The use of cloud services in recent times has increased due to its convenience. The hard drives are replaced by the cloud storage feature of many services providers (Google Drive, cloud etc.). Uploading the user data on cloud storage makes it accessible from anywhere unlike a hard drive. But while the users transfer their data into the cloud storage, a question arises as to who all can access the data and the privacy it entails.
This article is a peek into cloud services provided by Microsoft i.e. One Drive, and the data privacy its users enjoy.
Below mentioned are certain legal frameworks Microsoft adhere to:
Generally Microsoft sticks to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks regarding privacy and data protection. Considering transfer of personal data, Microsoft does not rely on the EU-U.S Privacy framework as legal basis.
(Referring to judgment of the Court of Justice of the EU in Case C-311/18)
In California, Microsoft adheres to The California Consumer Privacy Act. Providing exclusive rights to California consumers for data privacy. This act aims to provide control and transparency to users by informing them, about the data they collect, how they use it and if they share it with the third party.
Microsoft follows the General Data Protection Regulation (GDPR). It is one of the toughest privacy laws in the world. It was adopted by the European Union (EU) in 2016 and lays obligation on organization(s), who collect data from citizens of EU anywhere in the world.
The Online Services Data Protection Addendum (DPA), contains the data processing terms. Users agree to it automatically when they subscribe to the online service terms (OST) of Microsoft.
WHAT IS ONE DRIVE?
One drive is a cloud storage feature of Microsoft. It is an online storage platform, where a Microsoft user can store data and information. Like an online hard drive, it provides its users, a place to put their files on the internet. A user needs to make a Microsoft account, and login in through it, to avail of this service.
It allows users to store files as well as other personal data like Windows settings or BitLocker recovery keys in the cloud.
Additional Feature:
The user can share content stored in the One Drive, either by sending the data or by sharing the link of the content with anyone.
For Instance: If the user wants another user to see a folder full of his pictures. OneDrive creates a link. The user shares such a link with another user. Which gives him access to such files of the user.
The audience of such a file is subject to preset control. A public link is accessible to anyone and everyone.
As Microsoft claims, “our mission is to empower every person and every organization on the planet to achieve more. We are doing this by building an intelligent cloud, reinventing productivity and business processes and making computing more personal. In all of this, we will maintain the timeless value of privacy and preserve the ability for you to control your data”.
Microsoft also claims: You control your data. When you put your data in One Drive, you remain the owner of the data. These statements are scrutinized further.
Can Microsoft engineers access One Drive?
It appears that they can, through a Windows PowerShell console that requires two-factor authentication. But only if there is a specific incident, which demands it. It requires a specific request. After such a request is accepted. An appropriate engineer goes through the approval process. Only after the approval. The authorities allow him to access the drive for a limited period.
These access control steps are supposed to, “Reduce the chances of an engineer to inappropriately access the customer data”. This points out the chances that, an engineer has access to the user data stored in One Drive.
IS THE USER’S DATA SAFE, WHILE IN TRANSIT?
One drive uses TLS (Transport layer security) encryption for data transfers between data centres and clients. TLS only provides encryption between user and service provider. The data transfers through TLS go through a message authentication code check, to prevent undetected loss or alteration of data during transmission. For Instance: If a user sends any text, it goes through a check by the service provider.
This means such data is open to access, to internet providers, hackers, even the government if need be.
The data is not end-to-end encrypted. End-to-end encryption encrypts data between the users. Which does not include the service provider. For Instance: If the user sends any text, it can only be read by the recipient.
Does user data enjoy privacy at data centres?
User’s content is safe at data centres as it is encrypted at rest with a unique AES256 key. And these unique keys are encrypted with a set of master keys that are stored in the Azure Key Vault.
What is the altitude of Privacy One Drive provides?
Microsoft mentions that, while any user uses OneDrive Microsoft collects data about:
- The usage of the service (Device information),
- content stored by the user (For instance: Location information of photos, so that user can search photos through location), and to improve and provide better services
If the user saves the content in the private folder, the content will be private. But if the user saves such content in the public folder. Anyone who finds the folder on the internet can access it.
If any device which is synced with the user’s one drive account is used to share content to a social network like Facebook. Such content gets uploaded to that social network or a link to such content is posted to the social network, which makes the content public.
To delete such content, the user has to delete it from the social network as well as from OneDrive.
- OneDrive provides authorisation via the link: When the user wants to share his content with his friend. An E-mail with a link is sent to the friend. Which contains an authorisation code. Anyone with such an authorisation code can access the user’s content.
To revoke the authorisation code, the user has to revoke the permission. Which eventually deactivates the link, along with the access.
IS THE USER’S DATA SHARED WITH THE GOVERNMENT OR A THIRD PARTY?
One Drive stores content & data. Something that users create, communicate and store. Such as photographs and documents stored on One Drive.
Microsoft mentions that, user’s data is shared with the government. If the government requests for user’s data, the company requires a warrant before considering such a request and disclosing content to law enforcement. Such requests come from all over the world.
The service provider may or may not inform the user regarding such disclosure of his content to the government.
| In the year 2019 | ||
| Microsoft received 83 requests from law enforcement for cloud customers. | ||
| In 33 cases these requests were rejected. | In 50 cases, Microsoft was forced to provide such information. Out of which: | |
| 27 cases required disclosure of user’s content Information. (Photographs, documents etc.).19 of those requests were from U.S. law enforcement. | 23 cases required disclosure of non-content information (e-mail, name etc.). | |
REFERENCES
- Microsoft privacy statement, MICROSOFT (Oct. 12, 2020, 10:30 PM), https://privacy.microsoft.com/en-us/privacystatement.
- Privacy at Microsoft, MICROSOFT (Oct.12, 2020, 11:30 PM), https://privacy.microsoft.com/en-US/.
- Law enforcement requests report, MICROSOFT (Oct. 12, 2020, 12:00 AM), https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report.
- How OneDrive safeguards your data in the cloud, MICROSOFT (Oct. 12, 2020, 09:30 PM), https://support.microsoft.com/en-us/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1
- The History of the General Data Protection Regulation, https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
Disclaimer: “Vestralex assumes no responsibility or liability for any errors or omissions in the content of this Article. The information contained in this article is provided on an “as is” basis as sourced with no guarantees of completeness, accuracy, usefulness or timeliness. This article contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. This article and the information contained herein is not intended to be a source of advice or analysis with respect to the material presented, and the information and/or documents contained in this article do not constitute advice. All copyrights and trademarks contained herein are properties of their respective owners, any representation of such rights and marks is purely for informational purposes only. This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.”
Vestralex Winter Internship Program
Vestralex Winter Internship Program (VWIP) is an initiative undertaken by Vestralex to help raise legal literacy and general awareness about practices and procedures in law through intern participation and content creation.
