If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Microsoft Teams. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.

In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Microsoft Teams, we’ll examine…

Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know.

Background

Microsoft Teams is the long-established Redmond hegemon’s answer to workplace chat tools, such as Slack. Like Slack, it features online chat channels, file sharing, and video meeting calls. It also integrates into existing Microsoft Office 365 installations for access to workplace calendars, files, and contacts.

Teams is a relatively new product that has largely evaded the spotlight that Zoom has taken while rapidly growing its user base since the COVID-19 pandemic began. Its feature set overlaps with many competing platforms, but, as with other Microsoft offerings, unlocking features requires figuring out exactly the right combination of account types, subscriptions, and services. Additionally, its default settings could, in some conditions, be susceptible to harassment attacks similar to those Zoom became known for.

Evaluating the platform’s security properties

Does the platform support two-factor authentication? By what methods?

Yes, depending on the type of account you use to log in. For two-factor authentication, standard Microsoft Live accounts can use SMS text messages, an alternate email address, authenticator apps, and a proprietary Microsoft Authenticator option which features the ability to authenticate from the app itself. Some newer security keys are also supported for Microsoft accounts but require setting up a device-specific PIN you have to remember when logging in, without a clear means of resetting it if you forget it.

Teams may be set up to use an organization-specific authentication framework using Office 365, in which case 2FA options are limited by the combination of authentication services used and what 2FA methods organizational admins have chosen.

Does the platform support transit encryption? How is it implemented?

Yes. Teams uses TLS between clients and servers and mutual TLS (MTLS) between Microsoft’s servers. Secure Real-Time Transport Protocol (SRTP) is used for encrypting video chat.

Does the platform support end-to-end encryption? How is it implemented?

Microsoft is currently working on bringing end-to-end encryption to future releases of Teams for one-to-one, unscheduled calls. Both users on each end of a call will need to manually enable end-to-end encryption on their ends, and only video and audio content will be end-to-end encrypted — other data in the call like chat messages will not be end-to-end encrypted.

Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?

Microsoft claims to conduct some form of audits as part of its compliance framework (PDF). It has not shared publicly whether the Teams video conferencing feature specifically has undergone an independent security audit. Microsoft did not respond to a request for comment.

Has the platform been breached before? How did they respond?

Microsoft as a whole has had breaches throughout its history, but also has a recent history of cooperating with security researchers on patching vulnerabilities relatively quickly, as demonstrated through its mitigation of installer package and GIF-sharing vulnerabilities, both of which were patched in a timely manner.

Evaluating the platform’s privacy properties

How does the platform handle contact discovery?

Microsoft Teams is designed for intra-organization use and includes mechanisms for looking up other members of an organization. However, if someone outside your organization opts in to share their contacts, they may be able to see whether you have a Teams account if you are in the contacts they shared. Personal and small business Teams users may look up contacts through phone and email by default. This must be switched off manually to prevent it.

Can I use the platform without making an account?

You need an account to create a video chat meeting, but not to join one, depending on the settings for that meeting.

What user metadata and content is logged by the platform?

A very long — but not definitive — list of data and content that may be collected is provided in Microsoft’s privacy statement. This includes contacts, demographic data, voice data, image metadata, location data, and more. This is not, however, a complete list of all possible content and metadata that could be collected with any particular combination of Microsoft-owned products or services tied to a Microsoft account, each of which may be collecting additional metadata. Examples of video-related metadata were not included in Microsoft’s privacy statement. Microsoft could not be reached for comment on retention of video chat metadata.

What can they sell?

Microsoft says they do “not use your email, chat, files, or other personal content to target ads to you.” There are currently no known uses of Teams data used by Microsoft for ad targeting. Although Teams is available with limited features for free, Teams is often bundled as part of the Microsoft 365 suite, which requires a paid subscription.

How long does the platform hold on to my data after I delete it, or close my account?

Teams may be configured to work under many compliance frameworks each with its own policies on how long data is retained after it (or the associated account) has been deleted.

Generally, Microsoft accounts retain user data for 90 days after an account is deleted. After that period, the account is disabled and customer data associated with it, including cache and backups, is deleted: https://www.microsoft.com/en-us/trust-center/privacy/data-management.

Can I self-host?

No.

Does the platform publish a yearly transparency report?

Yes.

Does the platform alert users to requests for their data?

Generally yes, “except in the most exceptional circumstances.” According to their FAQ, this includes “emergencies where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked).”

How much of my content and metadata can the service hand over in the case there’s a legal request? Has the platform been court-tested?

The scale of potential reach in a legal case is expansive and conditional. Microsoft accounts may be linked to dozens of Microsoft properties including Skype, Xbox Live, Bing, Office 365, LinkedIn, and potentially other services owned by Microsoft but not yet listed in their privacy dashboard. Windows devices on which you are signed in to a Microsoft account at the system level may be able to collect data on location, voice (Cortana), media viewing history through certain apps, Edge web browsing history, bookmarks, settings, and more.

We are not aware of any unsealed cases involving Teams video chat, and Microsoft could not be reached for comment. Teams is part of Office 365, which features a dedicated e-Discovery dashboard designed to make it easy for a Teams admin to extract your Teams content for legal orders.

Does the platform offer the ability to broadcast?

Yes, with a specific set of licenses. Other prerequisites include region availability.

Can I use this platform to host closed room meetings?

Yes, a meeting may be closed to Teams instance users only if a Teams admin turns off the “Anonymous users can join a meeting” option.

Can I control who can access my call if I want to?

Rooms are closed by default, so the chat attendee/presenter has to approve guests from outside an organization before they can join. A guest waits in the “lobby,” and the owner can see only the guest’s presented name before allowing them in. There is no mechanism available for meeting presenters to verify that the person dialing in is the person they say they are, as any invited guest can make up their own name and is not required to provide an email address or other identifier. The invitation link given to attendees is identical across recipients. Additionally, the setting for “Who can present” in public meetings is set to “Everyone” by default.

What is the maximum meeting group size?

100 for meetings hosted with free accounts, 300-1000 for interactive meetings hosted by paid accounts, depending on the license in use, and 10,000 for live events.

Are there accessibility features? If so, what are they?

Microsoft provides extensive guides and documentation on using Microsoft Teams with screen reader software, including JAWS, NVDA, and Narrator on Windows, VoiceOver on macOS and iOS, and TalkBack on Android. The guides themselves are also designed to be readable by the screen readers. Some features may not be fully supported. For example, virtual cursors used in Microsoft Teams have to be enabled in JAWS to make that feature work in Teams.

Who can record meeting video? Audio? Chats? Minutes?

Only the meeting organizer or an attendee from the same organization can record video/audio, and the recording is saved in a “Stream” server provided in Office 365, the underlying platform that supports Microsoft Teams. Chats are saved in Teams and accessible to members of a Teams… team.

Can I mute users in the call?

Yes, a presenter can mute other attendees in a call. Those attendees can unmute themselves afterwards without approval from the presenter.

Can I kick users out of the call?

Yes, a presenter can kick attendees out of a call. Attendees may try to re-join a meeting after being kicked out, but they would be sent back to the waiting room and need to be approved to re-enter. Since guests from outside a Teams organization may select their own name, the same invitation link may be used again with a new name without any way for a meeting presenter to know it’s the same person.

You made it to the end!

Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.