On Trusting and Not Trusting Microsoft

An interesting inconsistency.

Worried Microsoft is peeking at your files in OneDrive? The truth is more complicated and perhaps surprising. I’ll look at what scanning really means, why avoiding OneDrive may not be enough, and how trust in Microsoft’s products comes down to risk, reality, and choice.
Question: You should never put your files in OneDrive. Ever. It just gives Microsoft the ability to steal all your stuff. They scan it, take it to train their AI, and use it in other ways you never agreed to.

That’s a synthesis of comments I see frequently when discussing OneDrive.

Some people are adamantly against cloud storage of any sort. They are convinced that large companies like Microsoft use it as a way to slurp up content for nefarious purposes.

I have bad news for those folks. Microsoft can do that whether you use OneDrive or not.

TL;DR:

Microsoft, OneDrive, and trust

If you don’t trust Microsoft with OneDrive, why trust Windows? Both give Microsoft full access to your files. While scanning for illegal content or legal demands is possible, there’s no proof of anything further. If you truly don’t trust Microsoft, avoiding OneDrive alone won’t help.

They’re not scanning your data

I want to be clear before I go any further.

I do not believe that Microsoft is scanning your data (on OneDrive or anywhere else) for nefarious purposes.

I apologize if I get repetitive on that point below. People seem to insist on taking my words to mean they are. They are not.

I can think of exactly two reasons they might examine your data, and both make sense. They’re important to understand, and I’ll talk about them below.

What Microsoft does or does not do with your OneDrive data isn’t the point of this article.

Here’s the thing: you’ve already given Microsoft access to everything on your computer by running Windows.

It’s Microsoft Windows, after all.


What does scanning mean, anyway?

Scanning can mean any number of things. What most people worry about is that the contents of their documents or photos are being examined and copied for other purposes, or, in some cases, judged (say, for legal reasons).

Scanning can also mean tracking only the metadata: filenames, file sizes, file properties, and, in some cases, computed file hash values for comparison against other known files.
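
To make the metadata-and-hash kind of scanning concrete, here is a small Python sketch added as an illustration; it is not code from Microsoft or OneDrive, and the folder, file names, and "known" list are constructed for the example. The scanner has to read a file's bytes to compute the hash, but the record it produces holds only a name, a size, and a fingerprint, and the comparison only identifies files whose exact bytes are already on the list, whatever they are named.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=65536):
    """Stream the file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_metadata(root, known_hashes):
    """Return one record per file: name, size, hash, and whether the hash is on the list."""
    records = []
    for folder, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            file_hash = sha256_of(path)
            records.append({
                "name": os.path.relpath(path, root),
                "size": os.stat(path).st_size,
                "sha256": file_hash,
                "known": file_hash in known_hashes,  # exact match only
            })
    return sorted(records, key=lambda record: record["name"])

def demo():
    """Build a constructed sample folder and scan it (all data here is made up)."""
    listed = b"constructed sample: bytes of a file that is on the known list\n"
    known_hashes = {hashlib.sha256(listed).hexdigest()}
    samples = {
        "vacation.jpg": b"constructed sample: a personal photo\n",
        "renamed-copy.dat": listed,  # same bytes as the listed file, different name
        "taxes-2024.txt": b"constructed sample: a private document\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        return scan_metadata(root, known_hashes)

if __name__ == "__main__":
    for record in demo():
        print(record)
```

Only the renamed copy comes back marked as known; the other two records say nothing about what the photo or the tax document contains.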

Some also worry that an actual person does the scanning — i.e., looks at your photos — rather than a computer program. The only way scanning could happen at scale, of course, would be via automation.

The operating system can do anything

People can be surprised to read in a TOS¹ that they’ve granted the software or service the right to read their files.

Well, of course. How could it be otherwise?

Think about it. If Windows can’t read your files, you wouldn’t be able to do something as simple as copying a file from one folder to another.

The ability to read, write, and manipulate your files is fundamental to any operating system’s ability to do what you ask it to do. That’s why it’s often part of the TOS.

It’s so fundamental that we don’t even think twice about it.

The operating system could do anything

What that means, of course, is that any operating system could scan all your data for whatever reason it wants.

If Microsoft wanted to scan your data for AI training or anything else, they don’t need OneDrive to do it. It’s already within their grasp to do so from within Windows and send the information back to Microsoft.

Again:

I do not believe that Microsoft is scanning your data — on your computer or anywhere else.

But they could. We trust that they don’t, but they could.

And that’s where things get weird.

OneDrive and Windows are both Microsoft products

If you don’t trust OneDrive with your files, why do you trust Windows with them?

I’m not trying to be a jerk about this; I’m trying to make a point. If you trust Microsoft to handle the data on your computer with any modicum of privacy, it makes no difference whether you put your files in OneDrive or not.

In theory, your concerns should apply equally to both.

Some people don’t trust Microsoft, period

I hear regularly from people who don’t trust Microsoft or have become so annoyed at the company’s behavior that they walk away completely.

They don’t use OneDrive. They don’t use Windows. Most have switched to Linux for its transparency and lack of corporate shenanigans or gone with other open-source alternatives.

I get that, I truly do. If you don’t trust Microsoft (or Apple or Google or whoever), it makes complete sense to take all the steps you can to avoid using their products. It’s not always easy, but it makes sense if that’s your belief.

Is it really all or nothing?

OneDrive and Windows are both Microsoft products. If you don’t trust one, you probably shouldn’t trust the other.

But that makes this an all-or-nothing decision, and, as we know, life is never that simple. Life is full of risks, risk management, and probability. So, no, it’s not necessarily all-or-nothing. It’s more complicated than that.

The perception is that the risk of Microsoft scanning what’s stored in OneDrive is higher because it’s already on their servers. It would be difficult to detect at any technical level. To prove it would take a data leak of some sort that a) could only be traced back to Microsoft actions and not some randomly hacked account, and b) could only have come from someone’s files stored in OneDrive and nowhere else.

There’s been no proof that I’m aware of, but the fact that it’s conceptually easier for Microsoft to pull off makes some believe it’s a higher risk. Hence, they feel less exposed keeping their data on their own Windows computers while avoiding “somebody else’s computer” — a popular definition of the cloud — when that other computer belongs to Microsoft.

Those two legit reasons

I mentioned there are two reasons your data might be scanned that, to me, make a certain kind of sense.

I’m not saying I necessarily agree with either, and Lord knows they’re both subject to abuse, but conceptually, at least, they make sense. Those two cases seem inevitable and are covered publicly in Microsoft’s Terms of Service and other official documentation.

Here’s the thing: they can do all that for files stored in OneDrive, of course. They could do it for any internet-connected PC running Windows.

Again:

I do not believe that Microsoft is scanning your data — on your computer or anywhere else.

But they control technology that would allow them to do whatever they want. We trust that they don’t.

Why I’m not concerned

The backlash of any actual content scanning, copying, or re-use that goes against the terms of service you’ve agreed to would be a legal and PR nightmare for Microsoft. While it’s true they have had those in the past, this would be particularly egregious, and, most importantly, costly.

It would quickly put them at a greater competitive disadvantage compared to other companies that make privacy a top selling point.

What’s also often overlooked is that corporations — Microsoft’s largest customers, after all — would throw an absolute fit if it came to light that their sensitive documents were being used for anything not formally agreed to in a corporate contract.

The cost of failure is too high, and the potential benefits for Microsoft are too low. They can use other things to train their AI without poking around in what people are storing in OneDrive.

Do this

If you’re truly, deeply, concerned about your data privacy and don’t trust Microsoft not to scan your data in OneDrive, then know that avoiding OneDrive may not be enough. Depending on the depth of your distrust, you might want to avoid all Microsoft products, including Windows.

Personally, I won’t say that I “trust” Microsoft; that’s too broad a statement covering too many possible areas². However, I feel comfortable using Windows, and I feel comfortable using OneDrive. I don’t believe Microsoft is scanning my data in OneDrive or on my computer.

After all, I’m just not that interesting.

You may feel otherwise. Just make sure you understand the full implications.


Footnotes & References

1: Terms of Service, License Agreement, or AUP, Acceptable Use Policy.

2: I don’t trust them not to hold my OneDrive files for ransom, for example.
