system). Allowing Microsoft to continue in this direction (it gets more intrusive every year) is political and administrative corruption.

Ireland could do with a high profile certification/licensing system for software and cloud services providers, which involves periodic random inspection of systems. It could cover such areas as data collection from victim clients, ring-fencing data storage (ie copying data to locations outside the EU is a no-no), verification of software updates and patches to ensure that they do not tamper with user settings without their explisit agreement, etc. A requirement that any data transfers outside the EU require either the consent of all parties (in writing - NO shrink-wrap or "click agree to proceed" type arrangements) or a court order from an Irish court, and the data victim should be a compulsory notice party to the legal proceedings. Companies could be scored perhaps given ratings from A+++ to F. Should Microsoft or anybody else break the rules, the ultimate sanction might include fines, and removal of their data security rating. The system might initially be voluntary - global companies who want to demonstrate to their global customer base that their data is safely managed would be motivated to sign-up - and would have nothing to hide. The question could be put to companies who did not sign up, why not? This legal infrastructure could also apply to hardware (eg internet of things), and apps / app stores.

In relation to apps, (which are a massive data privacy risk in themselves), the app publisher would have to publish justification behind each data element it proposed to have access to on the client device.

The certification could perhaps be operated by a division of nsai.ie - similar to an ISO standard. The ingredients and methodology could be compiled using a consultation website which would allow the public to comment and advance ideas which would be brought into the security standard definition.

Abuse of privacy is a major disincentive to buying goods and services. Certified compliance with well defined, independent security standards could be a major selling point. It might even lead to unseating the corrupt established players in the IT space.

Hi Impetus,

I agree with much of what you say, however I really don't see why you can't use an open source alternative like Libre Office which can open Microsoft Word, Excel and Powerpoint documents - the only times I've had issues with these over vanilla office was when trying to play an embedded flash video in a Powerpoint presentation.

Also if you are really so concerned about Microsoft's monopoly, why not break it (for you at least) by switching to an open source, non proprietary Operating System like Linux?

Apart from when I popped into an internet cafe a couple of times last year I have not used Windows for 10+ years now and yet still am able to manage my finances with an Excel spreadsheet, manage my various e-mail addresses through use of Mozilla Thunderbird and even have published a book.

I do not think that more legislation/regulation of major software providers would help as much as people voting with their feet - if you don't want to use Microsoft products because they are invasive of your privacy then you have a choice not to buy them!

anvilfour · 05-10-2015 8:20am

In the last analysis, if you're using closed source proprietary software, what kind of legislation or guarantee would be enough to satisfy you there was no undiscovered security flaw or worse a government mandated backdoor in the program? As such if you're truly privacy conscious, you need to avoid programs like that altogether - I admire your tenacity but I don't think the NSA or other shadowy government organisations will play by the rules.

Impetus · 05-10-2015 9:11am

anvilfour wrote: »

I do not think that more legislation/regulation of major software providers would help as much as people voting with their feet - if you don't want to use Microsoft products because they are invasive of your privacy then you have a choice not to buy them!

I am not so much suggesting the direct imposition of legislation (aside from current and forthcoming EU data privacy directives). I am suggesting a ISO type standard for privacy which looks at the entire installation and usage cycle of software, cloud services, apps etc. Companies that are certified to comply with the standard can publish the fact. Companies that don't comply with the standard would have questions to answer. I see it as a marketing advantage for Ireland and could be a marketing advantage for honest companies who want to do business globally. It would also make room for new entrants to the market to sell their offering on the merits of this aspect of quality of service.

The British company Experian (actually it is domiciled in Ireland - but is in substance GB based) had poor encryption standards apparently for data it managed for T-Mobile USA (and perhaps other / all Experian clients. As a result 15 million T-Mobile USA customers and potential customers had their personal information stolen recently. This suggests to me that any Irish "ISO standard" (or IS) should have various levels of security specified - depending on the size and value of data at risk. Some ISO standards are already in place (eg 27x standards). I am thinking in terms of knitting together best practice, and taking into account EU data privacy objectives (such as a minimum of information is asked for and stored) and combining that with laws that require court involvement and the "victim" being a notice party to same.

As for Word and Excel, there is no guarantee that Libra Office files are 100% identical - in terms of working with other people on the same document or working with systems. Libra Office can't work in real time over a network so that several people can compose the same document - showing real time updates on each client machine, for example. Office is a monopoly like the phone service used to be. That used to have regulation in terms of privacy demands, and perhaps pricing.

Impetus · 05-10-2015 9:18am

anvilfour wrote: »

In the last analysis, if you're using closed source proprietary software, what kind of legislation or guarantee would be enough to satisfy you there was no undiscovered security flaw or worse a government mandated backdoor in the program? As such if you're truly privacy conscious, you need to avoid programs like that altogether - I admire your tenacity but I don't think the NSA or other shadowy government organisations will play by the rules.

Of course they are not going to play by the rules. But we have moved from a stage or where one could buy Office and other software in a store, and install it on a PC to an intrusive registration process prior to install (where was your mother born stuff etc), "cloudification", etc. This is against freedom of speech, and takes us back to the Hitler way of running a country. "Big brother creep".

anvilfour · 05-10-2015 11:08am

Impetus wrote: »

Why should those of us who are concerned about professional and/or personal privacy have to rely on out of date software, in some unprovable hope that things will be more secure? Microsoft Office has a monopoly – especially for people who have to interchange their documents with others or other systems (eg writers). One doesn’t want to spend a year writing a book on out of date or open source software, where the publisher or publishing system (eg Create Space or similar) needs 100% compatible Microsoft Office files. There is also the issue of computer security – newer versions of office tend to have fixes for issues that remain unpatched in older versions of the product. These patches can be critical where people share .doc and Excel files for example, as without them, malware can be spread from machine to machine.

Microsoft Office is a de-facto unregulated monopoly. The EU competition or data privacy authorities have done little or nothing to fix the issue. Microsoft is abusing its monopoly in an attempt in this instance to collect personal information. Information that it not essential to the task at hand.

Similar issues apply to Windows 10 with its Facebook like 13 pages of privacy settings. The default settings in virtually every case are against the customer’s interests. Even if you switch off all the id numbering “services”, it is my understanding that Windows 10 still sends one ID number to Microsoft. For this reason I don’t use Windows 10. Again no action against Microsoft from the dozy Bureaucrats in Brussels!

There is also the issue of software updates and patches which can be installed without the users’ knowledge at any time. From time to time one finds on close examination that these patches restore the privacy settings to the manufacturers’ defaults - totally ignoring the client's settings.

This is yet another instance of the US pushing its legal system via a backdoor on the EU, using companies like Microsoft (funded presumably by the undisclosed, bottomless pit budgets of 3 letter organisations like the NSA). Not unlike the US IRS form W-8BEN-E* that Irish people (and other Europeans, Asians etc) and companies have to complete to open bank accounts with Irish and other European and Asian banks – people who have no relationship with the USA, aside perhaps from being a tourist there once or twice.

Irish data privacy law is deficient in not enforcing a limit on the kind of data that an entity seeks from someone who is financially committed to a system (eg having bought software) to activate or fix or use the system). Allowing Microsoft to continue in this direction (it gets more intrusive every year) is political and administrative corruption.

Ireland could do with a high profile certification/licensing system for software and cloud services providers, which involves periodic random inspection of systems. It could cover such areas as data collection from victim clients, ring-fencing data storage (ie copying data to locations outside the EU is a no-no), verification of software updates and patches to ensure that they do not tamper with user settings without their explisit agreement, etc. A requirement that any data transfers outside the EU require either the consent of all parties (in writing - NO shrink-wrap or "click agree to proceed" type arrangements) or a court order from an Irish court, and the data victim should be a compulsory notice party to the legal proceedings. Companies could be scored perhaps given ratings from A+++ to F. Should Microsoft or anybody else break the rules, the ultimate sanction might include fines, and removal of their data security rating. The system might initially be voluntary - global companies who want to demonstrate to their global customer base that their data is safely managed would be motivated to sign-up - and would have nothing to hide. The question could be put to companies who did not sign up, why not? This legal infrastructure could also apply to hardware (eg internet of things), and apps / app stores.

In relation to apps, (which are a massive data privacy risk in themselves), the app publisher would have to publish justification behind each data element it proposed to have access to on the client device.

The certification could perhaps be operated by a division of nsai.ie - similar to an ISO standard. The ingredients and methodology could be compiled using a consultation website which would allow the public to comment and advance ideas which would be brought into the security standard definition.

Abuse of privacy is a major disincentive to buying goods and services. Certified compliance with well defined, independent security standards could be a major selling point. It might even lead to unseating the corrupt established players in the IT space.

No one is denying that it would be possible to have some kind of regulatory authority for software - my point is that I don't think it's being very realistic to think that any legislation will prevent flaws in closed-source software from being exploited. You'd also have no way of knowing there isn't a backdoor.

Don't you think if you're truly interested in privacy it might be best to avoid Microsoft products altogether?

anvilfour · 05-10-2015 11:13am

Impetus wrote: »

I am not so much suggesting the direct imposition of legislation (aside from current and forthcoming EU data privacy directives). I am suggesting a ISO type standard for privacy which looks at the entire installation and usage cycle of software, cloud services, apps etc. Companies that are certified to comply with the standard can publish the fact. Companies that don't comply with the standard would have questions to answer. I see it as a marketing advantage for Ireland and could be a marketing advantage for honest companies who want to do business globally. It would also make room for new entrants to the market to sell their offering on the merits of this aspect of quality of service.

The British company Experian (actually it is domiciled in Ireland - but is in substance GB based) had poor encryption standards apparently for data it managed for T-Mobile USA (and perhaps other / all Experian clients. As a result 15 million T-Mobile USA customers and potential customers had their personal information stolen recently. This suggests to me that any Irish "ISO standard" (or IS) should have various levels of security specified - depending on the size and value of data at risk. Some ISO standards are already in place (eg 27x standards). I am thinking in terms of knitting together best practice, and taking into account EU data privacy objectives (such as a minimum of information is asked for and stored) and combining that with laws that require court involvement and the "victim" being a notice party to same.

As for Word and Excel, there is no guarantee that Libra Office files are 100% identical - in terms of working with other people on the same document or working with systems. Libra Office can't work in real time over a network so that several people can compose the same document - showing real time updates on each client machine, for example. Office is a monopoly like the phone service used to be. That used to have regulation in terms of privacy demands, and perhaps pricing.

It's an interesting idea Impetus and I hate to rain on your parade but so long as we're using proprietary software how would we have a way of knowing that they were living up to their promises?

As for the files being 100% identical, it's true they won't be but for all practical intents and purposes they're fine - I have worked on loads of projects when I was at Uni using OpenOffice/LibreOffice and only had one issue with Powerpoint as outlined above (later found out there is a workaround for this).

You're right in saying that Microsoft do have an excellent way to collaborate on documents but they are by no means the only poker game in town, what about gobby, EtherPad and EtherCalc?

Impetus · 05-10-2015 2:34pm

>>>>It's an interesting idea Impetus and I hate to rain on your parade but so long as we're using proprietary software how would we have a way of knowing that they were living up to their promises?

Nobody is going to get the “FullZ” (to use a hacking term) on my personal Id info to sell me a software package or anything else.

In the past one could buy this software with relative anonymity and install it on a PC etc. There is a creeping invasiveness about forcing download only delivery and “promoting” cloud services where Microsoft wants to store your documents in “its cloud”. No thank you. I am simply drawing attention to the pathway that software is taking, and the abusive conduct by companies such as Microsoft when it comes to processing sales and providing customer service. It smells of “we can, therefore we will”.

Whether or not you can exchange files between Word and say Libra Office depends on the nature of the document – eg if you are working on a 600 page book with tables and charts and high resolution elements, the word .doc file will almost certainly look different when output via Libra or any other alternative.

beauf · 05-10-2015 2:55pm

Data grabbing is now common for everything. Buy a pint of milk and they was to sign you up to a loyalty card to get your data. Had a problem with a phone company the other day, they wanted 9 bits of information before they'd talk to me. Worlds gone mad. Sign up to Windows 10 and to set up your kids family safety they all now need emails, and each email need a whole bunch of data. Use any social media application, or messaging apps, or media, or email and they grab any personalised data from your contacts indeed anything they can grab.

Its a self sustaining symbiotic relationship. To pay for the development and maintenance of these services, they need the data to sell. The services aren't free, you pay with your data.

Its the same with all websites also.

beauf · 05-10-2015 2:56pm

You can choose to not use these services and websites but its getting harder to do so.

anvilfour · 05-10-2015 4:30pm

Impetus wrote: »

>>>>It's an interesting idea Impetus and I hate to rain on your parade but so long as we're using proprietary software how would we have a way of knowing that they were living up to their promises?

Nobody is going to get the “FullZ” (to use a hacking term) on my personal Id info to sell me a software package or anything else.

In the past one could buy this software with relative anonymity and install it on a PC etc. There is a creeping invasiveness about forcing download only delivery and “promoting” cloud services where Microsoft wants to store your documents in “its cloud”. No thank you. I am simply drawing attention to the pathway that software is taking, and the abusive conduct by companies such as Microsoft when it comes to processing sales and providing customer service. It smells of “we can, therefore we will”.

Whether or not you can exchange files between Word and say Libra Office depends on the nature of the document – eg if you are working on a 600 page book with tables and charts and high resolution elements, the word .doc file will almost certainly look different when output via Libra or any other alternative.

I admire your tenacity Impetus... I must confess I wrote my own book entirely using OpenOffice- the template was available in Word format and I went from there. I agree there are potential issues with layout but I haven't seen any so far.

The main obstacle you have to overcome isn't so much a loss of quality by using an office suite like Libre so much as the fact you have to learn all over again how you used to do everything.

I don't mean to sound critical it just astonishes me that given how committed you are to keeping your data safe you wouldn't just stick to using Free and Open Source Software!

Impetus · 05-10-2015 6:54pm

anvilfour wrote: »

I admire your tenacity Impetus... I must confess I wrote my own book entirely using OpenOffice- the template was available in Word format and I went from there. I agree there are potential issues with layout but I haven't seen any so far.

The main obstacle you have to overcome isn't so much a loss of quality by using an office suite like Libre so much as the fact you have to learn all over again how you used to do everything.

I don't mean to sound critical it just astonishes me that given how committed you are to keeping your data safe you wouldn't just stick to using Free and Open Source Software!

I do use open source software - where appropriate. All my servers are running open source Linux, Apache, MySQL, PHP, as well as Drupal, Lime Survey, etc. etc. In a professional services company you can have many people working on a complex document, and there is no alternative to the Word monopoly for real-time collaboration. I could go on about spreadsheets auto-updating from the web where open source does not cut ice.

anvilfour · 06-10-2015 8:13am

Impetus wrote: »

I do use open source software - where appropriate. All my servers are running open source Linux, Apache, MySQL, PHP, as well as Drupal, Lime Survey, etc. etc. In a professional services company you can have many people working on a complex document, and there is no alternative to the Word monopoly for real-time collaboration. I could go on about spreadsheets auto-updating from the web where open source does not cut ice.

We have already discussed Gobby which is a collaborative editor as well as EtherPad and OnlyOffice which is a fully featured office suite, all of which I have used, small sample here:

You seem very sure that nothing can hold a candle to Microsoft Word for working collaboratively on a document and yet you have plenty of alternatives - I have also used Google Docs in the past which is excellent although naturally you'd need a gmail address for this. Has advanced features though for inserting tables/images, all your usual stuff.

I think we have already tacitly agreed that if you're really concerned about your privacy than closed source software is off limits, perhaps rather than try to campaign for greater regulation (which we know is futile), it might be better to look at some open source alternatives which will serve your needs better?

I collaborate on documents all the time with my colleagues and friends without using MS Office!

Update : My August colleague has reminded me that to use the online version of OnlyOffice you do need to register but it is possible to install a version on your own server.

Impetus · 06-10-2015 9:29am

I hadn’t heard of Ether Pad – thanks for reminding us. It will probably work for some / many collaborative tasks. But I don’t know of any large publisher or publishing system (like https://www.createspace.com) that accepts anything but Word or PDFs authored on Word.

In terms of Microsoft Office I want to install it (the suite) on a workstation notebook which I can take and use on aircraft, in trains, in offices, at home wherever. The installation process forces you to use a Microsoft email account (eg live.com or Outlook.com). When I enter the correct user-id and password (which it accepts as being correct), it demands all the personal information listed earlier in this thread (in a “to make sure it is really, really, me”) mode. I refuse to answer these questions and provide these private data to Microsoft.

Look at all the large scale hacks going on - each often involving hundreds of millions of users' data. At most they offer one year of "monitoring" to victims - which is useless. Your unalterable personal facts are out in the world to be used by any criminal who has the resources to do so. Companies don't seem to learn from being hacked either. Experian was hacked last year - and hacked again this year (because they were using defective encryption - or so it appears). Minimalism of data exposure is the only solution to mitigate the risks. This is why I was against the idea of assigning a unique Eircode to each household and business. Because it could be used as the basis of joining pieces of data coming from various (minimalised) sources to create a large jigsaw on each persons' personal info. This is one of the reasons why no other country in the Western world uses unique per house or per person "postcodes".

My argument is not about alternatives – my argument is about the breach of existing data privacy legislation by Microsoft which is going on ad infinitum. And seems to me to be getting more intrusive on each new version of each Microsoft product. (Compare Win 7 with Win 10 with its 13 pages of privacy switches that it seems to ignore in any case in the case of at least one ID code). (Source Steve Gibson www.grc.com).

anvilfour · 06-10-2015 1:12pm

Impetus wrote: »

I hadn’t heard of Ether Pad – thanks for reminding us. It will probably work for some / many collaborative tasks. But I don’t know of any large publisher or publishing system (like https://www.createspace.com) that accepts anything but Word or PDFs authored on Word.

My own book was authored by Lulu who have templates you can download into OpenOffice and LibreOffice? Are you sure CreateSpace doesn't allow you to open and edit documents in OpenOffice? A quick google shows quite a few people have - you are aware both Apache OpenOffice and LibreOffice allow you to save in Microsoft formats as well as open the documents?

In terms of Microsoft Office I want to install it (the suite) on a workstation notebook which I can take and use on aircraft, in trains, in offices, at home wherever. The installation process forces you to use a Microsoft email account (eg live.com or Outlook.com). When I enter the correct user-id and password (which it accepts as being correct), it demands all the personal information listed earlier in this thread (in a “to make sure it is really, really, me”) mode. I refuse to answer these questions and provide these private data to Microsoft.

I agree that you shouldn't provide data to Microsoft. I just wonder if you choose to use proprietary software with potential backdoors/security holes that perhaps the battle is already over for privacy and providing your e-mail address too makes little difference.

Impetus · 06-10-2015 2:59pm

anvilfour wrote: »

My own book was authored by Lulu who have templates you can download into OpenOffice and LibreOffice? Are you sure CreateSpace doesn't allow you to open and edit documents in OpenOffice? A quick google shows quite a few people have - you are aware both Apache OpenOffice and LibreOffice allow you to save in Microsoft formats as well as open the documents?

I agree that you shouldn't provide data to Microsoft. I just wonder if you choose to use proprietary software with potential backdoors/security holes that perhaps the battle is already over for privacy and providing your e-mail address too makes little difference.

Please don't miss the point. Microsoft is building up a wide-spectrum global database of personal information. Microsoft has no right to do this under EU law. They can sell me software without knowing where my mother was born or my date of birth or anything else of my FullZ. Sure they can put back doors into software - but if European law is properly and rigorously enforced their executives will be subject to arrest when they land in Europe. And their European managers will have their own concerns about breaking their national laws in being complicit with their US colleagues. This thread is about information security. Not using open source or anything else. I have nothing against open source - in the same way as I am just as happy to pay for a jumper with cash or a payment card. But the right is mine to decide which method of payment I use and which shop I buy it at. And if the colours run in the jumper destroying my clothes during a shower, I have a right of action against the supplier and probably the manufacturer directly or indirectly for supplying a negligently died garment.

beauf · 06-10-2015 4:25pm

There's a definite shift to all functionality resulting in some data grab or other. In that its increasingly impossible to use services without, providing an increasing amount of identifiable data.

anvilfour · 07-10-2015 11:29am

Impetus wrote: »

Please don't miss the point. Microsoft is building up a wide-spectrum global database of personal information. Microsoft has no right to do this under EU law. They can sell me software without knowing where my mother was born or my date of birth or anything else of my FullZ. Sure they can put back doors into software - but if European law is properly and rigorously enforced their executives will be subject to arrest when they land in Europe. And their European managers will have their own concerns about breaking their national laws in being complicit with their US colleagues. This thread is about information security. Not using open source or anything else. I have nothing against open source - in the same way as I am just as happy to pay for a jumper with cash or a payment card. But the right is mine to decide which method of payment I use and which shop I buy it at. And if the colours run in the jumper destroying my clothes during a shower, I have a right of action against the supplier and probably the manufacturer directly or indirectly for supplying a negligently died garment.

With respect, I don't feel we have strayed from the point at all. This is indeed the Information Security forum so why would you be using something which doesn't keep your information secure? You have a choice, use free and open source software if you want to remain anonymous, there are some excellent alternatives to Microsoft, simples!

beauf · 07-10-2015 12:03pm

MS won't stop doing this until people stop using it.

But in fairness to MS, they see how Google are doing the same thing and are even more popular. They just want a slice of that pie.

anvilfour · 07-10-2015 12:48pm

beauf wrote: »

MS won't stop doing this until people stop using it.

But in fairness to MS, they see how Google are doing the same thing and are even more popular. They just want a slice of that pie.

Well said beauf, I think perhaps part of the problem is that people aren't aware of the alternatives and particularly when you consider that many Google apps come preinstalled on Smartphones, they probably don't bother to think about the implications for their privacy.

I'd love Microsoft to start being open, publishing their code for review, promptly closing security flaws and refusing to put in backdoors for law enforcement but until they do, I honestly don't think there's much point quibbling about giving them your Mother's maiden name too.

Impetus · 07-10-2015 6:04pm

While I don’t have much time for Google, at least most of the services are “free” at the point of use. You knowingly pay in terms of (usually anonymously) sharing your search history. (Unless you use gmail – which goes down the path of serious infiltration of identity and mixing in phone numbers where the company can get away with it). You can get the Blackphone 2 if you want to use Android with the ability of apps to leak personal information nipped in the bud.

Microsoft charges quite a high price for its Office software, which puts the company in a different category. The price of free services is “you are the product”. The price of paid for services should be the €€€ you spend, and only that. Microsoft is trying to have the bread buttered on both sides. Making each customer a potential victim in “Five-Eye-land”.

The EU has this stupid, time wasting, repetitive, spammy, website consent to cookies which virtually every site has stupidly implemented – for max stupidity and in your face-ness check out http://www.eirgrid.com/operations/systemperformancedata/windgeneration/ or most other government websites.

If instead, the EU developed a standard icon to be displayed by companies like Google (eg an outline of an eye with the “€” on a layer on top), where clicking on the icon brought up an explanation of how this “free service” or app is funded from your personal information, we might have some progress. The icon symbol could be discrete – and yet informative to anyone clicking on same.

And for the record it is not “your mother’s maiden name” that worries me – it is her and your places of birth and DoB. The sort of questions the intelligence agencies like to ask.

beauf · 07-10-2015 8:13pm

The Blackphone 2 is $799 about £525. Thats not going to be an option for most people. But there are cheaper ways, you can set up a phone with a dummy account, then additional email from other providers, on some phones allowing you to keep your data seperate. There are other techniques like that. But its no simple and the non technical people are not going to be able to do that.

I don't really get your point about being free. It in no way negates the data grab that google or the targeting advertising it drives from it. Or the risk that you can be cut off your account at googles whim.

Google Docs in no way similar to MS Office. Many people might use 5% of MS Office. But that doesn't mean the other 95% isn't of value to those that use it to the full. There is in many situations simply nothing else that can do what it can do. Especially if there is a lot of VBA/Automation experience in a organisation.

Paying money for services, software doesn't automatically mean it exempts the use from these data grabs. Certainly not the case for Microsoft recent products and probably not for others. If you watch dragons den its quite noticeable how often they show vastly more interest in the data a product/website acquires, than they do the actual product.

I had a technical query the other say with my phone provider. They required, 9 bits of personal data before they would even talk to me. Interestingly they use the information from their forum, to validate the account, not the account details itself. So even though internally their data silo's are cross linked with each other, those links contain errors. If you do things like spell your name or address slightly differentl, use different email accounts, for different things. You can track where the information is being shared.

Its a different world...

Impetus · 07-10-2015 9:48pm

beauf wrote: »

I don't really get your point about being free. It in no way negates the data grab that google or the targeting advertising it drives from it. Or the risk that you can be cut off your account at googles whim.

It is not the issue of being "free". It is the illusion of "free" that I am trying to underscore. Let's say you had a million EUR in a drawer in your bedroom, and I knew of this. If I was so motivated, I might offer you a free cleaning lady to look after your house. If you were naive enough, like most gmail, yahoo mail, ymail, hotmail, Outlook cloud, live.com etc users, you might take me up on your offer. The free cleaning lady would almost certainly have cleaned out your drawers while she whizzed around your house. While this might be a story in extremis, the same basic principles apply - even though you email services may be only taking 50c worth of personal information from 100 million victims, every day.

If they were honest, the sign-up page would have big, bold, conditions in 30 pt Helvetica type along the lines of "While this service is nominally "free", if you click yes below, we reserve the right to scour through your emails and spam you with advertising (eg if you have just bought a Sony A7Rii camera from Amazon, our advertising will cause you to see dozens of pages of advertisements for all sorts of cameras. And we may provide or sell your ID and the contents of your emails to entities that purport to act in the interests of national security - either in your country of residence, or our country of domicile or some other country without any court order or evidence of your involvement with criminal activity. Govern yourself according ejit. Click >>> [Yes] and enjoy, sucker!)

beauf · 07-10-2015 10:12pm

This is very, old news.

Impetus · 10-10-2015 3:51pm

beauf wrote: »

This is very, old news.

Antonym

Data privacy risks of buying / using Microsoft Office 2016

Comments