
Security service or data leak?

19/02/2020

Perhaps you too have noticed that for the past week or two all the emails in your TU/e mailbox look a little different. This is because TU/e has decided to switch on the Safe Links service provided by Microsoft Outlook.

Likely prompted by the chaotic Christmas in Maastricht, TU/e has decided that it would be better if employees and students no longer had the option of clicking on links without protection. After all, the ransomware attack in Maastricht was the result of a successful phishing attempt carried out over email.

Admittedly, the idea behind safe links is logical. It makes phishing more difficult because email links no longer take you directly to the link entered by the sender but to a local server that first verifies whether the link is safe. A link to, say, www.tue.nl, would then take you to controle.tue.nl/www.tue.nl or something similar.

So much for the theory. In practice there is no local server; instead a cloud service provided by Microsoft is being used. An external commercial party, in other words, that will be recording which links are clicked on. And because Microsoft is keen to receive just as much data as Google, a simple link like www.tue.nl will be replaced by something as hideous as https://eur02.safelinks.protection.outlook.com/?url=www.tue.nl&data=02%7C01%7CB.F.v.Dongen%40tue.nl%7C77eeb7c9ae574d3b41d008d7b48557da%7Ccc7df24760ce4a0f9d75704cf60efc64%7C1%7C1%7C637176357105305878&sdata=NfHlsBQ%2FhMLfFDUJDERGXrJZxRCpEr1gBHEKkyl%2BgI%3D&reserved=0.

What many people do not realize is that, formally speaking, the above-mentioned URL is itself a data leak. After all, when you click on a link like this, a wealth of information about who you are (an email address is personal data) and heaven knows what else is sent to Microsoft.
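To make visible what such a rewritten link carries, here is an added example (not part of the original column) that unwraps a Safe Links URL offline, without visiting it, and lists the fields packed into its data parameter. The sample link is constructed from the one quoted above; only the address field is interpreted, and the meaning of the other fields is not assumed.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample, modelled on the rewritten link quoted in the column.
SAMPLE = (
    "https://eur02.safelinks.protection.outlook.com/?url=www.tue.nl"
    "&data=02%7C01%7CB.F.v.Dongen%40tue.nl%7C77eeb7c9ae574d3b41d008d7b48557da"
    "%7Ccc7df24760ce4a0f9d75704cf60efc64%7C1%7C1%7C637176357105305878"
    "&sdata=NfHlsBQ%2FhMLfFDUJDERGXrJZxRCpEr1gBHEKkyl%2BgI%3D&reserved=0"
)

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelink(link: str) -> bool:
    """True when the link points at a Safe Links rewriting host."""
    host = (urlparse(link).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap(link: str) -> Optional[str]:
    """Return the destination the rewritten link forwards to, read from the
    `url` query parameter. parse_qs already percent-decodes the value."""
    if not is_safelink(link):
        return None
    return parse_qs(urlparse(link).query).get("url", [None])[0]


def tracking_fields(link: str) -> Dict[str, object]:
    """Split the decoded `data` parameter on '|' to show what travels with
    the click. Any field containing '@' is reported as the e-mail address
    (personal data); everything else is listed as an opaque identifier."""
    raw = parse_qs(urlparse(link).query).get("data", [""])[0]
    parts: List[str] = raw.split("|") if raw else []
    emails = [p for p in parts if "@" in p]
    return {
        "fields": parts,
        "email": emails[0] if emails else None,
        "opaque_ids": [p for p in parts if "@" not in p],
    }


if __name__ == "__main__":
    print("destination:", unwrap(SAMPLE))
    for key, value in tracking_fields(SAMPLE).items():
        print(f"{key}: {value}")
```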

Reporting the identity of the person clicking on the link is an entirely unnecessary procedure when the aim is to make links secure. But despite repeated requests by myself (and, as far as I know, at least three others who have lodged a complaint with Information Management and Services) the server setting will not be changed.

Thus, from now on Microsoft will be watching over your shoulder, every time you click on a link. This means TU/e is informing Microsoft about which link you are clicking on, when, who you are, and much more besides. This is the definition of a data leak, so actually we should all be reporting it. If you would like to, you can do so here: https://datalekken.autoriteitpersoonsgegevens.nl/actionpage?0.
