French Agency Cites Windows 10 Privacy Concerns
An agency in France wants Windows 10 to conform with the country's data privacy laws.
Microsoft now has three months to get it done, according to an announcement on Wednesday by the Commission Nationale de l'Informatique et des Libertés (CNIL), France's data protection commission. If Microsoft fails to comply, sanctions could be imposed on the company.
CNIL tested the Home and Pro editions of Windows 10 and received explanations in late May from Microsoft about certain software behaviors. However, it seems Microsoft's explanations weren't wholly satisfactory. CNIL listed the following objections:
- Windows 10's telemetry collects information that isn't necessary for the service, such as the information on the applications installed on a machine and the time spent using them
- Microsoft ties a personal identification number (PIN) to its Microsoft account, but PIN entry attempts aren't limited, which is insecure
- An "advertising ID" gets installed with Windows 10, which lets applications made by Microsoft or other software companies "monitor user browsing" and target users with ads, without consent
- Advertising cookies are placed on machines without consent
- Data get transferred to the United States following Safe Harbor rules, but that process is obsolete
On that last point, the European Commission approved a new "Privacy Shield" legal approach covering data transfers between European Union countries and the United States. Microsoft issued an early statement backing the Privacy Shield, which got European Commission approval on July 12.
Implementation of the Privacy Shield by Microsoft will be coming, according to a statement from David Heiner, vice president and deputy general counsel at Microsoft. "Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield," Heiner said, according to this Betanews story.
Heiner also claimed that Microsoft "built strong privacy protections in Windows 10."
The Privacy Shield basically just gives EU citizens the ability to sue in U.S. courts if they become aware of privacy abuses. However, U.S. authorities typically impose gag rules when they request data from service providers, making legal action difficult. The Electronic Privacy Information Center, a privacy and civil liberties advocacy group, recently described the Privacy Shield legal protections as "flawed" since concerns that arose during the committee process got ignored in the final draft.
Microsoft clearly loosened privacy with Windows 10, which is modeled after mobile operating systems that constantly deliver data to improve and support various services. For instance, privacy-conscious Windows 10 users have to go through various settings controls to turn off the default features that might be somewhat iffy in terms of privacy. That's different from the default experience seen with Windows 7.
One basic problem is that the right to privacy is still a U.S. Supreme Court debate issue that's further undercut by nontransparent U.S. legal procedures. In addition, companies profit from harvesting customer information, which is easily done through software and is either called "marketing" or "telemetry" and disclosed to users through multiple, complex end user legal agreements, with little opt-out ability. It's possible that European agency pressures could change that dynamic somewhat, if corporate profits should be at stake.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.