Is Office 365 actually safe to use in the education sector? The short answer is 'no'. The long answer is more complex than that: Microsoft simply doesn't provide enough protection when sending sensitive information. That appears to be the main conclusion by an extensive DPIA report commissioned by the Dutch government.
So what's the issue with Microsoft? Let's dive into it!
Microsoft is stuck with the CLOUD Act
The safety of confidential information certainly isn't a new discussion when it comes to using Microsoft products, that has been ongoing since the introduction of the CLOUD Act in 2018. So what's the issue with the CLOUD Act?
The CLOUD Act gives American authorities the right to demand users' confidential information if it's stored with an American provider. It won't matter whether this information is stored on an American server or an American one, as long as the company is of American make. We don't have to tell you that the CLOUD Act is in direct opposition to the GDPR.
Because Microsoft is an American company they must comply with the CLOUD Act. Are you using Office 365? And are you sending confidential information through email? Then you are likely in violation of the GDPR. (And your customer data likely isn't safe either, even if they are American citizens!)
CLOUD Act makes European privacy tricky
If you have any customers in the European sphere, you are probably well-aware that Europe takes privacy seriously. The GDPR is reflective of that: a way to ensure sensitive information remains private and safe. Anyone in violation of GDPR will be subject to heavy fines, like that 746 million fine Amazon had to pay in 2021. Ouch.
Though Microsoft has agreed to tackling safety concerns, these cannot mitigate the biggest risk of all: sending out confidential information that hasn't been encrypted with your own encryption key.
Using European servers simply aren't enough to protect confidential information, say European governments. The American CLOUD Act still puts them at risk that sensitive information can simply be snatched up by American authorities. No matter Microsoft's claims that they 'have never given out confidential data to authorities'. The encryption that Microsoft uses may simply be pointless because the encryption key can also be accessed by authorities.
So what about American privacy laws?
While the CLOUD Act may not mean much to the American education sector, the privacy of its students remains ever important. Especially when we look at the last two years, education has only become more online, and the matter of sensitive information becomes more entwined with the tools that educators use. One of the most important pillars of the privacy of students is the Family Educational Rights and Privacy Act.
The pinnacle of student privacy: the FERPA
The era of snail mailed report cards is long past us and has made room for digitized records that are accessible at any time, but not for any person. That's where FERPA comes in: the Family Educational Rights and Privacy Act. FERPA ensures that written consent must be obtained from a parent or student (if they are over the age of eighteen) the student's records are being shared with any third parties.
A student's records that fall under FERPA protection include:
- Personal information like their Social Security Number
- Personal characteristics like gender, race, ethnicity or religion
- Enrollment records
- Grades
- Schedules
FERPA is there to entire confidentiality of the student and make sure that no personally identifiable information is shared.
Although Microsoft offers end-to-end encryption, Microsoft does not protect students when it comes to their biggest threat: careless mistakes by their teachers.
Even though Microsoft offers end-to-end encryption, there is one factor that they cannot protect against: Human error. Educators and school administrators can still fall into the trap of a data breach by accidentally sending information to the wrong person and no amount of encryption is going to protect against that fallout.
How to securely email confidential information
The only way to keep confidential information safe is by using external encryption keys. Encryption keys ensure that only you and yours have access to the data you're sending out and making sure it's for your eyes only.
Our advice is to choose an email provider that can arrange this for you. Here's the list of benefits!
Make use of zero knowledge end-to-end encryption
We've said it before and we'll say it again: no two encryptions are alike. You're only truly safe when you're using zero knowledge end-to-end encryption.
End-to-end encryption makes sure that your data is sent encrypted (encryption in transition) and also when it is stored (encryption at rest). Microsoft uses end-to-end encryption so you can be sure to email safely. Unfortunately, that's not enough to keep confidential information safe. Sure, it makes your emails unreadable until someone wants to have a look (whether that's a hacker or the authorities). Even if you use encryption keys, they can be retrieved if you store them in a US Cloud (like SharePoint).
So what do you do then? Make use of zero knowledge end-to-end encryption of course!
The keyword here is 'zero knowledge'. Because the zero knowledge of end-to-end encryption makes use of encryption keys that are stored separately from the Cloud. No one, no hackers or nosy authorities, will have access to your encryption keys.
Smartlockr therefore uses zero knowledge end-to-end encryption to ensure that only you have access to your data.
Make sure you can recall your emails
Of course, no person is perfect and that makes we are all subject to making mistakes, like accidentally sending out confidential information to the wrong person.
So what then? Try to recall or block your email. The problem is that you can't always do that with Microsoft: You can only retrieve sent emails in Outlook when your recipient also uses Outlook. If they're using Gmail? Well then you're outta luck.
Smartlockr offers you the possibility to recall your email, even when that email has already been read. You can easily go to your sent messages where you can block the sender, the file or the entire email message.
Use an upload portal
One upload portal is not like the other: Did you know that Microsoft only allows you to send files of a maximum of 25MB? In comparison Smartlockr has a limit of 5TB! Not to even mention unsafe alternatives like WeTransfer, which also make use of storage servers in the United States by the way!
It's of course possible to send files with a safe email solution, but it's easy to get lost in the fray when sending multiple files to multiple contacts. Who, what should go where? And sometimes you want to ask your recipient to send a file securely, even when they're not using a secure email solution.
The future is in a secure upload portal. Now you can both send and receive files all in one place without losing oversight.
A user-friendly email solution is key
Finally, make sure your email solution is user friendly. Teachers in education are busy enough as it is. If your chosen email solution requires ten steps before you can send an email, you run the risk of people working around the solution.
That doesn't help anyone. So choose a solution that is easy to integrate, user friendly and takes as little time as possible for your users. Smartlockr therefore uses a toggle that you can easily tick on and off. Convenient right?
Want to know more on encryption and protecting yourself against the CLOUD Act? Then we invite you to download our whitepaper "Is it safe to store data in a US-based Cloud provider?" to get to know everything on encryption, the CLOUD Act and how to keep your information secure. Download it below!