by capguy255 1483 days ago
I've used communication compliance for various things and in short - if a communication flags on a policy set up by an admin, it generates an alert that is reviewed by an analyst. By default, the username and associated metadata are masked. The analyst can tag the communication as compliant, non-compliant, or ask a second tier analyst to review.

The analyst can also open up an investigation in the eDiscovery module, which prevents the documents from being deleted and allows attorneys or analysts to perform additional searching and tagging. The username, mailbox, and other metadata are not masked in eDiscovery, so in order to access the investigation someone would need additional permissions.

The upshot though is that even if the classifier detects a message, a human analyst would need to decide how to tag the message, and the decision for how to do so would need to be done according to a defensible policy.

To your concern about not having to look at every word/message: it's less invasive to only investigate targeted communications than to read every message, or to sample a fixed number or percentage of messages. I'm not entirely convinced that an ML approach is that much more useful than having a list of risk keywords, because there isn't an easy way to measure and tune the percentage of true positives detected, or how many false positives you need to review to find true positives.

Supervised machine learning like this is used pretty regularly during lawsuits to make the exchange of information more efficient, but when people use an algorithm to avoid reviewing documents there is typically a process to demonstrate, within a certain confidence level and margin of error, that the relevant documents have been produced. If it were used in a corporate investigation, though, you would want a higher confidence level and a lower margin of error. And to get a higher statistical degree of confidence you need to review more.

1 comments

I really don't understand how a company could distrust their employees as much as this to have a process and people in place to do all this crap. If they trust them that little, why are they even in business?

I can understand some industries might need it for some compliance thing. Law enforcement perhaps. But really, some of the things that MS are tagging are completely arbitrary. Just the way you might want to leave: this is not something that could ever be associated with any kind of governmental compliance. It is simply not wrongdoing at all, nor any indication of it.

I work closely with our insider threat team and they don't do anything preventative like this. They just investigate when allegations have been raised, and even then they are really hands-off in terms of internal comms. They have to get special permission to access that, showing proof of the allegations. They behave like the police would and get explicit permission (akin to a warrant in law enforcement).

The process you describe is more akin to what an intelligence organisation would do, with dragnet surveillance. Totally not acceptable in a business environment IMO.