Data protection laws in action, Microsoft breaches law with Windows 10
In a couple of months the world will have to deal with the European GDPR law. Many companies have not even started working to comply with that new law. I even heard stories of companies wondering if they could move data outside Europe to evade the law. Besides this law, there are several other laws in different countries to comply with. The Dutch Data Protection (DPA) law, controlled by the Dutch Data Protection Agency, is one of those laws. They supervise the way personal data is handled by providers and will act if needed.
In May of this year they filed a complaint about how Facebook informed users about the way it handles personal data. Facebook changed its ways and the case is under investigation right now. Read about it right here – Facebook, breaking data protection law
Microsoft Windows 10 telemetry
Today we learned that they did a thorough investigation of Microsoft Windows 10. The investigation is about how Microsoft collects data with its telemetry service. If you look at Microsoft's telemetry services, you will see that Microsoft offers two levels of telemetry:
- Enhanced (dropped after April 2017 with the Creators Update)
The Basic level, one you need to select yourself, will collect data for:
- Keeping Windows up-to-date;
- Keeping Windows secure, reliable and performant;
- Improving Windows (by means of aggregated analysis);
- Showing personalised recommendations and advertisements within Windows and Edge (dropped with the Creators Update).
Two other options exist, but a user needs to opt out of these:
- Showing personalised advertisements in Windows and Edge, including for all apps for sale in the Windows Store, and;
- Showing personalised advertisements in apps, with the help of the Advertising ID.
You might think that these are easy to understand: they want to make Windows better, more secure and more reliable. But you are wrong here. If we look at the law, it clearly states:
“Based on Article 7 of the Dutch data protection act (hereinafter: Wbp) a company may only process personal data for specified, explicit and legitimate purposes.”
Microsoft does not explicitly describe the personal data it harvests and for what purpose. Stating that you harvest data to keep Windows more secure is not enough, and there is no word on what they need in order to improve Windows. Microsoft failed to state what data it needs to process for what it wants to achieve, and did not inform users of what was being collected. The Dutch Data Protection Agency therefore concluded that they breached the law.
With the Creators Update Microsoft changed some settings and introduced categories of data it collects. They still, however, fail to detail to users what kind of data they harvest and for what purpose. The categories just give some general information, and that is far from acceptable.
One other issue the DPA has is that engineers at Microsoft can at will ask for more data to be collected without notifying users. They create a picture of the user environment and send it to themselves. They do this every day, without clarifying what data they collect and why they need it. The DPA states in their report that the use of telemetry by Microsoft is not legitimate, as the descriptions are not explicit and specific enough.
Update breaks your choice
One thing I noted already on a different level is also happening with data protection. Microsoft promised never to release a new version of Windows 10. Keeping that promise brought us something interesting. Windows 10 is keeping its version but is a fresh install with every build update. So Windows 10 1607 and Windows 10 1703 are different versions, although they have the same version number (10).
Why do I write that it is a different version? It is because all settings you make, telemetry- or security-wise, are reset with the upgrade. If it were merely an upgrade these settings would be saved, but with the upgrade they seem to just deploy a new Windows 10 version with default settings.
The DPA found that if users set the telemetry to Basic in the Anniversary edition and upgraded to the Creators edition, it was reset to Full. I’ve seen this also with event viewer settings and file type associations. Microsoft does not like users to change settings in Windows 10, it seems. The fact that the opt-out choice of users is not respected is a very heavy breach of the law. With the new GDPR law coming up this will be even more in the picture; Microsoft has some work to do.
If you are interested in the whole report about this you need to click right here – PDF