The Commission Nationale de l'Informatique et des Libertés (CNIL), the French Data Protection Authority, has served a formal notice on Microsoft over what it believes are multiple violations of French and EU privacy law by the company's Windows 10 operating system.
Excessive Data Collection
The biggest violation, according to the agency, is that Microsoft collects excessive amounts of telemetry data about Windows Store usage, such as all the apps downloaded and installed on the system, as well as how much time the user spends using each one of them. The agency believes this sort of collection is “not necessary for the operation of the service.”
Weak PIN Security
The CNIL also accuses Microsoft of weak PIN security, because Windows uses the PIN to protect confidential data, including data related to payments made through the Microsoft account.
When Microsoft announced the Windows Hello authentication protocol and the other Windows 10 security features, it was strange to see that one of the authentication methods was a four-digit PIN with no limit on how many attempts could be made before the device temporarily blocked access.
Microsoft's security experts should know that a four-digit PIN can easily be brute-forced (at most 10,000 attempts are needed, which could take only minutes on fast hardware), so it's unclear why the company hasn't added any protection against brute-force attempts.
iOS recently moved to six-digit PINs, imposes ever-larger delays between successive failed attempts, and lets users enable the phone to erase itself after ten failed attempts. Android has similar protections for PIN authentication.
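The protections the article credits to iOS and Android (a throttled retry schedule and an optional erase after ten failures) are easy to model. The following Python is an added example written for this page; it is not code from Microsoft, Apple or Google, and the delay schedule, the `PinGate` class and the `time_to_exhaust` helper are constructed for illustration. It stores only a salted, stretched hash of the PIN, refuses attempts while the device is in a lockout window, and compares the worst-case wall-clock time to exhaust a four-digit PIN with and without throttling.

```python
import hashlib
import hmac
import os


def delay_for(failures):
    """Seconds the device waits after `failures` consecutive bad attempts.

    Constructed schedule (not any vendor's real one): no delay for the
    first four failures, then 1 min, 4 min, 16 min, capped at 1 hour.
    """
    if failures < 5:
        return 0
    return min(60 * 4 ** (failures - 5), 3600)


class PinGate:
    """Simulated PIN check with escalating lockouts and optional erase-after-N.

    Time is passed in by the caller (`now`, in seconds) so the behaviour
    can be exercised deterministically.
    """

    def __init__(self, pin, wipe_after=10, wipe_enabled=False):
        self.salt = os.urandom(16)
        self.digest = self._derive(pin)   # never keep the PIN itself
        self.failures = 0
        self.wipe_after = wipe_after
        self.wipe_enabled = wipe_enabled
        self.wiped = False
        self.locked_until = 0             # simulated clock, seconds

    def _derive(self, pin):
        # Salted, iterated hash so a leaked store is not a 10,000-entry lookup.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 50_000)

    def attempt(self, pin, now):
        """Returns one of "ok", "wrong", "locked", "wiped"."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"               # throttled; does not count as a failure
        if hmac.compare_digest(self._derive(pin), self.digest):
            self.failures = 0             # success resets the counter
            return "ok"
        self.failures += 1
        if self.wipe_enabled and self.failures >= self.wipe_after:
            self.wiped = True             # erase: the protected data is gone
            self.digest = None
            return "wiped"
        self.locked_until = now + delay_for(self.failures)
        return "wrong"


def time_to_exhaust(pin_digits, per_attempt_seconds, throttled=True):
    """Worst-case seconds to try every PIN of the given length, summing the
    lockout the schedule imposes before each attempt."""
    attempts = 10 ** pin_digits
    waiting = sum(delay_for(i) for i in range(attempts)) if throttled else 0
    return waiting + attempts * per_attempt_seconds


if __name__ == "__main__":
    gate = PinGate("1234")
    print([gate.attempt("0000", 0) for _ in range(5)])          # five failures
    print(gate.attempt("1234", 10), gate.attempt("1234", 60))   # locked, then ok
    days = time_to_exhaust(4, 0) / 86_400
    print(f"4-digit PIN, throttled: about {days:.0f} days of lockout time")
    print(f"4-digit PIN, unthrottled at 1 s/attempt: {time_to_exhaust(4, 1, False)} s")
```

The point the numbers make is the one the article makes: the PIN space is the same 10,000 values either way, so the only thing standing between "minutes" and "more than a year" is whether the verifier counts failures and slows down.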
Lack Of Individual Consent
The EU Data Protection laws usually require consent to be explicit, rather than implicit. The CNIL accuses Microsoft of enabling an advertising ID by default, which tracks browsing behavior for targeted advertising without specific permission from users.
No Option To Block Cookies
The agency also complained that Microsoft doesn’t alert users when it sends them cookies, and it also doesn’t give them the option to block those cookies.
The EU "cookie law" has been controversial, mainly because most sites keep serving those cookies regardless and users simply have to accept them if they want to use the site. The problem stems from a combination of weak enforcement on the EU's part against companies that violate the law, which leaves them under no pressure to change their behavior, and a definition of the law itself that may not make sense for today's internet.
Data Transfers On “Safe Harbor” Basis
The Court of Justice of the European Union (CJEU) invalidated the Safe Harbor agreement between the EU and the U.S. in October last year. Since then, transferring data to the U.S. under Safe Harbor has been essentially illegal. In practice, many companies have continued to do so, mainly because the European Commission promised to draft and implement an alternative as quickly as possible.
The CNIL is giving Microsoft three months to comply with all of its demands, or the company could face sanctions. If Microsoft complies, which in this case could mean transferring the data under the new Privacy Shield agreement, the EU would not sanction it over the issue.
"The purpose of the notice is not to prohibit any advertising on the company's services but, rather, to enable users to make their choice freely, having been properly informed of their rights," said CNIL, the French Data Protection authority, in an official announcement.
"It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory). For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public. Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL's restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company," added the agency.
I'm sorry, but who the hell thinks this is a problem? This is one of the most idiotic things to complain about that I've seen in many years.
So in France, when they install 10, there was no 'I AGREE' to all the terms to proceed to finish the install of the OS??
Anyone who can read and comprehend knows better than to install 10 to start with. Face it, their OSs are not getting any better and it's all about them, you're out. Just Microsoft's tactics to con/trick/lure/strong-arm etc.... you into the 10 trap should tell you "beware" right off the bat. Mainly, this was Microsoft and "free" just did not add up to start with.
But look at the bright side, you got DX12. DX12, OMG you got DX12, yup you got it all right ..
At least it seems their government is looking out for their folks' personal well-being and privacy. Who's looking out for you here in the U.S.? God bless America ...
I can agree that it's imperative that a person shouldn't easily be connected to an account by software devs. If that's the case in the Windows Store, that's a reason to shut it down immediately. But, how many times and how often you use apps with your account is something every app store shares.
After all, you most likely use google (or sites that use their ads), so all your internet habits are already well known by companies. Most people have Facebook, and that provides a lot more info than any win10 cookie. And, most likely, win7/8 do their fair share of data collection too.
I seriously doubt you use a secure OS and do all your browsing through Tor, so thinking that 'your privacy is safe' just because you avoid win10 is quite naive in my opinion.
And, again, in my own personal opinion, I really don't see the issue with corporations gathering my data. They won't do anything with it that will affect me. Some stranger that I'll never meet in my life knows about my computer habits? So what?
TL;DR: They're both off their rockers. French for acting like this is new, M$ for acting like it's supposed to be that way.
Maybe France should ban the internet...
... But there's nothing wrong in that customers should be protected, but I really hope that then the whole ICT industry would be accused, because they all use the same data collecting methods. Now it seems more like some companies have to follow the rules and some don't have to. And that is not right when we talk about companies that compete with each other. They all should follow the same rules!
Problem is, you've got the U.S. Guv mandating (at their will and request) that they get all info on record of individuals, followed up with a "Oh, yeah. You can't tell anyone that we wanted the info and data on file on account 'xxxxxxxxxx'" (Thankfully, at least according to Google, they only comply if the request isn't too broad and/or encompassing.) Why should this matter? What if the Govt that makes the request uses it to profile who to watch, as if they were (regardless of whether they are or are not) enemies of the state? The determination may be based on a simple statement of "I don't like so-and-so" which may have no bearing on your disposition toward the gov't they work in.
How many of you chose Windows because of IE11 or that great Edge?? It's just because you can load and go games due to Microsoft's stranglehold on developers with their DirectX or any of the Windows proprietary code, that's it.