Microsoft 365
Grade: F (Fail)
Microsoft · 🇺🇸 United States
Technical details
Manufacturer: Microsoft

⚠️ The bottom line

Microsoft promised Copilot would respect your confidentiality labels — the digital equivalent of "EYES ONLY" stamps. Then in January 2026, a bug let Copilot read and summarize those exact confidential emails anyway. Microsoft wouldn't say how many people were affected. The US Congress had already banned Copilot for staffers. The European Parliament blocked it on work devices. The tool designed to make you productive was quietly reading the emails it was told not to touch. You're paying for Microsoft 365 to write documents and send emails. What you're also getting is 801 advertising companies processing your data — location, contacts, calendar, browsing. Microsoft's own EU consent screen says it plainly: 801 partners. Even if you opt out of targeted ads, data collection continues. You're not the customer of a productivity suite. You're the product of an advertising network that happens to include a word processor.

Legal jurisdiction: 🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Scores
Spying: 3/4 HIGH. Is someone spying on me?
Data Sharing: 4/4 EXTREME. Who gets my data?
Kids at risk
Security: 4/4 EXTREME. Is it actually secure?
Honesty: 4/4 EXTREME. Can I trust what they say?
Kids at risk
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
12 contradictions: 3 critical, 9 high, 0 medium. 13 sources.
Findings by concern
Spying 3/4 HIGH 2 findings
⚡ HIGH · policy claims vs app permissions
Microsoft told the world Productivity Score wasn't a surveillance tool. Meanwhile, it tracked how often each employee sent emails, attended meetings, used chat — with individual monitoring on by default. Only the boss could turn it off, not the worker being watched. Wolfie Christl, the Austrian researcher who exposed it, said it "normalises extensive workplace surveillance in a way not seen before." Microsoft removed the dashboard after outrage. They didn't remove the data collection. The scoreboard is gone. The scoring never stopped.

What they claim: Microsoft says Productivity Score is not a work monitoring tool, designed with privacy at its core.

What we found: Researcher Wolfie Christl demonstrated that it tracked individual employees' email frequency, meeting attendance and chat usage by default. Only admins, not employees, could access the privacy controls. David Heinemeier Hansson called it morally bankrupt. Christl said it was likely illegal in Austria and Germany. Microsoft removed the dashboards after the backlash but kept the data collection.

⚡ HIGH · marketing vs app
Every file you've saved in OneDrive, every email in Outlook, every Teams chat, every meeting transcript — Copilot's new design reads them all, all the time. Not when you ask. Automatically. Microsoft 365 went from a productivity suite to a surveillance suite with a copilot badge.

What they claim: Microsoft 365 markets its productivity tools as keeping your work private within your organisation.

What we found: The new Copilot design pulls from emails, files, chats, and meetings inline across the entire Microsoft 365 suite. AI now has persistent access to all workspace content — proactively reading and correlating data across every M365 app without per-query consent.

Data Sharing 4/4 EXTREME 3 findings
⚠️ CRITICAL · policy claims vs app permissions
You're paying for Microsoft 365 to write documents and send emails. What you're also getting is 801 advertising companies processing your data — location, contacts, calendar, browsing. Microsoft's own EU consent screen says it plainly: 801 partners. Even if you opt out of targeted ads, data collection continues. You're not the customer of a productivity suite. You're the product of an advertising network that happens to include a word processor.

What they claim: Microsoft states it does not use personal data from emails, chats, or documents to target ads.

What we found: The new Outlook for Windows shares data with 801 external advertising partners. Microsoft's EU consent dialog reads: "We and our 801 partners process data to store and access information on your device, personalize ads, measure ads, derive audience insights, obtain precise geolocation, and identify users through device scanning."

⚠️ CRITICAL · policy claims vs app permissions
Microsoft told European schools its software was GDPR-compliant. Austria's regulator disagreed — twice. First, Microsoft refused to tell a student what data it held. Then they found advertising tracking cookies on a child's school computer. The school didn't know. The Ministry didn't know. Microsoft's own docs confirmed the cookies were for advertising. France and Germany had already banned 365 from classrooms. Microsoft said "we meet all standards." The regulator said: stop within four weeks.

What they claim: Microsoft says Microsoft 365 for Education meets all required data protection standards.

What we found: Austria's DSB found Microsoft violated GDPR Article 15 by refusing student data access. Then found Microsoft placed advertising tracking cookies on a minor's school device. The school and Austrian Ministry didn't know. noyb's Max Schrems noted the same terms apply to millions of students across EU/EEA. France and Germany already banned 365 from schools.

⚡ HIGH · regulatory findings vs policy claims
The Netherlands found eight GDPR violations and "large-scale and covert personal data collection." Microsoft claimed to be a data processor following instructions. The Dutch said no: Microsoft is a joint controller making its own decisions about your data. Germany agreed: organizations literally cannot prove GDPR compliance when using 365 because Microsoft won't disclose what it does. France banned it from government use. Three countries investigated. Three countries found the same thing.

What they claim: Microsoft positions itself as a GDPR-compliant data processor acting on behalf of customers.

What we found: The Dutch DPIA found 8 GDPR violations and large-scale covert data collection. Germany's DSK concluded organizations cannot prove GDPR compliance when using 365 because Microsoft won't fully disclose processing. France banned it from government use. Three countries, same finding.

Security 4/4 EXTREME 5 findings
⚡ HIGH · policy claims vs firmware analysis
Microsoft says you control your privacy. But Required Diagnostic Data cannot be turned off — period. Not on Home. Not on Pro. Enterprise customers get a "Security" level that reduces collection. The 400 million consumers paying the same company? No such option. The Dutch government investigated and found Microsoft was collecting data "covertly." You can't opt out of something you were never told was happening.

What they claim: Microsoft says users have meaningful control over privacy and can choose what data to share.

What we found: Required Diagnostic Data cannot be disabled on Home or Pro — not even with registry hacks. Enterprise can reduce to Security level. An undocumented registry key only blocks some modules; others keep transmitting. The Dutch DPIA found Microsoft collected this telemetry covertly without adequate transparency.

⚡ HIGH · policy claims vs regulatory findings
Microsoft bundled Teams into every Office 365 subscription — force-installing it for millions and making removal nearly impossible. Slack called it illegal tying. The European Commission agreed and prepared a fine of up to $24.5 billion. Microsoft's "choice" meant every Office customer automatically got Teams while competitors like Slack had to convince each customer individually. Microsoft avoided the fine by agreeing to unbundle — seven years after Slack complained, only after the threat of a record penalty.

What they claim: Microsoft says it offers customers choice and interoperability in collaboration tools.

What we found: The EC found Microsoft breached antitrust rules by tying Teams to Office 365, force-installing for millions. Slack's 2020 complaint called it illegal tying. Microsoft faced a potential $24.5 billion fine. In September 2025 Microsoft agreed to a 7-year unbundling commitment with 50% price cuts on Teams-free packages.

⚡ HIGH · policy claims vs app permissions
Microsoft Graph API is the master key to everything in your organization's 365: emails, files, calendars, org charts. Microsoft calls it secure. Attackers call it their favorite tool. Russian intelligence (APT28) used it for espionage against European governments. A single exposed endpoint leaked 50,000 user records from a major airline. Multiple malware families use Graph API for command-and-control because traffic looks like normal Office usage. The logs that could catch this? Not enabled by default.

What they claim: Microsoft promotes Graph API as a secure, permission-based gateway to organizational data.

What we found: Graph API has become a top tool for attackers. CloudSEK found an unauthenticated endpoint exposing 50,000 Azure AD records at a major airline. Russian APT28 used Graph for C2 when targeting European governments. Multiple malware families use it because the traffic blends with legitimate 365 usage. Activity logs are not enabled by default.

⚡ HIGH · policy claims vs app permissions
Microsoft says Copilot only shows what you already have access to. The average organization has 802,000 overshared files — 16% of all business-critical data accessible to people who shouldn't see it. Copilot doesn't passively sit on these permissions. It actively searches, summarizes, and presents this data on a silver platter. At Black Hat 2024, a researcher showed Copilot could be tricked into exfiltrating data through prompt injection. He called leakage "probable, not just possible." Microsoft gave AI the keys to a building where most doors were already unlocked.

What they claim: Microsoft says Copilot only surfaces data to which individual users have view permissions.

What we found: Concentric AI found 16% of business-critical data is overshared in typical 365 environments — average 802,000 files at risk per org. Copilot inherits over-permissions and actively surfaces sensitive data. Security researcher Michael Bargury demonstrated at Black Hat 2024 that Copilot could exfiltrate data via prompt injection, calling leakage probable not just possible.

⚡ HIGH · marketing claim vs third-party research
A security researcher found that anyone with a low-level Azure backup job could silently promote themselves to full administrator of a Kubernetes cluster — then steal secrets or plant malicious code. Microsoft told him he was wrong, quietly fixed the hole anyway, and never told customers it existed. Without a CVE number, security teams cannot patch what they cannot track. One researcher, one cloud provider, and thousands of organisations left in the dark.

What they claim: Microsoft publicly pledges to prioritise security above all else under its Secure Future Initiative, promising transparent vulnerability disclosure and customer notification of security risks.

What we found: In May 2026, Microsoft rejected a critical privilege escalation vulnerability in Azure Backup for AKS reported by security researcher Justin O'Leary. The flaw allowed a Backup Contributor (low-privilege) user to gain cluster-admin access with zero prior Kubernetes permissions — a Confused Deputy attack. Microsoft told BleepingComputer the issue requires pre-existing administrative privileges, which O'Leary disputed as factually incorrect. CERT/CC assigned VU#284781. Microsoft then lobbied MITRE against CVE issuance. The attack path was subsequently silently patched — with no CVE, no advisory, and no customer notification.

Honesty 4/4 EXTREME 2 findings
⚠️ CRITICAL · policy claims vs app permissions
Microsoft promised Copilot would respect your confidentiality labels — the digital equivalent of "EYES ONLY" stamps. Then in January 2026, a bug let Copilot read and summarize those exact confidential emails anyway. Microsoft wouldn't say how many people were affected. The US Congress had already banned Copilot for staffers. The European Parliament blocked it on work devices. The tool designed to make you productive was quietly reading the emails it was told not to touch.

What they claim: Microsoft says Copilot respects DLP policies and sensitivity labels ensuring confidential content stays protected.

What we found: In January 2026, a bug let Copilot read and summarize confidential emails in Sent Items and Drafts despite DLP restrictions. Microsoft confirmed a code error but wouldn't say how many users were affected. The fix didn't roll out until February. The US Congress banned Copilot for staffers. The European Parliament blocked it on work devices.

⚡ HIGH · policy claims vs app permissions
Microsoft says spell-check only sends five words at a time. Grammar checking sends whole sentences, PowerPoint Designer analyzes your slides, and some Connected Experiences keep your content "for as long as your account exists." This happens at automatic intervals — not just when you click a button. You can turn it off, but then you lose the features you're paying for. The choice: let us read your documents, or don't use the product you bought.

What they claim: Microsoft says documents stay on your device or tenant, and Connected Experiences send minimal data.

What we found: Connected Experiences send document content to servers for grammar, design, translation, and research. Some retain content for as long as your account exists. Consumer plans cannot fully disable Required Connected Experiences. Privacy advocates note actual processing is unknown and unverifiable.

What happened to real people
Documented incidents involving Microsoft products and user data.
First PRISM participant (2007). 31% of US legal demands come with secrecy orders, 1,974 gag orders in H1 2025 alone. Users are never told their data was demanded.
Storm-0558: Chinese hackers used a stolen Microsoft signing key to access US government officials' email accounts. Microsoft's own infrastructure was the attack vector.
What your data is worth to governments
Microsoft complied with 6,288 government data requests in H1 2025, and 31% of demands included secrecy orders. Microsoft has been a confirmed PRISM participant since 2007. Under this programme, the NSA collects stored communications, and the company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).