How Microsoft has (so far) avoided tough scrutiny over privacy issues

The “original gangster of big tech” has managed to dodge the bad headlines and congressional grilling that have ensnared its rivals by working with regulators and advocating its own solutions.


Quietly but confidently, Microsoft is back.


For the first time in almost a decade, it’s the most valuable company in the world while its archrival Apple stumbles. It’s been lauded for its smart pivot into AI and cloud services in recent years and its acquisition of the popular GitHub software development platform. And it’s almost completely avoided the privacy debacles and questions about monopolistic tendencies that have dogged Facebook, Google, and Amazon, which have resulted in those companies facing negative headlines on a daily basis, nasty lawsuits, and their top executives being grilled in U.S. Congress.

Though Microsoft sells targeted ads against search results, and users have complained about how their data is secured in the cloud, the company hasn’t received nearly the same level of scrutiny, and it’s been years since its executives were hauled before Congress.

That’s despite the fact that Microsoft owns LinkedIn, which has raised eyebrows with its uncanny skill at suggesting connections for its 600 million users, and was recently probed in Ireland for using email addresses of 18 million non-members to buy targeted ads on Facebook. And European governments have raised concerns about the storage of user data in the cloud via Office 365, and how Microsoft plans to address those issues. And through a partnership with Facebook, Microsoft’s Bing search engine was able to see the names of “virtually all” Facebook users without their consent through 2017. And just this week, Microsoft announced a deal with Kroger’s to set up retail experiences, in which displays will feature digital ads personalized to the individual shopper, raising privacy issues as well as potential cutbacks in retail jobs.


There are a few key reasons why Microsoft’s practices haven’t generated the same level of scrutiny from regulators–and the company’s history is a big part of it.

“They’ve been around the block, they’ve been the evil perpetrator before, and they’ve already learned how to play very nicely with regulators,” Jennifer King, director of consumer privacy at the Center for Internet and Society at Stanford Law School, tells Fast Company. “That’s one of the reasons you don’t see Microsoft executives being hauled in to Congress: They have a long-standing relationship, through lobbyists, policymakers–they’ve been in this space for decades.”

In fact, it’s been over two decades since Microsoft’s bespectacled, youthful CEO Bill Gates testified to Congress and was grilled on whether the company’s “breathtaking growth” hurt competition in the software industry. And it was sued by the federal government, which accused it of running a monopoly, in a bitter, hard-fought case that took years to settle.


Those confrontations taught Microsoft many lessons, including how to anticipate the concerns of regulators, reorganize the company in a way that satisfied anti-trust concerns, and make privacy a part of its organizational structure.

“Microsoft took that action against them extremely seriously and really changed the organization as a result,” King says. “They had close to 20 years where they had basically re-architected their entire organization to have people who deal with privacy issues from a legal standpoint, from software standpoint, from the usability, computer interaction standpoint embedded throughout the entire organization. That is unlike any of the other tech companies.”

After a series of antitrust investigations by the Federal Trade Commission and the U.S. Department of Justice (DOJ), Microsoft received a number of consent decrees, as the regulators looked closely at Microsoft’s practices, prices, and growing market share. In 2000, there was a court judgment to split up the company, which was later overturned.


“They’re the original gangster of big tech, known for sucking the air supply from their competition in the 1990s [Netscape] with implicit subsidies,” says Scott Galloway, a professor at New York University’s Stern School of Business and one of the most vocal critics of big tech. “Had the DOJ not put the brakes on Microsoft, we might not have Google today, favoring Bing as the dominant search engine.”

And Microsoft has taken steps to address privacy issues. In 2016, France ordered the company to stop tracking Windows 10 users, and the Electronic Frontier Foundation criticized it for sending all kinds of telemetry data, including location, text input, touch input, and sites you visit, back to Microsoft. The company responded with a combination of more transparency—revealing what info it collects on Windows 10 users—and giving them more control, by letting users choose between basic and full levels of data collection.

“Microsoft hasn’t (yet) given any reason for Congress to call them to testify on Capitol Hill. While big tech has been ripe with scandal in 2018, Microsoft remains unscathed,” Galloway notes. “While we keep barking at the moon about Facebook and Apple, Microsoft just keeps plugging along. It’s impressive.”


The company’s current CEO, Satya Nadella, who assumed the role five years ago, has also earned praise for navigating the latest wave of regulatory scrutiny and privacy challenges.

“The award for tech CEO of the year goes to Satya Nadella, who’s proven himself as a competent, responsible leader, able to protect the firm and its users from conflict,” says Galloway, praising the executive’s leadership and insight.

Navigating roadblocks in Europe

But it doesn’t mean the broader discussion about user privacy and data collection hasn’t touched them, especially as the company grows and adds more online communities like GitHub to its universe of products and services.


Over the last few months, an army of European regulators and government agencies have shed light on some of the parent company’s global user data collection practices at LinkedIn and elsewhere, even as the company is pressing forward with new initiatives, further broadening its reach and market standing.

By all accounts, Europe has been more proactive than the U.S. in probing American tech giants and asking tough questions about their privacy and consumer data practices. And Microsoft voluntarily extended Europe’s tough GDPR rights to its worldwide customer base, though it’s not clear how it could be held accountable for violating voluntary rules in the U.S.

In a November report, the Irish Data Protection Commissioner detailed how LinkedIn U.S., which serves as LinkedIn Ireland’s data processor, had “processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted these individuals on the Facebook Platform with the absence of instruction from the data controller.”


As a result of this audit, the Irish regulator told LinkedIn “to cease pre-compute processing and delete all personal data associated with such processing.”

The regulators found the company targeted non-LinkedIn members in violation of existing provisions. LinkedIn has said it complied with the regulator’s demands.

“We fully cooperated with the Data Protection Commission’s 2017 investigation of a complaint about a European advertising campaign, and found the global processes and procedures we had in place were not followed,” says Kalinda Raina, head of global privacy at LinkedIn. “We took appropriate action and have made the internal changes to help protect against this happening again.”


As a result of this audit, LinkedIn says it ended globally the so-called “pre-computation” practice, which previously allowed new members to discover their connections when they joined LinkedIn.

‘Alarming’ privacy concerns led to changes

Data privacy questions are not limited to LinkedIn.

Microsoft stored sensitive data from users of Office, including subject lines from emails and full sentences that are run through a spelling and grammar checker or the translation tool, according to an audit commissioned by the Dutch Ministry of Justice & Security, which found “alarming” privacy concerns and a lack of “opt-out” options for users from having their data collected. The agency reached an agreement with Microsoft on October 26, which made changes to satisfy its customers’ preferences.


While the Dutch Ministry of Justice & Security is not the country’s regulator, its report does pinpoint several gaps in Microsoft’s practices.

“Covertly, without informing people, Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded,” said Privacy Company, the file-storage and file-sharing venture started by internet mogul Kim Dotcom, which compiled the report for the Dutch ministry.

When it comes to telemetry issues for Office 365 and Windows, Microsoft promises to do more.


“We have done work in the past year to give customers more choice and transparency in what diagnostic data is shared with Microsoft, and we will do more in the coming months,” said Julie Brill, deputy general counsel and corporate vice president for privacy and regulatory affairs, in a statement to Fast Company. “There are often tradeoffs between disabling diagnostic data, and our ability to ensure security, reliability, and the functionality of product features–so we always work to make sure customers understand the impact of each option. Our approach has always been designed around feedback from customers, and we deeply value their continued input.”

Concerns about the widespread use of Microsoft products by government agencies and how this data is stored offsite are not limited to Europe.

In China, most Western social media sites like Facebook and Twitter are blocked, while LinkedIn has thrived and currently boasts 41 million users. To survive in the country, LinkedIn has worked with Beijing, setting up a joint venture with local partners and routinely removing posts and profile pages that are considered politically sensitive, such as those related to the Tiananmen Square massacre.


Just last week, New York-based Chinese activist Zhou Fengsuo, who was a student leader in the Tiananmen protests, was informed that his page had been blocked.

“While we strongly support freedom of expression, we recognized when we launched that we would need to adhere to the requirements of the Chinese government in order to operate in China,” the company told Zhou in a message.

Further, privacy and consumer data watchdogs say that the United States government agencies and regulators are significantly behind Europe.


Microsoft appears to recognize the responsibility.

“Every one of our solutions is reinforcing our core intelligent cloud and intelligent edge platform,” Nadella said on the last earnings call. “Not only are we optimistic about the opportunity for us and for our customers, we also recognize our responsibility.”

The increased focus on cloud computing adds more urgency to the questions about how data is compiled and used, as Microsoft’s range of products and partnerships, in the private and public sectors.

“Privacy considerations are fundamental to any acquisition and start with seeking out partners who have shared values,” says Microsoft’s Julie Brill in response to questions. “There is always more we can do on privacy at Microsoft, and the same is true for anyone we acquire.”

Forward march on military contracting

Like other tech giants, especially Amazon and Google, Microsoft is a longtime government contractor, but it’s largely avoided the negative headlines amid a surge in activism by tech workers outraged over how their products are used. In November, the Redmond, Washington-based company outbid multiple leading tech companies and defense contractors to win a $480 million contract with the U.S. government, committing to provide its augmented reality HoloLens devices. The U.S. Army will use Microsoft technology to “increase lethality by enhancing the ability to detect, decide, and engage before the enemy.”

The company is still in the running for the Joint Enterprise Defense Infrastructure (JEDI) project, a $10 billion contract to provide cloud services for the Department of Defense and expand Microsoft’s engagement with the U.S. government.

Unlike Google, Microsoft has gone full steam ahead with government contracts that have sparked criticism among employees across the tech sector.

Earlier this month, Microsoft president and chief legal officer Brad Smith expressed ethical concerns over the use of AI by the military, but he reiterated its commitment to work with the Pentagon, saying that “we think it’s more productive to be engaged than disengaged in shaping how the technology is used.”

And unlike Google, Microsoft doesn’t seem as bothered by employee criticism, highlighted most recently by a blog post in October written by company staffers that urged company management not to bid on the U.S. military project JEDI. In June, 300 employees threatened to resign over its contract with U.S. Immigration and Customs Enforcement (ICE), which remains active.

“They’ve been around longer than many of the other firms, so are very skilled at playing the government game, especially given what they learned based on past actions against them by various governments,” says Lauren Weinstein, a technology consultant based in Los Angeles and cofounder of People for Internet Responsibility.

Anticipating future concerns

Going forward, the company is trying to be proactive about potential new data privacy regulations and other rules that rein in Silicon Valley, which are widely expected since there is a bipartisan consensus for such oversight of the tech sector.

Last month, Microsoft expressed in a blog post its concerns about facial recognition technology’s potential for abuse. Earlier this year, a study identified racial and gender discrimination in AI facial recognition. In the post, the company said, “We should not wait for governments to act,” and committed itself to creating safeguards to address the tech in the first quarter of 2019. It remains unclear what that means for Microsoft’s own Azure facial recognition technology, which it has been busy promoting on its site.

The company also recently stood out from its competitors by backing the French government’s Paris Call for Trust and Security in Cyberspace initiative, an international effort to regulate the internet and combat online censorship and hate speech. Conspicuously missing from the signatories: the U.S. government.

Microsoft certainly seems all too aware of the importance of stressing user control in its new products. It recently launched a partnership with Mastercard to create a “digital identity,” emphasizing that this tool will allow users “to verify their digital identity with whomever they want, whenever they want.” It remains unclear how this initiative across financial, commerce, digital, and government services will help to create a “decentralized” identity, raising fresh concerns about Microsoft’s reach and access to user data, and how it is collecting and using it.

Arthur Patel, principal program manager in Identity Engineering at the company, insists that “Microsoft does not have and will not have access to Mastercard customer data.”

And in a statement, Joy Chik, corporate vice president in the Identity division of Microsoft’s Cloud and artificial intelligence group, said, “We believe people should be in control of their digital identity and data, and we’re thrilled to first work with Mastercard to bring new decentralized identity innovations to life.”

For now, it’s likely up to Europe to keep Microsoft and its tech rivals in check. As Fast Company’s Mark Sullivan noted, it remains unclear if any congressional action on data privacy will take place this year, or get punted into 2020. And Galloway says U.S. regulation is “absolutely” falling behind Europe.

“Compared to the U.S., Europe tends to have tougher anti-trust rules and consumer privacy protections,” he says. “I think we are headed toward a reverse D-Day. Just like we saved Europe in the middle of the 20th century, they’re going to save us from the tyranny of technology.”