Microsoft Privacy Update: What You REALLY Need To Know

With Microsoft updating its Services Agreement and Privacy Statement from 1st August 2015, the usual weasel-worded emails have been dropping into our inboxes, expressing how much the business cares for our privacy and gives us… ahem… ‘control’. As I said in an article about SoundCloud, the only real concern data-mining businesses have about our privacy is how much they can invade it, and then gloss over their gross invasions with soundbyte PR. But let’s not jump the gun. Here’s Microsoft’s soundbyte PR…

We remain committed to protecting your data, being clear about how we use it and putting you in control. For example, we do not use the contents of your email, chat, video calls, documents, photos or voicemail to target advertising to you.

Sounds great, doesn’t it? Of course, they have to protect everyone’s data within the bounds of the law, so it always makes me laugh the way these companies pitch data protection like it’s some sort of luxury commitment, offered out of the goodness of their hearts. And just because Microsoft doesn’t scan your private communication and content for the purpose of targeting ads, it doesn’t mean the organisation doesn’t scan. Indeed, it has to scan email – otherwise how on earth would it recognise spam?

The feelgood soundbyte from Microsoft’s publicity release is really a dig at Google, reminding users of a very public attempt Microsoft made to raise awareness of Gmail’s ad-targeting algorithms. It was a bid to make Google look like the villain, and paint Microsoft as the friendly, caring face of free online services. But the reality is that Microsoft still scans your communication, and it still targets ads at email users.

How it ‘launders’ the data in between those two fence posts is almost impossible to work out. But I can say from experience that when I’ve previously opted out of Microsoft’s email ad targeting, nothing changed, and I still got the same ads, which were based on what Microsoft had previously understood my preferences to be. A coincidence? Draw your own conclusions.

So how much does Microsoft respect your privacy? It doesn’t directly use information scanned from your private content for marketing, or at least claims not to, but what’s its broader stance on tracking? Let’s delve into the actual Privacy Policy and find out…


Web bugs are one of the technologies online businesses can employ to circumvent users’ attempts at privacy protection. Microsoft uses web bugs, although it refers to them by the rather less panic-inducing term of web beacons. Web bugs, or web beacons, use covert image hotlinks to generate server hits, which, in conjunction with other information, determine a user’s behaviour at a very specific and personal level. For example, the technology can tell whether, and when, you opened an email, and what your response was…

Sometimes we include web beacons in our promotional email messages or newsletters to determine whether messages have been opened and acted upon.

They’re not called web bugs for nothing.

Or, the technology can tell Microsoft if and when you’re using third party websites, which you didn’t realise had anything to do with the company…

We sometimes work with other companies that advertise on Microsoft sites to place web beacons on their sites or in their advertisements to let us develop statistics on how often clicking on an advertisement on a Microsoft site results in a purchase or other action on the advertiser’s site.

Obviously, these businesses are in the advertising trade, and if it can’t be proved that your purchase was made on referral from Microsoft, then Microsoft ain’t gonna get paid. So inevitably, Microsoft will go to great lengths to ascertain exactly what you’re doing on other sites. There’s money riding on it, and there’s no higher motivation than that.
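To see what an email web beacon looks like from the recipient's side, the following sketch scans a message's HTML for remote images that fit the pattern described above. It is an added example, not part of the original article or of any Microsoft code; the sample message, host names and tokens are constructed, and the heuristics (tiny or hidden image, per-recipient value in the URL) are assumptions about what a typical beacon looks like.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message body; hosts and tokens are made up for illustration.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Our July newsletter</p>
<img src="https://cdn.news.example/banner.png" width="600" height="120" alt="Banner">
<img src="https://track.news.example/o.gif?uid=9f2c41d7a0b84e6e&amp;c=july" width="1" height="1" alt="">
<img src="https://track.news.example/p?r=bob%40mail.example" style="display:none">
<img src="cid:logo@local" width="1" height="1">
</body></html>
"""

TOKEN_RE = re.compile(r"^[0-9a-fA-F-]{16,}$")  # long opaque identifier
TINY = {"0", "1", "0px", "1px"}

class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # embedded images (cid:, data:) generate no server hit
        reasons = []
        if a.get("width", "").strip() in TINY and a.get("height", "").strip() in TINY:
            reasons.append("1x1 image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        for key, value in parse_qsl(url.query):
            if TOKEN_RE.match(value) or "@" in value:
                reasons.append(f"per-recipient value in '{key}'")
        if reasons:
            self.findings.append((url.netloc, reasons))

def find_beacons(html):
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings
```

Blocking remote image loading in the mail client defeats every image this flags, because the server hit never happens.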


Microsoft lists a motley crew of analytics providers in its Privacy Statement, including Omniture (Adobe), Nielsen, Coremetrics, Google Analytics (interesting that Microsoft kicks Google’s privacy publicly for negative marketing purposes, but still uses Google Analytics), and KISSmetrics.

What sort of capabilities do these tools give Microsoft? Well, here’s KISSmetrics’ Twitter bio…

Google Analytics tells you what’s happening, KISSmetrics tells you who’s doing it. We track real people—where they come from, what they do, and who purchases.

I wouldn’t really place that under the heading of “protecting your privacy”, would you?


Again, from the Microsoft Privacy Statement…

In addition to standard cookies and web beacons, websites can use other technologies to store and read data files on your computer. This may be done to maintain your preferences or to improve speed and performance by storing certain files locally. But, like standard cookies, these technologies can also be used to store a unique identifier for your computer, which can then be used to track online activity. These technologies include Local Shared Objects (or “Flash cookies”), HTML5 Local Storage and Silverlight Application Storage.

The emphasis in that quote was obviously mine. Microsoft wouldn’t be that keen to highlight the most salient bits of its Privacy Policy, of course. The type of tracking referenced above is once again designed to circumvent a user’s preferences and continue to track when conventional cookies have been expressly blocked. Flash cookies cannot be deleted (or even recognised) using a browser’s standard cookie management system. They’re not really cookies. They’re a hijacking – a perversion – of another technology, which was designed for something else entirely.


But this is the best bit. Here’s Microsoft’s stance on the Do Not Track protocol in browsers. The protocol we use to clearly indicate to Web providers that we don’t want to be tracked…

Because there is not yet a common understanding of how to interpret the DNT signal, Microsoft does not currently respond to the browser DNT signals on its own websites or online services, or on third-party websites or online services where Microsoft provides advertisements, content or is otherwise able to collect information. We continue to work with the online industry to define a common understanding of how to treat DNT signals.

Great, isn’t it? They take absolutely no notice whatsoever of our instructions, to them, that we do not want to be tracked. And the reason they take no notice, according to them, is that they don’t understand how to interpret a Do Not Track notification! It is indeed a difficult one to interpret, I must admit. I wonder what DO NOT TRACK could possibly mean?

But don’t worry, because Microsoft are working with the online industry to fulfil the almost impossibly difficult detective task of working out what DO NOT TRACK means.
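For comparison, here is one way a site could act on the header, written as a small WSGI middleware. It is an added example, not from the original article and not anything Microsoft ships; the cookie name `visitor_id` and the demo application are hypothetical. The `Tk: N` response header is the "not tracking" status value defined in the W3C Tracking Preference Expression specification.

```python
from wsgiref.util import setup_testing_defaults

TRACKING_COOKIE = "visitor_id"  # hypothetical name for a long-lived identifier

def demo_app(environ, start_response):
    # Constructed application that always tries to set a tracking identifier.
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "session=abc; HttpOnly"),
               ("Set-Cookie", f"{TRACKING_COOKIE}=u-12345; Max-Age=63072000")]
    start_response("200 OK", headers)
    return [b"hello"]

class HonourDNT:
    """WSGI middleware: when the request carries DNT: 1, drop tracking cookies."""
    def __init__(self, app, tracking_cookies=(TRACKING_COOKIE,)):
        self.app = app
        self.tracking = tuple(name + "=" for name in tracking_cookies)

    def __call__(self, environ, start_response):
        # The browser sends "DNT: 1" when the user has asked not to be tracked.
        opted_out = environ.get("HTTP_DNT", "").strip() == "1"

        def filtered(status, headers, exc_info=None):
            if opted_out:
                headers = [(k, v) for k, v in headers
                           if not (k.lower() == "set-cookie"
                                   and v.startswith(self.tracking))]
                headers.append(("Tk", "N"))  # tracking status: not tracking
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered)

def response_headers(dnt=None):
    """Run one request through the middleware and return the headers sent."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(HonourDNT(demo_app)(environ, start_response))
    return captured
```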

This has evidently brought out my sarcastic side, but the above does demonstrate what these businesses are like, and how incredibly misleading their PR exercises are. I know nothing in life is free, and what you save in money with free online services, you inevitably pay for in privacy. But why try to make it look like you’re not spying on users and are some kind of saint, when you won’t honour clear Do Not Track notifications, and use the unbelievably slimy excuse that you don’t understand what it means? It’s almost childish. Just admit you’re a bunch of aggressive, pathological data-miners, like everyone else!

Even Twitter at least recognises Do Not Track, and I don’t think anyone could consider Twitter particularly impressive in the privacy stakes. So let’s not kid ourselves that Microsoft is some kind of Internet saint. It bugs your email, it bugs your use of the wider Web, it uses under-the-radar LSO/Flash cookies to continue tracking when conventional cookies are blocked, and it completely ignores Do Not Track requests.

Things could be worse. Microsoft doesn’t, as far as I can establish, currently use Mouseflow (incredibly detailed realtime observation of user behaviour) and I can’t see anything directly relating to Canvas Fingerprinting. However, the Privacy Statement’s mention of HTML5 Local Storage and Silverlight Application Storage hints at use of the Evercookie – a shockingly pervasive cookie-respawning mechanism which is just about the worst threat to user privacy currently under development. What’s clear is that Microsoft is using some very sophisticated and aggressive technologies to keep tabs on what you’re doing.

Beware soundbyte PR, and always read the full documentation.