News: 1717509606

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft accused of tracking kids with education software

(2024/06/04)


A privacy campaign group with a strong record in legal upheavals has asked the Austrian data protection authority to investigate Microsoft 365 Education to clarify if it breaches transparency provisions under GDPR.

Noyb said Microsoft pushed data protection obligations onto schools that use the system, and failed to comply with subjects' right to access data about them. Neither Microsoft's privacy documentation, requests for access, nor noyb's research could fully clarify what data about children is being processed by Microsoft 365 Education.

Max Schrems, noyb's honorary chairman, was behind a series of court cases that brought [1]an end to a transatlantic data-sharing agreement , now [2]replaced by the EU-US Data Bridge arrangement.

[3]

In its new complaint, noyb said Microsoft was trying to avoid responsibility under GDPR by insisting that almost all of the data protection responsibilities lie with local authorities or schools.

[4]

[5]

"In reality, neither has the power to influence how Microsoft actually processes user data. Instead, they are faced with a take-it-or-leave-it situation where all the decision-making power and profits lie with Microsoft, while schools are expected to bear most of the risks. Schools have no realistic way of negotiating or changing the terms," noyb said in a [6]statement .

[7]OpenAI slapped with GDPR complaint: How do you correct your work?

[8]EU tells Meta it can't paywall privacy

[9]Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit

[10]Meta accused of enrolling undecided EU users in ad-sponsored platform

Maartje de Graaf, data protection lawyer at noyb, said: "Under the current system that Microsoft is imposing on schools, your school would have to audit Microsoft or give them instructions on how to process pupils' data. Everyone knows that such contractual arrangements are out of touch with reality. This is nothing more but an attempt to shift the responsibility for children's data as far away from Microsoft as possible."

The Register has asked Microsoft if it wants to provide a response to the complaint.

In a second complaint, noyb said Microsoft 365 Education still installs cookies without consent and uses them to analyze user behavior, collect browser data and prepare advertising. The company has no valid legal basis for this processing, the campaign group said.

[11]

Felix Mikolasch, data protection lawyer at noyb, said: "Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors."

Noyb has asked the DSB (Austrian data protection authority) to determine the personal data about children that Microsoft 365 Education is processing. If the authority finds a breach of GDPR, the authority should impose a fine, the complainant said. ®

Get our [12]Tech Resources



[1] https://www.theregister.com/2020/07/16/privacy_shield_struck_down/

[2] https://www.theregister.com/2023/10/11/uk_us_data_bridge/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zl86JHbrcmxIEr7ctGbqTwAAAA4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zl86JHbrcmxIEr7ctGbqTwAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zl86JHbrcmxIEr7ctGbqTwAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://noyb.eu/en/microsoft-violates-childrens-privacy-blames-your-local-school

[7] https://www.theregister.com/2024/04/29/openai_hit_by_gdpr_complaint/

[8] https://www.theregister.com/2024/04/18/eu_meta_subscription_privacy/

[9] https://www.theregister.com/2024/02/29/meta_gdpr_complaints/

[10] https://www.theregister.com/2024/01/23/meta_eu_advertising/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zl86JHbrcmxIEr7ctGbqTwAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[12] https://whitepapers.theregister.com/



Doctor Syntax

"In its new complaint, noyb said Microsoft was trying to avoid responsibility under GDPR by insisting that almost all of the data protection responsibilities lie with local authorities or schools."

Actually, I think that's preferable. Parents can take the matter up with the schools. For the average parent or parent organisation this is going to be easier than dealing with Microsoft. After all, it would have been the schools' decision to go with Microsoft, not the parents'.

This, I think, is a better principle that saying if the data you provided to a local supplier is breached by their supplier in the US then take it up in a US court. That idea was behind the previous privacy fig-leaves and equally, AIUI, behind the bridge framework.

The schools can then take the matter up with Microsoft and, as customers, should find this easier - not very much easier but they do have a direct relationship. And if they don't get a satisfactory answer from Microsoft they can cease doing business with them.

cornetman

> ,,, he schools can then take the matter up with Microsoft and, as customers, should find this easier

Which as the article made *extremely* clear, is not a realistic possibility.

Doctor Syntax

That is there problem. It's a damn sight less of a realistic possibility for the parents to take it up with Microsoft.

If you were one of the parents what would you do?

I think the law needs to be very clear: if you do business with someone - and I'll include sending children to school - then you must be able to hold that business responsible for whatever actions any of its agents takes.

From the business's PoV it needs, in consequence, to be very careful about whom it appoints as its agents. Simply passing the responsibility along the chain and then throwing up your hands and saying "it's too difficult" is not good enough.

MS wants it both ways

Mike 137

Unfortunately, it's impossible under the (very practical) legislation for the LAs or schools to be data controllers in this context. A data controller defines the purposes and nature of processing. A data processor follows the instructions of a data controller to the letter and cannot lawfully process the specified data in any other way (or indeed process any other data as processor for that controller). MS is trying to suggest that LAs or schools are data controllers in respect of Microsoft 365 Education, but that just doesn't hold water. As the Noyb lawyer stated, that would require MS to process exclusively under instructions from the LAs or schools, whereas in fact it's MS that decides on the purposes and nature of the processing. The LAs and schools have no way to modify that processing as it's practically impossible to negotiate it with MS. So in fact MS is the data controller.

Re: MS wants it both ways

Guy de Loimbard

As long as we have some proactive delving into the masses of telemetry software now sends home, then at least we are informed enough to raise the issue up the chain.

If the complaint is upheld then you'd like to think that MS and others would change their MO, but, not unreasonably cynically of me to think, I doubt we'll see any real and significant change and any monetary or other punitive judgement is so financially insignificant it holds no real deterrent value or substance to make these organisations change.

Re: MS wants it both ways

Doctor Syntax

Microsoft might change their will and will only change their way if their market is cut away from them. If it's made clear to their customers, the schools in this case, that they will be held responsible for Microsoft's shenanigans with the data they entrusted to them then they'll have to stop entrusting them with that data.

Re: MS wants it both ways

Doctor Syntax

"The LAs and schools have no way to modify that processing as it's practically impossible to negotiate it with MS"

Then don't deal with them. It's the schools who have a relationship with the parents. If the schools just hand things over to a 3rd party it's their choice and they should be held responsible to the schools for the consequences of that choice.

It looks as if Noyb have lost their way on this.

There's an easy fix...

3arn0wl

Educational institutions ought to be using Open Source software anyway.

Re: open source

Snake

Sounds (very) nice, but regretfully on job listings "Fluent in LibreOffice" simply never shows up. "Fluent in MS Office" or "skilled in Excel", yes. But the open source replacements aren't exact replacements, 1-for-1 all-function equivalent, so training students with FOSS might not work to their benefit. I'm going to get downvoted, but go look at your local job listings and see for yourself.

Re: open source

3arn0wl

No doubt you're right, but it's not a good enough reason to maintain the status quo : job adverts can change.

Re: open source

Mike 137

" job adverts can change "

Not until employer requirements change. Since almost every office uses M$ not open source, that requirement is what drives the job specifications. I suspect this will be the case for the foreseeable future. And BTW I've almost never found a business consider the privacy implications for either staff or customers of the technologies or 3rd party services they choose to deploy. Convenience and cost rule the day.

What do the students have to say?

H. sapien Floridanus

I know people and can make this all go away for 50 cases of Skittles.

- Peewee, Student Council President

All this talk of cookies, but where are they? My milk carton awaits.

Calliou, Entitlement Advocate

Hmmmm

Anonymous Coward

The UK ICO should maybe take a peek at GLOW in Scotland. It uses both M365 education AND Google Classroom.

Having had some significant involvment in them I'm pretty certain both of those organisations are very much up to no good with kids data. It was a bun fight at the start to get them to stop slinging ads directly to kids.

I don't like my kids being forced to use Google services (it's school choice not kids choice which to use).

Brief History Of Linux (#4)
Walls & Windows

Most people don't realize that many of the technological innovations taken
for granted in the 20th Century date back centuries ago. The concept of a
network "firewall", for instance, is a product of the Great Wall of China,
a crude attempt to keep raging forest fires out of Chinese territory. It
was soon discovered that the Wall also kept Asian intruders ("steppe
kiddies") out, just as modern-day firewalls keep network intruders
("script kiddies") out.

Meanwhile, modern terminology for graphical user interfaces originated
from Pre-Columbian peoples in Central and South America. These natives
would drag-and-drop icons (sculptures of the gods) into vast pits of
certain gooey substances during a ritual in which "mice" (musical
instruments that made a strange clicking sound) were played to an eerie
beat.