Microsoft in hot water over Windows 10 privacy in France

Windows 10 Privacy, it seems like a never ending story that just won't get away. France's National Data Protection Commission (CNIL) served Microsoft with a formal notice on July 20, 2016 asking the company to comply with the French Data Protection Act within three months.

The claim? Microsoft's Windows 10 operating system is used for "collecting excessive data and tracking browsing by users without their consent". Additionally, the commission wants Microsoft to "ensure the security and confidentiality of user data".

A working group analyzed Microsoft's Windows 10 operating system and privacy policy in April and June 2016 to make sure that Windows 10 complied with the French Data Protection Act.

Windows 10 Privacy issues

The working group found the following issues during its investigation:

• Irrelevant or excessive data collected: CNIL states in its report that Microsoft is collecting data during operation that is not required "for the operation of the service". Microsoft collects Windows app and Windows Store usage data for instance, and there apps installed and time spend in apps. According to CNIL, this is not required for operation of the operating system.
• Lack of Security: Windows 10 users who enable PIN protection may set a four digit PIN that is then used for authentication. This PIN provides access to the operating system including Windows Store account data. The operating system does not limit the number of attempts to enter the PIN.
• Lack of individual consent: Windows 10 enables an advertising ID by default when the operating system is installed that may be used by apps, third-parties and Microsoft to "monitor user browsing and to offer targeted advertising without obtaining users' consent".
• Lack of information and no option to block cookies: Microsoft places advertising cookies on users' "terminals" without "properly informing them of this in advance or enabling them to oppose this".
• Data still being transferred outside EU on a "safe harbor" basis: Personal data is transfered to the United States on a "safe harbor" basis, but this should not be the case since "the decision issued by the Court of Justice of the European Union on 6th October 2015".

CNIL gives Microsoft a three month period to work on the issues identified by the commission. Failure to comply might lead to sanctions against Microsoft.

Remarks

Some findings of the commission are puzzling or require explanation. The commission states that users may set up a four-digit PIN for easier access to Windows, and while technically correct, users may select a PIN with more digits as well.

While Microsoft could highlight the fact that selecting a shorter PIN code makes it easier for attackers to get in using brute force, I cannot really see the company at fault here.

The advertising ID is enabled by default, but only if users don't select the custom installation options when presented to them. One could argue that this should be opt-in and not opt-out, or that Microsoft should display the options on first launch to give users a chance to modify them, but is is quite common on the Internet and in software that things like these are opt-out.

Now You: What's your take on the commission's findings?