Welcome to my local bakery! We have to collect your credit card number before you enter. No one can access your credit card number though. I write it on a piece of paper and put it in a safe. Here, look at this list of people that have seen me put credit card numbers into a safe!
I’m sure you understand, we need to collect your credit card number because that’s how we make money at this bakery. No I will not explicitly explain how. Don’t you feel like I’ve improved your experience?
The document I linked explains how why and when. It also explains how we verify that and who does the verification. Also O365 customers have access to audit logs and the rest. At some level everything is about trust there is no way you can verify any large organizations activities.
That’s a big document with lots of acronyms and references to specific standards for compliance that law professionals might be familiar with, but is otherwise completely meaningless.
You also mentioned that collecting user data is how Microsoft is paid in the GP comment. That’s pretty clear to me. I thought when I paid Microsoft, that was the main revenue stream.
The document provided in theory communicates what you said so succinctly before, but with more legal and confusing language.
If it says the opposite, then just asking me to assume that this document that’s extremely difficult to read explains why outlook should ingest information I wasn’t told about, since I live in a jurisdiction where Microsoft doesn’t need to, and why that’s actually a neutral or possibly “good” thing for me, is a bit silly.
—
Edit: if I’m misunderstanding what you said earlier by:
> We have to collect customer data that's what we get paid for.
Then I’m sorry. I don’t mean to frame you as saying something you don’t mean to.
I should have been more specific. We have lots a data classifications we maintain and we have different rules for different classifications. Customer content we can't access without customer consent. We are paid to store customer content. Customer content is like your work doc stored in one drive. Some classification are only accessed in aggregate. Some are easier to access but cleared after a short period ect. We all have to go though a large training every year about the different classifications and that's not easy to communicate in a short comment.
We store data everywhere to meet european GDPR standards regardless of where you live. We have logs but they can only contain sanitized information.
Any document which attempts to describe how a large origination handles data is going to large and complex. As sometimes different standards conflict. For example we have to keep records of anyone who changes the system for some period of but we also have to delete data that has end user identifiers. When stuff like that happens we have to go to lawyers and have language that describes how we handle thoes conflicts. That doesn't lead to a small doc.
You can trust open source, because it is transparent. You can verify, so you can trust. Perhaps it's time to start rolling back the layers of secrecy. Sunshine is and always will be the best disinfectant.
Unless you run it yourself you don't know. They could run a modified version ect. You can't know and at some level you have to trust that they do what they say.
I’m sure you understand, we need to collect your credit card number because that’s how we make money at this bakery. No I will not explicitly explain how. Don’t you feel like I’ve improved your experience?