Recently, one of our customers contacted us to investigate the extent of some unwanted and unexpected behavior regarding browsing data of employees.
Employees started contacting IT support because private browser bookmarks, private login credentials and similar data showed up on their work machines. All affected employees stated that they had never created these bookmarks on work systems. Interestingly, the data appeared to have been collected over quite some time.
Our customer wanted to understand how private data ended up in their environment. Obviously, private employee data in the enterprise landscape can cause data privacy trouble (GDPR).
Our customer suspected that Microsoft Teams might be involved, because the company’s employees are allowed to join Teams meetings from private devices. Since this option was widely used in many companies during the COVID-related work-from-home period, we suspect that a larger number of enterprises may be affected by this problem.
Investigation
We created two scenarios to analyze the behavior of a fresh Windows 11 installation with Teams:
- Windows 11 installation with only a local user account
- Windows 11 installation with a Microsoft online account
Scenario 1: Without a Private Microsoft Account
Our customer provided us with AD accounts, and we set up a fresh Windows 11 VM that was not signed in to any Microsoft online account. In this VM, we created a browsing history and bookmarks in Microsoft Edge. Afterwards, we simulated an employee who needs to attend a Teams meeting and therefore signs in to the Teams app with the company account.
When signing in with the Teams app, we got the prompt “Stay signed in with all your apps”, where the “OK” button is far more prominent than “No, sign in to this app only”.
![Message after Teams login](https://insinuator.net/wp-content/uploads/2025/02/01_teams-test_schritt3_teams-app-anmeldung.jpg)
The result of clicking “OK” is that the Edge default profile (“Profil 1”, i.e. “Profile 1”) is now connected to the company account (as can be seen under edge://settings/profiles).
![Edge still connect to Profile 1, but company account already shows up in Profile selection](https://insinuator.net/wp-content/uploads/2025/02/02_teams-test_schritt4-1_edge-profil-nach-teamsapp-login-1024x388.jpg)
The next time Edge starts, it announces that it is now synchronizing your browser data across all your devices (German UI text: “Wir synchronisieren jetzt Ihre Browserdaten auf allen Ihren Geräten”). The e-mail address that we blurred is the company e-mail address.
![Edge synchronization message at start](https://insinuator.net/wp-content/uploads/2025/02/03_teams-test_schritt4-2_edge-meldung-nach-neustart.jpg)
Note that at this point you can no longer prevent the synchronization, because it is already running in the background. You can only disable synchronization under “Anpassen” (“Customize”), but everything that has already been uploaded stays in the company account.
After restarting Edge, we see under edge://settings/profiles that the selected profile is now the work account and that, by default, it synchronizes everything: history, passwords, bookmarks and so on.
![Edge profile after restart](https://insinuator.net/wp-content/uploads/2025/02/04_teams-test_schritt4-3_edge-profil-anpassen-nach-neustart.jpg)
Furthermore, the browser picked up our customer’s corporate branding, and the Edge tray icon now shows a small briefcase.
![Edge tray icon for work profile](https://insinuator.net/wp-content/uploads/2025/02/05_teams-test_schritt4-4_edge-icon-nach-neustart.jpg)
Edge shows similar behavior when you sign in to Microsoft websites from within the browser.
![Edge login to Microsoft website](https://insinuator.net/wp-content/uploads/2025/02/06_teams-test_anmeldung-mit-microsoft-account_innerhalb-edge.jpg)
Scenario 2: With a Private Microsoft Account
The first scenario was executed without a Microsoft account. However, nowadays Windows 11 installations are usually connected to a Microsoft online account. That is why we created a test account at Microsoft to simulate a normal private account.
In our second scenario, we created a fresh Windows 11 VM, signed in with the test account and created bookmarks and browsing data in Edge. Afterwards, we signed in to the Teams app with the work credentials and chose to sign in to all Microsoft apps.
Now the behavior of Edge differed from Scenario 1: it did not create or switch profiles. It kept synchronizing its data with the private account:
![Private Microsoft account still active in Edge](https://insinuator.net/wp-content/uploads/2025/02/11_teams-test_personal-microsoft-account_schritt7_manuelle-edge-anmeldung_teil1.jpg)
This means the bookmarks etc. stayed in the Edge profile connected to the Microsoft test account.
Afterwards, however, it is easy to create a work profile in Edge:
![Creation of a work profile in Edge](https://insinuator.net/wp-content/uploads/2025/02/12_teams-test_personal-microsoft-account_schritt7_manuelle-edge-anmeldung_teil3.jpg)
After creation, synchronization of data to the company account is active:
![Synchronization with work profile in Edge](https://insinuator.net/wp-content/uploads/2025/02/13_teams-test_personal-microsoft-account_schritt7_manuelle-edge-anmeldung_teil6.jpg)
The different profiles can be distinguished in the Edge tray icon:
![Different Edge profile symbols in tray icons](https://insinuator.net/wp-content/uploads/2025/02/14_teams-test_personal-microsoft-account_schritt7_manuelle-edge-anmeldung_icons.jpg)
Conclusion
Our investigation shows that one wrong click in Microsoft Teams is enough to accidentally reconfigure Edge so that it transmits data to your employer, even if your employer really does not want to obtain your private data. This seems to be a larger issue for Windows setups that were set up without a Microsoft online account; one possible reason for this may be a Windows 10 to Windows 11 upgrade, or that somebody chose not to configure a Microsoft online account. In this edge case (pun intended), Edge simply starts ingesting and synchronizing data as soon as the company account is registered.
There are dialog boxes asking you to make a choice and telling you what is going to happen. However, as the screenshots show, the dialogs are designed in a way that makes it more likely that people just click “OK”.
In any case, we assume that our customer is not the only company affected by this involuntary collection of employees’ private browsing data.
In the end, this behavior might result in a large data privacy issue. Employers are not allowed to look into their employees’ private browsing data, but they need to find a way to identify private browsing data so that they can remove it, because they are not allowed to keep it either. Alternatively, they need to ask their employees to check for private browsing data and remove it manually. And ultimately, they need to find a way to prevent unintended synchronization of further private browsing data into Edge work profiles.
To audit the synchronization settings of a certain Edge instance, open edge://sync-internals. Information on how Edge profiles can be configured centrally in the M365 Admin Center can be found in the documentation of Microsoft Edge enterprise features (“Get started with configuration profiles”). Policies applied to a profile influence the behavior, in particular SyncDisabled and SyncTypesListDisabled. However, these can only prevent future involuntary data transfers: private data that has already been synchronized to a company account is not affected by changes to the policies.
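As an added example (not part of the original post), the following PowerShell script audits the two Edge sync policies from the registry locations where Group Policy and Intune write Edge policies, and can set either a complete sync ban (SyncDisabled) or a selective one (SyncTypesListDisabled). The registry paths are the standard Edge policy locations; the sync-type names in the default list are taken from the Edge policy reference as I remember it and should be checked against the current documentation before rollout. The function names are my own. Writing under HKLM requires an elevated prompt.

```powershell
# Added example, not code from the original post. Audits and optionally hardens the
# Microsoft Edge sync policies (SyncDisabled, SyncTypesListDisabled) in the registry.
# Edge reads its policies from HKLM and HKCU under SOFTWARE\Policies\Microsoft\Edge;
# HKLM takes precedence when both are present.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)

function Get-EdgeSyncPolicy {
    # Returns one object per policy scope with the effective sync settings.
    foreach ($root in $PolicyRoots) {
        $syncDisabled = $null
        if (Test-Path $root) {
            $syncDisabled = (Get-ItemProperty -Path $root -Name 'SyncDisabled' `
                -ErrorAction SilentlyContinue).SyncDisabled
        }

        # Chromium-style list policies are stored as a subkey whose string values
        # are named "1", "2", "3", ... in list order.
        $listKey = Join-Path $root 'SyncTypesListDisabled'
        $disabledTypes = @()
        if (Test-Path $listKey) {
            $disabledTypes = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                Sort-Object { [int]$_.Name } |
                ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Scope             = $root
            SyncDisabled      = $syncDisabled          # $null means "not configured"
            DisabledSyncTypes = $disabledTypes         # empty means "everything may sync"
        }
    }
}

function Set-EdgeSyncPolicy {
    # Either switches sync off completely, or blocks only the data types that are
    # most likely to carry private data. The type names are an assumption based on
    # the Edge policy documentation; verify them against the current reference.
    param(
        [switch]$DisableSyncEntirely,
        [string[]]$DisableTypes = @('passwords', 'history', 'favorites', 'openTabs', 'addressesAndMore')
    )
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    New-Item -Path $root -Force | Out-Null

    if ($DisableSyncEntirely) {
        New-ItemProperty -Path $root -Name 'SyncDisabled' -Value 1 -PropertyType DWord -Force | Out-Null
        return
    }

    # Rebuild the list key from scratch so stale entries from an older policy cannot linger.
    $listKey = Join-Path $root 'SyncTypesListDisabled'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $index = 1
    foreach ($type in $DisableTypes) {
        New-ItemProperty -Path $listKey -Name ([string]$index) -Value $type -PropertyType String -Force | Out-Null
        $index++
    }
}

# Audit first; only call Set-EdgeSyncPolicy once you know what is already in place.
Get-EdgeSyncPolicy | Format-List
```

Run the audit on a machine that shows the symptoms described above and compare it with what edge://sync-internals reports; if neither scope lists a policy, nothing prevented the work profile from synchronizing everything. Applying the policy afterwards stops further uploads only; data already stored in the company account has to be located and removed separately, as described above.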
Cheers,
Florian