France’s privacy watchdog has declared that Windows 10 is gobbling up too much data and snooping on users’ browsing without their consent.
The National Data Protection Commission (CNIL) has given Microsoft 3 months to get its act together and to get compliant with the French Data Protection Act.
That means that Microsoft has to stop collecting “excessive data” and tracking browsing by users without their consent. CNIL Director Isabelle Falque-Pierrotin is also demanding that Microsoft “take satisfactory measures to ensure the security and confidentiality of user data.”
The CNIL sent Microsoft a formal notice on 30 June.
The commission didn’t make that letter public until Wednesday.
The CNIL has been concerned about Windows 10 since Microsoft released it a year ago.
The new operating system’s release sparked a storm of controversy over privacy: concerns have arisen over the Wi-Fi password sharing feature, Microsoft’s plans to keep people from running counterfeit software, the inability to opt out of security updates, weekly dossiers sent to parents on their kids’ online activity, and the fact that Windows 10 by default shares a lot of your personal information – contacts, calendar details, text and touch input, location data, and more – with Microsoft’s servers.
Amid the past year’s furor, the CNIL carried out its own tests of the operating system to see what was really going on and whether Windows 10 was compliant with the Act.
Those tests revealed “many failures,” the CNIL said, including…
- Irrelevant or excessive data collected: Microsoft is collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. But that also includes what the CNIL calls extraneous data, including data on all the apps downloaded and installed on the system by a user and the time spent on each one: data that’s not necessary for operation of the service.
- Lack of security: Microsoft doesn’t limit the number of attempts that can be made to enter a 4-character PIN for authentication with online services, including to access a user’s Microsoft account, which lists sensitive data such as store purchases and payment details.
- Lack of individual consent: An advertising ID is activated by default on installation, without users’ consent, enabling Windows apps and other parties’ apps to monitor user browsing and to target advertising at users.
- Lack of information and no option to block cookies: Microsoft’s sticking advertising cookies on users’ terminals without properly informing them in advance or enabling them to opt out.
- Data still being transferred outside EU on a “safe harbour” basis: Microsoft’s transferring account holders’ personal data to the US on a “safe harbor” basis, in spite of the Safe Harbor agreement having been ruled invalid by the top EU court in October 2015.
Read more at Sophos....