Last fall, I was monitoring outbound traffic from IoT devices on my home network using Wireshark. When I looked at the captures later, I noticed something strange. There appeared to be web browsing activity to https sites. I had deliberately avoided any web browsing during the testing period, so why was I seeing what appeared to be web browsing activity?
When I checked the IP address the traffic came from, I noticed it was my Windows 10 desktop computer. I knew I had not browsed the web there. The only thing I had done during the monitoring time was to edit a document with Microsoft Word. So I decided to investigate whether perhaps Microsoft Word itself was doing the “web browsing”.
I started Wireshark on my desktop PC. The only traffic I saw was the normal background noise of any network – neighbor solicitation, ARP requests, and the like. Then I opened up a document using Microsoft Word. Suddenly there was a flurry of activity, including https traffic! Here is a screenshot of a portion of what I captured (here is a link to the full-size image):
What is going on here?
This is just a small portion of data exchange that occurs when I open a document in Word. As you can see, a significant amount of data is being exchanged. In one packet alone, over 6kB of data is being sent to the site “prod.roaming1.live.com.akadns.net”. We can’t tell what data is being sent, because it is encrypted with Transport Layer Security, the same technology used to exchange information with secure web sites (those that have a URL beginning https://).
Research reveals that “akadns.net” is Akamai Technologies, a Content Delivery Network (CDN). Such networks allow for high performance distribution of content. Companies needing to provide efficient data exchange for high-traffic applications can pay a CDN to host their data, much as an individual or business often pays a third-party company to host their web site. The “live.com” portion of the site provides a clue as to who this hosting is being done for. Looking this up using the standard “whois” command (in Linux) reveals the following:
Registrant Organization: Microsoft Corporation
Registrant Street:
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: email@example.com
This makes perfect sense. I am opening up a document in Microsoft Word, and data is being exchanged with a CDN that is serving Microsoft.
So is Microsoft spying on me?
I can’t know for sure, because the data being exchanged is encrypted. I do know that a significant amount of data (measured in kilobytes) is sent every time I open a Microsoft Word document.
There are certainly other valid reasons why data could be being exchanged. My first thought was a license check. Microsoft might be verifying that my copy of Word is properly licensed. However, the data is exchanged each time I open Word. Presumably, a license check would only need to be run, say, once a day at most.
Perhaps Word is just checking for software updates. Data would need to be exchanged in both directions to do this. However, I would again question why a software update check would need to happen every time Word is opened. As with a license check, it would seem that once a day would be more than adequate.
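One way to test the once-a-day hypotheses above against a capture, as an added example that is not part of the original post: total the bytes the desktop sends to each destination in a short window after each Word launch, then list the destinations contacted on every launch. The CSV layout, IP addresses, launch times, byte counts and the example.net names are constructed sample data; only the akadns.net hostname comes from the post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: time (s), source, destination name, frame length (bytes).
CAPTURE_CSV = """\
time,src,dst,length
100.5,192.168.1.20,prod.roaming1.live.com.akadns.net,6144
100.9,203.0.113.10,192.168.1.20,1500
101.2,192.168.1.20,prod.roaming1.live.com.akadns.net,900
102.0,192.168.1.20,updates.example.net,700
2000.0,192.168.1.20,ntp.example.net,90
4000.4,192.168.1.20,prod.roaming1.live.com.akadns.net,6200
9000.3,192.168.1.20,prod.roaming1.live.com.akadns.net,6100
9001.0,192.168.1.20,prod.roaming1.live.com.akadns.net,850
"""

DESKTOP_IP = "192.168.1.20"          # constructed address of the monitored PC
LAUNCHES = [100.0, 4000.0, 9000.0]   # constructed times at which Word was opened
WINDOW = 30.0                        # seconds of traffic attributed to each launch


def bytes_sent_per_launch(csv_text, host_ip, launches, window):
    """Return {destination: [bytes sent by host_ip in the window after each launch]}."""
    sent = defaultdict(lambda: [0] * len(launches))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src"] != host_ip:
            continue  # inbound traffic is ignored; only what leaves the PC is counted
        t = float(row["time"])
        for i, start in enumerate(launches):
            if start <= t < start + window:
                sent[row["dst"]][i] += int(row["length"])
                break  # background traffic outside every window never reaches here
    return dict(sent)


def contacted_every_launch(per_launch):
    """Destinations that received data after every launch, not just the first."""
    return sorted(dst for dst, counts in per_launch.items() if all(counts))


if __name__ == "__main__":
    per_launch = bytes_sent_per_launch(CAPTURE_CSV, DESKTOP_IP, LAUNCHES, WINDOW)
    for dst, counts in sorted(per_launch.items()):
        print(f"{dst:40s} {counts}")
    print("every launch:", contacted_every_launch(per_launch))
```

A destination that only shows up after the first launch of the day fits a periodic check; one that receives kilobytes after every launch does not.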
Perhaps someone else knows more
I’ve done a fair amount of searching on the web, and have been unable to find much discussion of what data Microsoft Word exchanges over the internet when it is opened. I have seen a few discussions from network administrators who describe how things break when access to the CDN site is blocked, but that’s about it.
If any of my readers know more, I’d be interested in hearing from you. Or perhaps you have a different setup, and the ability to capture network data. I am running Office 365. It would be interesting to compare notes with someone running, say, the stand-alone version of Microsoft Word. Please use the comment feature of this blog so others can see the information as well.
I’m certainly not saying that Microsoft is spying on the content of my Word documents. I don’t know what they are doing, because the data exchanged is encrypted. I do know that a pretty large exchange of data (many kilobytes sent and received) occurs each time I open Microsoft Word.