Like almost all Web players, Microsoft does not shy away from collecting personal data. But its new free Outlook app reportedly takes this indiscretion to the next level, which is rather worrying…


Microsoft is preparing to replace its Mail email application, present by default in Windows 10 and Windows 11, with a “brand new” app called Outlook, which is already available. Modeled on the Web version of the Outlook.com service, Outlook is intended to be clearer, richer and more practical than Mail. But it is reportedly also much more indiscreet. This is what the German IT magazine c’t reveals on Heise Online after an in-depth study of the data transmitted to Microsoft by the Outlook application.

According to the experts’ report, Outlook takes great liberties with its users’ personal data, particularly when the application is entrusted with handling email managed by other providers. Indeed, Outlook allows you to manage several mailboxes: from Microsoft, of course, but also from Gmail, Yahoo and now iCloud (Apple). And according to c’t, this delegation is not without impact on confidentiality: “If you try the new Outlook, you risk transferring your IMAP and SMTP email account credentials and all your emails to Microsoft servers,” indicates the magazine, before specifying: “Although Microsoft explains that it is possible to return to previous applications at any time, the data will already be stored by the company. This allows Microsoft to read emails.” By associating an external account with Outlook, users allow Microsoft to quietly look at all their correspondence and therefore to analyze its content, for commercial purposes for example. But that is not all.

Outlook for Windows: credentials transmitted in clear text and used by Microsoft

More worryingly, the experts analyzed the data exchanged between the new Outlook app and Microsoft’s servers and came to the following observation: “[The traffic] contained the target server, login name and password which were sent to Microsoft’s servers. Although protected by TLS, the data is sent to Microsoft in the clear in the tunnel. Without informing or inquiring about it, Microsoft grants itself access to the IMAP and SMTP connection data of users of the new Outlook.” The authors of the report emphasize that Gmail accounts managed by Outlook are not affected, because the OAuth2 authentication system set up by Google does not transmit sensitive data.


c’t hastened to ask Microsoft for explanations, but the Redmond giant has so far remained silent on the subject. This did not prevent Ulrich Kelber, the German federal commissioner responsible for data protection and freedom of information (BfDI), from expressing alarm on Mastodon (the social network competing with X/Twitter) about this practice, which is strange to say the least. He also asked the Irish Data Protection Supervisor for the matter to be discussed at a meeting of European data protection supervisory authorities. Pending possible clarifications from Microsoft, it is therefore not recommended to switch to the new Outlook app or, at least, to add email accounts other than those already at Microsoft.
