The Commission Nationale de l'informatique et des Libertés (CNIL), which is the French Data Protection Authority, served a formal notice to Microsoft because of what it believes are multiple violations of French and EU privacy laws by the company’s Windows 10 operating system.
Excessive Data Collection
The biggest violation, according to the agency, is that Microsoft collects excessive amounts of telemetry data about Windows Store usage, such as all the apps downloaded and installed on the system, as well as how much time the user spends using each one of them. The agency believes this sort of collection is “not necessary for the operation of the service.”
Weak (PIN) Security
The CNIL also accuses Microsoft of weak PIN security, because Windows uses the PIN to protect confidential data, including data related to payments made through the Microsoft account.
When Microsoft announced the Windows Hello authentication protocol, along with other Windows 10 security features, it was strange to see that one of the authentication methods was a four-digit PIN with no limit on how many attempts a user could make before the device temporarily blocked access.
Microsoft’s security experts should know that a four-digit PIN can be easily brute-forced (at most 10,000 attempts are needed, which could take only minutes on fast hardware), so it’s unclear why the company hasn’t added any protection against brute-force attempts.
iOS recently moved to six-digit PINs, and it imposes ever-bigger delays between successive failed PIN attempts; users can even configure the phone to erase itself after ten failed attempts. Android has similar protections for PIN authentication.
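To show what the missing protection looks like in practice, here is an added example (not code from Microsoft, Apple or the CNIL) of a PIN verifier with the escalating-lockout and erase-after-ten behaviour the article describes, plus a worst-case calculation of how long walking all 10,000 PINs takes with and without that throttling. The lockout schedule is a constructed illustration, not either vendor's real policy.

```python
import hashlib
import hmac
import os

PIN_SPACE = 10_000  # four decimal digits, as discussed in the article
# Lockout in seconds after the Nth consecutive failure (last entry repeats). Constructed
# policy modelled on the "ever-bigger delays" the article describes, not a vendor's real one.
LOCKOUT_SCHEDULE = (0, 0, 0, 0, 60, 300, 900, 3600, 3600)
WIPE_AFTER = 10  # the article's "erase itself after ten failed attempts"


def lockout_after(failures: int) -> int:
    """Delay imposed after the given number of consecutive failures."""
    return LOCKOUT_SCHEDULE[min(failures, len(LOCKOUT_SCHEDULE)) - 1]


class PinVerifier:
    """Stores a salted, slow-hashed PIN and throttles guesses with escalating lockouts."""

    def __init__(self, pin: str, iterations: int = 50_000):
        self.salt, self.iterations = os.urandom(16), iterations
        self.digest = self._hash(pin)
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

    def _hash(self, pin: str) -> bytes:
        # PBKDF2 makes each guess expensive even for someone holding the stored digest.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.iterations)

    def verify(self, attempt: str, now: float) -> str:
        """Return 'ok', 'wrong', 'locked' or 'wiped'; `now` is injected for testability."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"  # guesses during a lockout are not even evaluated
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped, self.digest = True, b""  # simulate the erase-after-ten option
            return "wiped"
        self.locked_until = now + lockout_after(self.failures)
        return "wrong"


def exhaustive_guess_seconds(per_attempt: float, throttled: bool) -> float:
    """Worst-case time to walk all 10,000 PINs, with or without the lockout schedule."""
    total = PIN_SPACE * per_attempt
    if throttled:  # up to 9,999 wrong guesses, each paying its lockout
        total += sum(lockout_after(n) for n in range(1, PIN_SPACE))
    return total
```

With 10 ms per attempt the unthrottled walk finishes in 100 seconds, while the throttled schedule stretches it past a year, and the wipe option ends it after ten guesses.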
Lack Of Individual Consent
The EU Data Protection laws usually require consent to be explicit, rather than implicit. The CNIL accuses Microsoft of enabling an advertising ID by default, which tracks browsing behavior for targeted advertising without specific permission from users.
No Option To Block Cookies
The agency also complained that Microsoft doesn’t alert users when it sends them cookies, and it also doesn’t give them the option to block those cookies.
The EU “cookie law” has been controversial, mainly because most sites keep serving those cookies regardless, and users simply have to agree to accept them if they want to use the site. This problem arises from two things: a lack of enforcement on the EU’s part against companies that violate the law, which leaves those companies under no pressure to change their behavior, and the possibility that the EU did not define the law in a way that makes sense for today’s internet.
Data Transfers On “Safe Harbor” Basis
The Court of Justice of the European Union (CJEU) invalidated the Safe Harbor agreement between the EU and the U.S. in October last year. Since then, it has been essentially illegal to transfer data to the U.S. on the basis of Safe Harbor. In practice, many companies have continued to do so, mainly because the European Commission promised to draft and implement an alternative as quickly as possible.
The CNIL is giving Microsoft three months to comply with all of its demands, or the company could face sanctions. If Microsoft complies, however, which in this case could mean transferring the data under the new Privacy Shield agreement instead, the EU would not sanction it over the issue.
"The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights," said CNIL, the French Data Protection authority, in an official announcement.
"It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).
For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.
Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company," added the agency.