On July 20, 2016, the French data protection agency (CNIL) sent Microsoft a formal notice about alleged excesses in personal data collection and user tracking by the Windows 10 operating system.
Considering the seriousness of the deficiencies and the number of people affected (more than ten million users of Windows 10 in France), the CNIL sent a formal notice to the company highlighting five main data protection issues with the operating system:
- The system collects data which is irrelevant or excessive. For example, Windows 10 collects information on all apps downloaded and installed on the system by a user and the time spent on each of them. According to the CNIL, this data is unnecessary for the operation of the service;
- The system has security flaws. A four-digit PIN gives access to all online services, including the list of purchases made and the means of payment used. The number of attempts to enter the PIN is not limited, endangering user security and confidentiality;
- The system does not ask for user consent before enabling an advertising ID when installing Windows 10. The advertising ID allows Windows applications and third-party applications to track user navigation and to offer users targeted advertisements without obtaining prior consent;
- The system does not inform users about cookies. Windows 10 places advertising cookies on users’ devices without providing proper information or a right to opt out of them; and
- The system relies on the Safe Harbor framework, which is no longer valid, to transfer data to the United States.
Microsoft has been given 3 months to address CNIL’s concerns. The company responded, saying it is happy to work with the CNIL towards an acceptable solution. Here is the full text of the statement from David Heiner, vice president and deputy general counsel at Microsoft.
CNIL’s formal notice is available at https://www.cnil.fr…
Originally published on Technethics in August 2016