This idea is inspired by this inquiry:
If that person’s story is true and accurate, the exposure would have profound consequences because it would mean that Microsoft can no longer legally claim to be merely a “data processor” (which currently shields MS from many GDPR responsibilities). It would make MS a data controller, which comes with heavy obligations for privacy protections.
For example, whenever a data controller sends spam, MS currently points the finger, saying “we are just a data processor”. But if MS were also a controller, they would be legally obligated to act on complaints.
Apart from the linked inquiry, Microsoft must profit from its email service. How does it do that on gratis personal accounts if the user uses a free sofware client with no ads? Are ads injected into the payloads? If not, then there is a 2nd motivator for MS to snoop on email payloads.
This community (citizenscience) has no description and there is no other community in the threadiverse with that name. I can only assume I am in the right place here. But I realise I am out on a limb with a tech matter as mander is focused on natural sciences.
History
Microsoft has a long-standing reputation for not using email content for marketing. MS heavily critisized Google for doing that around 2013-14 (which was actually a marketing tactic – with success). This is why businesses and govs use MS for email. But in 2021, MS bought Xandr, a surveillance advertising company.
The privacy policy
It’s short and broken into sections well enough to not be a burden to read. I find it vague enough that I think users can have no expectation that MS does not snoop on email payloads. Which means if MS is caught doing that, the privacy policy cannot be used against them. But it would help if more eyeballs could verify. The fact that the privacy policy does not clearly refute the possibility of email snooping suggests MS could be hiding surveillance that it expects to eventually get caught on.
The setup
We need Microsoft users to experiment. We need someone to carefully arrange email conversations with other MS users. Requirements:
- It is important that both ends of the email be Microsoft-hosted email accounts.
- The accounts should be free personal accounts and ideally newly created. Though it would be interesting to separately test corporate enterprise accounts for comparison.
- Enable personalised ads in your MS dashboard (it’s the default).
- The topics put through email must be very orthogonally disconnected with the user’s lifestyle and habits. E.g. if the email sender is a teenager not interested in diy home improvement, then write email asking what materials to use for plumbing and roofing. Men could ask the other person about hair, nails, and makeup products if they would not normally do so.
- Take great care not to web search the topics you put in email or have any trace outside of email.
- Use a free software email client. Rationale: commercial or closed-source clients could do their own snooping and give plausible deniability that invalidates the research. Even MS’s own clients would invalidate the research because MS could argue they snooped on the client, not on the email in transit.
- Use Bing and other MS services for searches, ideally when logged in, taking care not to search for anything remotely like the topics discussed in email. Take screenshots of ads that correspond with the exclusively email content.
It would also be interesting to inject a topic into both web searches and email and study whether the combination has an amplifying effect. But of course very difficult to control and produce irrefutable proof of that. This would be a more rigorous study.
Can you setup 2 accounts and control both ends of the conversation?
I think not. Decades ago I had multiple Google accounts. I took great care to keep them separate, only used them over Tor, never from the same device, etc. Google still figured out that they could associate the accounts together and I could not work out how Google pulled that off. If MS does the same, they could be clever enough to disregard the payloads precisely to stiffle this research. So an MS-using partner is best for this.
I will not do this research myself because I cannot stomach the thought of using MS or even giving MS prerequisite info to get the accounts open.
Some answers require no experiments:
- Does the privacy policy allow for email scanning?
- Do FOSS users of gratis MS services receive ads in the email payloads?