D

OneDrive

Serious concerns
Microsoft · 🇺🇸 United States
Technical details
App: com.microsoft.skydrive
Manufacturer: Microsoft

The bottom line

Microsoft can read every file on OneDrive. They scan them, their Copilot AI processes them, and Microsoft was the first company on the NSA's PRISM surveillance slides in 2007. In 2022, a Microsoft employee was caught accessing customer emails without authorisation. The company that built the backdoor for the NSA now stores your documents, reads them with AI, and connects them to 801 advertising partners. OneDrive syncs your files to the cloud by default — many users don't realise their desktop is being uploaded. If Microsoft's automated scanner flags something in your files, you lose access to your email (Outlook), your documents (Office 365), your gaming library (Xbox), and your Windows licence. One algorithm's judgment call, and your entire digital life is locked. Microsoft's Community Standards give them the right to make that call.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: NSA collects stored emails, photos and messages without individual warrants.
Geofence warrants: Police can demand location data for everyone near a crime scene.
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 2/4 MODERATE (Who gets my data?)
Security: 2/4 MODERATE (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
ACCEPTABLE Moderate concerns. Standard privacy hygiene applies.
4 contradictions (0 critical, 2 high, 2 medium) · 4 sources
Findings by concern
Spying 2/4 MODERATE 2 findings
⚡ high · firmware analysis vs policy claims
Microsoft can read every file on OneDrive. They scan them, their Copilot AI processes them, and Microsoft was the first company on the NSA's PRISM surveillance slides in 2007. In 2022, a Microsoft employee was caught accessing customer emails without authorisation. The company that built the backdoor for the NSA now stores your documents, reads them with AI, and connects them to 801 advertising partners.

What they claim: OneDrive securely stores and protects files.

What we found: Microsoft holds keys. Not zero-knowledge. Scans for 'objectionable content.' PRISM first participant (2007). Same infrastructure: Outlook (801 ad partners), Copilot AI, Recall, DiagTrack.

⚫ medium · firmware analysis vs regulatory findings
If you use Microsoft for work, your documents (OneDrive), emails (Outlook), chats (Teams), meetings (Teams), searches (Bing), browsing (Edge), and desktop activity (Windows) all flow into one Microsoft account. No other company sees this complete a picture of your professional and personal life. The Copilot AI that now reads all of it was pitched as a productivity tool. It's also the most comprehensive surveillance tool any corporation has ever built.

What they claim: OneDrive integration is for convenience.

What we found: Every M365 document defaults to OneDrive. Combined with Outlook, Teams and DiagTrack, Microsoft holds the most complete picture of user data of any company.

Security 2/4 MODERATE 1 finding
⚫ medium · policy claims vs firmware analysis
Personal Vault requires your fingerprint or face scan to open files. It sounds secure — except Microsoft still holds the encryption keys and can read everything inside. In August 2023, Chinese hackers (Storm-0558) used a stolen Microsoft signing key to access US government email accounts for a month. The vault keeps other people out. It does not keep Microsoft — or anyone who compromises Microsoft — out.

What they claim: Personal Vault provides extra security.

What we found: Adds authentication but NOT zero-knowledge encryption. Microsoft can still access Vault files. It is an access-control layer, not an encryption upgrade.

Honesty 2/4 MODERATE 1 finding
⚡ high · firmware analysis vs policy claims
OneDrive syncs your files to the cloud by default — many users don't realise their desktop is being uploaded. If Microsoft's automated scanner flags something in your files, you lose access to your email (Outlook), your documents (Office 365), your gaming library (Xbox), and your Windows licence. One algorithm's judgment call, and your entire digital life is locked. Microsoft's Community Standards give them the right to make that call.

What they claim: OneDrive gives users control over files.

What we found: Syncs Desktop/Documents/Pictures by default on Windows. Account suspension affects ALL Microsoft services. No way to use Windows Home without a Microsoft account.
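The default sync of Desktop, Documents and Pictures is what Windows calls "Known Folder Move": OneDrive changes where those folders resolve to, so everything saved there is uploaded. The script below is an added example (not code from the original page or from Microsoft) that checks whether the current user's known folders resolve into a OneDrive sync root. It reads the standard Windows shell-folder registry values when run on Windows and otherwise falls back to a constructed sample profile; the OneDrive path markers it matches on are an assumption (default folder names) and would need adjusting if the sync folder was renamed.

```python
"""
Added example: detect whether Windows known folders (Desktop, Documents,
Pictures) currently resolve into the OneDrive sync root.

Classification is pure and platform-independent so it can be exercised
with constructed paths; the registry read runs only on Windows.
"""
import sys
from pathlib import PureWindowsPath

# Registry value names as Windows stores them under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
# (Documents is stored as "Personal").
KNOWN_FOLDERS = {
    "Desktop": "Desktop",
    "Documents": "Personal",
    "Pictures": "My Pictures",
}

# Path components that mark a OneDrive sync root.
# Assumption: default folder names ("OneDrive", "OneDrive - <Org>").
ONEDRIVE_MARKERS = ("onedrive",)


def is_onedrive_path(path: str) -> bool:
    """True if any component of a Windows path looks like a OneDrive sync root."""
    for part in PureWindowsPath(path).parts:
        lowered = part.lower()
        if lowered in ONEDRIVE_MARKERS or lowered.startswith("onedrive - "):
            return True
    return False


def classify_known_folders(resolved: dict[str, str]) -> dict[str, str]:
    """Map each known folder name to 'synced' or 'local' given its resolved path."""
    return {
        name: ("synced" if is_onedrive_path(path) else "local")
        for name, path in resolved.items()
    }


def read_known_folders_windows() -> dict[str, str]:
    """Read and expand the current user's shell-folder paths from the registry."""
    import winreg  # only importable on Windows

    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    resolved = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        for name, value_name in KNOWN_FOLDERS.items():
            raw, _type = winreg.QueryValueEx(key, value_name)
            # Values are REG_EXPAND_SZ, e.g. %USERPROFILE%\OneDrive\Desktop
            resolved[name] = winreg.ExpandEnvironmentStrings(raw)
    return resolved


# Constructed sample profile: Known Folder Move redirected two of three folders.
SAMPLE_PROFILE = {
    "Desktop": r"C:\Users\alice\OneDrive\Desktop",
    "Documents": r"C:\Users\alice\OneDrive\Documents",
    "Pictures": r"C:\Users\alice\Pictures",
}


if __name__ == "__main__":
    folders = read_known_folders_windows() if sys.platform == "win32" else SAMPLE_PROFILE
    for name, status in classify_known_folders(folders).items():
        print(f"{name:<10} {status:<7} {folders[name]}")
```

A folder reported as "synced" is being uploaded to Microsoft whether or not the user chose that. The redirection can be reversed from the OneDrive client's backup settings, and on managed devices the OneDrive policy value KFMBlockOptIn prevents known folders from being moved in the first place.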

What happened to real people
Documented incidents involving Microsoft products and user data.
First PRISM participant (2007). 31% of US legal demands come with secrecy orders — 1,974 gag orders in H1 2025 alone. Users never told their data was demanded.
Storm-0558: Chinese hackers used a stolen Microsoft signing key to access US government officials' email accounts. Microsoft's own infrastructure was the attack vector.
What your data is worth to governments
Microsoft complied with 6,288 government data requests in H1 2025, and 31% of demands came with secrecy orders. Microsoft has been a confirmed PRISM participant since 2007. Under this programme, the NSA collects stored communications, and the company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).