Source URL: https://www.surf.nl/en/news/surf-advises-not-to-use-microsoft-365-copilot-for-the-time-being-due-to-privacy-risks
Source: Hacker News
Title: Surf advises not to use Microsoft 365 Copilot for now due to privacy risks
Summary: The text discusses a Data Protection Impact Assessment (DPIA) conducted on Microsoft 365 Copilot, revealing significant privacy risks for its users, especially in educational settings. It highlights concerns about data transparency and the potential generation of inaccurate personal data, advising against its current use until mitigation measures are implemented.
Detailed Description: The text presents essential insights regarding the privacy issues associated with Microsoft 365 Copilot as assessed in 2024. The following points summarize the major aspects of the assessment and its implications:
– **Conducted DPIA**: A Data Protection Impact Assessment was carried out in collaboration with external privacy experts, focusing on the tool’s use by employees and adult students, noting the absence of a paid education license for minors.
– **Identified Privacy Risks**:
  – **Lack of Transparency**: There is no clear disclosure from Microsoft regarding what personal data is collected and stored during the use of Microsoft 365 Copilot.
  – **Incomprehensibility of Data Access Information**: Users receive incomplete and confusing information when requesting access to their data.
  – **Generation of Incorrect Data**: The tool is likely to create incorrect and incomplete personal data, posing risks as users may not recognize these inaccuracies due to their reliance on the AI tool.
– **Advice for Institutions**: The recommendation is for educational and research institutions to refrain from using Microsoft 365 Copilot until the identified high privacy risks are adequately addressed.
– **Ongoing Communication with Microsoft**: The conducting institution remains in dialogue with Microsoft about implementing mitigation measures to reduce the outlined risks.
– **Public Availability of Full Report**: The full findings from the DPIA are made publicly available, allowing others in the field to gain insights into the privacy implications of using Microsoft’s generative AI tool.
– **Further Information**: Interested parties are directed to a vendor compliance website for additional information or to contact the assessing team.
This DPIA draws attention to the critical intersection of AI usage and privacy, especially in educational and research contexts, highlighting the necessity for robust data governance and transparency from technology providers. Security and compliance professionals should consider these findings as part of their risk assessments regarding the deployment of AI tools in sensitive environments.