On Trusting and Not Trusting Microsoft

An interesting inconsistency.

Worried Microsoft is peeking at your files in OneDrive? The truth is more complicated and perhaps surprising. I’ll look at what scanning really means, why avoiding OneDrive may not be enough, and how trust in Microsoft’s products comes down to risk, reality, and choice.
Question: You should never put your files in OneDrive. Ever. It just gives Microsoft the ability to steal all your stuff. They scan it, take it to train their AI, and use it in other ways you never agreed to.

That’s a synthesis of comments I see frequently when discussing OneDrive.

Some people are adamantly against cloud storage of any sort. They are convinced that large companies like Microsoft use it as a way to slurp up content for nefarious purposes.

I have bad news for those folks. Microsoft can do that whether you use OneDrive or not.

TL;DR:

Microsoft, OneDrive, and trust

If you don’t trust Microsoft with OneDrive, why trust Windows? Both give Microsoft full access to your files. While scanning for illegal content or legal demands is possible, there’s no proof of anything further. If you truly don’t trust Microsoft, avoiding OneDrive alone won’t help.

They’re not scanning your data

I want to be clear before I go any further.

I do not believe that Microsoft is scanning your data (on OneDrive or anywhere else) for nefarious purposes.

I apologize if I get repetitive on that point below. People seem to insist on taking my words to mean they are. They are not.

I can think of exactly two reasons they might examine your data, and both make sense. They’re important to understand, and I’ll talk about them below.

What Microsoft does or does not do with your OneDrive data isn’t the point of this article.

Here’s the thing: you’ve already given Microsoft access to everything on your computer by running Windows.

It’s Microsoft Windows, after all.


What does scanning mean, anyway?

Scanning can mean any number of things. What most people worry about is that the contents of their documents or photos are being examined and copied for other purposes, or, in some cases, judged (say, for legal reasons).

Scanning can also mean tracking only the metadata: filenames, file sizes, file properties, and, in some cases, computed file hash values for comparison against other known files.

Some also worry that an actual person does the scanning — i.e., looks at your photos — rather than a computer program. The only way scanning could happen at scale, of course, would be via automation.

The operating system can do anything

People can be surprised to read in a TOS¹ that they’ve granted the software or service the right to read their files.

Well, of course. How could it be otherwise?

Think about it. If Windows couldn’t read your files, you wouldn’t be able to do something as simple as copying a file from one folder to another.

The ability to read, write, and manipulate your files is fundamental to any operating system’s ability to do what you ask it to do. That’s why it’s often part of the TOS.

It’s so fundamental that we don’t even think twice about it.

The operating system could do anything

What that means, of course, is that any operating system could scan all your data for whatever reason it wants.

If Microsoft wanted to scan your data for AI training or anything else, they don’t need OneDrive to do it. It’s already within their grasp to do so from within Windows and send the information back to Microsoft.

Again:

I do not believe that Microsoft is scanning your data — on your computer or anywhere else.

But they could. We trust that they don’t, but they could.

And that’s where things get weird.

OneDrive and Windows are both Microsoft products

If you don’t trust OneDrive with your files, why do you trust Windows with them?

I’m not trying to be a jerk about this; I’m trying to make a point. If you trust Microsoft to handle the data on your computer with any modicum of privacy, it makes no difference whether you put your files in OneDrive or not.

In theory, your concerns should apply equally to both.

Some people don’t trust Microsoft, period

I hear regularly from people who don’t trust Microsoft or have become so annoyed at the company’s behavior that they walk away completely.

They don’t use OneDrive. They don’t use Windows. Most have switched to Linux for its transparency and lack of corporate shenanigans or gone with other open-source alternatives.

I get that, I truly do. If you don’t trust Microsoft (or Apple or Google or whoever), it makes complete sense to take all the steps you can to avoid using their products. It’s not always easy, but it makes sense if that’s your belief.

Is it really all or nothing?

OneDrive and Windows are both Microsoft products. If you don’t trust one, you probably shouldn’t trust the other.

But that makes this an all-or-nothing decision, and, as we know, life is never that simple. Life is full of risks, risk management, and probability. So, no, it’s not necessarily all-or-nothing. It’s more complicated than that.

The perception is that the risk of Microsoft scanning what’s stored in OneDrive is higher because it’s already on their servers. It would be difficult to detect at any technical level. To prove it would take a data leak of some sort that a) could only be traced back to Microsoft actions and not some randomly hacked account, and b) could only have come from someone’s files stored in OneDrive and nowhere else.

There’s been no proof that I’m aware of, but the fact that it’s conceptually easier for Microsoft to pull off makes some believe it’s a higher risk. Hence, they feel less exposed keeping their data on their own Windows computers while avoiding “somebody else’s computer” — a popular definition of the cloud — when that other computer belongs to Microsoft.

Those two legit reasons

I mentioned there are two reasons your data might be scanned that, to me, make a certain kind of sense.

I’m not saying I necessarily agree with either, and Lord knows they’re both subject to abuse, but conceptually, at least, they make sense. Those two cases seem inevitable and are covered publicly in Microsoft’s Terms of Service and other official documentation.

Here’s the thing: they can do all that for files stored in OneDrive, of course. They could do it for any internet-connected PC running Windows.

Again:

I do not believe that Microsoft is scanning your data — on your computer or anywhere else.

But they control technology that would allow them to do whatever they want. We trust that they don’t.

Why I’m not concerned

The backlash of any actual content scanning, copying, or re-use that goes against the terms of service you’ve agreed to would be a legal and PR nightmare for Microsoft. While it’s true they have had those in the past, this would be particularly egregious, and, most importantly, costly.

It would quickly put them at a greater competitive disadvantage compared to other companies that make privacy a top selling point.

What’s also often overlooked is that corporations — Microsoft’s largest customers, after all — would throw an absolute fit if it came to light that their sensitive documents were being used for anything not formally agreed to in a corporate contract.

The cost of failure is too high, and the potential benefits for Microsoft are too low. They can use other things to train their AI without poking around in what people are storing in OneDrive.

Do this

If you’re truly, deeply, concerned about your data privacy and don’t trust Microsoft not to scan your data in OneDrive, then know that avoiding OneDrive may not be enough. Depending on the depth of your distrust, you might want to avoid all Microsoft products, including Windows.

Personally, I won’t say that I “trust” Microsoft; that’s too broad a statement covering too many possible areas². However, I feel comfortable using Windows, and I feel comfortable using OneDrive. I don’t believe Microsoft is scanning my data in OneDrive or on my computer.

After all, I’m just not that interesting.

You may feel otherwise. Just make sure you understand the full implications.


Footnotes & References

1: Terms of Service, License Agreement, or AUP, Acceptable Use Policy.

2: I don’t trust them not to hold my OneDrive files for ransom, for example.

19 comments on “On Trusting and Not Trusting Microsoft”

  1. For those who may be worried about files stored in OneDrive, there’s a simple solution for ensuring privacy. That is to encrypt the files using Cryptomator (free) or Boxcryptor (subscription).
    I use Cryptomator for files I store(d) in OneDrive. When I set it up initially, I received all kinds of warnings from Microsoft that I was under attack by ransomware and received offers to help restore my files. That also proves that Microsoft does monitor files in OneDrive as part of the company’s efforts to provide protection from malware.
    I no longer use OneDrive and have switched to using Google Drive, but not because I don’t trust Microsoft. I got fed up with how Microsoft is changing how OneDrive is being used for backup purposes and having to keep an eye on where my files are. Also, for the amount of online storage I do use, Google Drive costs less. I don’t need a full 1TB of storage.
    I will add that Google Drive doesn’t seem to have the same security protections as OneDrive. When I moved my Cryptomator vault from OneDrive to Google Drive, Google didn’t even blink.

  2. How do I secure my privacy when I am working / doing research on my perpetual motion machine? First, I disconnect my laptop from the internet. Next, I plug a thumb drive into my laptop. The thumb drive is where I store all of my secret research projects! When I’m done inventing, I disconnect my thumb drive before I reconnect my laptop to the internet!

    • That’s a basic layer of security, and it’s good to isolate your work. But keep in mind: malware can circumvent that. For stronger protection, consider booting from a live Linux distro that runs entirely in RAM and doesn’t touch your internal drive.

      As for the perpetual motion part… just a heads-up: it conflicts with the laws of thermodynamics, especially entropy. Mainstream physics considers it impossible.

      • Thanks for that advice Mark. I sort of trust Microsoft and Apple, it’s the U.K. government I don’t trust. For instance I have already devised a system should they become even worse. Everything encrypted: one third of the key memorised; one third of the key on a Swiss cloud server; the other third on a piece of paper hidden in our flat.

    • I’ve just remembered OKCarl, some people recommend an airgap computer – a computer that is never, ever connected to the internet. Any information that needs to be sent via email, or a cloud service, is copied onto a USB drive and transferred to another computer that is connected.

  3. Hello Leo. Thank you very much for addressing this topic and all the comments I have seen in recent times. I am not a long-time follower of askLeo, but I very much respect the work you are doing and helping people, and am interested. Also, you have my respect for addressing the haters. Kudos!

    To be honest, I am also very critical of Microsoft. There has been an incident where the OneDrive of somebody got scanned and the picture was identified as supposedly CSAM and was sent to law enforcement falsely. There have also been cases where Microsoft is actively trying to decrypt encrypted files.
    Predatory behavior is most common where adults actually have access to kids (like relatives, teachers, guidance, etc.).
    It is very unlikely to me that specifically this kind of crime is such a high priority of the government (wherever you may be from – even – surprisingly).
    And to hunt for people who send this kind of image on the web and not go after the actual predators. It is very scary how low of a priority this is compared to scanning our data.
    But hey, let’s just take away complete privacy of all individuals on the internet to tackle this crime. Seems reasonable? – Not in the slightest!

    We also do not see the kind of technology that they use when scanning our data. So we do not know if it’s only matching images to known databases or looking through it with AI (but even AI could look and flag for different things).
    So it kind of seems VERY naive of a professional like you to believe (and regurgitate) what many companies are telling us – to not worry about the data because they won’t do it. And if they do, it’s about the children. And they will not take a look or evaluate this data in any other kind of way. Pinky Promise!

    Also, your video – video watcher, not the article – felt like a strawman argument. Most of the people, I believe, who criticize you for your lax stand on Microsoft and user privacy in general are not Microsoft users. We are Linux users, very much because we believe in privacy and think of the dangers of losing privacy – the long-term implications of this interest in privacy – and because we think about all you unfortunate Microsoft users!

    It is equivalent to, or even worse than, having a constant search warrant on your house. And you are like glass in front of tech giants. I even heard OpenAI (I know, unrelated but same to me) is already supplying law enforcement with chats without user consent if they believe you are a criminal.
    – and I believe it’s written in the constitution that nobody should have access to your private compounds without due reasons, or something like that.

    According to Edward Snowden, it is literally the goal of the NSA to hoard and collect ALL information. It doesn’t matter what.
    And to say “I’m not that important enough to care” is ignorant to other people who actually do care. Because we are also affected by you supporting this system.

    Well, I could go on and on much, much longer.

    Your audience is especially old people, and they are not tech savvy. So I think it is your responsibility to educate them on the dangers for our society of what it means to lose basic privacy. And the fact that we already have lost so much of it.
    After all, if there is no privacy digitally, free speech cannot happen digitally.

    (To me, that’s the equivalent of eating meat and not giving a f*** about animal well-being) – disinterest and apathy. And our governments are not solving this issue.

    I am looking forward to your Linux class.
    Thank you very much for reading.
    Much Love.

    – Typed with an offline and open-source FUTOkeyboard voice recognition, I paid for.

    • So have you read every line of code in your Linux installation and every line of code in the software you run? While Leo might have been talking about Microsoft spying on you through Windows or OneDrive, the same thing applies to Macs and Linux. At some point most of us have to trust someone because most of us cannot write our own operating system using machine code. It is theoretically possible for a particular Linux distribution to have spying capability built in, just like it’s theoretically possible for Windows to have spying capability built in.

  4. At least I can delete OneDrive or never use it in the first place. Who I do not trust is Google. They put my information in the cloud without my permission, and make it very difficult to get out of.

  5. Yesterday, my wife and I were in my office discussing a potential future purchase–something neither of us ever purchased before, nor even discussed before. Within minutes, adverts for that exact purchase appeared on my MSN feed. Bottom line: if you are part of the Microsoft, Google, or Apple ecosystems, your data is accessible. They will capture it and use it as they see fit, within the terms and conditions to which you agreed, which almost none of us (including me) bothered to read. Am I complaining? No. This is the price we pay to live in a connected world. Can you prevent this? Theoretically, yes; however, you will probably be very unhappy with how disconnected you have to become in order to achieve that. Best advice I can give is this: Get used to it.

  6. I detect a lot of paranoia in the landscape, and much cleverness trying to get around fear of exposure. I have been on the Internet, and using Windows since they became available. I have no problem with anyone tracking my activity or scanning my data. I have implemented reasonable safeguards which seem to work for now. In spite of the monopolistic scenario provided by Microsoft Windows, none of the other operating systems are as versatile and useful except for specialties that one chooses. I don’t like Windows 11, but it works. It allows me to do most of my activities that formerly had to be done on the hoof.

    One piece of advice to those who are worried about “being traced” and such: encrypt your precious data, and don’t do anything illegal.

  7. I trust Microsoft; that’s not the issue for me. The issue is that I don’t want MS OneDrive on my computer in any way, shape, or form; it’s just a personal preference for me. I do, however, resent that Microsoft keeps placing OneDrive on the “C” drive of my computer after I have removed it, time after time. On my computer, OneDrive has about 50 megabytes of my files in it (desktop, documents, and pictures). Besides the “desktop” stored in OneDrive, there is another “desktop” on the C drive; that just makes me wonder how that works. I don’t subscribe to OneDrive, I don’t have the “cloud” icon in the taskbar (I have deleted it), I do not place anything in OneDrive myself, and I do not pay for any additional space for OneDrive. I cannot figure out why an otherwise reputable company would keep doing this. If I quit using Microsoft folders and use a different name for them, would that stop them from downloading my files? Not sure if I am able to do that with the “Desktop” file folder.

  8. It’s a matter of balancing practicality against unnecessary exposure. I use Windows because (1) it came preinstalled on our computer, (2) most programs and online services are compatible with it. Court decisions be damned, they have a monopoly going, and we all gotta live with that.

    Yes, Windows is made by Microsoft.

    But for Microsoft to “steal” or “copy” locally stored files, (the operative term here being “locally stored”) one of two things must happen. Either (1) Microsoft reaches out to DOWNLOAD everyone’s files, or (2) they must have programmed each and every copy of Windows to UPLOAD everyone’s files.

    Either one would cause the Internet itself to collapse — there’s no way it could handle such prodigious traffic — because, like I said, they gotta monopoly! To say NOTHING of the fact that either one would be massively illegal.

    But voluntarily uploading files to Microsoft’s own servers yourself changes that.

    Now, just like you, Leo, I don’t believe that Microsoft actually “steals” or “copies” or “scans” any of the files that people upload.

    But that doesn’t mean I’m necessarily comfortable giving them custody of my files, whether they “snoop” on them or not! My reaction is almost visceral.

    Now, I’ll freely admit that this is an emotional response.

    I’ll even admit that this reaction is illogical, and even irrational.

    Nonetheless, that’s my response. I give them enough of my trust (and my money!) just by using Windows; beyond that, I’ll have as little to do with them as I possibly can, thank you very much.

    And anyone who disagrees can go sue me.

  9. I’m obviously ignorant here, so are you saying that in Microsoft’s TOS I have given them (that is, the corporate body, rather than an operating system that is an autonomous physical feature of MY computer) permission to read, manipulate and save on their servers anything and everything on MY computer, without my specifically asking that it be uploaded? I would find that unacceptable and I would then have to keep all my storage as independent of the internet as I could, but have I already given them everything important? By the way, I don’t buy the “I’m not important enough” argument; in this day and age you never know when for cultural, economic, religious or political reasons you might fall into a cohort deemed to be of considerable interest. If arrangements have surreptitiously been made such that my information CAN be gathered suggests to me that one day it will be used by someone – not necessarily Microsoft.

  10. To start, I have a desktop, my primary laptop PC, and an older laptop PC I inherited from my wife when she passed away. I have Microsoft Windows 11 24H2, and (Arch-based) Garuda KDE-Lite GNU/Linux operating systems installed on all three computers (in other words, I dual-boot Windows and GNU/Linux).

    My first PC was a Gateway IBM Clone desktop machine with an 8088 CPU, 640 Kb RAM, a 14-inch CRT color VGA display, and a 100MB MFM hard drive, with MS-DOS v 3.1 for its OS. After a few years, the hard drive in that machine suffered a head crash, and I was unable to find a replacement drive because the MFM technology was by that time obsolete, so it was more cost effective to purchase a few used components from a local computer shop and assemble an i386 powered system, equipped with more RAM and a larger hard drive. To learn how to put that machine together, I purchased a book titled “Upgrading and Repairing PCs”. Since that time I have never purchased another ‘store bought’ desktop computer again.

    I have used Microsoft OSes, either MS-DOS or Microsoft Windows throughout my computing life from that time to the present. While I can’t say that I trust Microsoft implicitly, I do trust them enough to use their OS. Since I’m retired, and I’ve never been employed in any position higher than as a supervisor (some forty years ago), and I don’t use Bitcoin, I agree with Leo that I’m probably not interesting enough to attract the attention of crackers (Black Hatters), or Microsoft either. While the One Drive app is installed on my computers by default, and I haven’t gone to the bother of removing it, when I performed a fresh install of Windows recently, I did bypass the option to sign into One Drive, so I have a nearly empty One Drive folder on my C: partition, and my active Documents, Pictures, Music, and Videos folders have not been imported into my One Drive folder, in fact those folders don’t even exist under my One Drive folder.

    I use Windows for everyday computer activities, such as email and web surfing/online activities, and GNU/Linux for experimentation and research to keep up with new technologies and to better understand current technologies. If I reach a point where I no longer trust Microsoft enough to use their products, I’ll remove Windows from my computers and become a GNU/Linux purist, but at present, I like what Microsoft has been doing with Windows, especially with the Microsoft Security app, and I like the Windows 11 user interface, and how the OS works, and how it provides me with everything I need to do whatever I want to do when I’m using Windows.

    In closing, I agree with Leo when he says that if you trust Microsoft enough to use their OS (Windows), then it doesn’t make any sense to not trust them enough to use One Drive as well. I don’t use One Drive because they don’t offer a GNU/Linux compatible One Drive app, and I don’t like how they try to foist One Drive Backup on me. I’ve found a different cloud service that offers 20GB storage, and they offer a desktop synchronization app for both Windows and most distributions of GNU/Linux, at https://mega.nz and their desktop app is named MEGAsync, and best of all, they don’t harp on me to use the other services they offer, several of which are free for personal use.

    Ernie

    • “I don’t use One Drive because they don’t offer a GNU/Linux compatible One Drive app”. There are several apps for that. I use OneDriver.
      I could very easily switch from Windows to Linux except that I need to keep up to date on Windows for my work at AskLeo! and you can’t beat the user interfaces of Windows or MacOS.

  11. Simple. Don’t want every piece of data, every photo, every Office file, every PDF, every saved link, every Google search – i.e., EVERYTHING on your machine – potentially not examined, parsed, and analyzed by Microsoft, and others? Go to Linux. It’s safe … at least for now. (And yes, I deleted OneDrive after my last two recent rebuilds, one on Windows 10, the other on Windows 11.)

