New South Wales Education Department Caught Unaware After Microsoft Teams Began Collecting Students' Biometric Data

New submitter optical_phiber writes: In March 2025, the New South Wales (NSW) Department of Education discovered that Microsoft Teams had begun collecting students' voice and facial biometric data without their prior knowledge. This occurred after Microsoft enabled a Teams feature called 'voice and face enrollment' by default, which creates biometric profiles to enhance meeting experiences and transcriptions via its CoPilot AI tool.

The NSW department learned of the data collection a month after it began and promptly disabled the feature and deleted the data within 24 hours. However, the department did not disclose how many individuals were affected or whether they were notified. Despite Microsoft's policy of retaining data only while the user is enrolled and deleting it within 90 days of account deletion, privacy experts have raised serious concerns. Rys Farthing of Reset Tech Australia criticized the unnecessary collection of children's data, warning of the long-term risks and calling for stronger protections.

Use only OPEN SOURCE systems. NEVER Microsoft.

[eadon-com]

Else, you are funding evil.

Re: Use only OPEN SOURCE systems. NEVER Microsoft.

[simlox]

Here in Denmark we also suffer from commercial software in education: Already in our equivalent to high-school, the students are locked into Office365, and that becomes the de-facto office suite from that on. The engineering students all learn Matlab. Very hard to change to Python later on. Also a good reason that all education shall be done on Open Source only, no matter if the proprietary software is given "for free".

Re:

[thegarbz]

Also a good reason that all education shall be done on Open Source only, no matter if the proprietary software is given "for free".

So they aren't prepared how to use their computers when they enter the workforce / real life? I think you missed the purpose of education. Now if you suggest we should be teaching about Linux at church then I agree with you.

Re:

[eadon-com]

Isn't it the exact other way around? Kids should be taught with Open Source operating systems and software, so they are INDEPENDENT of abusive globalist corporations like Microsoft. Otherwise, we have no hope of freedom. For example, corporate software is used to spy on us, and to control us. Kids either use windows already, or are smart enough to learn it on the side. I learned it on the job.

Re: Use only OPEN SOURCE systems. NEVER Microsoft.

[vbdasc]

What is your answer? Is it "c) Cement
Microsoft monopoly by addicting the new generation to its products so they can continue bombarding us with increasingly enshittified crap in the coming years with impunity"? It certainly seems so.

Re:

[thegarbz]

The Microsoft monopoly can't be resolved in the school. The point of a school is to prepare people for the workforce. Training someone on a system they won't use isn't that. The workforce won't change their systems to suit what some kid learned at school, they'll simply hire someone else.

The problem here on Slashdot is that we're tech nerds, and can't fathom the concept that someone isn't able to simply use anything you put in front of them. Linux is a great idea in something like a CS course, where people

Re:

[Murdoch5]

100%, I was going to make a similar comment. You can't use the software of a company that is basically Epstein in digital form, and claim surprise when the children get violated. Microsoft's track record speaks for itself, they are a company that focuses on digital molestation, stalking, invasive data collection, and actively harming users. If you hire a known child molester to watch your kids, you can't claim innocence when your children get violated.

stronger protections that can't be waved with an E

[Joe_Dragon]

stronger protections that can't be waved with an EULA or forced to give up to us app.

Time to jail MS executives...

[gweihir]

These people think the law does not apply to them.

Re: Time to jail MS executives...

[RazorSharp]

We cannot jail them because, as they have demonstrated many times, the law does not apply to them.

Re:

[mjwx]

We cannot jail them because, as they have demonstrated many times, the law does not apply to them.

Indeed, jail the wrong people and all of a sudden papers are inundating people with stories about "two tier justice systems". Doesn't matter what they're guilty of, they demand to get away with it and the gullible lap it all up.

Re: Time to jail MS executives...

[drinkypoo]

It does not. That was proven when Bush's AG Ashcroft let Microsoft off with a hand slap instead of breaking them up.

Re:

[gweihir]

You may notice that this happend in the UK. Well, the UK-GDPR does apply there (closely resembles the EU GDPR), but that unfortunately only comes with penalties for the organizations. Hmm.

Re:

[strikethree]

These people think the law does not apply to them.

And you seem to think that it does.

I believe I know how this will play out... and you will find yourself mistaken. Microsoft is, ultimately, a USA corporation and the USA is not explicitly following the rule of law anymore.

Granted, there always needs to be wiggle room... but this shit is beyond ridiculous and could take down the USA entirely.

We need worldwide Data / Privacy standards

[Inglix the Mad]

Like the title says. I know governments will despise it, but it needs to happen. The law also needs penalties so severe, and immediately enacted upon breach, that it terrifies company leadership. So not just a little fine, a "You do this and you will probably not make a profit for years, assuming your business is not disintegrated" kind of fine.

Unfortunately it has to be this way because even with "large" fines it's become a cost of doing business thing. Since business treats it that way, it needs to become a "put you out of business" kind of fine.

The fine should probably include a claw back of all compensation of C-Levels for the duration of the breach. They want to claim the ship only runs true with them at the helm, they have take the responsibility for everything the ship does daily.

Re: We need worldwide Data / Privacy standards

[toutankh]

I think it should hit where it really hurts: putting people in jail. For some reason when companies do horrible stuff they get away with it by paying fines. Make it someone's personal responsibility.

so force them to live in australia?

[Joe_Dragon]

so force them to live in australia?

Re:

[Inglix the Mad]

You want to hurt wealthy people, take away their money. Look at all the crap they go through to get that little bit more when they already live in luxury that would make someone like Croesus blush with envy. I'm not talking a little fine her, I mean making them dirt effing poor.

I do agree that in the case of something like the opioid crisis the Sackler family helped create, with the associated loss of life, prison should be mandatory and scaling with the effect. As we look at the opioid crisis, tell me t

Re:

[DarkOx]

Except the problem here is government. It was the government that broke the law, when their IT group chose teams or perhaps accepted an updated EULA that violated their own data privacy laws. It does not sound like Microsoft ever offered or was asked to provide a customized teams, that did data collection differently.

Imagine if someone in the food service department went over to the local home store a bought a bunch of containers, not food safe, and put the school lunch supplies into them. Would you blam

Re:

[Joe_Dragon]

But can an updated EULA override and signed contract?
Should the school just shutdown each time the EULA is updated for legal to look it over? (but even to log into set all users to disabled may need you to get past that new EULA)

Re:We need worldwide Data / Privacy standards

[Inglix the Mad]

EULA's need to go the way of the Dodo as they stand now anyway. They're nothing less than "COMPANY GETS TO DO WHATEVER IT WANTS AND IF YOU DON'T LIKE IT TOUGH" documents. We've spent 50 years creating legal fictions that give corporations more rights than people, and it has to be rolled back.

Re:

[strikethree]

EULA's need to go the way of the Dodo as they stand now anyway.

EULAs are a legal fiction created out of whole cloth by Microsoft. I am uncertain why any judge anywhere grants them any sort of legality as there is nothing to base a legal finding in.

But, here we are.

Re:

[DarkOx]

No the School should not deploy software updates until any revisions to the EULA have been reviewed.

If Microsoft is in the habit of not allowing downlevel clients to connect for at least long enough for that to be possible and something else to be put in place if the changes are unacceptable, than the product was NEVER fit for use, and again the fault lies with the administrators that chose it.

It isnt like Microsoft does not have licensing groups that exist specifically to work with education, and other lar

Re:We need worldwide Data / Privacy standards

[HiThere]

That's not a good answer, because there ARE crucial updates.
Much better it just to ensure that EULAs have, at most, no legal force. Possibly they could be considered assault. (They clearly *are* a threat.)

and when web ui forces new EULA on cloud login?

[Joe_Dragon]

and when web ui forces new EULA on cloud login?

Re:

[HiThere]

If EULAs have no legal force, they have no reason to do that. If they do it anyway, it's just a nuisance.

Re:

[strikethree]

What laws or customs allow the creation of EULAs? What laws enforce what EULAs claim?

They are pure paper with legal sounding jargon. That is all. I am honestly surprised at how long this legal fiction has been running.

Re:

[Big Hairy Gorilla]

Sounds about right to me. But I'll add some things that others have said.. Someone here, explained this to me, and it rang true: Lawyers insist on buying from companies because of liability issues, let's say you have someone/something to blame in case shit happens. So then purchasing policies are crafted to only include products by Microsoft, for example, and even if someone out in the trenches wants to do things differently with open source software, they aren't allowed to.

Now we know, ironically, as you h

Re: We need worldwide Data / Privacy standards

[drinkypoo]

This is an accurate take. Every entity which has a responsibility to protect others' data or any allegedly secure data and then chooses to use a Microsoft solution in particular (but really any closed source software) with the potential to intercept that data should be considered to be in violation of privacy laws. Microsoft is an especially egregious choice because the EULAs give them the right to take any data they like and show it to anyone for any purpose they deem relevant. No government entity should

Re:

[thegarbz]

Like the title says. I know governments will despise it, but it needs to happen. The law also needs penalties so severe, and immediately enacted upon breach, that it terrifies company leadership.

Errr, no company was the problem here. This was the government IT systems setup incorrectly. How do you legislate around your own incompetence? Which government department is responsible for fining itself?

Re:

[sit1963nz]

Err...how about its privacy by default and that IT admin have to actually turn on the "extra features"
Opt in, not Opt out.

Easy Fix...

[Anonymous Coward]

Make ALL 3rd Party data collection OPT IN ONLY!

Re:

[G00F]

Looks like they stop it it, and had MS delete data. Although MS claims it takes up to 90 days to delete data.

Big shock, violating children now

[ebunga]

They violate the consent of adults with impunity, so of course they're going to do the same to children.

I was unaware

[Baron_Yam]

Since the dawn of Facebook I've been doing my best to keep out of databases, but I use Teams a lot for work, so presumably Microsoft has a lot of data on my face and voice now, all linked to a user ID that matches my real name and a geographical location that is significantly off by IP but very close to the billing address they have for my employer.

In other words, I have to assume I'm 'in the system' and no longer have the faintest hope of anonymity even against less than state-level actors.

I can guess why it was enabled by default

[UnknowingFool]

More and more MS enables things by default that are all about collecting data most likely so they can sell it. Telemetry (On). Periodic screenshots of users' displays (On). Metadata about gaming habits (On). Biometric data (On)

Tip of Microsoft's Anti-Privacy Iceberg

[BrendaEM]

That's strange, there is always data in Microsoft Edge's cache--on machines I don't use it on.

NSFW

[groobly]

Am I the only one who when they see "NSW" thinks it says "NSFW"?

Re: NSFW

[Slashythenkilly]

You probably spend a little to much time in shady forums...lol

Re:

[crunchygranola]

The shady forums don't give you a warning. Or so I hear from a friend.

Everyone be horrified

[NotEmmanuelGoldstein]

... enabled a Teams feature ...

Microsoft willfully reduced the privacy of their customers without informing them: Why has this abusive treatment of their users not been turned over to the police?

Every customer should be horrified that Microsoft is recording their meetings. There's no way Microsoft did this because users wanted it. It was an obvious monetization of the lives of their users. It's worse, when Microsoft made a point of giving this product to children, then deliberately spying on them.

The point of a corporation is to