Skip to content
Naked Security Naked Security

Microsoft, Google and Apple clouds banned in Germany’s schools

Citing privacy issues, Germany just banned its schools from using Microsoft Office 365, Google Docs, and Apple's iWork cloud services.

Germany just banned its schools from using cloud-based productivity suites from Microsoft, Google, and Apple. The tech giants aren’t satisfying its privacy requirements with their cloud offerings, it warned.

The Hessische Beauftragte für Datenschutz und Informationsfreiheit (Hesse Commissioner for Data Protection and Freedom of Information, or HBDI) made the statement following a review of Microsoft Office 365’s suitability for schools.

Microsoft launched its Azure Deutschland presence in 2016, with a focus on the ‘data trustee’ model. A third party partner, Deutsche Telekom, provided the Azure services and used a private cloud to ensure that none of the resident data went through the public internet. Even Microsoft needed to jump through plenty of hoops to get at its customers’ data. That was a bid to placate German customers who were sensitive about data sovereignty and wanted to keep their data on German soil.

That made HBDI confident enough to allow schools there to use Office 365 in August 2017, just so long as they only used the German cloud.

An issue with data Microsoft is storing, and where

Then, in August 2018, things changed. Microsoft pulled out of the data trustee arrangement in Germany and started using its regular data centre model instead, removing the barrier between the rest of the global Azure cloud and its own German data centres.

School boards in Germany carried on promoting Office 365 in spite of the privacy issues this raised, explained HBDI, prompting it to review the situation. Its conclusions (translated in part below) were dire. It doesn’t have a problem with cloud access for schools in general, it said, just with the data that Microsoft is storing, and where.

The problem is twofold, it explained. Firstly, it isn’t happy with Microsoft storing personal data (especially children’s data) in a European cloud that could be accessed by US authorities, adding:

The digital sovereignty of state data processing must be guaranteed.

Its other issue is with Microsoft’s data slurping. It warned:

With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries to Microsoft. Such data is also transmitted when using Office 365.

HBDI is taking its lead from the Federal Office for Information Security, which posted a technical analysis of Windows 10 telemetry in November 2018 (chapters 1.2 onwards are in English).

Consent won’t cut it

You can’t solve this problem by asking users for consent, the HBDI added. If you can’t be certain what data Microsoft collects or how the company will use it, then you can’t give informed consent.

The problem is that lots of schools in Germany want software like this, HBDI acknowledges. So what can they do? That’s up to Microsoft, it says. The company must satisfy the issue of third-party data access and Windows 10 telemetry, then they can talk. Redmond-based tech giant probably shouldn’t leave things too long, it concludes:

By that time, however, schools may benefit from other instruments such as serving on-premises licenses on local systems.

Google and Apple in the same boat

Although the majority of the report focused on Microsoft Office 365, HBDI explicitly called out other cloud service providers, so schools can’t use Google Docs or Apple’s iWork either:

What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensible set out. Therefore, it is also true that for schools, privacy-compliant use is currently not possible.

18 Comments

Good for Germany not willing to be bullied by MS and the Goog!
Unlike those countries governments that promote spying/data theft on everyone, like; China, US, Saudi, and the UK.
What strange bedfellows greed makes.

Does anyone know whether this only applies to the German state of Hesse? Or to all of Germany? Are privacy laws in Germany specific to each state? Also, does this apply to K-12 schools or Higher Ed? Or both? Thanks.

Only Hesse, but, usally other states follow the rulings if it is federal law. Since this was decided by a state court, not a federal theres no legal binding for this outside Hesse.

“With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries to Microsoft.”. That’s odd, as there is documentation on how you can turn off these services in windows 10 and a document that precisely details what is sent when the computer is set for Basic telemetry. The issue is when advanced telemetry is enabled, At that point ANY data could be sent within a debug/crash report to Microsoft, thus Microsoft can’t define the actual data sent.Every enterprise company and educational facility should be following these guidelines by default.

You should not be force to do this. Windows store, these stupid tiles, cortana and all other things should be disabled by default.

M$ should NOT include spyware in an OS. Especially as it cannot be turned off! The collection, storage and selling of people’s data should be highly illegal with 7 digit fines and 3 digit jail sentences for each instance!!

But you CAN turn it off for enterprise and edu cational versions, which government and educational faculties should be using for this very reason.

Use Linux? Really? Lets be realistic here very few people outside of techies use Linux and very few businesses use it, why would we want to educate our children to use such a specialist system that in the real world they will never see or use. Linux evangelists always say things like ” we should all use Linux” like it is some panacea of an OS, lets face it Linux is simply not a mainstream OS.
There you go Grenade thrown!!!!!

Personally, I don’t want my kids to be taught how to use a system, or how to use specific computer programs. I want them to be taught how a computer works. I want them to learn to configure and code.

I see many advantages to using Linux for that and, should they ever need to write a document, spreadsheet or presentation, they will find nothing intimidating in LibreOffice or Google Docs and won’t be conditioned into thinking that Windows is somehow essential for such things.

In my experience, people who learn how to use computer programs tend to view computers as devices for running those programs. Simplistically, they have a hammer and every problem is approached as if it’s a nail.

People who are curious about how computers work have a much healthier sense of what a computer is good for and what kind of problems it can help them solve.

I do not want my kids to think device-centric. I want them to be able to separate what they do from what they do it with. just like with money and other networked facilities.
I am not sure that people who are curious about computers do not usually see a computer as something they can do something with, rather than separate data from the hardware. Compared to money: people who are interested in computers often start collecting hardware and see data-management as a manual activity, a lot like recommending that if people save for their pensions they can all get vaults to do things with their money. Instead of separating what they do (pay, check their balance, look backwards for patterns) on money stored physically somewhere else and managed with the machines and employees as means.

That’s great if they are coding, but the reality is 90% of people who use a computer do so for the applications and not in order to code or learn how it works. I am just saying that the reality is that 90% of businesses don’t use Linux on the desktop and we need to accept that. We need to give people the knowledge they need to use a computer in the work place. For those people who want to take it further then they can learn more and I agree learning coding etc is very valuable. IT techies just need to be less elitist and accept that Linux is not the answer for 90% of working life, that is just the reality in the real world where I live and work.

Like most people that drive cars, do not understand how a transmission works. But they can do the task of driving just fine. While some like to know how it works so they know how to push the limits, and some keep them running for others to drive. Like our jobs, we keep others working at their job.

I am not sure about the attainability of this. Sounds a lot like prohibiting networks for water, electricity, gas, payments or sewers on grounds that the labourers handling the stuff cannot be controlled directly.
In order to mature, software needs to separate hardware and storage from the software so the operator/user is served optimally, instead of forcing ownership and tech-admin of hardware on them.
Collabora is too limited, openexchang’es docx software not known enough and probably not mature enough. Though some will experiment with nextcloud/owncloud and Onlyoffice or Collabora.
So if one wants to use computing in teaching one will be either using VDI, the low-tech-admin G Suite or need to become a techie that maintains OSs, dekstops and hardware for others and provides support.
Sounds like fat-cl;ient suppliers will still be lining their pockets (particularly apple) because they mix equating stand-alone with secure and quality with actions on the client.

Just to correct the most critical flaws of this article:
School/education affairs are an accountability of the state, not the “Bund”/Federation (Germany as a federal republic)
There have been no “bans” nor other actions of any data protection authority or school authority of any state in Germany so far.
The statement is an opinion of the “Hessischer Beauftragter für Datenschutz und Informationsfreiheit”. Well, a grave one, but just an opinion.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?