New Outlook – all you email are belong to us

An interesting article in c’t magazine this week. They looked at the new Microsoft Outlook version that is now shipping with Windows 11.

In an article titled “cloudy with the possibility of data leaks” (link below, German, possibly paywalled), they analysed the New Outlook for a review (separate article) and came across a couple of worrying facts.

https://www.heise.de/select/ct/2023/28/2331715395648017635?seite=all

  1. If you use a Windows 11 local account, without a linked Microsoft Account, then when you add mail accounts (e.g. IMAP or POP3 accounts at other mail services), it seems that Microsoft creates a “shadow” Microsoft Account to hold your emails online in their cloud.
  2. In order to call up the mail from other services, you naturally have to enter your username and password for those services. But, unlike Windows Mail or other traditional mail programs, it sends the username and password unencrypted to the Microsoft servers, so that Microsoft’s services can call up your emails for you. This also explains the behaviour noted by another poster on this forum, that they were getting notifications even when New Outlook wasn’t running.

When questioned, Microsoft said that the password is stored encrypted on their service and that they have no access to it. This isn’t strictly true: the password has to be decrypted every time they call up your email, so whilst individual employees might not have direct access to your email passwords, the system does, which means that, in theory, an employee looking after that system could also decrypt the passwords.

We also saw a couple of months back that Microsoft lost its own encryption keys in a crash-dump that wasn’t handled properly and had that key in the clear within the dump, which is how hackers managed to get hold of it. So, if a server crashes whilst it is pulling a user’s email, it could have the password in the memory dump.

The Data Protection Registrars in the EU aren’t, as you can guess, very pleased with this turn of events. The information that Microsoft is creating shadow Microsoft Accounts isn’t explicitly given when you add accounts to New Outlook. Likewise, they are using the emails stored in the cloud for analysis, but there is nothing in the T&Cs on how they will use the data, whether it stays in your “MA” space, or whether it can/will be used for wider Copilot or marketing purposes.

Basically, if you have gone so far as to not want to use a MA with Windows 11, you shouldn’t use the New Outlook, because MS will be creating an MA in the background to store and analyse your emails.

If you don’t want Microsoft to have the passwords to your other accounts, you shouldn’t use the New Outlook.

Naturally, if you are happy to use an MA with Windows 11 and think that MS analysing your emails for Copilot and maybe other uses will bring you benefits, there is nothing to stop you using New Outlook.

But this is another step along Cory Doctorow’s naughty-wordification of Windows, IMHO.

If you value your privacy, you should probably consider using a different mail client that doesn’t store your credentials in the cloud and doesn’t analyse all your emails in the cloud.

As c’t said in their article, this isn’t the first time they were caught doing this: the original Outlook app for Android and iOS did the same thing, which caused a minor uproar at the time and caused the app to be shunned by businesses, until they changed how it worked.
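The second point above means that, once a user adds an IMAP account to New Outlook, the logins to that IMAP server come from Microsoft’s cloud rather than from the user’s own PC. A mail administrator can see this in the server’s login log, and the following script (an added example, not from the c’t article or from Microsoft) demonstrates the check: it parses constructed Dovecot-style imap-login lines and reports every login from an address outside a hypothetical per-user allowlist of the user’s own devices. The log lines, addresses (RFC 5737 documentation ranges) and allowlist are all made up for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed Dovecot-style imap-login lines (not real log data). rip = remote IP.
SAMPLE_LOG = """\
Dec 14 08:01:12 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
Dec 14 08:03:40 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, TLS
Dec 14 08:05:02 mail dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.22, lip=198.51.100.5, TLS
Dec 14 08:08:41 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.78, lip=198.51.100.5, TLS
"""

# Hypothetical allowlist: the networks each user's own devices connect from.
KNOWN_CLIENT_NETS = {
    "alice@example.org": ["203.0.113.0/24"],
    "bob@example.org": ["203.0.113.0/24"],
}

LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_logins(log_text):
    """Yield (user, remote_ip) for every successful IMAP login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), ipaddress.ip_address(m.group("rip"))


def find_unexpected_logins(log_text, known_nets):
    """Return {user: sorted remote IPs} for logins outside the user's known networks.

    A cloud service polling the mailbox with the user's stored credentials
    shows up here as repeated logins from addresses the user's devices never use.
    """
    nets = {u: [ipaddress.ip_network(c) for c in cidrs] for u, cidrs in known_nets.items()}
    unexpected = defaultdict(set)
    for user, rip in parse_logins(log_text):
        if not any(rip in net for net in nets.get(user, [])):
            unexpected[user].add(rip)
    return {u: sorted(str(ip) for ip in ips) for u, ips in unexpected.items()}


if __name__ == "__main__":
    for user, ips in find_unexpected_logins(SAMPLE_LOG, KNOWN_CLIENT_NETS).items():
        print(f"{user}: logins from unexpected addresses {', '.join(ips)}")
```

Point it at a real Dovecot log with your own allowlist to see which mailboxes are being fetched by a third party on the user’s behalf.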

Thurrott © 2024 Thurrott LLC