Has the truth finally been spilled on the free upgrades to Windows 10?
France's privacy watchdog seems to believe so. The National Data Protection Commission in France (CNIL) has given Microsoft 3 months to resolve the privacy issues in Windows 10 and become compliant with the French Data Protection Act. Microsoft has to stop harvesting "excessive" data and stop tracking users' browsing without their consent. Microsoft has been using its telemetry services, WiFi password sharing, forced updates, advertising applications, cookies and data transfers to harvest the information.
Microsoft shares your contacts, calendar details, text/touch input, location data and more with Microsoft servers.
CNIL carried out tests to see whether or not Windows 10 was compliant with the EU acts. It conducted a total of 7 tests in April and reported "many failures", including:
- Excessive Data Collection: Microsoft has been harvesting information via its telemetry services. The data harvested included the applications downloaded and installed by a user and the time spent on each application.
- Microsoft places advertising cookies on the PC without informing users or providing an option to opt out.
- The advertising ID is active upon installation without the user's consent, which allows Windows and third-party applications to monitor user browsing and use targeted advertising.
- Safe Harbour Breach: Microsoft is still transferring account holders' personal data to the US. This has been against EU data protection rules since October 2015, when the Safe Harbour agreement was ruled invalid.
- Microsoft also places no limit on the number of attempts that can be made to enter the 4-character PIN used for authentication with online services, including access to a user's Microsoft account, which lists sensitive data such as purchases and card payment details. Where is the security?
This does, however, put extra strain not just on Windows 10 but also on the Microsoft Cloud Portfolio, which must also use EU servers and, with growing uncertainty, could well be subject to the same EU Data Protection Acts that Windows is. Microsoft did comment on this back in October 2015, when they informed us: “We wanted to make sure all of our enterprise cloud customers receive this benefit so, beginning last year, we included compliance with the EU Model Clauses as a standard part of the contracts for our major enterprise cloud services with every customer. Microsoft cloud customers don’t need to do anything else to be covered in this way”. Reuters was given a statement by Microsoft vice president and deputy general counsel David Heiner, who said that the company will work with CNIL to develop “solutions that it will find acceptable.”
Microsoft, however, isn’t the first US tech company to be told to get its act together. In June 2015, CNIL ordered Google to scrub search results globally for right-to-be-forgotten requests. It also gave Facebook 3 months to stop tracking non-users in France.