If Outlook is $69.95, you are the product

Stand and deliver! Your data or your life!
31 January 2024

“Private” by dominique cappronnier is licensed under CC BY-NC-ND 2.0.

  • New Outlook 365 provides Microsoft with users’ data.
  • Opting out of ads can require 772 clicks (in the EU).
  • A ‘unified experience’ for all email accounts.

Microsoft’s business-focused email client, Outlook, an integral part of the O365 (Office 365) suite, is now widely available in its latest version, which manifests as a web wrapper around the company’s Outlook web interface. Depending on geography and an organization’s internal policies, O365 users on Mac, Windows, Android, and iOS are offered an upgrade to the latest version, or can download a new binary.

For those not subscribed to a personal or organizational O365 account, the free Windows and Mac versions are ad-supported, with advertisements from Microsoft and its partners appearing as emails in users’ inboxes or above the mailbox. Yes, almost exactly like junk mail.

The application allows users to configure new Outlook 365 to be a front end for other email providers (Yahoo!, Gmail, generic IMAP, etc.) as well as their organization’s O365 or outlook.com email. According to developers on XDA, credentials for other accounts registered with the Outlook client are transmitted in plain text to Microsoft and stored. All email traffic to and from external email services synchronizes via Microsoft’s servers, using the held login credentials, with Microsoft’s servers interacting directly with other email providers’ authorization mechanisms.

Once authorized during setup, data to and from third-party email services flows via Microsoft, so the company has full access to email contents, users’ calendars, event details, and contacts. The new Outlook doesn’t act as a traditional email client; rather, it’s an interface onto Microsoft Cloud, which mediates as an authenticator and processor of the contents of a user’s Gmail, Rackspace, Zoho, Yahoo! etc., in addition to any O365 email accounts. This means Outlook can present a ‘unified experience‘ to grateful users – in return for their data.

Users in the EU are informed during installation that “[Microsoft] and 772 third parties process data to: store/and or access information on your device,” although in other geographies, Microsoft is not legally bound to present this information. Regardless, the company and its carefully chosen range of commercial partners can, in addition to storing and accessing data on the user’s computer, obtain precise geolocation, identify specific users through device scanning, and measure interactions with any information present in Outlook. Interactions in this context typically mean time spent looking at a message, which messages are opened, links clicked, and so on.

New Outlook 365 shares your data with 773 companies.

That’s not a giant ‘O,’ it’s an unblinking eye, stripping your email of its data like a shoal of piranha fish on a corpse.

Users of the free tiers of new Outlook 365 can choose how advertisements are presented to them, either in a banner above the mailbox or as emails inserted into the Inbox. That choice then permeates to all the user’s installations across devices. A subscription to O365 removes the presence of commercial messages (apart from the ones that would appear in an inbox as a matter of course as spam, naturally).

UK and European users can choose not to receive messages from each of the 772 advertising partners with whom Microsoft operates either at installation time, or later, by individually moving 772 sliders, one against each company’s name, from “On” to “Off.” US-based users and those in areas lacking pertinent data protection regulations are not offered either facility. Note that the advertising preferences hide commercial messages from the named partners. Microsoft’s partners will still receive the user data detailed above derived from the contents of all email accounts, including but not limited to users’ payment details (PayPal, credit cards, etc.), interactions with any email’s content, exact location, any behavioral indicators of demographics, images displayed in Outllook, usernames, and passwords sent by email.

According to Statista, 1.3 million companies are using Office 365 in the US as of February 2024, plus 300,000 in the UK and 148,000 in Australia. There are 7 million monthly active K-12-aged users of the Microsoft Learning Tools Suite (Outlook, Word, Edge, etc.) in schools worldwide [pdf]. The Office 365 suite is usually free for educational users, with just possession of a school or non-profit learning institution email address required to download Outlook and other applications.

Personal and business Office 365 subscriptions’ monetary costs vary according to region and offered tiers, with typical businesses paying around $10 per month, per user.

Very slick as usual – but where’s the data protection?