As Delve rolls out to more and more tenants, people naturally talk about it more and more. Blog posts and articles are appearing here and there, some excited and some skeptical, as with any innovation.
While reading the online content about Office Graph and Delve, one of the biggest concerns I have come across is privacy. For example:
- I’m concerned that subcontractors and other external partners of my company will be able to discover and see content that was never intended to be shared with them (see my “First time with Delve” story).
- Let’s say I’m planning to apply for a new position opening in the company, but I don’t want my current manager to know about it yet. I have already looked at the related HR documents (job description, application criteria, rules and policies, etc.). Office Graph stores all of my activities, including the fact that I viewed these documents. What if my manager checks and figures out that I’m planning to leave his team?
- Let’s say, as a woman, I become pregnant but don’t want to share the news too early. I still want to know my rights, the benefits I can get from the company, and so on, without “releasing” the information that I am pregnant.
- Office Graph “knows” everything about me: what content I view, what meetings I have, who I send emails to and receive emails from, which documents are presented to me, etc. How does Office Graph handle sensitive content? What if I don’t want to share which people I communicate and collaborate with, and which content I work with?
Let me clarify how privacy works in Office Graph and Delve, and what kinds of relationships can be “surfaced” and how.
Sensitive content
Office Graph, and therefore its presentation layer, Delve, always returns security-trimmed results, just like the “traditional” Search experience in SharePoint and Office 365. If you don’t have permission to see a document, it is not presented to you at all. If you do have permission, you can find it.
Office Graph does the security trimming in the backend, before any result is handed to Delve, so there is nothing for a client to “hack” or work around: Delve itself cannot leak a document that its user is not allowed to read. The important caveat is that security trimming enforces the permissions exactly as they are set. It does not judge whether a document was shared with the right people; if a document is over-shared, Delve will surface it to everyone in that over-broad audience, and it will do so more visibly than the old folder structure ever did. That is precisely the subcontractor scenario from the first concern above.
For example: Let’s say you attend a strategic meeting with other C-level managers of the company, and some content is presented there. If the permissions on these documents are set correctly and only the proper managers can see them, you don’t have to worry about Delve at all. People who have no access to the documents cannot see them in Delve in any way, because Office Graph applies security trimming before it sends the content to Delve.
Conclusion: if content is sensitive AND its permissions are set correctly, people cannot “discover” it by accident. If the permissions are wrong, Delve makes the mistake easier to find, not harder, so auditing sharing settings matters more with Delve, not less.
Sensitive “relationships”
In some cases, the content itself is public, but we don’t want others to know that we viewed it. For example, when I want to apply for a new position in the company, or when a woman becomes pregnant.
Office Graph fully respects privacy here. To explain how, I have to explain how Office Graph works and how it stores its information. Office Graph is a real, mathematical graph: it has nodes and edges. Its nodes are the users and the content; its edges are the relationships between them. An edge always points from the Actor of the relationship (a user) to the Object of the relationship (a document or another user).
Each edge (relationship) has several characteristics, such as its type and its weight (importance). One of these characteristics is its visibility. An edge can be public or private:
- Public: A public relationship is visible to everyone. An object that is connected to the Actor by a public edge can be discovered by others using Delve (subject to security trimming, of course!). For example, “modify” and “create” relationships are always public; people can discover content that someone else, as Actor, created or modified.
- Private: An object that is connected to the Actor by a private edge cannot be discovered by other users through that edge. For example, an edge that represents a “view” relationship is always private. If I only view a document, nobody else can surface that fact through Delve.
For example: When I open the HR documents for a new position opening, Office Graph stores an edge (relationship) that points from me (Actor) to the HR document (Object). Because I only viewed (read) the document, this relationship is private: nobody can discover the content through its relationship to me.
Conclusion: If someone opens a document for viewing only, the relationship is stored in Office Graph as a private edge. I still have a connection to that document (Delve can show it to me), but nobody else will be able to surface it. I am safe, whether I am in the first period of my pregnancy or planning to leave the company.
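The two filters described above, security trimming on the content (the “Sensitive content” section) and edge visibility on the relationship (this section), are easy to confuse, so here is a small model that applies both in the order the post describes. This is an added example written for this page, not Office Graph code and not the Office Graph query API; the graph, the ACL table, the users (alice, her manager bob, the subcontractor carol), the document names, and the rule that only “create” and “modify” edges are public are all constructed assumptions taken from the scenarios above. It also shows the caveat from the first section: if an ACL is wrong, trimming faithfully surfaces the over-shared document.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    PRIVATE = "private"


# Assumed edge types. The post states that create/modify edges are public
# and view edges are private; nothing else about real edge types is assumed.
EDGE_VISIBILITY = {
    "create": Visibility.PUBLIC,
    "modify": Visibility.PUBLIC,
    "view": Visibility.PRIVATE,
}


@dataclass(frozen=True)
class Edge:
    """Directed relationship: Actor (user) -> Object (document or user)."""
    actor: str
    obj: str
    action: str
    weight: float = 1.0

    @property
    def visibility(self) -> Visibility:
        return EDGE_VISIBILITY[self.action]


@dataclass
class Graph:
    # Hypothetical ACL table: document -> set of users allowed to read it.
    acl: dict[str, set[str]]
    edges: list[Edge] = field(default_factory=list)

    def record(self, actor: str, obj: str, action: str, weight: float = 1.0) -> None:
        self.edges.append(Edge(actor, obj, action, weight))

    def can_read(self, user: str, obj: str) -> bool:
        return user in self.acl.get(obj, set())

    def discover(self, viewer: str, actor: str) -> list[tuple[str, str]]:
        """Objects `viewer` can surface by looking at `actor`'s activity.

        Both filters run here, in the 'backend', before anything is
        returned to the presentation layer:
          1. edge visibility: private edges are dropped unless the viewer
             is the actor (you can always see your own activity);
          2. security trimming: objects the viewer has no permission to
             read are dropped, whatever the edge visibility says.
        """
        results: list[tuple[str, str]] = []
        for e in self.edges:
            if e.actor != actor:
                continue
            if e.visibility is Visibility.PRIVATE and viewer != actor:
                continue
            if not self.can_read(viewer, e.obj):
                continue
            results.append((e.obj, e.action))
        return results


def build_sample_graph() -> Graph:
    """Constructed sample tenant for the post's scenarios (not real data)."""
    acl = {
        "hr/open-position.docx": {"alice", "bob", "carol"},  # readable company-wide
        "team/report.docx": {"alice", "bob"},
        "board/strategy.pptx": {"bob"},                      # C-level only
    }
    g = Graph(acl=acl)
    g.record("alice", "team/report.docx", "modify")        # public edge
    g.record("alice", "hr/open-position.docx", "view")     # private edge
    g.record("bob", "board/strategy.pptx", "modify")       # public edge, ACL-trimmed
    g.record("bob", "hr/open-position.docx", "view")       # private edge
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    # bob (manager) looks at alice's activity: the report shows, the HR view does not.
    print("bob via alice:", g.discover("bob", "alice"))
    # alice sees her own private view edge.
    print("alice via alice:", g.discover("alice", "alice"))
    # carol (subcontractor) gets nothing from bob: strategy deck is trimmed, view is private.
    print("carol via bob:", g.discover("carol", "bob"))
    # The caveat: a wrong ACL is enforced just as faithfully as a right one.
    g.acl["board/strategy.pptx"].add("carol")
    print("carol via bob after over-sharing:", g.discover("carol", "bob"))
```

The order of the two checks does not change the outcome, but keeping the ACL check last makes the point visible in the code: a public edge is a necessary condition for discovery, never a sufficient one, and the only thing that stops carol from seeing the strategy deck is the ACL, which is why the permission audit is the part that an organization still has to get right.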
Summary
The innovation of Office Graph and Delve raises several questions. One of the most important concerns is privacy: how these new tools support and respect it. The concern is reasonable, of course; nobody wants others to discover information that they are not supposed to discover.
For permission management, Office Graph uses the same mechanism as Search: everything is security trimmed at the engine level, so nothing the user lacks permission to read reaches the user interface. There is no way to work around this from the client. What trimming cannot do is correct permissions that were set too broadly, so sharing settings still need to be right.
Moreover, Office Graph distinguishes two kinds of edges: public edges allow others to discover content through them, while private edges do not. Sensitive relationships, such as merely viewing a document, cannot be discovered by other users at all.
great post, thanks!