EU Parliament blocks new Outlook apps over privacy concerns

The way the apps store passwords and emails in the cloud poses security problems

Access to Microsoft's new Outlook apps has been blocked for members of the European Parliament because of "serious security issues."

Microsoft launched new Outlook apps for iOS and Android just over a week ago. The new apps are basically a rebranded version of a mail app made by Acompli, a company Microsoft bought in December for a reported US$200 million.

Access to the apps, though, was blocked on Friday by the Parliament's IT department, DG ITEC, in order to protect the confidentiality and privacy of its users, according to an email seen by the IDG News Service.

"Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password," it said.

The apps will send password information to Microsoft without permission and will store emails in a third-party cloud service over which the Parliament has no control, DG ITEC added in a message on the Parliament's intranet.

Microsoft's new Outlook app basically acts as an email inbox for Exchange, Outlook, iCloud, Google and Yahoo mail accounts.

The service retrieves incoming and outgoing messages, calendar data and address book contacts and pushes them securely to the app. Those messages, calendar events, and contacts, along with their associated metadata, "may be temporarily stored and indexed securely both in our servers and locally on the app on your device," according to Acompli's privacy policy. Email attachments will also be temporarily stored on its servers.

Email accounts that use Microsoft Exchange require users to provide email login credentials, including username, password, server URL, and server domain, it said, adding that other accounts, such as Google Gmail accounts using the OAuth authorization mechanism, do not require a password to be stored.

Each user's credentials are double-encrypted, first using a unique per-account server key and then using a unique client device key, so the credentials can only be unlocked by the collaboration of both the server and the app at runtime, according to Acompli's security page.

It's not just the European Parliament, though, that thinks this is not secure enough: a number of other organizations have banned the new Outlook app because of how it stores passwords.

The University of Wisconsin, for instance, announced last week it would start blocking the app as of Monday. The app stores login information in the cloud, which clearly poses a security risk because the cloud service is not overseen by the University, it said in a blog post, adding that other universities are having similar issues.

In the Netherlands, the Delft University of Technology reportedly also started blocking the apps because they store contact data and passwords in the cloud.

A Microsoft spokesman said the app's security and privacy capabilities, as well as the controls available to IT administrators, meet the company's thresholds. If customers have concerns though, they can follow guidance on Controlling Device Access on Microsoft TechNet to block the app and continue using the Outlook Web Access (OWA) for iPhone, iPad, and Android apps, he added.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com
