Microsoft has launched its new Outlook client for Windows, offering a unified and modern experience for email, calendar and contacts. The new web-based Outlook is free for all Windows 11 users and will be the default client for new devices starting in 2024. However, this new version also brings significant changes that could impact privacy and user security.
Last year, Microsoft said it was working on a new email client under the Outlook brand. The project was then codenamed Project Monarch and aimed to create a cross-platform messaging experience for everyone. At the time, it was suggested that this new Outlook could be presented as a reincarnation of the Mail and Calendar application. Back then, there were many ways to launch Outlook on Windows, so Microsoft thought it was time for its operating system to have a truly universal email client.
In September, following Windows Insider testing, Microsoft made its new AI-powered Outlook available to everyone:
Sent by Microsoft
Windows has offered Mail and Calendar applications for years. Now Windows offers all Windows users innovative features and configurations of the Microsoft Outlook application and Outlook.com at no additional cost, with more to come. For Microsoft 365 subscribers, the new Outlook offers even more features, including an ad-free inbox, additional mailbox and cloud storage, advanced security benefits, and premium features in Microsoft 365 apps.
Streamline email and calendar in one app
We’re constantly trying to get things done so we have time for the things that really matter. Throughout our day, we plan and track events and appointments on digital calendars while communicating, confirming, and scheduling with others via email, whether it be a child’s teacher, a hiring manager for a potential job, or friends planning a trip . Microsoft Outlook strives to meet our ever-changing email and calendar needs, which are central to our modern lifestyles – at home, at work or on the go.
Whether your email service of choice is Outlook.com, Hotmail.com, Gmail, Yahoo, iCloud, or a provider that uses IMAP (or all of the above), you can use the new Outlook for Windows. Add your different accounts and view all your calendars in one view. Switch between accounts to view your email and contacts.
Write better emails with AI
The new Outlook for Windows lets you write better emails thanks to the AI built into the application. Keep your sentences concise and error-free with intelligent spelling and grammar checkers. If you have a Microsoft 365 Personal or Family subscription, you’ll also benefit from Microsoft Editor’s advanced AI writing tools, which offer suggestions for clarity, conciseness, comprehensive language, and more to make your emails neat and professional . Copilot and other advanced AI features will be offered later in the new Outlook for Windows.
Connect seamlessly to Microsoft 365 apps
The new Outlook for Windows is designed to seamlessly connect to the free Microsoft Word, Excel and PowerPoint web applications with just one click – perfect for quick edits and comments. You can even access and attach OneDrive files directly from your inbox. With the new Outlook for Windows, finding the documents you’ve been working on and sharing them securely has never been easier.
Advantages
The new Outlook for Windows offers several advantages over previous versions or other email applications. Among these advantages we can name:
- A more modern and clearer interface that makes navigation easier and allows you to focus on what matters most: reading and responding to emails.
- Stronger integration with other Microsoft services such as OneDrive, Teams or Office 365 for better productivity and easier collaboration.
- A unified and consistent experience across all devices, whether Windows, macOS, iOS or Android.
- Extensive customization options with more than 50 themes and fonts, display options and message rules.
- Artificial intelligence helps write emails more efficiently, with suggestions for text, emojis, files and contacts.
The new Outlook for Windows is a powerful and versatile tool that adapts to users’ needs and preferences. It offers a new way to manage your email, calendar and contacts while leveraging the latest technologies from Microsoft. It’s free for all Windows 11 users and will be the default client for new devices starting in 2024.
However, the app also has serious privacy issues
It appears that the new Outlook app is much more tightly integrated with the cloud than a user might think, opening the door to potential data collection by Microsoft. This represents a significant privacy issue. Microsoft therefore needs to answer many questions about user expectations.
When the new Outlook client first opens, the user is prompted to log in like any other email client. When you enter an email address from a popular provider like Gmail or iCloud, the client uses an Oauth2 workflow to authenticate with your browser. If you enter a third-party domain, you will be prompted for an IMAP password (if supported). This is all completely normal for an email client.
However, after authentication, a window will appear informing you that Microsoft needs to sync your emails, events and contacts with Microsoft Cloud in order to use the new version of Outlook. A cancellation option is available, but there is no option to decline and continue using your client. Additional information is provided via a support link that explains that access enables features such as email search, a targeted inbox, or recurring meetings, but does not make clear statements about the limits of this data collection:
Sent by Microsoft
To improve your Microsoft 365 experience in the new Outlook for Windows, Outlook.com, Outlook for iOS, Outlook for Android, and the new Outlook for Mac, you can now view your non-Microsoft accounts (including your email, contacts, and Events) sync with Microsoft Cloud. It’s available for Gmail, Yahoo, iCloud, and IMAP accounts in Outlook for iOS, Outlook for Android, and the new Outlook for Mac. Also available for Gmail and Yahoo accounts in New Outlook for Windows and for Gmail accounts in Outlook.com. This allows you to take advantage of many features that were previously only available to people with Microsoft 365 or Microsoft Exchange Online email accounts.
What happens when I sync my account with Microsoft Cloud?
When you sync your account with Microsoft Cloud, a copy of your email, calendar, and contacts is synced between your email provider and Microsoft data centers. If you have your mailbox data in Microsoft Cloud, you can use new Outlook client features (new Outlook for Windows, Outlook for iOS, Outlook for Android, Outlook.com, or Outlook for Mac) with your non-Microsoft account, just as you would with yours Microsoft accounts.
Your experience on your native account and across all applications from this provider will remain unchanged.
Because of this warning, a user can reasonably assume that the email client they are connecting to continues to act as an email client and that the client may be sending boundary data for processing in the cloud. However, this is not the case. Instead of your email client authenticating, your credentials are passed to the Microsoft cloud, which performs the authentication on your behalf. From this point on, all processing (including retrieving your emails) is managed in the cloud. German blog heise.de conducted a search and found no traffic flowing directly from the customer to their email provider.
This applies to OAuth and IMAP workflows, but is most noticeable when authenticating with a third-party IMAP server. In this case, the Outlook client accesses the application using the IMAP credentials provided by your email provider and forwards it directly to Microsoft’s cloud via TLS. The curious can reproduce this by setting up a transparent proxy between the Internet and the Outlook client to intercept encrypted traffic.
Email client or web application?
To answer this question, Heise used an email provider that logs the IP address and access time for every new connection. If the Outlook client communicated directly with our mail server (that is, how a client should act), the IP address recorded by the email provider must match that of the computer on which we are running Outlook. However, no attempt recorded a connection from the personal IP address; The connections came from a different IP address that, when entered into the WHOIS lookup service, indicated that it was registered with Microsoft. This would show that the Outlook client is neither of these things, but acts solely as a wrapper for Microsoft’s cloud services, and that the local client never connected.
There is a clear problem for the user here. By simply logging into the new Outlook client, a user has effectively granted the Microsoft Cloud global, unlimited access to their entire email account. The only mention of Microsoft privacy on the linked support page is a series of links to their privacy policy and service agreements, both of which provide general access to your data to improve Microsoft products and services.
It’s also important to note that there is no obvious way to disable this cloud integration when connecting to an email account or using the client in a mode where certain AI features are disabled.
By moving email client functionality to the cloud, security engineers or researchers can also no longer easily verify what the client is doing. It is possible to track requests for your data from Microsoft, but this does not indicate how much additional processing may occur. It is also important to remember that this access is continuous. It is no longer possible to prevent Microsoft from accessing your email by simply closing Outlook. Users can connect Outlook to their desktop to test it, decide they don’t like it, and simply stop using it without logging out. Until the user logs out (or revokes the session elsewhere), Microsoft continues to have access to their data.
A potential problem for companies
It is at no time clear whether the Outlook desktop app acts as a wrapper for cloud-only services or what the limits and circumstances are under which Microsoft will access your data in the cloud. Given the scale of Microsoft’s push toward new cloud-based AI integrations and the lack of certainty otherwise, it’s safe to assume that Microsoft is using this type of data for training or testing purposes.
This can also be a serious problem for companies. An enterprise end user could inadvertently give Microsoft access to large amounts of commercial or commercially sensitive data, possibly in violation of legal or security requirements. If this data were then used to train generative AI or other publicly available machine learning models, some aspects of this data could potentially be made available to everyone. This is an extreme scenario, but the concerns are clear.
Sources: Microsoft (1, 2, 3), Heise
And you ?
What do you think about automatic email forwarding to the cloud? Does that calm you down or worry you?
What data sharing features do you use or disable in the new Outlook? For what ?
What advantages and disadvantages does the new Outlook have compared to the classic version or the mail and calendar application?
How do you rate the performance, reliability and security of the new Outlook? Have you encountered any problems or errors?
What suggestions or improvements would you like to see in the new Outlook? What features are you missing or bothering you?