Microsoft Sneaks Out New Privacy Policy

In a revised privacy policy updated over the weekend, Microsoft now says that it will take the content that people upload and use it to improve Microsoft’s “integrated” suite of online services. 

The new Microsoft services agreement, distributed to consumers the Friday night before the Labor Day holiday, looks fairly innocuous. But the accompanying email makes the company’s intentions clearer: “We also clarified how Microsoft uses your content to better protect consumers and improve our products, including aligning our usage to the way we’re designing our cloud services to be highly integrated across many Microsoft products,” the email states.

Anyone who signs into Microsoft’s online services is bound by the agreement – services including Microsoft’s Hotmail, SkyDrive, Live Messenger, Photo Gallery, Movie Maker, Mail Desktop, Writer, Bing, MSN and Office.com. The effective date us vague: The policy itself claims to take effect Sept. 27, while Microsoft’s email claims the new policy will take effect Oct. 19.

Microsoft also added a stipulation that to use its services, people must agree to a class-action lawsuit waiver, which blocks or at least makes very difficult collective suits in favor of arbitration.

Microsoft appears to be taking a page from Google, which in January said that it unified and reworked its privacy policy, preparing for a world in which it would share cutomer data across its integrated services.

Google’s spin on the move was that it could help keep people on schedule if it reads a person’s calendar and knows his or her location. Pundits and legislators freaked out, even though Google later integrated those services with little uproar – a precedent which Microsoft will undoubtedly benefit from.

Here’s what Microsoft’s new policy now claims will happen.

“When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services,” it says. “For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use. When processing your content, Microsoft takes steps to help preserve your privacy.”

The key phrase is “necessary to protect you and to provide, protect and improve Microsoft products and services.” Microsoft is making these changes to protect you, and it is making these changes to help itself.

Microsoft customers might also assume that their data may be used to provide the same kind of integrated services that Google gave in its example. But Microsoft doesn’t say that. In fact, Microsoft’s updated privacy policy lacks the sort of context (read: official blog post) that a change like this demands. Unfortunately, that blog post was added to the Microsoft Volume Licensing blog, which few consumers would ever read. The rather terse post does make clear that Microsoft prioritizes privacy, however, and doesn’t use the contents of your email or your SkyDrive documents for advertising purposes.

In fact, the example of “isolating information” from your content to stop spam and malware shouldn’t exactly reassure anyone that Microsoft has your best interests at heart. Microsoft has taken pains to remind us that Hotmail, once a haven for spam, has dramatically improved, in part by using algorithms to scan emails for malware and to use reputation to help isolate suspicious email.

But give credit where it’s due: Google, for its part, provides a ”dashboard” that summarizes what Google knows about you.

In reality, the dashboard is an extensive list of data reminding you that Google knows what restaurants you’ve reviewed on Maps, who you’ve called on Voice, sites that have been shared with you, who you most frequently email on Gmail, et cetera. Google also archives past iterations of its privacy policy, and provides extensive tools for managing the data it stores, also allowing you to delete or export the data.

Google’s one knock? If you don’t want to share content across services, Google offers you essentially the same choice as Microsoft: Don’t use it. The depth of data is a bit unsettling, but it’s comparatively easty to know what data Google is tapping into.

Microsoft does no such thing. In fact, I had to go back to 2010 to discover what data Microsoft’s online services collect, from an interview with Redmond Magazine.

“When Microsoft receives a Bing search query, we collect a number of pieces of information, including the search query provided, IP address, unique identifiers contained in cookies, browser configuration and the time and date of the search,“ Brendon Lynch told the magazine.

“As part of our privacy safeguards, search terms are stored separately from account information that could personally and directly identify an individual, such as e-mail address or phone number,“ Lynch added. "This helps protect against unauthorized correlation of these details.” Hotmail uses a similar policy, Lynch said.

Here’s the problem: Microsoft’s “window” into its own data-collection practices shouldn’t be an online interview, but a comprehensive document.

This needs to change now. Microsoft does provide its own privacy policy, detailing how information is collected and used, and how people can manage their profiles. But greater transparency into what additional data Microsoft collects is essential, as is the right to manage it, or, at worst, delete it.

Microsoft needs to offer its own version of the Google Dashboard, and try to convince people that it has their best interests in mind.

Google has proven itself a master in convincing customers to trade their personal information for targeted advertising (that generates billions of dollars of revenue).

But Microsoft is gaining fast, and the company’s choice to slip in a change to its online services agreement over a holiday weekend already smacks of sleaze. Unless the company does a better job of disclosing what information it collects, people might want to stay away.