Security and Privacy Concerns Continue Swirling Around the new Outlook for Windows

Aspects of Monarch Client Security and Privacy Highlighted, Especially Data Held in Azure

An April 4 posting on the respected security blog hosted by Bruce Schneier hyped the claim by Proton that the new Monarch client (aka the new Outlook for Windows) is “Microsoft’s new data collection service.” It repeats some of the overhyped shock and horror story that appeared in Germany in November 2023.

In this instance, it seems like a great deal of uninformed commentary intended to convince people to ditch Monarch and use another email client. That’s absolutely a choice that people are entitled to make, but it would be nice if they did so in a state of knowledge instead of reacting to classic FUD. The problem is all about perception and not really anything to do with security.

Understanding Monarch

Let’s recite some important points about the Monarch situation:

  • The current version of the Monarch client replaced the Windows 11 Mail and Calendar apps for consumer users. The best thing about the old apps is that they were free for personal use. Apart from that, the apps weren’t great (and that’s being kind).
  • Corporate users are in the opt-in stage of the Monarch development cycle that extends out to at least 2029 before Microsoft will replace the classic Outlook for Windows client. Some major functionality gaps remain for Microsoft to fill before corporate users are likely to want to even consider moving to what’s been called “a slightly prettier version of OWA.”
  • Microsoft has acknowledged that their initial plans to replace classic Outlook with Monarch won’t fly. For instance, they removed the restriction that limited Outlook support for Copilot for Microsoft 365 to Monarch.
  • Many consumer users have mailboxes on servers that they access using the POP3 and IMAP4 protocols. These are old mailbox access protocols (SMTP is needed to send messages) that don’t support many of the features of modern email clients, like the focused inbox or delayed send. Holding the message data in Azure also makes search much faster because the remote server doesn’t have to be contacted. In addition, if users take advantage of client-side features like flagging email for follow-up or categorizing messages, the data is stored in Azure and isn’t affected if the user workstation ever encounters a problem that requires a reinstallation of Windows.
  • To make advanced features available to consumer users, Microsoft extracts messages from their host IMAP4 or POP3 servers and processes the messages in ‘phantom mailboxes’ stored in Azure. The Monarch client accesses the processed messages from the Azure mailboxes rather than the host servers.
  • This kind of processing to add feature support is not new. The original Acompli client introduced the concept for its service in 2012. At that time, processing happened on Amazon Web Services. After Microsoft bought Acompli in late 2014 and renamed the client Outlook Mobile, they moved message processing to Azure. Outlook Mobile works like this today. In 2019, Microsoft said that over 100 million people used Outlook Mobile for iOS and Android. That number is likely much higher today.
  • User passwords are needed to fetch email from host servers and process the messages on Azure. It would be possible to cache credentials for a single session, but then users would likely complain that they’re asked to enter passwords too often.

The situation is therefore that Microsoft synchronizes data from mail servers to Azure to process email so that it can make features available to Monarch using a technique that’s been used by hundreds of millions of users since 2012. Microsoft has not communicated how Monarch works with independent email servers in a clear and concise manner, and that’s probably the root cause of much of the criticism.

Letting Consumers Know What’s Happening

Proton is rightly concerned with privacy and highlighted the fact that Monarch displays a screen to inform users that Microsoft and its 801 partners process data for a variety of reasons, including the personalization and measurement of ads. Email services have costs and the companies providing these services attempt to recover those costs in different ways. The golden rule is that if you don’t want to see ads, pay for your email service (client and server).

In this instance, because Microsoft partners with other companies to display ads in the Monarch client, they are forced by consumer protection legislation like the European Union’s Digital Services Act to inform end users that these arrangements are in place. Ads have appeared in the free consumer version of OWA connected to Outlook.com (served by the same infrastructure that supports Exchange Online) for years. Outlook.com even includes an advertising preferences settings panel that lets users see details of the partners Microsoft works with (Figure 1). There’s nothing new about Microsoft email clients displaying ads. What’s different is Microsoft being forced to highlight the number of ad partners they work with.

Figure 1: Advertising preferences for an Outlook.com account

I think consumers understand that they must pay in some way for the service they receive and while the ads are irritating and often unwelcome, they’re a fact of life associated with access to many services. It’s not as if we’re all innocent victims waiting to be gobbled up by the pernicious tactics of a malevolent Microsoft.

Getting Back to Monarch Client Security

If you use the Monarch client with a free personal account, you will see ads. If you use the Monarch client, it will use your credentials to synchronize with your server to process your email and make it suitable for consumption by the client. Does this mean that your personal security is compromised? I doubt it. Microsoft is rather good at managing credentials. Office 365 has more than 400 million paid seats and account compromise there is usually the result of password spray attacks, the root cause of which is often poor tenant administration (not enforcing MFA) or poor password choice by individual users.

Entra ID handles accounts and credentials for more than Office 365 (at least 610 million accounts) and there’s no evidence that Microsoft manages these accounts in anything but a reasonable manner.

At The End of the Day, It’s Consumer Choice

I am not an apologist for Microsoft. I don’t like seeing ads in any technology (but have tolerated them in many services over the years) and think that Microsoft is sometimes too eager to monetize its installed base. For instance, I hate the way that Microsoft thinks it can encourage Microsoft 365 accounts to attend certain technology conferences, and that’s in a paid-for service. I also find the insertion of paid-for messages in the inbox of Outlook.com users distasteful and an overreach. Direct injection of spam into an inbox (Figure 2) is never acceptable. Spending more effort on blocking the obvious malware that arrives in inboxes, rather than on making users unhappy with planted ads, would be a good thing for Microsoft to do.

Figure 2: Ads inserted into an Outlook.com inbox

It’s bad to have ads in Monarch, but would those who complain loudly now wish to pay for an ad-free client? If they do, then there are plenty of services that are willing to take their money, including paid-for versions of Proton Mail (a free version is available). Or IMAP4 and POP3 users could move to a free client, like the ever-reliable Thunderbird. You pay your money and make your choice.


2 Replies to “Security and Privacy Concerns Continue Swirling Around the new Outlook for Windows”

  1. The Mail and Calendar apps worked fine, just don’t take them away and leave consumers the choice to use them or the Outlook client.
    Also, give consumers the choice to have their mail synced to Azure for access to more features, don’t just do it automatically.
    Also, make Outlook at least have the mailbox features that Mail and Calendar did, don’t reduce functionality.
