What Attorneys and Their Clients Need to Know About Windows 10 and Microsoft’s New Privacy Policies

August 1, 2015 – More than 14 million users have already downloaded Windows 10; the new operating system has been described both as “glorious” and as “incredibly intrusive.” With respect to the latter, Microsoft’s newly revised Services Agreement and Privacy Statement took effect today. These lengthy policies are somewhat mind-numbing, but one thing is clear: Microsoft claims the rights to collect, store, review, and disclose massive amounts of users’ data – including the content of their emails, text messages, and video communications. Further, while Microsoft no doubt aggressively polices its own intellectual property rights, its policies purport to require users to essentially surrender all such rights in content they share with anyone else online.

A quick caveat: These are brand new policies, and I’m sure there are many things lawyers, clients, and consumers should know about them and about the privacy implications of Windows 10. This post most definitely is not intended to be a comprehensive survey of the topic!

Highlights of Windows 10’s Privacy-Invading Functions and Microsoft’s New Policies

In short, according to Zach Epstein of BGR.com, “Windows 10 is … spying on nearly everything you do.” According to Microsoft, its “consumer products, websites and services” collect information such as

  • your full name, email address, mailing address, and phone number
  • passwords and password hints
  • your age, gender, and occupation
  • the stocks you track
  • credit card numbers and security codes
  • “data about how you interact with [Microsoft’s] services,” such as “the features you use, the items you purchase, the web pages you visit, and the search terms you enter”
  • “data about your contacts and relationships” – but only if you use a Microsoft service “to manage contacts, or to communicate or interact with other people or organizations.” (I’m not sure there’s anyone using a Microsoft system who doesn’t use it to “communicate or interact.”)

It gets worse. Microsoft “collect[s] content of your files and communications” including “the content of your documents, photos, music or video…. It also includes the content of your communications sent or received using Microsoft services, such as the subject line and body of an email, text or other content of an instant message, audio and video recording of a video message, and audio recording and transcript of a voice message you receive or a text message you dictate.” Microsoft “systematically scan[s]” this content “in an automated manner…”

But don’t worry – Microsoft wants you to know that “you have choices about the data we collect. When you are asked to provide personal data, you may decline.”

Of course, since all of these privacy-invading functions are activated by default, you won’t be asked to provide the personal data. And, apparently, opting out of these functions requires you to navigate more than a dozen screens within Windows 10 and to access a separate website. Further, don’t think you’re protecting yourself by enabling “Do Not Track” features in your browser: “Microsoft does not currently respond to browser DNT signals on its own websites or online services, or on third-party websites or online services where Microsoft provides advertisements, content, or is otherwise able to collect information.”

Potential Waiver of Intellectual Property Rights

In addition to killing what remained of privacy on the internet, Microsoft also purports to require its users to give up important intellectual property rights: “When you share Your Content with other people, you expressly agree that anyone you’ve shared Your Content with may, for free and worldwide, use, save, record, reproduce, transmit, display, communicate … Your Content. If you do not want others to have that ability, do not use the Services to share Your Content.” I have serious doubts about the enforceability of this provision – but users should be aware of it.

Further, although Microsoft acknowledges that it does not own the content users share, “you grant Microsoft a worldwide and royalty free intellectual property licence to use Your Content, for example, to make copies of, retain, transmit, reformat, distribute via communication tools and display Your Content on the Services. If you publish Your Content in areas of the Service where it is rendered available online publicly or without restrictions, Your Content may appear in demonstrations or materials that promote the Service.” A perpetual, royalty-free, virtually unlimited license is pretty close to ownership, Microsoft’s assurances to the contrary notwithstanding.

What Are an Attorney’s Ethical Responsibilities?

Note that the Services Agreement and Privacy Statement explicitly do not apply to Microsoft’s products aimed specifically at businesses, such as Office 365 For Business. Presumably, most lawyers use those products rather than similar products marketed for “personal” or “home” use, so that somewhat limits the impact on lawyers’ computing – though even with professional products, Microsoft uses the content of communications. (I would be curious to know, though, how many solo practitioners and small firms use personal versions of Office products.)

The more interesting questions involve a lawyer’s responsibilities in dealing with clients – and, to a lesser degree, others (witnesses, vendors) – who use Microsoft products and services.

At the very least, attorneys must take “reasonable” steps to protect client information. See, for example, ABA Model Rule 1.6: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This rule gives little guidance, though, when the client and/or the lawyer have consented to an entity like Microsoft accessing their data and communications. In that case, arguably, at least, the access or disclosure is not unauthorized.

Some states impose a higher obligation on attorneys. Section 6068(e)(1) of California’s Business and Professions Code, for instance, requires a lawyer to “maintain inviolate the confidence, and at every peril to himself or herself to protect the secrets, of his or her client.” Despite the hardline language of this section, the California Bar Association recognizes that some degree of risk is inherent in electronic communications; accordingly, the key issue seems to be whether the attorney understands the technological risks and makes efforts, such as use of firewalls and spam filters, to protect data.

The American Bar Association and state and local bar associations have provided some suggestions for protecting client confidences while using evolving technology, but most of those opinions involve issues such as using public wifi – not scanning of communications by your own operating system. The Model Rules of Professional Conduct, adopted by many states, allow disclosure of client information if it is “impliedly authorized in order to carry out the representation.” That language would seem to shield attorneys from any potential discipline arising out of Microsoft’s acquisition of communications or other client information. Note, though, that the California rules do not include a similar exception.

At a minimum, every attorney must stay apprised of the privacy, or lack of privacy, inherent in the technologies she uses, with the understanding that what efforts to protect client information are “reasonable” varies depending on the technology at issue. Educate your clients, and educate yourself about the technology your clients use. I suggest having frank conversations about which technologies you and those you communicate with online use. Then, an attorney and client can decide together whether the risk of disclosure is acceptable. For highly sensitive information, or information that could fetch a high price if intercepted – think, representation of a Chinese dissident or a celebrity involved in a messy divorce – different security protocols may be warranted.

