Skip to main content
All posts

Do You Trust Outlook?

A cross-functional team, a topic everyone cares about, a question about the right tool. The organisation — which shall remain unnamed — had drawn a clear line: Microsoft Copilot for nothing that touches company IP. Their Microsoft package would not allow for it.

"But that's essentially the same as saying we don't trust Outlook." — I heard myself say.

I meant it as a reframing. An argument that the concerns were overblown.

At least until I realised, a moment later: Yes. Maybe you can't trust Outlook.


Outlook?

Outlook is so familiar that the question feels absurd. Of course we trust Outlook. We've always used Outlook.

That's a habit. And something of a love-hate relationship.

"New Outlook" — the version Microsoft has been pushing as the default since 2023 — is a cloud application running on Microsoft servers. A tool from a company subject to the US CLOUD Act. Under that law, US authorities have the right to compel American service providers to hand over data, regardless of where that data is physically stored. In Frankfurt. In Dublin. On a server labelled "Europe".

Yes. We all sort of know this and have just accepted it. Snowden was a long time ago — what could go wrong?

"New Outlook" synchronises external accounts exclusively through Microsoft servers. Anyone who connects a Gmail, GMX, or company email account to New Outlook hands their credentials to Microsoft and lets their emails flow through Microsoft infrastructure.

Hm. Still not obvious enough? I'd argue that anyone using "Outlook" thinks they're using an application running locally on their machine — but it's cloud infrastructure for accounts that were never Microsoft accounts to begin with.

Nobody complained. Because nobody checked. Because it's called "Outlook", and we know Outlook.

Familiarity is not a security feature. It's the opposite: familiarity is the state in which we've stopped asking questions.


The Copilot question is more honest

And that's the paradox of what the organisation did. They rejected Copilot — and in doing so, without knowing it, asked the right question. Just aimed at the wrong tool.

Microsoft provides a clear commitment for enterprise customers (M365 E3/E5 with Copilot licence): Your data isn't used to train foundation models. That's a contractual promise, and it sits under the Microsoft Data Protection Addendum.

Three things remain true regardless:

First, it only applies to the right tiers. Anyone who doesn't have the enterprise package — and for many organisations with a mixed fleet of Business Basic and Professional accounts, that's not trivial to verify — operates under different terms. The free Copilot version carries the official Microsoft notice: Never add sensitive or proprietary work information in a prompt. That's there. Not in the fine print. On the product page.

Second, the promise doesn't override the CLOUD Act. These are two separate layers. One concerns Microsoft's own use of the data. The other concerns access by US authorities under legal compulsion. The same applies to Outlook. To SharePoint. To Teams. To everything running on Microsoft servers.

Third, a contractual promise is not a technical barrier. It's a promise. Whether it's kept is not technically verifiable. Whether it still reads the same way in five years depends on business decisions Microsoft can make without prior notice.

The organisation's instinct was right. They just drew the line in the wrong place.


GitHub Copilot and the tier problem

Anyone who considers this an abstract debate should take a closer look at GitHub Copilot.

Since April 2025, GitHub Copilot uses interaction data — inputs, outputs, code snippets, context — to train models for Individual users (Free, Pro, Pro+), unless they opt out. This data can be shared with "GitHub affiliates". GitHub is a Microsoft subsidiary.

For Business and Enterprise accounts, that's explicitly not the case. There, the promise holds.

That sounds like a clean separation. In practice? At least from what I've seen with clients: personal accounts carrying years of projects, code snippets, everything ever typed, exist side by side with the corporate account holding the paid licence. What lives where? Which account is active? The lines blur. The same goes for consultants managing multiple GitHub accounts across different clients. Watch out.


The pattern

It's worth stepping back and seeing the pattern.

The free internet was built over the last twenty years on one simple principle: the infrastructure is free, the business model is data. Journalists, bloggers, authors, publishers created content. Search engines indexed it. Models were trained on the result. The distilled knowledge is now sold — without compensating the original sources. Uff.

The New York Times sued OpenAI over exactly this. The Munich Regional Court ruled in November 2025 — in proceedings brought by GEMA against OpenAI — that embedding copyrighted text in model weights constitutes reproduction, and that this is not automatically covered by the text and data mining exception. The ruling is not yet final — OpenAI has appealed.

What does this have to do with enterprise software?

The mechanics are the same; the packaging is different. With the internet, it was obvious that you were feeding content into a system you didn't control. Hell, that was the great promise of free data exchange in a liberal global society. We can still afford that much idealism!

With a corporate email client or a code editor, it's not obvious. The tool is so familiar, so taken for granted, so old, that the infrastructural reality behind it has become invisible.

And the infrastructure accumulates knowledge. Through thousands of interactions, over years, across companies, across industries. What emerges from that is valuable — and it emerges on someone else's servers.

There is no free lunch. If something seems very cheap, you or your data are probably the product. That's the internet principle. It now applies to the tools companies use to build their processes.


The shopping cart story

Is this really new? The scale is.

Anecdote time:

I once worked on a project at a shopping cart manufacturer. The company wasn't particularly good at production cost controlling. That was important, but never important enough to fix — predictable enough. Walmart was one of their largest customers. And Walmart was very good at procurement controlling.

Over the years, quotes had accumulated. Cross-referenced against key cost drivers — in this case raw material prices, steel, metal, all publicly available. Eventually, Walmart could tell the manufacturer: this is your price to us. This is the margin we'll allow you. We know what it costs you to produce. We know what it could cost.

That was before AI. No models, no embeddings, no inference. Just a systematic process, accumulated data, public commodity indices, and a procurement team that understood how to reconstruct production costs from them.

Despite the apparent information asymmetry: how would Walmart know the real production costs when the manufacturer couldn't calculate them until six months after the fact?

Because it mattered enough to them. Walmart is famously aggressive about squeezing purchase and production prices. In the end, the supplier barely negotiated anymore — they became a price-taker.

What a procurement team used to accumulate over years, a foundation model replicates across a thousand suppliers simultaneously. Every quote a customer loads into an AI system today is a data point. Aggregated over time and competitors, the same picture emerges: your cost structure, your margin range, your negotiating limits. Without any theft. Simply because you produced normal business documents that are now machine-readable.


What's already inside the models

In that same meeting, the counter-question came up: is what the company calls IP actually IP anymore? Or is it already inside the models?

I ran the test. A publicly available product catalogue, a self-designed agentic quotation workflow, Claude Opus — and produced a quote. The result wasn't customer-ready. But it was alarmingly good given the quality and density of the input data.

What that shows: a significant portion of what companies treat as proprietary knowledge has been externalised into documents — manuals, product catalogues, process descriptions, public presentations. That's exactly the material models were trained on. Anyone who fills out a quote, documents a process, or writes a service description puts that knowledge into a form that can be read and learned from.

What truly can't be replicated is tacit knowledge. The unwritten judgements, the experience that exists in no document, the relationships. That's the real defensive position. But it's also not what an NDA typically protects.


And now what?

And then comes the question that's hardest to answer.

Even if a company does everything right internally — sovereign infrastructure, no Copilot, no data on foreign servers — it still sends a quote out eventually. The quote goes to the customer. The customer has every right to open it with their AI tool, analyse it, compare it with competitors, reverse-engineer the cost drivers.

That's normal business. The document belongs to the customer.

You can't prevent that. What you can prevent is how much you actively accelerate it. Building your own processes on foreign infrastructure contributes to the knowledge accumulation of systems owned by others — with every prompt, every workflow, every interaction. Not doing that at least keeps your own side of the equation under control.


What remains

The organisation that rejected Copilot had the right instinct. They drew the line in the wrong place — at Copilot rather than at the infrastructure. But the question behind it was the right one: where does our knowledge run? Whose system processes it? What happens to it?

These questions are rarely asked, because the answers are uncomfortable and because the tools that raise them are so familiar. Outlook is thirty years old. Of course it's safe. Of course we trust it.

Familiarity is not a security guarantee. It's what happens when you've stopped asking questions for long enough.

In that meeting, I stopped asking. I said something I meant as a reframing, and then realised it worked as a question instead.

Do you trust Outlook?