critical
Microsoft launched Recall — a feature that screenshots your screen every few seconds and stores a searchable AI database of everything you do. Microsoft said screenshots were "always encrypted." Security researcher Kevin Beaumont built a free tool called TotalRecall that could copy and read the entire database in two seconds. The screenshots were stored in a plain SQLite database. Microsoft delayed the launch after the backlash.
critical
Microsoft spent a year rebuilding Recall's security with enterprise-grade encryption, and the same researcher broke it again — extracting everything without triggering any security alerts.
critical
Microsoft's Purview Information Protection is supposed to block your credit card numbers, Social Security numbers, and passwords from being shared. Security researchers found it keeps letting sensitive data through — the filter that's supposed to protect your most critical information fails at its one job. Organizations paying for Microsoft's enterprise security suite discovered the guardrails have holes. The feature exists so Microsoft can check a compliance box. Whether it actually works is apparently a secondary concern.
critical
Microsoft promised Copilot would respect your confidentiality labels — the digital equivalent of "EYES ONLY" stamps. Then in January 2026, a bug let Copilot read and summarize those exact confidential emails anyway. Microsoft wouldn't say how many people were affected. The US Congress had already banned Copilot for staffers. The European Parliament blocked it on work devices. The tool designed to make you productive was quietly reading the emails it was told not to touch.
critical
You're paying for Microsoft 365 to write documents and send emails. What you're also getting is 801 advertising companies processing your data — location, contacts, calendar, browsing. Microsoft's own EU consent screen says it plainly: 801 partners. Even if you opt out of targeted ads, data collection continues. You're not the customer of a productivity suite. You're the product of an advertising network that happens to include a word processor.
critical
Microsoft told European schools its software was GDPR-compliant. Austria's regulator disagreed — twice. First, Microsoft refused to tell a student what data it held. Then the regulator found advertising tracking cookies on a child's school computer. The school didn't know. The Ministry didn't know. Microsoft's own docs confirmed the cookies were for advertising. France and Germany had already banned 365 from classrooms. Microsoft said "we meet all standards." The regulator said: stop within four weeks.
critical
Microsoft spent a year redesigning Recall's security after researchers extracted everything in two seconds. The new version? Researchers extracted everything again. The database also has secret tracking fields Microsoft never told anyone about. They built a vault, got robbed, rebuilt it, got robbed again.
critical
Microsoft made a huge deal about requiring your face or fingerprint for Recall. Turns out that's only for setup. After that, a 4-digit PIN unlocks your entire visual history. Like putting a retinal scanner on your front door but leaving the back door open with a Post-it saying "1234."
critical
Windows has a lovely privacy settings page. You can turn everything off. It does not matter. Underneath, a process called MAPS reports every file you touch to Microsoft. It used to have an off switch. Microsoft removed it. The privacy settings are a placebo.
critical
Microsoft's Copilot ignored confidentiality labels on emails for a month in early 2026 — the second time in eight months it failed to keep secrets secret. The European Parliament's response was immediate: they disabled Copilot on all 8,000 of their devices. When the people who write privacy laws won't trust your AI with their own emails, that tells you everything.
high
Microsoft says you can opt out of Copilot training. But the privacy policy still allows using your data for "advertising," "product improvement," and "compliance." Opting out of training doesn't opt you out of collection. Researcher Arvind Narayanan found Microsoft's privacy controls create an "illusion of choice" — the data still flows, just under different legal justifications.
high
Copilot is embedded in Windows, Edge, Office, and Bing — you can't use a modern Windows PC without encountering it. Microsoft's privacy policy discloses 801 advertising partners. The AI that reads your documents, emails, and search queries feeds into the same ecosystem that serves you ads. Microsoft doesn't disclose how many of those 801 partners receive Copilot-derived data.
critical
Academic research proved Edge is the least private browser you can use — worse than Chrome. It sends a permanent hardware ID to Microsoft that you can't disable, even if you reinstall. It starts tracking before you've agreed to anything.
critical
Every letter you type in Edge's address bar goes straight to Microsoft. They were also caught sending every URL you visit to Bing through a 'Follow Creator' feature most people didn't know existed. Microsoft called it a bug. It was the design.
critical
Edge's AI reads everything you browse, takes screenshots of pages you visit, and builds a profile across all your Microsoft products. This is on by default. Security researchers showed attackers can hijack the AI using the pages you visit.
Minecraft
Kids & Education · 6 contradictions
Serious concerns
critical
Minecraft says "create, explore, and survive in your world." Microsoft says every block you place, every item you craft, every mob you kill, and everywhere you go in that world is transmitted to their servers. In 2022, they required all players -- including children who'd played offline for years -- to create Microsoft accounts or lose access to a game they already paid for. "Your world" is Microsoft's data. A child building a treehouse in Minecraft is generating telemetry for a trillion-dollar company.
high
Minecraft's Java Edition was built on community-run servers where operators set their own rules. In 2022, Microsoft added a chat reporting system that sends private conversations to Microsoft moderators -- and server owners cannot turn it off. A child chatting with friends on a private server is now being monitored by Microsoft. Bans are global: get reported on one server, lose access everywhere. The community built mods to disable it. Mojang patched those mods out. Microsoft inserted itself as the moderator of private conversations between children playing a block game.
high
Mojang promised transparency and player control over telemetry. On Bedrock Edition -- the version most children play on phones and consoles -- telemetry cannot be fully disabled. On Java Edition, telemetry was added to a game that had existed without it for over a decade. When the community protested, Mojang made some of it optional but kept core collection mandatory. A child playing Minecraft on an iPad has zero ability to stop Microsoft from logging their gameplay.
LinkedIn
Social Media · 6 contradictions
Serious concerns
critical
LinkedIn claimed three separate legal justifications for tracking users and serving targeted ads. The Irish Data Protection Commission demolished all three. Consent wasn't freely given. "Legitimate interests" didn't hold. And personalized ads being "necessary to fulfill the contract" was rejected — you don't need targeted advertising to run a job board. The EUR 310 million fine came from a complaint filed in 2018 by French privacy group La Quadrature Du Net. It took six years for regulators to act. During those six years, LinkedIn kept profiling a billion users with no valid legal basis.
high
In April 2021, data from 500 million LinkedIn users showed up for sale on a hacker forum. Two months later, it happened again — 700 million users, meaning virtually every person on the platform had their full name, email, phone number, and gender exposed. LinkedIn's response was to argue semantics: "It's scraping, not a breach." The distinction is meaningless to the 700 million people whose details were compiled into a searchable database and sold. LinkedIn's position: "We didn't lose your data, we just made it so easy to collect that someone vacuumed up all of it."
high
When you update your LinkedIn profile with your job title, employer, and skills, you think you're building a resume. Microsoft thinks you're building an ad profile. After the $26.2 billion acquisition, LinkedIn data flows directly into Microsoft's advertising machine — your professional identity targets ads across Bing, Outlook, and other Microsoft services. Outside the EU, you're automatically opted in. Microsoft brags that LinkedIn data boosted ad click-through by 16% and conversions by 64%. Your career history isn't helping you network — it's making Microsoft's ad business more profitable.
high
Defender sends every website you visit and every download to Microsoft, the first company in the NSA's PRISM program and a company with 801 advertising partners.
high
Microsoft lets you flip a switch to stop collection, then quietly flips it back. Try harder and your computer might crash.
high
Microsoft says Defender data is for security only, but it flows into the same systems powering their ads and AI. No wall between security data and everything else.
critical
When you add your Gmail or Yahoo account to the new Outlook, Microsoft sends your email password to their servers. Not a hash — the actual password. Verified by security researchers. Microsoft designed it this way on purpose.
critical
Russian military hackers used an Outlook vulnerability to steal credentials; just receiving an email was enough, you didn't even have to open it. Another bug meant just looking at your inbox in preview mode could give attackers full control of your computer.
critical
Microsoft's AI was caught reading confidential emails for weeks. They share your data with 801 advertising partners. Nearly a third of government demands for your email come with gag orders — Microsoft is legally forbidden from telling you they gave it away.
OneDrive
Cloud Storage · 4 contradictions
Serious concerns
high
Microsoft can read every file on OneDrive. They scan them, their Copilot AI processes them, and Microsoft was the first company on the NSA's PRISM surveillance slides in 2007. In 2022, a Microsoft employee was caught accessing customer emails without authorisation. The company that built the backdoor for the NSA now stores your documents, reads them with AI, and connects them to 801 advertising partners.
high
OneDrive syncs your files to the cloud by default — many users don't realise their desktop is being uploaded. If Microsoft's automated scanner flags something in your files, you lose access to your email (Outlook), your documents (Office 365), your gaming library (Xbox), and your Windows licence. One algorithm's judgment call, and your entire digital life is locked. Microsoft's Community Standards give them the right to make that call.
medium
Personal Vault requires your fingerprint or face scan to open files. It sounds secure — except Microsoft still holds the encryption keys and can read everything inside. In August 2023, Chinese hackers (Storm-0558) used a stolen Microsoft signing key to access US government email accounts for a month. The vault keeps other people out. It does not keep Microsoft — or anyone who compromises Microsoft — out.
critical
Microsoft's Gaming Copilot arrived on Xbox with a secret: switched on by default, silently taking screenshots, running OCR to extract every word of text, and shipping it to Microsoft for AI training. When users discovered this, Microsoft didn't apologize — they "publicly defended the feature." Every message typed in a game, every username on screen, every notification — captured and fed into Microsoft's AI pipeline. You weren't asked.
high
Microsoft boasts about removing 368 million pieces of harmful content from Xbox while the FTC fined them $20 million for hoovering up children's data without parents' permission. Kids under 13 signed up for Xbox Live and Microsoft kept everything — avatars, photos, personal details — even when parents never finished consent. The company that couldn't follow basic child privacy law now wants its AI assistant to screenshot your children's gaming sessions.
high
Microsoft promises gaming data is only shared with publishers "to support games." Then Microsoft bought Activision Blizzard for $68.7 billion, becoming the publisher of Call of Duty, WoW, and Candy Crush. Now "sharing with the publisher" means sharing with itself — merging 400 million gamers' habits into the same company running one of the world's largest ad networks. The privacy policy didn't change. The meaning of it did.
GitHub
Productivity · 4 contradictions
Serious concerns
high
GitHub promised not to train Copilot on your private code. But a class-action lawsuit showed Copilot reproducing verbatim chunks of open-source code — including copyright notices and licence text — without attribution. If the AI memorised and regurgitated GPL-licensed code, it violated the licence. If it did the same with your private code, you'd never know. The training data went from GitHub to OpenAI to Copilot. GitHub controls what goes in. OpenAI controls what comes out. You control nothing in between.
high
You write code in VS Code. Copilot sends it to OpenAI for completion. OpenAI runs on Microsoft Azure and now AWS. Microsoft owns GitHub and 27% of OpenAI. Your proprietary code passes through three companies with $185 billion in mutual financial obligations. A developer writing trade secrets has their code context flowing through a code host, an AI company, and a cloud provider — all connected by ownership and investment. They promised the platforms are separate. The money says they aren't.
high
Iranian developers woke up and couldn't access their own code. Years of work, locked behind US sanctions — on a platform that calls itself global and neutral. In 2024, Palestinian developers had accounts suspended for unspecified "terms of service violations." GitHub reversed it after the internet noticed. Security researchers had their proof-of-concept exploits removed via DMCA takedowns. When your code lives on a US-owned platform, US sanctions decide if you can access it, US politics decide if your account survives, and US copyright law decides if your security research stays up. Neutral is a marketing term.
high
Meeting transcripts from Teams are stored in OneDrive, indexed by Microsoft's compliance search tools, and now processed by Copilot AI — the same system connected to Microsoft's 801 advertising partners. Your employer's compliance team, Microsoft's AI, and potentially Microsoft's ad system can all access what was said in your meeting. The transcript you didn't ask for is now a permanent, searchable, AI-processed record.
high
Microsoft Teams encrypts 1:1 calls but not group meetings — the ones where sensitive business discussions actually happen. And you can't remove Teams from Windows without using PowerShell commands Microsoft doesn't document in the normal uninstall flow. In 2023, the EU fined Microsoft €4.6 million for bundling Teams with Office. The feature you can't remove doesn't even encrypt the calls that matter most.
medium
Copilot now listens to your entire Teams meeting in real time. Microsoft added a "no save" mode where the transcript is processed and then deleted — but during the meeting, everything you say is still being sent to Microsoft's servers, analysed by AI, and held in memory. "No save" means the recording is destroyed after. It does not mean the recording never happened.
Bing
Search Engines · 3 contradictions
Serious concerns
high
Every Bing search feeds into Microsoft's advertising network of 801 partners. Edge's address bar sends what you type to Microsoft before you even press Enter — a feature called "search suggestions" that's on by default. Researcher Zach Edwards found Edge sending full URLs of pages you visit to Bing servers. Your browser is reporting your activity in real time.
high
Bing is embedded in five places across Windows: the Start menu, the taskbar search, Cortana, Edge's address bar, and the Windows search indexer. Microsoft has made it deliberately difficult to switch — in 2023, they removed the ability to change the default search in the Edge address bar for European users until EU regulators intervened. Bing isn't a choice. It's a default that resists being changed.
medium
Every search you make on Bing trains Microsoft's AI models — Copilot, Bing Chat, and whatever comes next. There's no wall between "searching" and "training." Microsoft's terms of service grant them a licence to use your search queries for product improvement. When you ask Bing a private question, you're also teaching Microsoft's AI. The search bar isn't just a search bar — it's a training data pipeline.