EU Parliament blocks Microsoft Outlook apps over privacy fears

The European Parliament has reportedly become the latest organisation to block members from using Microsoft's new Outlook apps because of "serious security issues".


According to an email which was leaked to IDG News Service at the end of last week, the Parliament's IT department – DG ITEC – has moved to block the use of the new Outlook apps on iOS and Android, despite both apps having been updated recently.

“Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password,” it said. The IT department went on to warn that these apps would send password information on to Microsoft without permission, and will store emails in a third-party cloud service, over which the Parliament would have no control.

Microsoft's latest Outlook app essentially acts as an email inbox for any email service, irrespective of whether you have Exchange, Outlook, iCloud, Google or Yahoo email accounts. The apps were developed by Accompli, the firm which Microsoft acquired for a reported £120 million (US$ 200 million) late last year. The intention has been for the app to replace the much-criticised Outlook Web App as the email client for Office 365 users.

Shortly after this news broke, Frederic Jacobs of Open Whisper Systems wrote on Twitter: “Just got an email from @EPFL_en Security (Swiss Federal Institute of Technology Lausanne) department asking to not install “Outlook” apps over concerns over US/Microsoft stored passwords/data.”

The University of Wisconsin and Delft University in the Netherlands have also blocked access to the apps, with the former advising the 170 people who had accessed it to change their passwords, while now blocking access to the app from its Office 365 servers.

All three appear to be blocking these apps for the same reasons: because data, including password information, is stored in the cloud, and because this information can also be sent back to Microsoft without user permission.
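The University of Wisconsin's response (identify everyone who has synced through the app, then tell them to change their passwords) is something an Exchange administrator can script against server access logs. The following is an added example, not code from the article or from Microsoft: it scans constructed ActiveSync-style log lines for the user-agent prefix that the Outlook mobile app presented to servers at the time (assumed here as "Outlook-iOS-Android/"; confirm the exact string against your own logs) and lists the affected accounts and device ids.

```python
import re
from collections import defaultdict

# User-agent prefix the Outlook mobile app presented to Exchange ActiveSync.
# Assumed value; verify it against what your own server actually logged.
OUTLOOK_APP_UA_PREFIX = "Outlook-iOS-Android/"

# Constructed sample ActiveSync access-log lines; this is not real server output.
SAMPLE_LOG = """\
2015-02-02T08:14:03Z user=alice@ep.example devid=ABC123 ua="Outlook-iOS-Android/1.0" cmd=Sync status=200
2015-02-02T08:14:10Z user=bob@ep.example devid=DEF456 ua="Apple-iPhone6C1/1208.143" cmd=Ping status=200
2015-02-02T08:15:41Z user=alice@ep.example devid=ABC123 ua="Outlook-iOS-Android/1.0" cmd=FolderSync status=200
2015-02-02T08:16:02Z user=carol@ep.example devid=GHI789 ua="Outlook-iOS-Android/1.0" cmd=Sync status=200
2015-02-02T08:17:55Z user=dave@ep.example devid=JKL012 ua="Android-SAMSUNG-SM-G900F/101.403" cmd=Sync status=200
"""

# key=value pairs; a value may be double-quoted (and then may contain spaces).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def find_outlook_app_users(log_text):
    """Return {user: sorted device ids} for every account that synced via the Outlook app."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip blank or unparseable lines
        if rec.get("ua", "").startswith(OUTLOOK_APP_UA_PREFIX):
            hits[rec["user"]].add(rec["devid"])
    return {user: sorted(devs) for user, devs in sorted(hits.items())}


if __name__ == "__main__":
    affected = find_outlook_app_users(SAMPLE_LOG)
    print(f"{len(affected)} account(s) synced through the Outlook app; advise a password change:")
    for user, devs in affected.items():
        print(f"  {user}  devices={','.join(devs)}")
```

Run the script as-is to see the two constructed accounts that match; in practice you would feed it the real ActiveSync log export and then apply the same user-agent string in the server's device access rules to block further syncs.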

This information is stated in the app's privacy policy, which details that while the email information, calendar data and address book contacts are sent securely to the app, Outlook may temporarily store all of that information – along with metadata – in a third-party cloud service.

One source, who wished to remain anonymous, said that there was nothing to suggest that the new apps – created by the Microsoft-owned Accompli – are, technically, any more vulnerable than Microsoft's Office 365 cloud.

F-Secure security adviser Sean Sullivan said that his firm had made a similar shift years ago when it moved away from Nokia Push because it was gathering usernames and passwords. He said that the move seems to have been driven by the IT department, but that he wouldn't be surprised if there were also lingering concerns over how – and what – data Five Eyes collects.

“I think it's driven by the IT department, our IT department had the same policy and in this case, maybe they strayed from that policy.”

Specifically, he said that this might be down to the Bring Your Own Device (BYOD) trend, controlling which, he said, was like “herding cats”, and suggested that two-factor authentication (2FA) and specific application passwords might be the way forward, especially as some of these members will be holding very sensitive information. He added that Microsoft would itself have to innovate, not only on the third-party storage but also because the email password is the same as the domain password.

When details are hosted locally – like iOS connecting to an Exchange server, for example – passwords, the encryption ‘handshake’ (via TLS or SSL) and all communication sent to the email server would all be encrypted and stored locally.

This news comes at an awkward time for Microsoft which, while dodging allegations about its involvement with the NSA, has also been in court against the US government, after the latter demanded data held at Microsoft's data centre in Dublin, Ireland.

Late last month, speaking at the Davos conference in Switzerland, Microsoft's general counsel Brad Smith detailed the challenges in adhering to government requests while also maintaining user privacy.

“It's a challenge but I think the first thing to recognise is that we're dealing with a situation where fundamental society values are in tension with each other,” said Smith, his comments first reported by SC. “We are keeping the public safe – that is critical – we have freedom of expression, that fundamentally defines societies across the Atlantic, and we have personal privacy, and so need solutions to strike the balance. In a sense, the question we need to ask is ‘who should strike that balance?’

“Government officials doing more makes me nervous because people are asking us to draw lines between these values. No-one elected us – isn't this the kind of decision that members of US Congress or the French national assembly are elected to make?”