
Worth Reading – Is Microsoft 365 Copilot Tracking Your Prompts? The Real Enterprise Answer

I don’t often talk about this with non-IT people because I’m always afraid they will start to get paranoid, but I also wonder why they would be surprised.

Yes, your Copilot prompts and responses are stored in the M365 tenant when you’re using an Enterprise account, and someone “could” read them.

This is also true:

Microsoft’s retention documentation explains that generative AI message data can be stored behind the scenes in hidden mailbox folders. These folders are not meant to be directly browsed by ordinary users or administrators. They exist so compliance administrators can search them through eDiscovery tools.

That is an important boundary. The data can exist. It can be searched. But the intended access path is compliance tooling, not casual workplace monitoring.

https://open.substack.com/pub/the365edge/p/is-microsoft-365-copilot-tracking

You may read that and think that means your employer can see every prompt you enter in Copilot. To some extent, that is true, in the same way that they can see every email message or Teams chat you type with your work account. It is a work account, after all. The key piece missing from that simple statement is that it’s not easy to do, and, by design, there are usually very few people who can collect and review that data. Usually, the effort required to do that isn’t worth it. So, if it has happened to you, it’s likely because someone or something has raised a suspicion that warranted an investigation. Most users never reach this level of scrutiny.

As one of the people who could do that, let me also assure you, we don’t have time to go through your Copilot prompts for fun. It’s not something I’m volunteering to do, and even when asked, I’ll push back on the need to spend that much time on it. Your manager can’t do it without me. I don’t want to do it unless it’s absolutely necessary, and Microsoft is storing them, not reading and cataloging them. (Unless you do something that violates a policy, like prompting Copilot about committing violence, but you’re not doing that, are you?)

We’ve all got better things to do than read all your Copilot interactions, but it wouldn’t hurt to remember that they are kept for however long your employer decides to keep them, too. They may come back to embarrass you down the road.

By the way, I’m going to be conducting a webinar for the International Data Protection User Group on June 10, explaining how Copilot and other interactions show up in Purview eDiscovery. You can register for the event and start getting involved in future events here: https://luma.com/hx9jm3oy. I’ve attended some of the previous sessions, and it’s a great way to learn more about Purview. 
