Emails, Contacts, and Passwords - Oh My! New Outlook Overshares with Microsoft

When using Outlook, your sensitive data may not stay on your machine but may instead be sent to Microsoft's servers.

Outlook shares your email addresses and passwords with Microsoft - a huge security risk!
The latest version of Microsoft's email client behemoth Outlook is nearing release, and it has security experts concerned. Outlook, a business staple for decades, has become more demanding in the data it collects from its users. This latest update doesn't change the pattern. To the contrary: it makes things worse. The new version of Outlook will share not only the unencrypted content of your mailbox, contact lists, and calendar events, but can also share sensitive login information like passwords with Microsoft's servers in the USA.

MS Outlook Might Share Your Passwords

The warnings about Outlook sharing your passwords and other sensitive information have escalated beyond the more privacy-inclined internet users: the German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, will now be bringing these upcoming changes up for discussion with other EU data protection authorities later this week.

Outlook update: What is going on under the hood that poses a threat to our privacy and online security?

How MS Outlook Shares Data

The new MS Outlook is not the local email client we formerly knew. The new version acts as a gateway to Microsoft's cloud environment. In order for your emails from non-Microsoft-owned email providers to be synced to your devices, Microsoft will be requesting and storing your IMAP and SMTP credentials for each email account on their servers.

When adding an account to the new Outlook, users are greeted with a somewhat intimidating warning about sharing their information. The message says that to connect an IMAP account, Outlook needs to synchronize emails with the Microsoft cloud. While existing contacts and events may not be shared with Microsoft, all new additions that you make in Outlook will also be stored in the Microsoft cloud.

This may even include your login credentials, such as passwords, which hands the key to your online life to the American tech giant.

Not only are your login credentials being shared from Outlook with Microsoft servers, but also any future contacts or calendar events you might create in the application.
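Because the stored credentials are used by Microsoft's cloud rather than by the user's own machine, a mail administrator can spot the change from the server side: the mailbox starts receiving IMAP logins from a source the account owner does not use. The following script, added here as an example and not part of this article or any project, scans Dovecot-style imap-login lines for exactly that; the log lines and the trusted network range are constructed placeholders, not real addresses.

```python
"""Flag IMAP logins that come from outside the networks an organisation
trusts, which is how a mail administrator would notice a cloud
intermediary fetching mail with stored credentials.
Example code added for this article; the log lines follow Dovecot's
imap-login format, but the lines themselves and the trusted range are
constructed placeholders (RFC 5737 documentation addresses)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in Dovecot's imap-login format.
SAMPLE_LOG = """\
Nov 14 08:01:12 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS
Nov 14 08:05:40 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.10, TLS
Nov 14 08:06:02 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.10, TLS
Nov 14 08:09:55 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.78, lip=198.51.100.10, TLS
"""

# Networks the organisation's own users connect from (placeholder value).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Successful login line: the user name in angle brackets and the remote IP (rip=).
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?rip=([0-9a-fA-F.:]+)")


def parse_logins(log_text):
    """Return (user, remote_ip) pairs for every successful IMAP login."""
    pairs = []
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if match:
            pairs.append((match.group(1), ipaddress.ip_address(match.group(2))))
    return pairs


def foreign_logins(log_text, trusted=TRUSTED_NETS):
    """Map each user to the sorted list of remote IPs outside the trusted networks."""
    hits = defaultdict(set)
    for user, ip in parse_logins(log_text):
        if not any(ip in net for net in trusted):
            hits[user].add(str(ip))
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in foreign_logins(SAMPLE_LOG).items():
        print(f"{user}: IMAP logins from outside trusted networks: {', '.join(ips)}")
```

A sudden cluster of logins from one new network across many accounts, all starting after an Outlook update, is the pattern worth investigating; rotating the affected IMAP passwords cuts off the stored copy.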

But the transfer of this data will of course be securely encrypted, right?

Not quite. The connection to Microsoft's servers is protected by TLS, but inside it the data itself is transmitted in plain text with no encryption of its own, so it arrives readable at Microsoft's end. The German tech magazine c't of the Heise publishing house ran a test while configuring a new IMAP/SMTP connection and posted the following terrifying image of their results:

Screenshot of the captured request: Outlook shares your data unencrypted with the Microsoft cloud.

Our team reached out to Microsoft for comment on the security of Outlook given these changes, but as of yet there has been no response from the campus in Redmond, WA.

Why Should You Be Alarmed

Beyond the fact that sending passwords in plain text is a terrible idea and the worst possible security practice, what other threats might be posed by syncing all of your emails, calendar events, and contacts to Microsoft's servers?

This is an issue of trust. Microsoft is an American company and falls under US jurisdiction. The degree of its cooperation with law enforcement and intelligence agencies is unknown, but there is existing evidence that Big Tech companies are eager to cozy up to government agencies.

In the early 2000s, AT&T built and operated a telecommunications interception room for the NSA in one of its facilities, known as Room 641A.

This is the door to Room 641A at AT&T, where the NSA intercepted communications data.

We do not know whether Microsoft is acting in a similar fashion, but without strong privacy laws and end-to-end encryption we cannot be sure that our data is safe.

Beyond the threat of nation-state surveillance, we do not know the degree to which Microsoft may be working with data brokers to harvest and sell user data. In the United States of America, the third-party doctrine declares that, in the case of ISPs, banks, financial institutions, and email service providers, customers have "no reasonable expectation of privacy".

This is unacceptable.

What This Means for Businesses

Every business has its own unique use case and scope. What does using the new Outlook mean for the average business user?

Given Microsoft's longstanding suite of software for business customers, it is unlikely that everyone will be quick to drop Microsoft Office in favor of a free and open source solution like LibreOffice. Some businesses, particularly those which handle sensitive information, must consider what these changes mean for the privacy of their customers or clients.

For companies and organizations operating within the EU, the GDPR privacy laws will need to be carefully examined to determine if this upgrade is compatible with the EU's privacy standards. We will see in the coming days what kind of discussion comes from Mr. Kelber's push within the EU.

For medical practices operating within the US, HIPAA compliance is going to be a major concern. By handing over your email login information to Microsoft, you are giving them potential access to sensitive information about patients. If the same password is reused for the email account and other services, the threat to patients in the event of a data breach is even greater.

Intellectual property (IP) theft is another threat. If any IP-sensitive information is included in the content you are storing within Microsoft's cloud environment, your business will need to assess the risk posed by a breach or exposure of any of your company data.

Always remember, a cloud server is just someone else's computer.

If your data is not securely encrypted in transit and at rest, then it is not secure on that server either.

Take Action!

What can the average internet user do in the face of these invasive changes?

It's time for an Outlook alternative!

Our first step would be to stop choosing Outlook for personal use. There are plenty of open source solutions to protect your emails, calendar events, and contact lists. Tuta provides all of these features and more with full end-to-end encryption of all your data and we never have access to your login credentials.

Besides, Tuta lets you use unlimited email addresses with your own custom domain, while Outlook no longer supports custom domains for private users.

The next step would be to raise these concerns with friends, co-workers, and your doctor's office. By spreading the word that there are great privacy-respecting alternatives to Big Tech, we can all fight to make our digital future a more secure, safe, and free space.

Recommended for further reading: Check our review on private email services to see which one best meets your needs.