Emails, Contacts, Passwords - Oh My! New Outlook Shares It All With Microsoft Putting Your Security At Risk

Microsoft's new Outlook for Windows shares all your data with its servers - and with up to 813 partners.

2024-04-04 / First published: 2023-11-15
Outlook on Windows now shares your email addresses and passwords with Microsoft servers - a huge security risk!
The latest version of Microsoft's email client Outlook made its debut in September 2023 and it has security and privacy experts concerned: The American tech giant is collecting more data than ever from its users - and sharing it with an ever increasing partner network. But even worse are its security issues: The new Outlook for Windows is no longer an email client, but a wrapper for Microsoft's 365 cloud that shares not only the content of your mailbox, contact lists, and calendar events (readable by Microsoft, as none of it is end-to-end encrypted), but also sensitive login information like passwords with its servers located in the USA.

Does MS Outlook Share Your Passwords?

The German tech site Heise triggered a scandal in November 2023 revealing that the new Outlook which is replacing the mail app on Windows shares users' passwords with Microsoft's American servers.

The findings have brought the authorities onto the scene, as warnings that the new Outlook for Windows sends your passwords and other sensitive information to Microsoft could not be ignored given the severe security implications. This is particularly concerning for national security when you consider that nearly every government organization from Germany to the USA runs a Windows enterprise environment. Consequently, the German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, stated on Mastodon:

"The reports of suspected data collection by MS via Outlook are alarming. We will ask the Irish data protection commissioners, who are legally responsible for this, for a report at the meeting of the European data protection supervisory authorities on Tuesday."

While it seems that to date Irish officials have not issued any statements on Microsoft's email password security issue, it's worth taking a deeper look into how the new Outlook for Windows shares your passwords, what this means for your security and how you can protect yourself from the over-aggressive data collection by Microsoft.

So let's take a closer look at the Outlook update: What is going on under the hood that poses a threat to our privacy and online security?

Aggressive Data Collection

With its latest update, Outlook is following in the footsteps of Silicon Valley tech giants like Google (Alphabet), Facebook (Meta), and Apple by collecting more and more data. Obviously, Microsoft has learned that data is the new oil and that it can tremendously increase its revenue by leveraging what it already has: vast amounts of data from its billions of personal, business, and public sector customers around the world.

Collecting and analyzing user data has become ever more lucrative, particularly now that Microsoft has invested heavily in OpenAI, the most prominent artificial intelligence company today.

In 2012, when Google changed its privacy policy to allow it to collect and combine user data across its services, Microsoft paid for newspaper ads underlining its own privacy protections compared to Google.

Now, more than a decade later, Microsoft has learned that privacy does not bring in any money, but data collection, user profiling and personalized advertisements do. It is sad to see that companies like Microsoft and Apple that used to champion privacy (see this iPhone ad from 2020) have now also turned to data collection to grow revenues.

In tech, it seems all that counts is growing shareholder value. In saturated markets like the USA and Europe, where these companies cannot sell many more iPhones or Windows computers, they turn to data collection and personalized ads instead.

Growing Partner Network

So it does not come as a surprise that the new Outlook for Windows shares data with hundreds of third parties as stated in its privacy policy.

Thanks to the European GDPR, Microsoft cannot hide the information about its excessive data sharing from European users. If you are in the EU and use the new Outlook for Windows for the first time on a new PC, you will be prompted with this information via a consent dialog:

We and 772 third parties process data to: store and/or access information on your device, develop and improve products, personalize ads and content, measure ads and content, derive audience insights, obtain precise geolocation data, and identify users through device scanning. Some third parties may process your data on the basis of their legitimate interest. You may exercise your right to consent or object at any time by selecting the Manage preferences link below, or through Outlook settings. By clicking the Accept all button, you agree to the use of these technologies and the processing of your data for these purposes while using Outlook.

Screenshot of Outlook's new cookie warning: We and 772 third parties process data to: store and/or access information on your device, develop and improve products, personalize ads...

When seeing this request, it is important not to click it away quickly and accidentally hit 'Accept All'. If you do, you allow Microsoft to share a lot of your personal data with its growing partner network for various purposes, some of which could freak out any privacy-inclined individual. By accepting all you would agree to data analytics and tracking, including:

  • Display personalized ads
  • Get audience insights
  • Store your geolocation data
  • Access data on your device
  • Identify you via device scanning

So again, when seeing this request to allow data sharing pop up: make sure to click Reject All!

First of all, you will not want Microsoft to share your sensitive personal data with hundreds of advertisers and data brokers, and secondly its partner network is constantly growing. Microsoft's data sharing with third parties seems to be a rather lucrative step as the cookie warning has now been updated to sharing data with "813 partners". Who knows how many more partners will get their hands on your data in the future should you consent to sharing?

Screenshot of Outlook's new cookie warning has updated to 813 partners

Joining The Top 5 Advertisers

With this increasing data sharing one thing has become obvious: Microsoft is on its way to becoming one of the top five online advertisers.

Already in 2022, Microsoft Ads chief Rob Wilk stated in an interview that the US tech giant plans to double its advertising revenue to $20 billion. Now, we are seeing this plan put into action.

With the release of the new Outlook for Windows in September 2023, Microsoft has taken the final step toward joining the top five advertisers: Alphabet (Google), Meta (Facebook), Apple, Amazon, and now also Microsoft.

Even before this, people on Reddit complained that Outlook disguises ads as emails - just like Gmail, which now shows ads directly in your inbox:

Screenshot from an Outlook inbox with ads disguised as emails.

So while this is nothing new, the ads machine will grow even stronger with the new Outlook. Ads that are shoved in the faces of Outlook users are either for Microsoft's own products or for third-party products whose makers buy ad space from Microsoft.

While Microsoft might let you use Outlook for free, they monetize you by selling your time and attention to third parties. This is similar to what other big tech services like Google and Facebook are doing, but with the new Outlook the data sharing is exploring entirely new dimensions.

Besides the data sharing with third parties - which you can reject - the new Outlook will also send sensitive data such as passwords to its cloud servers if you use Microsoft's sync feature, which is required to add a non-Microsoft account. This is even more worrying as it is a severe security risk: the IMAP and SMTP credentials for every connected mailbox end up in one central store, Microsoft's servers. A breach of that store would expose the logins for all of those mailboxes at once, and any password reused elsewhere could then be used in credential stuffing attacks against other services.

This info came quite as a shock to the security-inclined and deleting Outlook accounts has become a trend.

But before you decide on whether you can still trust Microsoft with your personal mailbox, let's take a technical deep dive into how Outlook shares your data to understand what is going on exactly!

Security Issue: How The New Outlook Shares Data

The new MS Outlook for Windows is not the local email client we formerly knew. The new version acts as a gateway to Microsoft's cloud environment. For emails from non-Microsoft email providers to be synced to your devices, Microsoft requests and stores your IMAP and SMTP credentials for each such account on its servers, and it is Microsoft's data centers, not your PC, that then connect to your provider.

When adding an account to the new Outlook, users are greeted with a somewhat intimidating warning about sharing their information. The message says that to connect an IMAP account, Outlook needs to synchronize emails with the Microsoft cloud. While existing contacts and calendar events may not be shared with Microsoft, all new additions that you make in Outlook will also be stored in the Microsoft cloud.

In detail the message displayed in Outlook reads:

"What happens when I sync my account to the Microsoft Cloud? Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers. Having your mailbox data in the Microsoft Cloud lets you use the new features of the Outlook client (New Outlook for Windows, Outlook for iOS, Outlook for Android, Outlook.com, or Outlook for Mac) with your non-Microsoft account, just like with your Microsoft accounts."

Screenshot of the Outlook sync message warning people that data is shared with the Microsoft cloud.

Along with the mailbox data described in that warning, what is handed over includes your login credentials, i.e. your passwords - which makes the keys to your digital life available to the American tech giant. With the new Outlook, Microsoft is giving itself excessive powers over all of the email data that you have connected via IMAP. At any given time, Microsoft can scan your mailbox and share sensitive data with third parties - all of this without you knowing about it.

Not only are your login credentials and emails being sent from Outlook to Microsoft's servers, but also any future contacts or calendar events you create in the application. When logging in to the new Outlook you give Microsoft full access to your email account.

As XDA Developers put it: The new Outlook client is no longer a "client", but a wrapper around Microsoft's cloud services. Your data, including your passwords, is no longer stored locally by the Outlook client, but stored on Microsoft's servers and fetched from there.

Is the shared data secured with encryption?

As security experts, we would expect that the sharing of this data will of course be securely encrypted end-to-end. However, as German tech journalists discovered, this is not the case with the new Outlook.

The data is sent to Microsoft's servers over TLS, but TLS only protects the connection itself: inside it, the mailbox address, server settings and the IMAP/SMTP password travel in plain text in the request, so they are fully readable once they arrive at Microsoft, and anyone able to inspect the decrypted session on the sending machine sees them too. The German tech magazine c't of the Heise publishing house ran such a test while configuring a new IMAP/SMTP connection and posted the following screenshot of the captured request:

Screenshot of the code: Outlook shares your data not encrypted with the Microsoft cloud.
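The following is an added example, not code from the article, from c't/heise or from Microsoft, showing how a practitioner can reproduce this kind of test for any mail client, including the sync flow described in the previous section. Give the client a throwaway IMAP/SMTP account whose password is a unique canary string, route the client through a TLS-intercepting proxy such as mitmproxy on the test machine, and run every captured request body through `find_canary()`. A hit proves that the credential left the machine in a form the receiving server can read, whatever TLS did on the wire. The request format, field names and sample body below are constructed for the demonstration and are not Microsoft's actual API; for that reason the scanner looks for the canary value itself (raw, JSON-escaped, URL-encoded or Base64) rather than for any particular field name.

```python
"""Scan intercepted request bodies for a canary credential (added example).

Method: the mail account under test uses a unique throwaway password
(CANARY). Everything the client sends through a TLS-intercepting proxy is
fed to find_canary(); any hit means the credential reached that endpoint
in a readable form. The sample request body and its field names below are
constructed for the demo and are not Microsoft's real API.
"""
import base64
import json
import urllib.parse
from typing import Any, Dict, Iterator, List, Optional, Tuple

Finding = Dict[str, str]


def _encodings(secret: str) -> Dict[str, bytes]:
    """Byte forms a client might use for the secret. Identical forms are
    collapsed so a plain ASCII secret is not reported twice."""
    raw = secret.encode("utf-8")
    candidates = [
        ("raw", raw),
        ("json", json.dumps(secret)[1:-1].encode("utf-8")),   # JSON string escaping
        ("url", urllib.parse.quote(secret, safe="").encode("ascii")),
        ("b64", base64.b64encode(raw)),
    ]
    out: Dict[str, bytes] = {}
    for name, form in candidates:
        if form not in out.values():
            out[name] = form
    return out


def _walk(node: Any, path: str) -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, leaf) pairs for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk(child, f"{path}[{i}]")
    else:
        yield path, node


def _match(value: str, encs: Dict[str, bytes]) -> Optional[Tuple[str, str]]:
    """Return (encoding name, value with the secret masked) on the first hit."""
    for name, needle in encs.items():
        text = needle.decode("utf-8")
        if text in value:
            return name, value.replace(text, "****")
    return None


def find_canary(body: bytes, secret: str, content_type: str = "") -> List[Finding]:
    """Report every place `secret` (in any supported encoding) appears in `body`.

    JSON and form-urlencoded bodies are reported per field, so the finding
    names the parameter that carried the credential. Anything else falls
    back to a byte search over the whole body and reports the offset, which
    also catches credentials inside opaque blobs the parsers do not understand.
    """
    encs = _encodings(secret)
    findings: List[Finding] = []

    doc: Any = None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        pass

    if isinstance(doc, (dict, list)):
        for path, leaf in _walk(doc, "$"):
            hit = _match(leaf, encs) if isinstance(leaf, str) else None
            if hit:
                findings.append({"encoding": hit[0], "location": path, "preview": hit[1]})
    elif "x-www-form-urlencoded" in content_type.lower():
        # parse_qsl undoes the URL-encoding, so the decoded field value is compared.
        pairs = urllib.parse.parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
        for field, value in pairs:
            hit = _match(value, encs)
            if hit:
                findings.append({"encoding": hit[0], "location": f"field {field}", "preview": hit[1]})

    if not findings:
        for name, needle in encs.items():
            idx = body.find(needle)
            if idx >= 0:
                window = body[max(0, idx - 16): idx + len(needle) + 16].replace(needle, b"****")
                findings.append({"encoding": name, "location": f"offset {idx}",
                                 "preview": window.decode("utf-8", "replace")})
    return findings


CANARY = "Canary-Pw!2024"  # unique password given to the throwaway test account

# Constructed sample of an account-provisioning request; field names are invented.
SAMPLE_JSON = json.dumps({
    "EmailAddress": "alice@example.org",
    "IncomingServer": {"Host": "imap.example.org", "Port": 993, "Password": CANARY},
    "OutgoingServer": {"Host": "smtp.example.org", "Port": 587,
                       "Auth": base64.b64encode(CANARY.encode()).decode()},
}).encode("utf-8")

if __name__ == "__main__":
    for f in find_canary(SAMPLE_JSON, CANARY, "application/json"):
        print(f"{f['encoding']:<4} at {f['location']}: {f['preview']}")
```

Wired into a mitmproxy addon, the call is `find_canary(flow.request.get_content(), CANARY, flow.request.headers.get("content-type", ""))` inside a `request(flow)` hook; log any non-empty result together with `flow.request.pretty_url` so the report names the host that received the password. Searching for the canary rather than for field names is deliberate: it still fires when the credential is wrapped in Base64 or tucked inside a nested blob, and it never produces a hit for a client that genuinely keeps the password on the device.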


The team at Heise.de reached out to Microsoft for comment on the severe security issue of the new Outlook given these findings, but there has been no response from the campus in Redmond, WA.

This has been a real shock to the IT experts at Heise. If you feel the same way, you can start looking for a new email provider by browsing the comparison of Outlook and Gmail or - even better for your privacy and security - the comparison of Outlook vs Tuta Mail.

Why You Should Be Alarmed

Beyond the fact that sending passwords to a central server is a terrible idea and worst-possible security, what threats might be posed by syncing all of your emails, calendar events, and contacts to Microsoft's servers?

First of all, this is an issue of trust. Microsoft is an American company and falls under US jurisdiction. Its degree of cooperation with law enforcement and intelligence agencies is unknown, but there is existing evidence that Big Tech companies are eager to cozy up to government agencies. This is extremely worrying as the US is part of the Five Eyes Alliance.

In the US, several scandals are known where big tech companies shared sensitive user data all too willingly with the authorities. For example, in 2016 the public was shocked by the news that Yahoo had scanned all of its users' incoming email on behalf of US intelligence, and in the early 2000s AT&T reportedly built and operated a telecommunications interception room for the NSA in its facilities, known as Room 641A.

Door of room 641A at AT&T, where the NSA intercepted communications data.

We do not know whether Microsoft is acting in a similar fashion, but without strong privacy laws and end-to-end encryption no one can be sure that sensitive customer data is safe on Microsoft's US servers.

Beyond the threat of nation state surveillance, we also do not know the degree to which Microsoft may be working with data brokers to harvest and sell user data. But judging from the new privacy policy pop-up that is shown to European customers in the new Outlook for Windows, data sharing is extensive and will grow even further.

In the United States of America, it is also worth looking at the third-party doctrine. It holds that if you voluntarily submit information to third parties, e.g. email providers, you have "no reasonable expectation of privacy" in that information. As the USA has no federal legislation similar to the European GDPR - which guarantees Europeans that their personal data must be protected by tech companies - the data people share with Microsoft is not safe from US authorities. It can potentially even be obtained without a warrant or other judicial oversight.

This is unacceptable.

What This Means for Businesses

Every business has its own unique use case and security requirements. What does using the new Outlook mean for businesses?

With a longstanding suite of software for business customers, it is unlikely that everyone will be quick to drop Microsoft Office in favor of a free and open source solution like LibreOffice. Some businesses, particularly those which handle sensitive information, must consider what these changes by Microsoft's Outlook mean for the privacy of their customers or clients.

For companies and organizations operating within the EU, the GDPR privacy laws will need to be carefully examined to determine if this upgrade is compatible with the EU's privacy standards.

For medical practices operating within the US, HIPAA compliance is going to be a major concern. By handing over your email login information to Microsoft, you are giving the tech giant potential access to sensitive information about patients.

Intellectual property (IP) theft also poses a threat: If any IP-sensitive information is included in the content you are storing within Microsoft's cloud environment, your business will need to assess the risk posed by a breach or exposure of that data.

To summarize, we have to ask ourselves, are Outlook emails private and secure? Microsoft does boast of various encryption features to protect your Outlook emails, particularly for business customers, but with this new update, Outlook can no longer be considered private and secure.

Always remember, a cloud server is just someone else's computer. TLS in transit and provider-managed encryption at rest protect your data from outsiders, not from the provider that holds the keys. If your data is not encrypted end-to-end, so that only you hold the keys, then it is not secure on that server either.

Switch On Privacy

What can the average internet user do in the face of these invasive changes that affect not only your security but also your privacy?

Our first step would be to stop choosing Outlook for personal use. There are plenty of open source solutions to protect your emails, calendar events, and contact lists.

Tuta Mail provides all of these features and more with full end-to-end encryption of all your data and we never have access to your login credentials.

Tuta Mail lets you use unlimited email addresses with your own custom domain whereas Outlook no longer supports custom domains for private users.

The next step would be to raise these concerns with friends, co-workers, and your doctor's office. By spreading the word that there are great privacy respecting alternatives to Big Tech we can all fight to make our digital future a more secure, safe, and free space.

We at Tuta are committed to building a better Internet - one where your privacy is protected by default.

Sign up for a private and secure email account now.