French Data Protection Authority Accuses Microsoft Of 'Excessive Data Collection' In Windows 10

Windows 10 has been quite a controversial operating system for Microsoft, and unlike the situation with Windows 8, it hasn’t been because of an interface design choice. This time, the issue stems from Windows 10’s broader privacy policy, the collection of all sorts of user behavior data by default, and the company’s more aggressive upgrade tactics.

The Commission Nationale de l'Informatique et des Libertés (CNIL), the French Data Protection Authority, served a formal notice to Microsoft over what it believes are multiple violations of French and EU privacy law by the company’s Windows 10 operating system.

Excessive Data Collection

The biggest violation, according to the agency, is that Microsoft collects excessive amounts of telemetry data about Windows Store usage, such as all the apps downloaded and installed on the system, as well as how much time the user spends using each one of them. The agency believes this sort of collection is “not necessary for the operation of the service.”

Weak (PIN) Security

The CNIL also accuses Microsoft of weak PIN security: Windows uses the PIN to protect confidential data, including data related to payments made through the Microsoft account.

When Microsoft announced the Windows Hello authentication protocol and other Windows 10 security features, it was strange to see that one of the authentication methods was a four-digit PIN with no limit on how many attempts could be made before the device temporarily blocked access.

Microsoft’s security experts should know that a four-digit PIN can easily be brute-forced (at most 10,000 attempts are needed, which could take only minutes on fast hardware), so it’s unclear why the company hasn’t added any protection against brute-force attempts.

iOS recently moved to six-digit PINs, imposes ever-longer delays between successive failed PIN attempts, and lets users enable the phone to erase itself after ten failed attempts. Android has similar protections for PIN authentication.
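As an added illustration (not code from the article, Microsoft or CNIL), here is a PIN verifier that applies the two protections the article credits to iOS: escalating delays after repeated failures and erasure of the protected data after ten. The lockout schedule and the wrong guess fed in by the simulation are constructed values; the simulation shows that such a policy caps the number of guesses that ever get evaluated at ten, regardless of the 10,000-value PIN space.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed lockout schedule modelled on the iOS behaviour described above: after
# the Nth consecutive failure the next guess is refused for this many seconds (hypothetical values).
LOCKOUT_SECONDS = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
WIPE_AFTER = 10  # erase protected data after this many consecutive failures

class PinVerifier:
    """Four-digit PIN check with escalating delays and erase-after-N failures."""
    def __init__(self, pin: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)
        self.digest = self._hash(pin)
        self.failures = 0
        self.locked_until = 0.0
        self.wiped = False

    def _hash(self, pin: str) -> bytes:
        # Slow salted hash: a stolen digest still has to be searched one guess at a time.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def attempt(self, pin: str, now: float) -> str:
        """Return 'ok', 'wrong', 'locked' (refused, not evaluated) or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(self._hash(pin), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True
            self.digest = b""  # the protected data would be destroyed here
            return "wiped"
        self.locked_until = now + LOCKOUT_SECONDS.get(self.failures, 0)
        return "wrong"

def simulate_wrong_guesses(v: PinVerifier) -> Tuple[int, float]:
    """Feed a constructed wrong guess as early as allowed; return (guesses evaluated, seconds elapsed)."""
    now, evaluated = 0.0, 0
    while not v.wiped:
        if v.attempt("9999", now) == "locked":  # constructed guess; the PIN is never 9999 here
            now = v.locked_until
            continue
        evaluated += 1
    return evaluated, now
```

With this schedule the tenth evaluated guess triggers the wipe after 8,460 seconds of enforced waiting, compared with 10,000 back-to-back guesses when no limit exists.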

Lack Of Individual Consent

The EU Data Protection laws usually require consent to be explicit, rather than implicit. The CNIL accuses Microsoft of enabling an advertising ID by default, which tracks browsing behavior for targeted advertising without specific permission from users.

No Option To Block Cookies

The agency also complained that Microsoft doesn’t alert users when it sends them cookies, and it also doesn’t give them the option to block those cookies.

The EU “cookie law” has been controversial, mainly because most sites keep serving those cookies regardless, and users simply have to accept them if they want to use the site. The problem arises from a combination of two things: a lack of enforcement on the EU’s part against companies that violate the law, which leaves those companies under no pressure to change their behavior, and a definition of the law that may not make sense for today’s internet.

Data Transfers On “Safe Harbor” Basis

The Court of Justice of the European Union (CJEU) invalidated the Safe Harbor agreement between the EU and the U.S. in October last year. Since then, it has been essentially illegal to transfer data to the U.S. under the Safe Harbor agreement. In practice, many companies have continued to do so, mainly because the European Commission promised to draft and implement an alternative as quickly as possible.

The CNIL is giving Microsoft three months to comply with all of its demands, or the company could face sanctions. If Microsoft complies, which in this case could mean transferring the data under the new Privacy Shield agreement instead, the EU would not sanction it over the issue.

"The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights," said CNIL, the French Data Protection authority, in an official announcement.

"It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).

For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.

Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company," added the agency.

  • Puiucs
    "all the apps downloaded and installed on the system, as well as how much time the user spends using each one of them"
    I'm sorry, but who the hell thinks this is a problem? This is one of the most idiotic things to complain about that I've seen in many years.
  • junkeymonkey
    "BRUSSELS (Reuters) - The French data protection authority on Wednesday ordered Microsoft Corp to stop collecting excessive data on users of its Windows 10 operating system and serving them personalized ads without their consent."

    So in France, when they install 10, there was no "I AGREE" to all the terms to proceed to finish the install of the OS??

    Anyone who can read and comprehend knows better than to install 10 to start with. Face it, their OSs are not getting any better and it's all about them, you're out. Just Microsoft's tactics to con/trick/lure/strong-arm etc. you into the 10 trap should tell you to beware right off the bat; mainly, this was Microsoft and "free" just did not add up to start with.

    But look at the bright side, you got DX12. DX12, OMG, you got DX12, yup, you got it all right...

    At least it seems their government is looking out for their folks' personal well-being and privacy [??]. Who's looking out for you here in the U.S.? God bless America...
  • therealduckofdeath
    True. Steam shares that information right out to the internet to anyone who knows or can guess your Steam user ID.
    I can agree that it's imperative that a person shouldn't easily be connected to an account by software devs. If that's the case in the Windows Store, that's a reason to shut it down immediately. But how many times and how often you use apps with your account is something every app store shares.