Microsoft’s New Outlook App: A Deep Dive into Its Data-Sharing Practices and Privacy Concerns

Introduction

Microsoft’s Outlook app has long been a staple for managing emails and calendars in both personal and professional settings. However, with the release of its new version, privacy advocates are raising alarms over how much user data is being shared with third parties. According to an article by ProtonMail, Outlook now shares data with over 800 third parties—a shocking revelation that raises significant concerns about privacy and user control.

In this post, we will examine how the new Outlook app operates as a data collection tool, how your data is shared with these third parties and what this means for your privacy. We’ll also explore the implications of this data-sharing practice and provide strategies for protecting your personal information.

The Outlook App: A Data Collection Powerhouse

The new Outlook app’s functionality is undeniably powerful, but it has drawn criticism for the extent to which it functions as a data collection service. With its seamless integration into the Microsoft ecosystem and various third-party platforms, Outlook has become a tool for gathering vast amounts of personal data, some of which you might not even realise is being shared.

Claims of Sharing Login Information

One of the most concerning allegations against the Outlook app is that it shares login information (including usernames, email addresses and passwords) with third parties. While Microsoft does not explicitly state that login credentials are shared directly, certain third-party integrations could expose this data indirectly.

Evidence and Citations

According to a report by ProtonMail (source: ProtonMail on Outlook’s Data Collection), the Outlook app’s integration with hundreds of third parties raises questions about data security, including the potential for login information to be shared with certain external services. The article highlights that even though Microsoft claims to encrypt passwords and protect user data, the mere fact that so many services are involved in data handling increases the risk of inadvertent leaks or breaches.

Moreover, when integrating with services like Zoom, Slack, or Trello, these platforms often require users to log in via Outlook, potentially giving them access to your Microsoft account credentials. This process may expose login information, especially if any of these platforms suffer a security breach, as seen in past incidents with Zoom and Slack (sources: Zoom Security Breach Report and Slack Data Breach).

Login Sharing and OAuth Risks

Many of these services use OAuth for authentication, which allows third-party applications to access user accounts without exposing passwords. However, OAuth is not foolproof. Misconfigurations or vulnerabilities in the OAuth process can expose tokens that allow third parties to access your account as though they had your credentials. This is particularly risky when the third-party service integrates with multiple other platforms, as seen in tools like Slack and Trello, where data flows between multiple services.

OAuth tokens have been shown to be vulnerable in cases of poor implementation or phishing attacks, leading to unauthorised access to user accounts. If such an incident occurs, third parties could potentially gain access to sensitive data, including login information. For more information about OAuth vulnerabilities, Salt have a useful article at https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundreds-of-online-services.

Microsoft’s Role in Data Commodification

Microsoft’s business model relies heavily on monetising user data through advertising and analytics. The integration of Outlook with other Microsoft services such as Bing and LinkedIn enables the company to build rich profiles of user behaviour, preferences and even professional relationships. This level of data collection turns Outlook into more than just an email client—it is a cornerstone of Microsoft’s surveillance capitalism model, where user data is the primary commodity.

In addition, Microsoft has faced scrutiny over its vague and often opaque privacy policies. According to The Guardian (source: The Guardian on Microsoft Privacy), the company has been accused of failing to fully disclose how much data is shared with third parties or what these third parties do with the data they receive.

Who Are the Third Parties and Why Is Your Data Shared?

Microsoft’s new Outlook app integrates with a wide array of third parties, ranging from advertising networks to analytics services and productivity tools. Each of these parties has access to different kinds of data, depending on the permissions you grant within the app. The ProtonMail article highlights that Outlook shares data with over 800 third parties, which raises significant concerns about how much personal information is being circulated across the web. Let’s dive deeper into who these third parties are and what specific data they may be collecting.

1. Advertising Networks

Advertising is one of the largest reasons why third-party data sharing happens in apps like Outlook. Microsoft partners with various advertising networks to show you personalised ads based on your usage patterns. These ads are displayed inside the Outlook app, on the web version and across other Microsoft services like Bing.

• Google Ads (https://ads.google.com/home/): Google Ads is one of the most prominent advertising networks that integrates with Outlook. When you use Outlook, data such as your email interactions, search terms and location may be shared with Google Ads for the purpose of targeting you with personalised advertisements. This information includes behavioural data (e.g., how often you open promotional emails) and the content of the emails you receive, especially if they contain product or service promotions.
• Facebook Audience Network (https://www.facebook.com/audiencenetwork/): Through its integration with the Facebook Audience Network, Outlook shares data such as demographic information (age, gender), interactions with specific emails or calendar events and your general behaviour across Microsoft services. Facebook uses this data to provide targeted advertising based on your interests and activities.
• Microsoft Advertising/Bing Ads (https://ads.microsoft.com/): Microsoft’s own advertising network works similarly to Google Ads, collecting information about your usage within the app to serve relevant ads. Bing Ads, for instance, tracks how you interact with search queries related to content in your emails or calendar events and uses this data to serve targeted ads both within Outlook and on the Bing search engine.

Each of these networks may use identifiers such as cookies or device IDs to track you across multiple services, potentially building detailed profiles about your online habits.

2. Analytics Providers

In addition to advertising, data is shared with third-party analytics providers to track user engagement, improve app performance and collect insights on how the app is used.

• Google Analytics (https://analytics.google.com/analytics/web/): Google Analytics tracks how you interact with Outlook’s interface, including clicks, scrolls and the time you spend reading or composing emails. This data is typically aggregated, but it still gives Google a view of how Outlook users behave, which can later be used for both service improvements and advertising purposes.
• Adobe Analytics (https://business.adobe.com/uk/products/analytics/adobe-analytics.html): Adobe Analytics performs a similar role to Google Analytics, collecting data on your interactions within the app to optimise user experience and to provide Microsoft and third-party partners with behavioural insights. This can include metrics like how often you open certain types of emails, which buttons you click and how long you spend on specific tasks.

Both Google Analytics and Adobe Analytics have access to broad behavioural data, but when combined with other datasets, they can provide a more personal profile of a user’s habits.

3. Service Integrators and Productivity Tools

Service integrators like Zoom, Slack and Trello add to the ecosystem of productivity tools that work with Outlook. When you connect these services to Outlook, they require access to specific data to provide features like meeting scheduling or task management.

• Zoom (https://zoom.us/privacy): When you use Zoom with Outlook, Zoom collects information from your Outlook calendar, such as meeting titles, participants and times. This data is used to sync events between Zoom and Outlook, but Zoom also retains this information for its own use, which could include analytics or even sharing with third-party partners.
• Slack (https://slack.com/intl/en-gb/trust/privacy/privacy-policy): Integrating Slack with Outlook gives Slack access to your calendar events, meeting details and even email content (depending on the permissions granted). This data is primarily used to improve Slack’s functionality, such as syncing messages and notifications, but Slack may also use it to provide insights to their advertisers or third-party partners.
• Trello (https://trello.com/privacy): Trello uses data from your Outlook emails and calendar to help you organise tasks and projects. This includes accessing email subjects, body content and attachments to generate cards and boards within Trello. Trello’s privacy policy reveals that some of this information may be shared with their own partners for service improvements or marketing.

4. Social Media and Sharing Platforms

Outlook integrates with several social media platforms that allow you to share content or notifications from within the app. However, these integrations often involve the exchange of more data than users might expect.

• LinkedIn (https://www.linkedin.com/legal/privacy-policy): When you connect LinkedIn to Outlook, LinkedIn collects data such as your email contacts, job titles and the content of emails or calendar events related to networking or recruitment. This data is used by LinkedIn to build your professional network but may also be used for advertising and job suggestion purposes.
• Twitter (https://twitter.com/en/privacy): Twitter’s integration with Outlook allows you to share email content or calendar events directly on the platform. However, it also enables Twitter to access information such as who you are corresponding with and the nature of those communications, which can later be used for advertising targeting or analytics.

Each of these social media platforms may store and use this data according to their own privacy policies, sometimes with third-party sharing of their own.

What Are the Risks of Sharing Your Data with These Third Parties?

The sheer scale of third-party data sharing—over 800 companies—is a troubling revelation, especially when you consider the types of data being shared. Microsoft is not just sharing basic metadata; sensitive details such as email content, calendar events and contact lists are potentially accessible to these third parties.

Some of the key risks associated with this practice include:

1. Data Breaches

With so many third-party integrations, Outlook becomes a prime target for cyberattacks. If one of the third-party services you use with Outlook experiences a data breach, your personal information could be exposed, even if Microsoft’s servers remain secure. For example, past breaches of popular services like Facebook (https://about.fb.com/news/2019/04/keeping-passwords-secure/) and Zoom have shown how vulnerable user data can be when shared across multiple platforms.

2. Targeted Advertising

Microsoft’s integration with advertising networks means your personal habits and email usage are analyzed to deliver targeted ads. While some users may not mind this, others find it intrusive. Additionally, these personalised ads can be based on sensitive information from your emails and calendar events, such as medical appointments, financial transactions, or travel plans.

3. Surveillance Capitalism

Outlook’s extensive data-sharing practices contribute to the larger issue of surveillance capitalism. Companies profit from your data by analyzing it and selling insights to advertisers, governments, or other organizations. This commodification of personal information poses serious ethical questions about the role of tech companies in modern society.

What You Can Do to Protect Your Data

While Microsoft’s new Outlook app offers undeniable convenience and functionality, there are steps you can take to limit how much of your data is shared with third parties:

1. Limit App Permissions

Be mindful of the permissions you grant to third-party apps that integrate with Outlook. Only grant the permissions necessary for basic functionality. For instance, avoid connecting your calendar or contact lists to third-party apps unless absolutely necessary.

2. Switch to Privacy-Focused Alternatives

Consider using privacy-focused email clients like ProtonMail (https://protonmail.com/) or Tutanota (https://tutanota.com/). These services prioritise user privacy and are designed to limit data-sharing with third parties.

3. Opt Out of Targeted Advertising

Take advantage of Microsoft’s privacy controls by visiting the Microsoft Privacy Dashboard (https://account.microsoft.com/privacy/) and opting out of personalised ads. This will limit the amount of data shared with third-party advertising networks.

4. Use End-to-End Encryption

Enable end-to-end encryption for your emails whenever possible. Microsoft offers this feature in Outlook, but you must actively use it to protect the content of your messages from being accessed by third parties.

5. Explore GDPR Protections

If you’re based in Europe, you can take advantage of the General Data Protection Regulation (GDPR), which gives users the right to request data deletion, access and control. Use these rights to manage what data Microsoft and third parties hold about you.

Comparing the Free Outlook App vs. Full Outlook in Microsoft Office

While the free version of Outlook offers many of the basic features users need, the paid version of Outlook that comes with Microsoft Office includes more robust functionality. In this section, we will compare both versions based on privacy and user-friendliness to give you a clearer idea of what you’re getting with each option.

Free Outlook App

• Privacy Focus: The free Outlook app is notorious for its extensive data sharing. As previously discussed, it shares information with over 800 third parties, including advertising networks and analytics providers. There’s minimal control over how this data is used.
• User-Friendliness: The free version is highly user-friendly, with intuitive features like drag-and-drop, deep integration with Microsoft services and a familiar interface for Microsoft users.
• Features: The free version offers basic email functionality, calendar integration and a few additional tools like tasks and notes. However, it lacks some of the more advanced collaboration features found in the paid version.

Full Outlook App (Microsoft Office)

• Privacy Focus: While the paid version of Outlook still shares data with third parties, it offers better privacy controls compared to the free version. Enterprise users can leverage additional encryption options and data management tools and Microsoft promises better protection for premium users.
• User-Friendliness: The paid version of Outlook provides all the user-friendly elements of the free version, with the added benefit of more advanced features that make it suitable for business environments. Its interface is familiar to most Microsoft Office users.
• Features: The paid version includes advanced features like:
  • Advanced email management (rules, sorting, categories)
  • Shared mailboxes
  • Delegation (granting others access to your inbox)
  • Integration with Microsoft Teams and SharePoint
  • Advanced calendaring and scheduling tools
  • Premium support for security and privacy

Comparison Table: Free Outlook vs. Full Outlook (Microsoft Office)

Comparison of Email Clients for Windows, Apple and Linux

In response to growing concerns about privacy and the diversity of email clients available across platforms, here is an expanded list that includes additional options such as eM Client and Betterbird. We’ll compare them on privacy, user-friendliness and operating system support. Each product also includes links to their official websites for more details.

Privacy-Focused Email Clients for Different Operating Systems

1. ProtonMail (protonmail.com)

• Operating Systems: Web-based (works across Windows, macOS, Linux)
• Privacy: Excellent. ProtonMail is highly privacy-focused, offering end-to-end encryption and strict adherence to Swiss privacy laws. No data is shared with third parties and all emails are fully encrypted.
• User-Friendliness: Very user-friendly with a clean interface and intuitive controls. ProtonMail excels in its simplicity and privacy focus, though it may lack some advanced productivity features.

2. Tutanota (tutanota.com)

• Operating Systems: Web-based and native apps for Windows, macOS, Linux
• Privacy: Excellent. Tutanota encrypts everything from emails to calendars and subject lines, providing comprehensive privacy protection. Adheres to GDPR and no data is shared with third parties.
• User-Friendliness: Very easy to use with a straightforward interface. It lacks advanced features but is ideal for privacy-conscious users.

3. Thunderbird (thunderbird.net)

• Operating Systems: Windows, macOS, Linux
• Privacy: Good. Thunderbird doesn’t track users or share data with third parties. While encryption isn’t enabled by default, it can be configured using OpenPGP or Enigmail for secure communication.
• User-Friendliness: Moderately user-friendly. It offers powerful customization and add-ons but has a more complex interface compared to other clients. Great for advanced users seeking flexibility.

4. Betterbird (betterbird.eu)

• Operating Systems: Windows, Linux
• Privacy: Good. Based on Thunderbird, Betterbird inherits many of its privacy features, including strong data protection, no tracking and encryption options via OpenPGP.
• User-Friendliness: Betterbird aims to improve Thunderbird’s usability by adding bug fixes and enhancements, making it a bit more user-friendly. It’s still best suited for users familiar with Thunderbird’s interface.

5. Microsoft Outlook (Free) (outlook.com)

• Operating Systems: Windows, macOS (via Outlook.com web-based)
• Privacy: Poor. The free version of Outlook shares data with over 800 third parties, including advertising networks. Users have limited control over what data is shared.
• User-Friendliness: Extremely user-friendly with seamless integration into Microsoft’s ecosystem, making it ideal for users already familiar with Microsoft products.

6. Microsoft Outlook (Microsoft Office) (microsoft.com/en-us/microsoft-365/outlook)

• Operating Systems: Windows, macOS
• Privacy: Moderate. The paid version provides better privacy controls, with enterprise encryption options and less third-party data sharing. However, it still integrates with advertising networks.
• User-Friendliness: Highly user-friendly, with all the advanced features needed for business users, such as shared mailboxes, calendar management and deep Microsoft integration.

7. Apple Mail (apple.com/mail)

• Operating Systems: macOS, iOS
• Privacy: Good. Apple prioritises user privacy and Apple Mail does not track email content for advertising. Users can enable encryption via S/MIME.
• User-Friendliness: Very intuitive and easy to use, especially for macOS users. Apple Mail is seamlessly integrated with the Apple ecosystem but may lack the advanced productivity features some users need.

8. KMail (kontact.kde.org/kmail)

• Operating Systems: Linux (KDE Plasma)
• Privacy: Good. KMail does not share user data with third parties and it supports encryption via OpenPGP for secure communication.
• User-Friendliness: Moderately user-friendly, particularly for users familiar with Linux and KDE. Its interface is functional but less polished than proprietary clients.

9. eM Client (emclient.com)

• Operating Systems: Windows, macOS
• Privacy: Moderate. eM Client offers encryption options like S/MIME and PGP for secure emails but lacks the strict privacy focus of ProtonMail or Tutanota. While it doesn’t share data with advertisers, it doesn’t offer the highest level of privacy protection.
• User-Friendliness: Very user-friendly. It includes features like email translation, task management and calendar syncing, making it a well-rounded client for productivity.

Comparison Table: Email Clients for Windows, macOS and Linux

Outlook’s Data Sharing is a Wake-Up Call for Privacy

Microsoft’s new Outlook app represents a turning point in how we should think about data privacy. With its integration into over 800 third parties, the risks to users’ personal information are substantial. While the app may offer increased functionality and convenience, it comes at a significant cost: the commodification of your private information. The relationship between Outlook and these third parties exemplifies the surveillance capitalism model that has come to dominate the tech industry.

For privacy-conscious users, this is a wake-up call. We must be more vigilant about the services we use and the permissions we grant. We also need to consider alternatives to mainstream tech offerings that prioritise privacy and security.

As consumers, we have the power to demand better privacy protections from companies like Microsoft. By making conscious decisions about the tools we use and pushing for greater transparency, we can help shape a digital future where privacy is respected and safeguarded.

Conclusion

Choosing the right email client depends on your privacy needs and desired user experience. ProtonMail and Tutanota continue to lead in privacy-focused email services, offering robust encryption and protection from data-sharing practices. For those who need a versatile, user-friendly client with features such as calendar and task management, eM Client and Microsoft Outlook (Office version) are excellent choices, though they do not offer the same level of privacy protection as ProtonMail or Tutanota.

For users seeking open-source alternatives with flexible features, Thunderbird and Betterbird are solid choices, especially for Linux users. Apple Mail provides a privacy-conscious option for macOS users, while KMail remains a good choice for those using Linux and seeking a KDE-integrated email solution.

If privacy is your top concern, ProtonMail or Tutanota are the best choices. However, if you require more productivity features, eM Client or the paid version of Microsoft Outlook may offer the right balance between functionality and security.

Final Thoughts and Call to Action

The revelations about Microsoft Outlook’s extensive data sharing should prompt every user to reassess their digital privacy practices. Start by reviewing the third-party services connected to your email accounts, reconsider the apps you use and take steps to limit unnecessary data sharing. If privacy matters to you, the time to act is now.

References and Further Reading

1. ProtonMail on Outlook’s Data Collection: https://proton.me/blog/outlook-is-microsofts-new-data-collection-service
2. Salt Labs exposes a new vulnerability in popular OAuth framework, used in hundreds of online services: https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundreds-of-online-services
3. Zoom Security Breach Report: https://www.bbc.co.uk/news/business-58050391
4. Slack Data Breach Report: https://www.zdnet.com/article/slack-resets-passwords-after-2015-data-breach-exposed-accounts/
5. Google Ads: https://ads.google.com/home/
6. Facebook Audience Network Privacy Policy: https://www.facebook.com/audiencenetwork/
7. Google Analytics Privacy Policy: https://analytics.google.com/analytics/web/
8. Adobe Analytics: https://www.adobe.com/analytics/adobe-analytics.html
9. Trello Privacy Policy: https://trello.com/privacy
10. Zoom Privacy Policy: https://zoom.us/privacy
11. Slack Privacy Policy: https://slack.com/intl/en-gb/trust/privacy/privacy-policy
12. The Guardian on Microsoft Privacy: https://www.theguardian.com/commentisfree/article/2024/jul/06/microsoft-recall-ai-privacy-climbdown-artificial-intelligence