Is Microsoft keeping secret records of customers and for what purpose?

Truth be told I have never been a fan of Microsoft. Don’t get me wrong you have to respect what Bill Gates has managed to do and how he has influenced many companies. I have to also mention the good work he and his wife are doing in third world countries.

However I have never liked the numerous faults in Microsoft software, or how you have to upgrade to the latest version to get the fix that you need or how they do business. This is basically now good business practices, or the only business model around but there is a limit to what I’m willing to tolerate.

My story is a bit long winded but the ending is worth the price of your time and as all good stories go, it may have a moral for you to learn from, at the end. Enjoy the read, the story is true!

Around 18 months ago Microsoft was commissioned to set up and install software for a company which I was employed at. Microsoft was to set up and install Cloud based Exchange service, Outlook and some other pieces of software. Sometime after I started work there I was approached by an employee who was concerned that on a regular basis his PC would prompt to run a backup job of his Outlook. My first reaction was the user must had accidentally pressed some button and set up the job to run. Having gotten over my initial reaction and only witnessing this on this person’s PC, the incident peaked my interest.

I quietly asked around as to what, why, who, where, when and how this may have happened. The person who drew my initial attention to the issue certainly didn’t do either by accident or deliberately. Failing to get any satisfactory answers for the support services and managers around at the time I turned my attention to the people that did the work and are currently maintaining the system. This is a very important point, as you would imagine, anyone setting up and maintaining a system should keep good record and would be able to quickly respond to what I see as a simple question, who set the job up?

When I asked the Microsoft representative, she was prompt and efficient with reassurance that I would get a response quickly within days. A couple of weeks went by and I decided to call. I was quickly greeted with apologies and comments such as I thought that XYZ was going to call you and explain. All I wanted was a couple of simple questions answer, so that I could determine the next step.

Here is the good part I waited all the time only to be told when I did call that they could not tell me anything!!! The only lead I had vanished without a trace by those simple words. This did two things for me one, it left me very frustrated, and I waited for weeks to be told nothing. Secondly, I wanted to know what Microsoft should have been able to tell me given that they are the service provider and getting well paid to not only provide the service but provide reasonable answers to questions.

Wait there is more, I’m only getting started.

Fast forward a few months, projects are going on all around me and I’m not invited into any of the meetings. The server and desk teams roll out Microsoft System Centre End Point Security models throughout the organisation. By the time I found out the deed is done and we have gone from a good product providing measureable results, to one were within weeks thousands of machines are infected with viruses, malwares and Trojans. The company’s intrusion detection system is going crazy with alerts but the Microsoft product doesn’t seem to be detecting them, removing them or stopping them.

I went to the organisation’s senior managers and informed them that the Microsoft solution seems to be failing as documented by the risk assessment showing that Microsoft wasn’t the best Anti-Virus protection solution. I was directed by the senior managers to engage with Microsoft directly.

The fun was about to start. I tried to explain to Microsoft what was happening on the network but they didn’t seem to get it. They asked me for signature patterns of viruses, malware and Trojans - try explaining to someone that you don’t have soft copies files to submit but screen shots.

At this point I was asked how I submit request for signature updates based on the information I had available to me and once again I’m greeted with the usual I will get back to you. Over a period of time, which seemed like a century, I exchanged a number of emails and phone calls, wondering what is so difficult. To this day I haven’t had a satisfactory reply to this question or others. I’m still waiting for a reply to what I consider a very simple question - “how do I?”

By now you must be wondering…what the hell has the title got to do with the story? Last week I was having a discussion with my manager, you know the type. The one sided discussion where the manager doesn’t have the facts, or a clue, about things they do, and no matter what you say it’s going falls on deaf ears. It is during the discussion that my managers drops a bomb shell, apparently the Microsoft representative neglected to inform me, she was directed to record all of my requests to her. Over a period of 10 months or less I have made about 4 maybe 5 requests of which I have never had a satisfactory reply from Microsoft. I have no idea as to what has been recorded or who directed my requests to be recorded. But to say that I’m less impressed with Microsoft the company now than ever, is an understatement. I want the Privacy Commission to step up and look into this outrage.

Remember that I mentioned early Microsoft set up cloud based solution for the company, well my last request to Microsoft was regarding who has access to certain information in the cloud based solution, within weeks of the new privacy act coming into force. The information I was inquiring about was leaked and available on the Internet for anyone to buy. I was told both over the phone and in writing how seriously Microsoft takes privacy, only find out that it can’t answer simple questions and also secretly keep records on those that submit requests. Under the privacy act I should be able to get access to this information, but then again I should have also been told they were doing this and why.

For those of you that don’t recall many years ago, Microsoft released one of its desktop operating system environments, the US Department of Defense (DoD) caught Microsoft operating sending back information to its HQ. When DoD confronted Microsoft about this they refused to comment or provide any information to validate the incident.

Why is Microsoft keeping records on customers submitting requests? Who is seeing these requests? Who has the authority to make this request, to record details? How are you selected for tracking? How accurate are these records? How long has this being going on for and how long are Microsoft going to keep this up? How long will Microsoft going to keep the records for?

Perhaps the most disturbing is who else is doing this and for what purpose, it is a good tool to keep people in-line.

To borrow a line form the George Orwell novel 1984, “Big Brother is watching you”. Hopefully, we will not all end up the same why as the hero of the novel did…sorry no spoilers on the novel ending.

This article was written by a CSO who wished to remain anonymous.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags Microsoftsecurity

More about BillBrother International (Aust)CSOEnex TestLabMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anonymous

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts