Microsoft Copilot Privacy Settings Scrutinized
Microsoft Copilot quietly pulls user data from other Microsoft products like Edge and MSN by default. While users can opt out, the behavior highlights the need for careful configuration in regulated industries. The cross-product data flow requires auditing to ensure compliance and prevent unintended data movement.
- The data sharing feature is linked to Copilot's "Memory" function, which is designed to personalize the user experience by remembering preferences and context from conversations. This data is sourced from user activity on Microsoft products such as Bing, MSN, and Edge. - The toggle to control this data sharing, labeled "Microsoft usage data," is located within the "Memory" tab in Copilot's settings and is turned on by default. To fully remove existing data, users must not only disable the toggle but also select the "Delete all memory" option. - For businesses in regulated fields like healthcare, using Microsoft 365 Copilot for enterprise can be configured to be HIPAA compliant, but this is not the default state. Organizations must have a Business Associate Agreement (BAA) with Microsoft and correctly configure security settings like encryption and access controls. - Microsoft distinguishes between consumer and enterprise data usage; data from commercial customers in Microsoft 365 Copilot is not used to train the foundational large language models (LLMs). However, some Copilot services may transmit data to Bing, which is not covered by the HIPAA BAA, creating a potential compliance gap if not properly managed. - The introduction of Copilot+ PCs with on-device Neural Processing Units (NPUs) offers a different privacy paradigm by processing sensitive information locally. This local processing helps prevent patient health information and other sensitive data from being transmitted to the cloud, a key consideration for HIPAA compliance. - Users have granular control over various privacy settings beyond cross-product data sharing, including the ability to opt out of their conversations being used for model training and to turn off ad personalization based on their interactions with Copilot. - The data collected is stored in a hidden folder within the user's Exchange mailbox, making it subject to the same security and encryption as other Exchange content and discoverable through eDiscovery tools. For personal accounts, chat history is retained for 18 months by default.
