Early Microsoft Delve users worry about privacy

During a Yammer discussion this week, some users were confused and concerned about potential privacy implications in Delve.

Just a couple days after Microsoft began rolling out Delve, its new enterprise social offering, some people are worried and confused about potential privacy implications.

Delve is a new enterprise social product that Microsoft is offering to Office 365 business customers. It shows users personalized information about recent content they've been looking at and content that's trending with co-workers.

On Wednesday, Microsoft hosted a Yammer discussion where anyone could ask questions about Delve and Microsoft employees would respond. While there was definite excitement about the product from many people who participated in the conversation, some comments pointed to a privacy challenge.

Microsoft has been thoughtful about exactly what to surface in Delve but its decisions aren't always clear to users, causing some confusion.

Delve essentially displays to users what Microsoft calls the Office Graph. The Office Graph indexes content like documents and video as well as "signals," which include things like who you email and who you share documents with.

"Every single bit of content captured in the Office Graph is captured with a permission attached," said Cem Aykan, senior product manager for Office Graph and Delve at Microsoft. For instance, documents stored in OneDrive or SharePoint have permissions allowing them to be shared with certain people.

Delve "inherits" those existing permissions, so no document will ever appear to someone who doesn't already have permission to see it, he said.

In addition, Office Graph has a notion of public and private signals.  A private signal is an email or Lync conversation between two people. Delve will never include those signals, he said. Public signals, which include your involvement in a Yammer group or on a SharePoint team, are included in Delve.

"Delve is a window into the Office Graph and it helps you discover and navigate those things," he said.

The trouble is, Delve's equation isn't always clear to users.

For instance, during the Yammer discussion, one user said that he was seeing trending documents that indicated individual co-workers who were looking at the document. Some of those files were HR documents about domestic partner insurance coverage and benefits around psychological assistance. His query drew concerns from other people who noted they wouldn't want co-workers to know that they'd looked up HR policies around maternity leave, especially before disclosing a pregnancy, or about whistle blower protection.

It turns out, that user may not quite understand how Delve displays content. Delve is comprised of "cards," or boxes that contain, for instance, an image of a document plus details like how many people have viewed it and commented on it, as well as tags. It only includes a person's name if that person has edited the document, said Aykan. Editing a document is already data that's displayed in SharePoint so it shouldn't be the kind of detail that would worry a user.

Another person noted that even though the views are anonymous, it could still be interesting to see that lots of people are suddenly looking at an HR document, like one about whistle blower protection.

There's also a "trending around" feature that's difficult to explain and understand.  As Microsoft describes it, a document might be tagged in Delve as "trending around" a colleague but that doesn't mean the colleague has actually seen the document. In fact, the colleague might not even have access to the document, which could be a private file. However, if a user has a strong relationship with someone, like a manager, and at the same time is making frequent updates to the document, Delve would show that document as "trending around" the manager, as a sort of recommendation that the document might be useful to the manager. However, Delve wouldn't display the document to the manager.

That concept is throwing some early users. "I am kind of freaking out about how to explain some of it to 10,000 people who won't read this or listen to me -- just see that their private document is trending around their manager and well -- we won't get them back," one person wrote during the YamJam.

Another wrote: "Nothing will shut down adoption quicker than perceived (or real) privacy violations."

For now, there aren't great ways to restrict documents from Delve. You can remove a document from search but then it won't be discoverable by people searching for it. Several people suggested that it would be handy to have controls that would allow businesses to restrict some content or content types from surfacing in Delve, and Microsoft workers acknowledged those comments as feature requests. Plus, Aykan said that making sure users have the controls they want is one way Microsoft will ensure usage of Delve, indicating the company is taking such feedback to heart.

Based on the experiences of pilot users, Microsoft has learned that those that were already comfortable with using enterprise social tools had an easier time getting used to Delve and understanding its value from the start than those who hadn't used enterprise social tools previously, Aykan said.

"If you look at our legacy customer base, they're comfortable working in this predefined siloed world. This is a bit of a big change for them," he said. But he thinks that initial surprise these users may find in Delve -- like discovering that another team is working on a similar project -- will lead to a great value as those users realize they don't have to create something from scratch or that they can reach out to that other team for advice.

He also said that users who have spent more time with OneDrive and SharePoint and are familiar with the governance practices around those products have found Delve easier to understand.

So how will Microsoft try to stem this kind of confusion from derailing Delve adoption? Providing transparency so that people will know what they're seeing and why will help, Aykan said. It already added a feature during the pilot phase that lets people right click on a card to see permissions related to the content. "Another angle is to provide additional choice and control so users can see who's seeing what and so they can choose to opt in and opt out. We're doing all those things," he said.

His team will also "double down" on messaging to users so that they are sure to understand that the same governance practices they're already familiar with around OneDrive and SharePoint apply to Delve. "We'll definitely provide user guidance and adoption content, both for end users as well as IT, on how to get started with Delve and some of the tips and tricks," he said.

His team has plans to add much more to Delve. In the future it will surface information from Yammer. It may also include information from email attachments -- but only in a "work view" that shows you recently viewed documents. Email attachments wouldn't appear in anyone else's view.

Microsoft is working on Windows 8, Android, and iOS apps for Delve as well.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityYammerconsumerizationprivacy

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Nancy Gohring

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts