All your emails are belong to MS

Microsoft is going to replace – again – the basic Windows email application. After Outlook Express and Windows Mail, which despite some huge vulnerabilities were quite usable, the simple but adequate touch-UI Mail in Windows 8, and the very limited and ugly Mail in Windows 10, it is now the turn of Outlook for Windows.

This looks like a port of the web interface into a desktop application. This idiotic arrangement seems to come with poisoned features. If you use mail accounts that are not already hosted on a Microsoft server, they need to be “synchronized” with the Microsoft Cloud before you can use them.

My take is that this desktop web application has neither an implementation of standard mail protocols (or Exchange ones) nor full-featured local storage for mail data, relying for those functions on its server-side implementation. That means:

  • Your mail credentials are sent to and stored on Microsoft servers, implying that Microsoft can access your mailboxes whenever it wants, and if that data is compromised, so is your mailbox.
  • The whole contents of your mailbox are read and stored on Microsoft servers as well, implying that Microsoft has a full copy of all your emails, with evident security and privacy implications.
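If sync works server-side as described above, a mail server admin would see successful IMAP logins arriving from the provider's addresses instead of the user's own device. The following is an added example, not part of the original post, that flags such logins in Dovecot-style `imap-login` lines. The expected client networks and the sample log lines are constructed assumptions using documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Dovecot "imap-login" success line; user and rip (remote IP) are the fields we need.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Assumption: networks your users' own devices connect from (office, VPN).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:10::/48")]

# Constructed sample log lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
Nov 20 09:01:12 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4101, TLS, session=<a1>
Nov 20 09:05:40 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, mpid=4120, TLS, session=<b1>
Nov 20 09:05:41 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.78, lip=192.0.2.10, mpid=4121, TLS, session=<b2>
Nov 20 09:07:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Nov 20 09:09:15 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=2001:db8:10::5, lip=2001:db8::1, mpid=4140, TLS, session=<a2>
"""

def is_expected(ip_text, nets=EXPECTED_NETS):
    """True if the address belongs to one of the expected client networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == net.version and ip in net for net in nets)

def unexpected_logins(log_text, nets=EXPECTED_NETS):
    """Map each user to the sorted list of login source IPs outside `nets`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored
        try:
            if not is_expected(m["rip"], nets):
                hits[m["user"]].add(m["rip"])
        except ValueError:
            continue  # malformed address field
    return {user: sorted(ips) for user, ips in hits.items()}

if __name__ == "__main__":
    for user, ips in unexpected_logins(SAMPLE_LOG).items():
        print(f"{user}: successful IMAP logins from {', '.join(ips)}")
```

A hit only means the mailbox was opened from outside the listed networks; attributing the source address to a particular provider needs a separate lookup.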

“All your mail are belong to us”, Nadella seems to think. Especially now that he needs a lot of training material to justify his AI investment.

Now, if people do not have their emails stored on a Microsoft server, and pay to have them on a different server, it is exactly because they don’t want them stored on a Microsoft server (or a Google one, if you ask). Be very careful if you use Outlook for Windows to read company emails, or anything that can contain sensitive data. You are sending everything to Microsoft, and you may break company policies, or even the law.

How this got past Microsoft’s legal office, I don’t know. Probably they believe they can blame the user anyway. I hope this is just another attempt to save on software development – it looks like Microsoft doesn’t like to develop software anymore and is turning into a services company, the only company model this kind of CEO understands – and not something explicitly aimed at hindering privacy.

However, under the CLOUD Act, any data on a US company’s server can be requested by US authorities, even when stored abroad (and under FISA, it’s even worse). And there’s the AI training issue, too.

The process of updating your current settings doesn’t explain the implications – it refers the user to the usual extremely long “privacy policy”. Email data usually contains lots of personal information under GDPR, and “informed consent” is required.

So now the Mail application has wholly gone from my Windows systems. If Outlook for Windows also replaces Outlook itself – it looks like Microsoft has this silly plan in mind too – my Office Microsoft 365 subscription will be gone as well.

My advice is to stay away from Outlook for Windows unless your emails are already stored in Microsoft servers. While hoping