Microsoft Corp.
Headquartered in the United States, Microsoft offers software, hardware, cloud storage, search, email, chat applications, and the social networking service LinkedIn. The latter has over 1 billion members, while the company’s search engine has 100 million daily users. It derives most of its revenue from its cloud-based solutions, as well as its Office Suite, Windows operating system, and advertising on its digital platforms.
Microsoft has emerged as a major player in AI, investing nearly USD 14 billion in OpenAI as of 2024 and announcing a plan to invest USD 80 billion in AI-enabled data centers in 2025. The company has also continued rolling out AI features in its consumer products. For instance, it has added generative AI search features to Bing and introduced AI-powered features for its premium users on LinkedIn, including a chatbot that provides job search assistance. In 2024, LinkedIn automatically began using members’ accounts and data for the training of its AI models without their prior consent. In January 2025, a lawsuit filed in the U.S. accused the platform of sharing users’ private messages with other companies to train AI models. Microsoft also deepened its collaboration with the Israeli government, providing the Israeli military with “large-scale access” to OpenAI’s GPT-4 model as well as access to its Azure cloud computing platform, to support its bombardment of Gaza.
As part of its effort to integrate its messaging and internet calling services, Microsoft announced that it would shut down Skype—once the most popular internet-based phone and video service in the early 2000s—for individual users starting in May 2025. As a result of this change, the 2025 Index will be the last time that Skype is included in our assessment of Microsoft. The company has said that Skype users will have the option to be moved automatically to Microsoft Teams, along with their user data.
In late 2023, Microsoft shareholders rejected a proposal by impact investment firm Arjuna Capital asking that the company share a report assessing misinformation and disinformation risks associated with generative AI and how it will “remediate those potential harms.” Earlier that same year, Microsoft notably laid off its entire AI ethics team. In 2024, the company did not respond to questions submitted by the Business and Human Rights Resource Centre about its “human rights due diligence efforts when investing in generative AI startups and companies.” However, LinkedIn and Bing began conducting systemic risk assessments, as required for very large online platforms (VLOPs) under the European Union's Digital Services Act, publishing their first reports in August 2023.[1]
Despite Microsoft ranking first, its performance largely stagnated. The company made a commitment to respecting human rights in its deployment and development of generative AI that failed to account for all other AI systems it deploys or develops. The company also continued to disclose little information about its human rights due diligence processes for the development and deployment of algorithmic systems. It did, however, explain how it uses algorithmic systems to curate, recommend, and/or rank content on Bing and LinkedIn, and disclosed options for users to control how content is recommended to them.
The 2025 RDR Index: Big Tech Edition covers policies that were active on August 1, 2024. Policies that came into effect after August 1, 2024, were not evaluated for this benchmark.
Scores reflect the average score across the services we evaluated, with each service weighted equally.
We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.
Microsoft ranked second in the governance category, behind Meta. The company disclosed a strong and explicit commitment to human rights in accordance with international frameworks, but it failed to extend that commitment to all the types of AI systems it deploys and develops (G1). It had senior leadership oversight over how company policies and practices affect freedom of expression and information, as well as privacy (G2). It also had an employee whistleblower program and training program covering human rights issues (G3). The company disclosed that it conducts robust human rights impact assessments on how government regulations affect freedom of expression and privacy on its platforms (G4a). However, it fared poorly on due diligence processes in relation to the human rights impacts of its processes for policy enforcement, targeted advertising policies and practices, and the development and deployment of algorithmic systems (G4b, c, d).
Microsoft ranked fourth in the freedom of expression category, behind Bytedance, X, and Alphabet. While its score improved by four percentage points in this category, it still lacked clarity about its advertising content and targeting policies and how it enforces them (F3b, c). Further, it stopped publishing data about the number of advertisements it restricts for violating its rules (F4c). The company revealed some information about how it handles private content removal requests, such as copyright requests for Bing and LinkedIn, but it offered no insight into this process for Skype and OneDrive (F5a). It also did not make a commitment to exercise due diligence or push back on overbroad requests received for LinkedIn.
Microsoft ranked second, behind Apple, in the privacy category. It clearly disclosed which user information it collects (P3a) and some of the information it infers (P3b) and shares (P4). However, it lacked clarity about the purposes for collecting, inferring, and sharing this information (P5) as well as its data retention policies (P6). It had clear, rights-respecting policies for handling government demands for user information (P10a). However, it failed to commit to carrying out due diligence on requests made through private processes or to push back on inappropriate or overbroad requests (P10b). The company had relatively strong disclosures about some of its security policies, disclosing that it has systems in place to limit employee access to user information and sharing that it conducts internal and third-party audits on its products and services (P13). It also explained its process for notifying data subjects of data breaches and the kinds of steps it will take to address the impact of a data breach (P15). However, while it disclosed that it encrypts the transmission of user communications by default, it did not clarify if each transmission is encrypted using unique keys (P16).
[1] The LinkedIn and Bing reports were not publicly accessible until the EU released the risk assessment reports submitted by VLOPs in November 2024. As they were published after the policy cut-off date, they were not considered in this assessment.