As part of our security research, we took a closer look at encryption: How, when and where is encryption used and what type of connections are established? We also scrutinised whether the actual encryption meets the standards advertised by the manufacturer.
Result of the analysis
The result surprised us:
End-to-end encryption is used (when it is activated for both communication partners):
✅ Audio calls
✅ Video calls
✅ The sharing of screens
Transmitted without end-to-end encryption (without the corresponding activation option):
❌ Files
❌ Messages
Significant security issues on the client devices
The investigation revealed significant security issues on the client devices themselves. For messages and files, there is no end-to-end encryption and no option to activate it via the settings. This means that messages and files are stored unencrypted on the client and can be viewed by the manufacturer, Microsoft. This poses a considerable risk to the privacy and security of users. If you would like to take a look behind the encryption, please read our comprehensive research report attached.
Generic statement from Microsoft
We confronted Microsoft with the issue and received the following statement from a spokesperson: ‘The end-to-end encryption feature meets the needs of some customers to provide a higher level of confidentiality when required. This confidentiality is mainly required in direct, non-persistent communication, i.e. video and audio transmissions, while there are already established ways of ensuring confidentiality for the transmission of messages or files. As is generally the case in Teams, these messages and files are already protected against unauthorised reading both by extensive security measures and by system-side encryption.’
You can download our complete analysis here