A Game of Trust

Microsoft is trying a bit to hard and missing the fundamentals on winning trust. We have had the parade of Windows 10 privacy default setting faux pas that persist in the face of Microsoft senior executive statements to the contrary, an abbreviated list of such issues:

• Windows 10 is spying on almost everything you do – here’s how to opt out
• Windows 10 shares your Wi-Fi password with all your friends – stop it using this guide
• Watch out: A dangerous Windows 10 scam is being circulated online
• Giant porn stash turned a Windows 10 upgrade into every man’s nightmare
• Windows 10: How to maintain your privacy without disabling its best features
• Windows 10: How to protect your privacy and still install apps from the Microsoft Store 

and now they are making a game of it …

Hitting an email box near you could be a copy of an invitation from Microsoft to play their ‘Trusted Cloud Game’. See hyperlinked screen shot below: 

On the face of it, all well and good, we know gamification is a very effective way of communicating with audiences. Generally, a viable approach, as it has a high rate of engagement and most importantly the messaging is found to be memorable for users, perfect qualities to get users attention on such a sensitive subject as Trust, Privacy and Security as we engage cloud technologies.

In this instance however the problem is in the execution. Click on the invitation link in the email to play the game and you get asked to login with your Microsoft Account. All very harmless, till you get prompted to elect to share the data in your Microsoft account with a completely unknown entity. The unknown entity is a little known company called mLevel, requesting access to your data including:

• Sign in automatically. Signing in with your Microsoft account will automatically sign you in to this app.
• View your profile info and contact list.
• mLevel will be able to see your profile info, including your name, gender, display picture, contacts, and friends.
• Access your email addresses
• mLevel will be able to see the email addresses in your profile.

A quick visit to their site confirms the suspicion that they are nothing more than a Microsoft vendor who have made ‘The Game’, but this is exactly the issue stakeholders in Microsoft just DO NOT GET. An astounding ambivalence over inviting 3^rd parties in such a surreptitious way to gain access to our profile data, contacts, friends, email addresses etc. 3^rd parties we know nothing about but risk inviting into our lives because Microsoft lets them in under their auspice. I might still Trust Microsoft but I do not Trust strangers, and certainly not a company that wishes to access my Microsoft Account data. From another perspective, the Microsoft Brand is so strong I am surprised it is allowed to be used in such a way, almost like a trojan horse.

Clicking into the 3rd party T&C’s my eye immediately catches this contrary statement, quote:

‘We do not sell or license personal information to third parties. We may disclose the information collected with third-party service providers with which we have an agreement.’

Oh fine, you will not sell my data, just give it away according to an agreement I have had no say in! Is that meant to build confidence?

Then just to really show how much they don’t care about your data, quote:

‘We cannot guarantee the security of the information collected from third parties (Microsoft in this case), despite our efforts to maintain the security of such information’.

There are other issues in the T&C’s but the above makes the point. 3^rd party click through to hell awaits those who are too trusting online and get suckered into compliance with such requests.

Yes you can, as it says, go back into your Microsoft Account settings and retract the permissions but that should not be necessary in the first place. These permission controls are a very blunt instrument, all or nothing with no fine end user control.

If this is an issue with the Microsoft Account login, ie: it is poorly engineered so has to disclose such data to work with third parties, then it is NOT FIT FOR PURPOSE. If on the other hand it is an elective, then it is very poor relationship management, amateurish or simply inexperienced delivery.

Attempting to use an anonymous account proves how invidious this is. mLevel are auditing the data they collect to ensure they get EVERYTHING. Quote: “Your Microsoft Account is missing information required for you to access the mLevel learning activities.”

If you get past this you will then be asked to install a plugin, the final straw for me and I bombed out. Last think I want on my machine are 3rd party plugins clogging up the works. Just look at the headache the security flaws in Adobe Flash plugin and Oracles JAVA causes users.

An example of how not to make friends and alienate people.

Unlike in the real world where trust chains founded on friendships are valued and strong, they are cheap currency and as weak as spider’s silk in the digital realm.