EU Parliament Blocks Outlook Apps For Members Over Privacy Concerns

jfruh writes Microsoft last week released Outlook apps for iOS and Android, but one group that won't be getting to use them is members of the European Parliament. They've been advised by their tech staff that the apps are insecure and that they shouldn't download them — and if they have, they should change their Outlook passwords.

The magic 8 ball

[Overzeetop]

The magic 8 ball could have told them that.

Re:Why?

[clorkster]

Why make it download emails from a Exchange server and then reupload it to some out-of-organization server?

According to the article this is not the reasoning that is being given for banning the app. As with any aggregator app that runs on a phone, there are many rather plain reasons why data such as emails and attachments would be temporarily stored on the app provider's servers.

The real issue that is being objected to here is that the app double-encrypts login credentials for various email providers using both a unique-per-client key that they generate and a key that is derived from the specific piece of hardware accessing the data. This encrypted data is then stored in "the cloud". The counterpoint to this methodology is gmail's use of OAuth to avoid storing any credentials - regardless of the sophistication of the encryption scheme - in a public cloud setup.

Re:

[Coren22]

I guess they don't use BlackBerry either, as they either store passwords on the carrier BES server, or run a BES server that has full access to the domain, and internet access (and forwards all email to the BES servers run by RIM).

Pretty much a given?

[gstoddart]

With all the news stories about how America can (and will, and does) force companies to hand over what's in their clouds ... why the hell any member of the EU Parliament would think that using anything from Microsoft isn't a stupid idea is beyond me.

Unless you own every piece in that communication chain, you more or less have to start treating Microsoft as an entirely un-trustworthy entity ... because for legal and privacy purposes, they pretty much are.

I think MS (and other American cloud providers) are going to start finding themselves very unwanted ... because they literally can't be trusted.

They can't be trusted because they do stupid things like this, and because they want to monetize everything, and because they're more or less covered under the PATRIOT Act.

In deeming themselves above everybody's laws, and entitled to all data ... America is essentially no longer trustworthy.

Re:

[drinkypoo]

In deeming themselves above everybody's laws, and entitled to all data ... America is essentially no longer trustworthy.

Was America ever trustworthy? The short answer is no.

Re:

[cavreader]

Please give an example of a country that is? And the EU (and a whole bunch of other countries)works hand in hand with the NSA collecting and sharing data. Why do you think the EU politicians stopped their vitriolic accusations in record time? Could it be that their own intelligence agencies pulled them aside and quietly told them they were cooperating with the NSA so shut the hell up? The naivety displayed by the people raging about the NSA in particular and America in general is breath taking. By failing t

Re:

[drinkypoo]

Wut. Why the hell is this drivel modded up

The same reason my comment was modded down, and four other of my unrelated comments too, for good measure: Jingoism. My country, right or wrong. Well, the USA is my country, and I want it to be better. These dildos who mod anything critical of the USA down exemplify the kind of asshole who is the problem with this country. MERICAFUCKYEAH, don't tell me it's not perfect or I'll shoot you

Re:

[james_gnz]

I expect this was a quip, rather than serious. Was the USA ever trustworthy, going back to the formation of the Union between 1776-1789? I'm not an historian, but I'd guess they started out relatively trustworthy. I'm given to understand they had some high ideals. Power corrupts though, I suppose.

Re:Pretty much a given?

[drinkypoo]

I'm given to understand they had some high ideals.

That's mostly propaganda, and a misunderstanding of the nature of the founding fathers. A small handful of them clearly had high ideals. But how can you take people seriously when they declare that all men are created equal and declare that they are starting a democracy, then fail to give the vote to over half the population? The truth is that they were creating a government in which they themselves (and their ilk) would hold the reins of power, and to this day the nation (like the world) is controlled by those who are both wealthy and racially privileged. It's a government by, of, and for money.

EU: Send Beer (OK, money too)

[bill_mcgonigle]

why the hell any member of the EU Parliament would think that using anything from Microsoft isn't a stupid idea is beyond me.

Well, because they want the feature set. The EU should start dumping truckloads of money on Inverse [www.sogo.nu] and Samba until the open source solution is superior.

Sogo is close to being done (the hard bits like single instance modifications of repeating events aren't) and Samba4 is teetering on stilts; though it works in ideal circumstances, lots of problems aren't handled and there is missin

It's actually worse than that!

[s.petry]

Read TFA. Microsoft is doing what EVERY SINGLE SECURITY PROFESSIONAL TELLS YOU NOT TO DO! Caching passwords on a remote server. I don't care how many times you claim to encrypt the password, and I don't care what encryption algorithm they claim to use. You never, ever under any circumstances cache a users password. This is simply inexcusable and Microsoft deserves every bit of heat they get for this.

If I was told that a client sent an auth string and received a Kerberos ticket that got cached, I would not have the same opinion or harsh criticisms. This is plain old idiocy and laziness!

Re:

[Coren22]

RIM? If you don't run your own BES server, the RIM servers (or carrier BES server) have the password stored on them in order to download the mail. If you run your own BES server, it has full control on your domain in order to access mailboxes, and it has internet access to send mail to the RIM servers, where it is cached.

Oh, and RIM is a Canadian company, one of the Five Eyes, so in most respects no different than being American. I would love to see what the EU intends to use for email on phone.

http://en [wikipedia.org]

An old joke worth repeating:

[operator_error]

Microsoft Outlook/Exchange is a massive client-server security risk that doubles as a collaborative email & calendaring application.

Very likely...

[Fotis Georgatos]

...some people @ EU parliament are doing their job just finely right

It should have been called perhaps earlier, that's the only thing to consider at this point.

The company I work for blocked this last week

[Terje Mathisen]

After checking out how the Outlook app handles emails and authentication, our security group pushed out an update to the blocklists, making it impossible to install this app on any phone connected to our company mail servers. (Connecting to those email servers already requires you to accept a minimum set of company security requirements, like secure unlock, not just a swipe, and the capability to remotely wipe the phone.)

Terje