Exchange Apps/Add-ins May Share Your Personal Information with Third-Party Services
How many of you know that Microsoft Exchange on-premises and Exchange Online in Office 365 can share your personal data with third party services? For example, any map addresses found in an Exchange email are send to Bing. These addresses can be shared with a third-party service. But there is much more that can be shared with these third-party services. Do you know who these third-parties are? Let me explain what I am talking about and then I will tell you what you can do about this sharing of personal data.
Exchange Server 2013
If you go to the Exchange 2013 admin center, you will see an organization link on the left hand side that you can configure. When you click on the link you will see the following three options:
Click on the apps link and you will find that the following five apps are already installed for you by default. You cannot uninstall these apps, and you cannot delete them because the delete button is grayed out.
Exchange Online in Office 365
In Office 365 Exchange Online, you will also see the organization link in the Exchange admin center on the left hand side, but there are only two options that you can configure.
The apps in Exchange 2013 on-premises are called add-ins in Exchange Online in Office 365. The text that describes the apps/add-ins is almost identical, with some minor differences that don’t change the meaning of the text.
What Do the Apps Do?
In this article, I will use the screenshots from Exchange 2013 admin center. These apps are almost identical to the add-ins in Exchange Online. There are five apps installed by default and each serves a different purpose.
- Action Items
- Bing Maps
- My Templates
- Suggested Meetings
The first screenshot at the beginning of this article displays the Action Items app. The following four screenshots depict the remaining apps. As you can see, four of the five apps say “This app will not share your data with any third-party service.” The Bing Maps app says “This app will send addresses to Bing but will not share your data with any third-party service.”
What’s unique about these apps is that:
- They are all installed by default in Exchange 2013 and in Exchange Online in Office 365.
- They are all enabled by default.
- They can not be uninstalled or deleted, but they can be disabled.
- They all assure you that the app will not share your data with any third-party service.
- They all warn you that the app may share your data with a third-party service.
What Does This Mean?
So what does this mean? Well, that’s a good question and I don’t know the answer. Basically it says that the app will not share your data, but the app may share your data. We can all guess why each app contradicts itself. Here are some possibilities. Yes, these are all wild guesses :).
- Perhaps one group at Microsoft wrote the first paragraph, the second group wrote the second paragraph, and the third group put the two together without reading both the paragraphs. But that can never happen (wink, wink!).
- It covers Microsoft either way. If the app doesn’t share the data with the third-party then Microsoft can say we value your privacy and we told you so. However, if the app shares the data with the third-party then Microsoft can say we already warned you that the app may share your personal data. I know, it doesn’t make much sense but I am trying really hard to come up with an excuse to justify the contradiction.
- It could be one of those things where Microsoft is testing us to see if we actually read the text because people don’t always read the fine print. If you recall, in 2005 PC Pitstop inserted a “special consideration” clause in its agreement that offered money to anyone who sent an e-mail to an address contained in the license. After 3,000 downloads and four months, one person finally took advantage of the offer and received a check in the mail for US$1,000. You should check out my article from 2005 called Afraid Microsoft’s anti-spyware will muck up your hard drive, erasing your digital photos, music collection and work files?
- Perhaps when Microsoft said no, it meant yes. To really appreciate my subtle humor, you must read my article from July 2006: When Microsoft Says No, It May Mean Yes. I assure you, you will get a kick out of it.
- There is some other explanation that we don’t know. Perhaps you, the readers, can help me out and tell me what you think is the explanation.
What Kind of Information Can Be Shared?
The information shared with the third-parties can include the following personal information in any message or calendar item in Microsoft Exchange on-premises or Exchange Online in Office 365:
- The subject of your email message.
- The body (i.e. all the content) of your email message.
- The name of the sender.
- The name of all the recipients.
- Any attachments that you included in your message.
- Any phone numbers that were included in your message body or subject.
- Any postal addresses that were included in your message body or subject.
- Any URLs that you typed in your message body or subject
Disabling the App
Although these apps/add-ins can’t be deleted or uninstalled, luckily you have the ability to disable them. If you don’t like Microsoft to share your personal information, simply double-click the app/add-in and clear the box Make this app available to users in your organization. You can also change the default behavior, so it is disabled, or force the app to always be enabled so the users can’t disable this app. I guess this option is for those third-parties who receive all the personal user data (just kidding!).
When you disable the app, the Provided To column changes from Everyone to Nobody. In the example below, all the apps are disabled. Compared this to the first two screenshots where the Provided To option was set to Everyone.
Copyright © 2017 SeattlePro Enterprises, LLC. All rights reserved.