If your business uses Microsoft Office 365 Enterprise, you and your employees may have started receiving weekly emails with the subject line ‘Your daily briefing’ from firstname.lastname@example.org.
In September 2020 Microsoft rolled out this new feature in its Windows 10 update. Cortana’s Daily Briefing emails are intended to help busy workers stay on top of their tasks and boost productivity.
At first these emails looked to be spam, but they caught users’ attention when they were found to include snippets from the user’s personal mailbox. Details from email correspondence between colleagues, calendar entries and links to documents are all included in these emails, under headings such as “I found 2 documents that look related to this meeting”.
This startling level of knowledge from Microsoft’s artificial intelligence (AI) led to security-conscious users asking their corporate administrators about the authenticity of these emails and the potential exposure of personal and business information, which may be sensitive in nature. If Cortana can read my emails, many thought, then so too can a hacker.
The introduction of Cortana’s Daily Briefing emails began a conversation around security and data privacy, with people wanting answers to questions such as:
- What is Cortana?
- How does Cortana have access to the emails and documents I’ve shared in Microsoft Teams?
- Is there someone viewing my content?
- Does this not breach confidentiality?
- What right does Microsoft have to read and analyse my data?
What is Cortana?
Cortana is the AI that powers Microsoft Office 365. Microsoft describes Cortana as a “personal productivity assistant that helps you save time and focus attention on what matters most”.
The Daily Briefing emails are personalised using data Microsoft has already stored about you and your activity to provide a to-do list, showing scheduled appointments and pulling in relevant documents to help you complete your tasks.
Cortana also uses your activity data to predict what time your working day starts, so it can send you these emails within the first few hours of you logging in.
Breaching data privacy by default
Some have praised these emails as a useful way to keep on top of a busy to-do list and an overflowing inbox, where, inevitably, emails are sometimes missed or overlooked. But at what cost to the security of sensitive business data?
Nothing is ever free, and it’s long been said that when an internet service is provided free of charge, such as Facebook, then you – and your data – are the product.
For businesses and corporations using Microsoft’s paid Enterprise package, the expectation is that Microsoft should not be able to access any data on their customers, in any form whatsoever, without express prior permission from the business.
Microsoft does offer the option to unsubscribe from the Daily Briefing emails, and to opt out of Cortana entirely, but Cortana is enabled by default, which in turn means Microsoft’s default is to read your corporate data.
It’s like a landlord claiming that they have the right to enter your house and start seeing your belongings by default, unless you explicitly express displeasure, by which time the landlord has already accessed your home and seen all of your private possessions.
Data-handling privacy concerns
All businesses use data to improve the user experience. However, when that data contains sensitive information and is gathered without express prior consent, the argument that data leads to a better user experience begins to be called into question.
Microsoft’s privacy statement clearly states that it’s not just AI that has access to your data, but humans are able to see it as well: “Our processing of personal data for these purposes includes both automated and manual (human) methods of processing. Our automated methods often are related to and supported by our manual methods.”
When it comes to data privacy, customer trust in a business’s ability to protect their personal data is one of the four main elements that affect any business. Trusting that their data is secure with a service provider is paramount for businesses and their clients.
With the majority of hackers accessing data in storage rather than data in transit (after all, it is much easier to attack a stationary target than a moving one), a third-party service provider having access to your business data surely raises concerns.
Galaxkey provides an additional layer of security for your data
Microsoft is a hugely trusted company, well known for its security measures, with the US Department of Defense choosing it over its competitors for a $10 billion contract in 2019. This is not the issue. What is of concern is a service provider having access to your business data, and reading it without your consent.
Galaxkey is not in competition with Microsoft. Our services complement the Microsoft Office 365 offering by adding an extra layer of encryption that is essential to ensure your data remains visible to your business only.
Microsoft uses encryption keys to secure your emails from cyber attacks, but this means they also have access to those encryption keys. As long as Microsoft holds the encryption keys, their data processors (whether AI or human) can read the contents of the secured emails – as the Daily Briefing emails have demonstrated.
Giving back control to businesses
Galaxkey works alongside Microsoft Office 365 and Microsoft’s stable email exchange platform to ensure any business data stored with Microsoft is secured on your terms.
With Galaxkey, your business manages and controls your own encryption keys, making your data unreadable to Microsoft, Galaxkey or any other software service providers. All emails remain stored securely within Microsoft, but Microsoft cannot access any of the content.
If your business is serious about protecting your data, and that of your customers who have placed their trust in you, then Microsoft Office 365 alone is not enough.
Book a 30-minute demo today and start taking back control of your business’s most valuable asset – your data.