The new Outlook app by Microsoft will replace the Mail and Calendar apps on Windows and, in the future, the classic Outlook desktop app. This app may transfer email login information to Microsoft Cloud servers if users use IMAP or SMTP accounts. According to Microsoft, this happens only if the sync feature is enabled.
Put plainly: email account logins and passwords are transferred to Microsoft if users set up third-party email accounts via SMTP or IMAP in Outlook and if syncing is enabled.
Microsoft’s statement
Microsoft explained in a statement to Heise Online that the synchronization of emails delivers a consistent user experience for all accounts added in Microsoft Outlook. One such feature is the ability to mark emails as read or unread.
Users of Outlook are informed about the features in a support article. What Microsoft fails to mention to Heise and also in the support article is that it is transferring and storing login information when sync is enabled.
Microsoft confirmed that it is storing access data of IMAP providers that use the BasicAuth method in encrypted form in the user’s mailbox. Basic Authentication is a method that HTTP user agents use to provide username and password when requests are made. It is considered insecure, but still widely used.
This means, nevertheless, that Microsoft is storing the login information using encryption for these types of accounts.
Email providers that use newer standards, OAuth for instance, are handled differently. Login information of providers like Gmail or Yahoo Mail is not stored by Microsoft. Microsoft has no access to the password of the account according to the statement.
The OAuth token used for authentication is only accessible by the user and the Microsoft service that communicates with the target servers.
While Microsoft may not have access to the account password, it still owns the infrastructure that has access to the OAuth token. Heise comes to the same conclusion. Microsoft has access to authentication data that it can use, and uses, to access email accounts.
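The difference between the two cases, as an added example that is not code from Microsoft or Heise: it builds the authentication string an IMAP client sends for a password login and for an OAuth login, then decodes each to show what a service logging in on the user's behalf has to hold in usable form. It assumes the password login uses SASL PLAIN (RFC 4616) and the OAuth login uses the XOAUTH2 mechanism; the address, password and token are constructed sample values.

```python
import base64


def sasl_plain(user, password):
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def sasl_xoauth2(user, access_token):
    """XOAUTH2 initial response: user and bearer token, separated by 0x01."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def secret_held_by_relay(mechanism, initial_response):
    """Decode the secret a relaying service needs in order to send this login.

    Base64 is an encoding, not encryption: whoever can produce the string
    holds the secret inside it in plaintext at that moment, however the
    secret is stored at rest.
    """
    raw = base64.b64decode(initial_response).decode()
    if mechanism == "PLAIN":
        _authzid, user, password = raw.split("\0", 2)
        # A password is valid everywhere the account is and only stops
        # working when the user changes it.
        return {"user": user, "kind": "password", "secret": password,
                "revocable_without_password_change": False}
    if mechanism == "XOAUTH2":
        fields = dict(f.split("=", 1) for f in raw.split("\x01") if f)
        scheme, token = fields["auth"].split(" ", 1)
        if scheme != "Bearer":
            raise ValueError("unexpected auth scheme: " + scheme)
        # General OAuth property (not a claim from the article): the user
        # can revoke the token at the provider and keep the password.
        return {"user": fields["user"], "kind": "bearer_token", "secret": token,
                "revocable_without_password_change": True}
    raise ValueError("unsupported mechanism: " + mechanism)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    user = "alice@example.org"
    print(secret_held_by_relay("PLAIN", sasl_plain(user, "constructed-password")))
    print(secret_held_by_relay("XOAUTH2", sasl_xoauth2(user, "constructed.access.token")))
```

In both cases the relaying service ends up with material that is sufficient to open the mailbox; what changes is whether that material is the account password itself or a token.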
Microsoft’s Syncing notification
Microsoft informs users of Outlook about the synchronization functionality, but the notification does not reveal that access data is transferred when sync is enabled and certain email accounts are added.
Outlook users need to enable the synchronization before it becomes available. Each third-party account added in the Outlook app can be synchronized or not. Microsoft says that users need to accept the syncing with the Microsoft Cloud each time a third-party account is added.
Still, there is no clear information that account data is transferred to Microsoft when users enable the synchronization.
Microsoft states furthermore that it stores the account data for as long as the email client is used actively by the user. The Account Lifecycle Process determines when inactive account data is deleted.
Outlook users may delete the data when they delete their account and select the option to remove the data from all devices.
Closing Words
The new Outlook app is a work in progress and most users may want to stay away from it at least for now. It needs to mature and the fact that Microsoft is gaining access to account access data, at least in theory, is the icing on the cake.
Alternatives like the open source Thunderbird email client respect user data and are without doubt the better option, at least for now.