I genuinely don't understand how you can come to this conclusion.
If I open the door to someone and allow them to take picture inside my house, there is no legal understanding that they are now allowed to make and keep a copy of my keys.
The understanding is that I allowed to take the picture (make the sync), through the access that I gave (door opened / imap connection made). And the underlying understanding is actually that I remain in control of access later on, meaning they can't do it again without me opening the door / connecting again.
Microsoft knows that, because they buried that information inside the webpage that the consent dialog links to, except the dialog doesn't say "important detail there" but "for more information see there" aka pretend the dialog's summary is correct.
If anything, coupled with the awkward Outlook (but not Outlook) naming this is one more of their modern move that will piss off entreprise IT admins. Your employee opens the "wrong" outlook, type his office credentials and then Microsoft now has outside of your corp account a copy of all data of that employee AND its credentials. If there was any actual real competitor in their field they would never be able to pull such crap.
Well, the consent item is "sync" and that translates in your sample more to "you consent to let them take pictures of your house whenever they want". And for that, a key property is the username (or your house key). Otherwise, "sync"/"taking photos any time" would not work. You could argue that "sync" could be considered 1-time sync or permanent sync ... but honestly we talk about IMAP and a permanent connection to fetch Emails. Let us not assume we talk about a one time "sync".
And yes, I agree that Microsoft buried the nasty password detail with the purpose of not disengaging the users. I also think that anything data privacy related, normal users are completely overwhelmed with no chance to ever understand the situation.
I share your thought about replicating passwords. Not to the concrete worry you express but that it is a really bad practice compared to industry practice (see OAuth2 refresh token).
Well, they consent to the fact that data is "synced" to Microsoft. That is the use case and the consent-able item. The password is just a random property of that item. And that is literally on the screen. That is broad but that is how privacy topics are generally handled.
No, they are not. GDPR notices (which this is) must be understandable to the layman. Including all consequences like "this will also allow access to other services secured with the same university/company-wide password".
The German law you cite about getting a password is applicable if you plan to or actually access data they are not authorized to. Which is not the case (assuming they do not).
GDPR deals with privacy. The user name is personal identifiable data. The password is only personal data. The emails themselves can be PII or just personal data. GDPR legally wise, the password is the least risky set of data here (as absurd as it is). Also it is a property of the process. Take a GDPR sheet of a club about giving photographies of your kids to the newspaper. You consent to the publishing of images and give the club data for it (first name, last name, restriction, name of parent, etc). And these properties are not mentioned in the consent but just are part of the process. This is nothing else, just that we are very worried about that the property is a password.
I agree that they should ethically mention that they transfer your password. I also agree that there is no way a layman can understand any consent they grant on the Internet. There is a reason why informed consent in clinical trials (where this can be life and dead) is not just a checkbox but a conversation, quiz, explanations, etc.
I genuinely don't understand how you can come to this conclusion.
If I open the door to someone and allow them to take picture inside my house, there is no legal understanding that they are now allowed to make and keep a copy of my keys.
The understanding is that I allowed to take the picture (make the sync), through the access that I gave (door opened / imap connection made). And the underlying understanding is actually that I remain in control of access later on, meaning they can't do it again without me opening the door / connecting again.
Microsoft knows that, because they buried that information inside the webpage that the consent dialog links to, except the dialog doesn't say "important detail there" but "for more information see there" aka pretend the dialog's summary is correct.
If anything, coupled with the awkward Outlook (but not Outlook) naming this is one more of their modern move that will piss off entreprise IT admins. Your employee opens the "wrong" outlook, type his office credentials and then Microsoft now has outside of your corp account a copy of all data of that employee AND its credentials. If there was any actual real competitor in their field they would never be able to pull such crap.
Well, the consent item is "sync" and that translates in your sample more to "you consent to let them take pictures of your house whenever they want". And for that, a key property is the username (or your house key). Otherwise, "sync"/"taking photos any time" would not work. You could argue that "sync" could be considered 1-time sync or permanent sync ... but honestly we talk about IMAP and a permanent connection to fetch Emails. Let us not assume we talk about a one time "sync".
And yes, I agree that Microsoft buried the nasty password detail with the purpose of not disengaging the users. I also think that anything data privacy related, normal users are completely overwhelmed with no chance to ever understand the situation.
I share your thought about replicating passwords. Not to the concrete worry you express but that it is a really bad practice compared to industry practice (see OAuth2 refresh token).
It is not informed consent if people don't understand what is happening, though.
Well, they consent to the fact that data is "synced" to Microsoft. That is the use case and the consent-able item. The password is just a random property of that item. And that is literally on the screen. That is broad but that is how privacy topics are generally handled.
I also do not like it.
If the data includes credentials but that isn't explicitly mentioned when asking for consent, I seriously hope that won't hold up before a judge.
1 reply →
I am not so sure about that. Are they allowed to simply assume "expert" knowledge?
No, they are not. GDPR notices (which this is) must be understandable to the layman. Including all consequences like "this will also allow access to other services secured with the same university/company-wide password".
This could also be a punishable crime in Germany: https://www.gesetze-im-internet.de/stgb/__202c.html and other articles around that one.
The German law you cite about getting a password is applicable if you plan to or actually access data they are not authorized to. Which is not the case (assuming they do not).
GDPR deals with privacy. The user name is personal identifiable data. The password is only personal data. The emails themselves can be PII or just personal data. GDPR legally wise, the password is the least risky set of data here (as absurd as it is). Also it is a property of the process. Take a GDPR sheet of a club about giving photographies of your kids to the newspaper. You consent to the publishing of images and give the club data for it (first name, last name, restriction, name of parent, etc). And these properties are not mentioned in the consent but just are part of the process. This is nothing else, just that we are very worried about that the property is a password.
I agree that they should ethically mention that they transfer your password. I also agree that there is no way a layman can understand any consent they grant on the Internet. There is a reason why informed consent in clinical trials (where this can be life and dead) is not just a checkbox but a conversation, quiz, explanations, etc.
2 replies →