French Data Protection Authority Accuses Microsoft Of 'Excessive Data Collection' In Windows 10

Windows 10 has been quite a controversial operating system for Microsoft, and unlike the situation with Windows 8, it hasn’t been because of an interface design choice. This time, the issue stems from Windows 10’s broader privacy policy, the collection of all sorts of user behavior data by default, and the company’s more aggressive upgrade tactics.

The Commission Nationale de l'informatique et des Libertés (CNIL), which is the French Data Protection Authority, served a formal notice to Microsoft because of what it believes are multiple violations of French and EU privacy laws by the company’s Windows 10 operating system.

Excessive Data Collection

The biggest violation, according to the agency, is that Microsoft collects excessive amounts of telemetry data about Windows Store usage, such as all the apps downloaded and installed on the system, as well as how much time the user spends using each one of them. The agency believes this sort of collection is “not necessary for the operation of the service.”

Weak (PIN) Security

The CNIL also accuses Microsoft of weak PIN security, because Windows uses the PIN to protect confidential data, including data related to payments made through the Microsoft account.

When Microsoft announced the Windows Hello authentication protocol and other Windows 10 security features, it was strange to see that one of the authentication methods was a four-digit PIN with no limit on how many attempts could be made before the device temporarily blocked access.

Microsoft’s security experts should know that a four-digit PIN can easily be brute-forced (at most 10,000 attempts are needed, which could take only minutes on fast hardware), so it’s unclear why the company hasn’t added any protection against brute-force attempts.

iOS recently moved to six-digit PINs and imposes ever-longer delays between successive PIN attempts, and users can even enable the phone to erase itself after ten failed attempts. Android has similar protections for PIN authentication.
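As an added illustration of the protections the article credits to iOS and Android (this is example code written for this page, not Microsoft's, Apple's or Google's implementation), the following Python sketches a PIN verifier that counts consecutive failures, imposes escalating lockout delays, and erases the protected data on the tenth failure. The delay schedule in `LOCKOUT_DELAYS`, the `ERASE_AFTER` threshold and the PBKDF2 round count are hypothetical values chosen for the example. `audit_lockout_policy` walks the full four-digit keyspace against the guard on a virtual clock, so it shows how many of the 10,000 candidates the policy actually lets an online guesser evaluate, and how long the lockouts stretch that out.

```python
import hashlib
import hmac
import os

# Hypothetical lockout schedule (not any vendor's real values): after the n-th
# consecutive failure the verifier refuses to evaluate attempts for this many seconds.
LOCKOUT_DELAYS = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
ERASE_AFTER = 10        # wipe the protected data on the 10th consecutive failure
PBKDF2_ROUNDS = 50_000  # slows offline guessing if the stored digest ever leaks


class FakeClock:
    """Virtual clock so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PinGuard:
    """PIN verifier with escalating lockout and erase-after-N (constructed example)."""

    def __init__(self, pin, clock):
        self.clock = clock              # callable returning the current time in seconds
        self.salt = os.urandom(16)
        self.digest = self._derive(pin)
        self.failures = 0               # consecutive failed attempts
        self.unlock_at = 0.0            # attempts before this time are refused unevaluated
        self.erased = False

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def verify(self, attempt):
        """Return 'ok', 'denied', 'locked' or 'erased'. A 'locked' attempt is never evaluated."""
        if self.erased:
            return "erased"
        if self.clock() < self.unlock_at:
            return "locked"
        if hmac.compare_digest(self._derive(attempt), self.digest):
            self.failures = 0           # a success resets the failure counter
            return "ok"
        self.failures += 1
        if self.failures >= ERASE_AFTER:
            self.erased = True
            self.digest = None          # stand-in for wiping the protected data
            return "erased"
        delay = LOCKOUT_DELAYS.get(self.failures, 0)
        if delay:
            self.unlock_at = self.clock() + delay
        return "denied"

    def seconds_until_unlock(self):
        return max(0.0, self.unlock_at - self.clock())


def audit_lockout_policy(pin, digits=4):
    """Walk the whole keyspace against the guard, honouring every lockout, and report
    how many guesses were actually evaluated and how much virtual time that took."""
    clock = FakeClock()
    guard = PinGuard(pin, clock)
    evaluated = 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        result = guard.verify(guess)
        if result == "locked":
            clock.advance(guard.seconds_until_unlock())  # wait out the lockout
            result = guard.verify(guess)
        evaluated += 1
        if result in ("ok", "erased"):
            break
    return {"keyspace": 10 ** digits, "evaluated": evaluated,
            "virtual_seconds": clock.now, "erased": guard.erased}


if __name__ == "__main__":
    # With the schedule above, only 10 of the 10,000 candidates are ever evaluated,
    # and reaching the 10th takes 8,460 virtual seconds before the data is erased.
    print(audit_lockout_policy("2048"))
```

Without the lockout and erase logic the same loop would evaluate all 10,000 candidates as fast as the PBKDF2 step allows; the point of the example is that the attempt limit, not the PIN length, is what turns a four-digit secret from a minutes-long brute-force into a ten-guess lottery. Note that `verify` refuses a correct PIN while a lockout is active, which is the intended behaviour: the delay must apply before the candidate is checked, or it gives no protection.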

EU data protection laws usually require consent to be explicit rather than implicit. The CNIL accuses Microsoft of enabling an advertising ID by default, which tracks browsing behavior for targeted advertising without specific permission from users.

No Option To Block Cookies

The agency also complained that Microsoft doesn’t alert users when it sends them cookies, and it also doesn’t give them the option to block those cookies.

The EU “cookie law” has been controversial, mainly because most sites keep serving those cookies regardless, and users simply have to accept them if they want to use the site. This problem arises from a combination of a lack of enforcement on the EU’s part against companies that violate the law, which leaves those companies under no pressure to change their behavior, and the possibility that the EU has not defined the law itself in a way that makes sense for today’s internet.

Data Transfers On “Safe Harbor” Basis

The Court of Justice of the European Union (CJEU) invalidated the Safe Harbor agreement between the EU and the U.S. in October last year. Since then, it has been essentially illegal to transfer data to the U.S. under the Safe Harbor agreement. In practice, many companies have continued to do so, mainly because the European Commission promised to draft and implement an alternative as quickly as possible.

The CNIL is giving Microsoft three months to comply with all of its demands, or the company could face sanctions. If Microsoft complies, which in this case could mean transferring the data under the new Privacy Shield agreement instead, the EU would not sanction it over the issue.

"The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights," said CNIL, the French Data Protection authority, in an official announcement. "It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory). For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public. Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company," added the agency.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Puiucs
    "all the apps downloaded and installed on the system, as well as how much time the user spends using each one of them"
    i'm sorry, but who the hell thinks this is a problem? this is one of the most idiotic things to complain about that i've seen in many years.
  • junkeymonkey
    ''BRUSSELS (Reuters) - The French data protection authority on Wednesday ordered Microsoft Corp to stop collecting excessive data on users of its Windows 10 operating system and serving them personalized ads without their consent.''

    so in France when they install 10 there was no 'I AGREE' to all the terms to proceed to finish the install of the OS ??

    anyone who can read and comprehend knows better than to install 10 to start with - face it, their OSes are not getting any better and it's all about them, you're out . just Microsoft's tactics to con/ trick/ lure/ strong-arm etc.... you into the 10 trap should tell you beware right off the bat. mainly this was Microsoft and free just did not add up to start with .

    but look at the bright side you got DX12, DX12 omg you got DX12 ,yup you got it all right ..

    at least it seems their government is looking out for their folks' personal well-being and privacy. who's looking out for you here in the U.S.? God bless America ...
  • therealduckofdeath
    True. Steam shares that information right out to the internet to anyone who knows or can guess your Steam user ID.
    I can agree that it's imperative that a person shouldn't easily be connected to an account by software devs. If that's the case in the Windows Store, that's a reason to shut it down immediately. But, how many times and how often you use apps with your account is something every app store shares.
  • clonazepam
    I fully support the French/EU developing an operating system that suits their needs.
  • anbello262
    I really don't believe it's such a big deal. And to the one calling it 'win10 trap', that's right off exaggerating, for me.
    After all, you most likely use google (or sites that use their ads), so all your internet habits are already well known by companies. Most people have Facebook, and that provides a lot more info than any win10 cookie. And, most likely, win7/8 do their fair share of data collection too.
    I seriously doubt you use a secure OS and do all your browsing through Tor, so thinking that 'your privacy is safe' just because you avoid win10 is quite naive in my opinion.

    And, again, in my own personal opinion, I really don't see the issue with corporations gathering my data. They won't do anything with it that will affect me. Some stranger that I'll never meet in my life knows about my computer habits? So what?
  • jossrik
    You can turn most if not all of that stuff off anyhow, not necessarily saying M$ is making that easy or well known, but there you have it, and, as has been said, companies have been collecting user data for years, even before PCs got big there were the Nielsen ratings and such to collect data. The thing I don't like is people acting like it's never happened before without their strict consent. It's not like they're sending my ex my browsing habits.
    TL;DR: They're both off their rockers. French for acting like this is new, M$ for acting like it's supposed to be that way.
  • hannibal
    The problem is that Apple does the exact same thing, it knows exactly what apps I use, how much etc. Steam is another as mentioned above, Google collects a lot of information also.
    Maybe France should ban the internet...
    ... But nothing wrong in that customers should be protected, but I really hope that then the whole ICT industry would be accused because they all use the same data collecting methods. Now it seems more like some companies have to follow the rules and some don't have to. And that is not right when we talk about companies that compete with each other. They all should follow the same rules!
  • mitch074
    The notice isn't about the fact that Win10 collects that data, but that it's collected without user information or consent, and on top of that safeguarded with a protection which can be broken in seconds.
  • shrapnel_indie
    18309041 said:
    I really don't believe it's such a big deal. And to the one calling it 'win10 trap', that's right off exaggerating, for me.
    After all, you most likely use google (or sites that use their ads), so all your internet habits are already well known by companies. Most people have Facebook, and that provides a lot more info than any win10 cookie. And, most likely, win7/8 do their fair share of data collection too.
    I seriously doubt you use a secure OS and do all your browsing through Tor, so thinking that 'your privacy is safe' just because you avoid win10 is quite naive in my opinion.

    And, again, in my own personal opinion, I really don't see the issue with corporations gathering my data. They won't do anything with it that will affect me. Some stranger that I'll never meet in my life knows about my computer habits? So what?

    Problem is, you got the U.S. Guv mandating (at their will and request) they get all info on record of individuals, followed up with a "oh, yeah. You can't tell anyone that we wanted the info and data on file on account 'xxxxxxxxxx'" (Thankfully, at least according to Google, they only comply if the request isn't too broad and/or encompassing.) Why should this matter? What if the Govt that makes the request uses it to profile who to watch, as if they were (regardless of whether they are or are not) enemies of the state. The determination may be based on a simple statement of "I don't like so-and-so" which may have no bearing on your disposition toward the gov't they work in.
  • junkeymonkey
    I guess let's face it, like for me the only reason I use Windows today is just for the ease of gaming. Linux does all the rest just as good or better for a lot less money and it's not under attack as Windows always seems to be from hackers or malware. outside of gaming who needs Windows anyway ?? as far as I see it that's all they got going for them anymore, that's about it

    how many of you chose Windows because of IE11 or that great Edge ?? it's just because you can load and go games due to Microsoft's stranglehold on developers with their DirectX or any of the Windows proprietary code , that's it .