Three California businesses claim in a proposed class action filed this week that Microsoft Corporation unlawfully hands over its business customers’ data to Facebook and other third parties without users’ knowledge or consent.
The 38-page lawsuit out of California alleges that although Microsoft assures those who pay for its business-class Microsoft Office 365 and Microsoft Exchange cloud-based services that their data will only be used to provide the services they purchased, the tech behemoth has surreptitiously shared their emails, documents, contacts, calendars, and other data with unauthorized parties – and profited off the information.
The plaintiffs allege that despite Microsoft’s claims of transparency about who has access to customers’ data and how the data is used, the company continues to intentionally deceive customers “to this day” with regard to the extent of its data-sharing practices and the unauthorized use of their information. From the complaint:
“Contrary to Microsoft’s representations and without its customers’ consent, Microsoft shares its business customers’ contacts and related data with Facebook; shares the content of its business customers’ emails, documents, contacts, calendars, and other data with unauthorized third parties for unauthorized purposes; and uses its business customers’ data to develop new products and services to sell to others.”
Microsoft Wins Consumers’ Trust
Described in the suit as “the largest software company in the world,” Microsoft has allegedly built its advertising campaigns for its cloud-based services on gaining and maintaining customers’ trust.
To accomplish this, Microsoft has “consistently represented” to business customers that their data—which the case notes is one of a business’s most valuable assets—would only be used to provide them with the specific services they purchased, the lawsuit says.
According to the suit, Microsoft Office 365 and Exchange users were assured that they—“and they alone”—would have control of their data, including emails, documents, contacts, calendars, location data, audio files, and video files.
Contrary to these representations, Microsoft, the case says, not only shares customers’ data with third parties, but uses the information for its own benefit to develop new products and services—all without users’ knowledge or consent.
Microsoft “Routinely and Automatically” Shares Data with Facebook, Lawsuit Says
According to the case, Microsoft business customers are unaware that the company “routinely and automatically” shares their contacts with Facebook, “the world’s largest social media network,” regardless of whether the customers or their contacts are Facebook users.
Though a customer could discover and disable the so-called Facebook-sharing “feature” baked into Microsoft’s products, “the damage has already been done,” the lawsuit alleges, adding that once a business customer’s contacts have been transferred to the social media giant, only Facebook has the authority to delete the information from its systems.
The suit goes on to allege that as soon as Facebook gains access to a customer’s contacts, the information then becomes accessible to “whomever Facebook shares the data with,” and can then be passed on infinitely to other entities.
Cited in the lawsuit is the Facebook/Cambridge Analytica scandal, in which Facebook granted limited data access to University of Cambridge psychology lecturer Aleksandr Kogan, after which data-mining firm Cambridge Analytica exploited the information of 87 million Facebook users to influence voting decisions in the 2016 U.S. presidential election.
“With Facebook’s data,” the complaint explains, “Cambridge Analytica was able to create a political microtargeting platform that identified which issues mattered to the voter and, with eerie precision, use machine learning and sentiment manipulation to influence them to vote (or not vote).”
The case adds that Facebook data shared by Microsoft can also be used by cybercriminals and hackers to piece together “previously scrubbed” identifying information about Microsoft business customers that can then be sold as “sensitive commercial information” on the black market or the dark web.
Microsoft Shares Data Through Developer Platform, Class Action Alleges
Aside from the Facebook data sharing allegations, the lawsuit claims Microsoft has passed on business customers’ private information to third-party developers through its developer platform.
According to the case, even when business customers have not downloaded a third-party application and consented to data sharing, Microsoft shares their information with the developer anyway based on the consent of another Office 365 user.
In other words, the suit says, Microsoft advertises to developers interested in using its platform that they will be granted access to not only authorized users but other customers who communicate with the authorized user.
“For example,” the complaint states, “Microsoft explains to developers that they can ‘perform searches for people who are relevant to the [Microsoft] user and have expressed an interest in communicating with that user’ about specific topics, such as pizzas. Microsoft explains that ‘[t]opics in this context are just words that have been used most by users in email conversations. Microsoft extracts such words and creates an index for this data to facilitate . . . searches.’”
The lawsuit alleges that without customers’ consent, Microsoft shares with developers the content of their emails and grants access to their schedules, locations, and availability status while only requesting that developers maintain “reasonable security measures.”
“The actual level of security used by those third-party developers is unknown and not reasonably knowable to Plaintiffs,” the lawsuit reads.
Adding insult to injury, Microsoft profits from sharing its business customers’ Office 365 data by charging developers for access to the platform and demanding a commission on the sale of products and services developed through the use of customers’ data, per the complaint.
Microsoft Hands Over Data to “Hundreds of Subcontractors,” Lawsuit Claims
According to the case, Microsoft also shares business customers’ data with “hundreds of subcontractors,” sometimes referred to as “subprocessors,” in order to “serve Microsoft’s separate commercial ventures,” which include developing artificial intelligence applications and development interfaces.
The lawsuit alleges that the tech company anonymizes only “a minuscule portion” of customers’ data—e.g., Social Security numbers and credit card numbers—while granting subcontractors access to documents, emails, email attachments, text, and audio and video files.
Moreover, without disclosure to customers, Microsoft allegedly requires that subcontractors encrypt “only a limited subset” of customers’ data, which the case argues poses a security and privacy risk, especially considering some subcontractors have suffered data breaches and are based in countries “known for corporate espionage” such as Russia, China, and Libya.
Class Action Claims Customers’ Data Used to Develop New Products
Data sharing practices aside, the lawsuit alleges that Microsoft also uses its customers’ data to develop and sell new products and services “that benefit only Microsoft.”
Despite the company’s “repeated assurances” that customers’ data will only be used to provide the specific services they purchased, Microsoft allegedly mines the data to develop and sell other products, including Security Graph API, Microsoft Audience Network, Windows Defender Application Control, Azure Advanced Threat Protection, Advanced Threat Protection, and virtual personal assistant “Cortana.”
The lawsuit notes that these products are not necessary to provide Office 365 services and therefore fall outside of the represented purpose for which Microsoft told customers their data would be used.
“In sum,” the case states, “despite its promises to use business customers’ data only for the purpose of providing the customers with the purchased services, Microsoft uses the data for its own purposes: to create and sell new products to others.”
According to the case, Microsoft not only misleads customers as to how their data is shared and used, but also as to how their data is protected.
The case claims the company falsely promises customers that it complies with System and Organization Controls (SOC) standards adopted by the American Institute of Certified Public Accountants that safeguard the privacy and confidentiality of information stored in cloud-based systems.
Though Microsoft represents that its cloud services comply with SOC 1 and SOC 2 standards, “[t]hese promises are false,” according to the case, given Microsoft automatically harvests all of its business customers’ data into Graph, a separate product that does not comply with SOC standards.
The plaintiff businesses argue that they and other Microsoft business customers would not have purchased the defendant’s services had they known about the company’s data sharing and privacy practices.
As for Microsoft, a spokesperson told Law360 that the company is “aware of the suit and will review it carefully” and added the following:
“However, while the allegations themselves are not very specific, as we understand them we don't believe they have merit. We have an established history of both robust privacy protections and transparency, and we're confident that our use of customer data is consistent with the instructions of our customers and our contractual commitment.”
Who Is Covered by the Lawsuit?
The lawsuit looks to cover any person or non-governmental entity in the U.S. who, at any time since July 17, 2016, subscribed to or purchased one of the following products but did not purchase or subscribe to Microsoft Cognitive Services:
Microsoft Office 365 Business
Microsoft Office 365 Business Essentials
Microsoft Office 365 Business Premium
Exchange Online Plan 1
Exchange Online Plan 2
Microsoft Office 365 Enterprise
Office 365 Enterprise
Microsoft 365 Enterprise
Microsoft 365 Business
Office 365 Business
Office 365 Pro Plus
Office 365 Business Essentials
Office 365 Business Premium
Microsoft 365 Business Basic
Microsoft 365 Business Standard
Microsoft 365 Business Premium
Can I Join the Lawsuit?
At this time, you don’t need to take any action to join the lawsuit. If the case moves forward and settles, which could take months or even years, anyone affected should then have an opportunity to claim their piece of the settlement. It’s also important to note that the case can be dismissed at any time along the way.