France Orders Microsoft to "stop collecting excessive data" in Windows 10 - Microsoft has 3 Months to Comply

[LAwLz]

 

According to France's National Data Protection Commission (CNIL), Microsoft does not comply with the French Data Protection Act and has been given 3 months to make the necessary chances to comply. French authorities has done several investigations and found that Microsoft is failing on a number of different privacy-related aspects.

 

In the investigation, Windows 10 was found to collect irrelevant or excessive data, lacking security, users were included in the data collection without their consent, lack of information and no option to block cookies and also transferring personal data back to the US on a "safe harbour" basis (an agreement which is not valid since October 2015).

 

Source: CNIL

 

Full statement:

Spoiler

Following the launch of the new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties to the possibility that Microsoft Corporation was collecting excessive personal data. Meanwhile, a Contact group was created within the G29 (working party including national data protection agencies in Europe) to examine the issue and conduct investigations in the various member states concerned. It is within this context that the CNIL carried out seven on-line observations in April and June 2016 and questioned Microsoft Corporation on certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act.

 

This has revealed many failures :

 

Irrelevant or excessive data collected: 

The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.

 

A lack of security:

The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.

 

Lack of individual consent:

An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.

 

Lack of information and no option to block cookies:

The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.

 

Data still being transferred outside EU on a “safe harbour” basis:

The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.

 

Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months. This proceedings only commits French Data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.

 

The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.

 

It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).

For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.

 

Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.

 

 

 

Microsoft has responded that they will work with the CNIL to solve these issues. As noted by BetaNews, Microsoft does not actually deny any of the accusations.

 

Here is Microsoft's full statement:

Spoiler

Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l'Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.

 

We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable.

 

The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both side of the Atlantic that led to last week's adoption of the Privacy Shield.

 

As the European Commission observed, Microsoft's January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.

 

Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.

 

Source: BetaNews

 

 

 

 

I am very pleased to hear this. Back when it was first discovered that Windows 10 collected a big amount of information about the user a lot of people said things along the lines of:

Quote

If it is as bad as you say then you can bet your arse we will hear about it, especially from defense force and other governments around the world who will just not use it.

As it turns out, we didn't hear about it back then because the investigation was still work in progress. It is now done and the French government is not happy about how Microsoft is acting.

 

Hopefully this will lead to a positive change for users. A chance which gives users more information and control over how and what personal information Microsoft collects.

[manikyath]

it is impressive that the same country that made microsoft store passwords plaintext back in the 90s, is now actually requesting something sensible.

 

anyone want to take a bet on how much of this rage france is having is because it's encrypted?

[suicidalfranco]

it's just telemetry man 

we just want to know how many times you open the groove app man

it's anonymous man

why you care man, google does it too man

 

ayyyyyy lmao

 

never be so excited to wait and see how the LTT Microsoft Defence Force will answer to this

[zMeul]

I'm just hoping this becomes EU policy and it's not just limited to France

[M4st4M1nd]

I'm so glad somebody finally spoke out about this. The data collection must come to an end.

[ThinkWithPortals]

Good on France.

[You_are_a_cunt]

2 minutes ago, zMeul said:

I'm just hoping this becomes EU policy and it's not just limited to France

Unless they region-lock this, it would be redundant to have a "France only" version, imo.

Don't expect our government to give a rat's ass though (they're too busy robbing us)

[AlTech]

24 minutes ago, LAwLz said:

According to France's National Data Protection Commission (CNIL), Microsoft does not comply with the French Data Protection Act and has been given 3 months to make the necessary chances to comply. French authorities has done several investigations and found that Microsoft is failing on a number of different privacy-related aspects.

 

In the investigation, Windows 10 was found to collect irrelevant or excessive data, lacking security, users were included in the data collection without their consent, lack of information and no option to block cookies and also transferring personal data back to the US on a "safe harbour" basis (an agreement which is not valid since October 2015).

 

Source: CNIL

 

Full statement:

  Reveal hidden contents

Following the launch of the new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties to the possibility that Microsoft Corporation was collecting excessive personal data. Meanwhile, a Contact group was created within the G29 (working party including national data protection agencies in Europe) to examine the issue and conduct investigations in the various member states concerned. It is within this context that the CNIL carried out seven on-line observations in April and June 2016 and questioned Microsoft Corporation on certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act.

 

This has revealed many failures :

 

Irrelevant or excessive data collected: 

The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.

 

A lack of security:

The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.

 

Lack of individual consent:

An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.

 

Lack of information and no option to block cookies:

The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.

 

Data still being transferred outside EU on a “safe harbour” basis:

The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.

 

Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months. This proceedings only commits French Data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.

 

The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.

 

It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).

For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.

 

Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.

 

 

 

Microsoft has responded that they will work with the CNIL to solve these issues. As noted by BetaNews, Microsoft does not actually deny any of the accusations.

 

Here is Microsoft's full statement:

  Reveal hidden contents

Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l'Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.

 

We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable.

 

The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both side of the Atlantic that led to last week's adoption of the Privacy Shield.

 

As the European Commission observed, Microsoft's January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.

 

Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.

 

Source: BetaNews

 

 

 

 

I am very pleased to hear this. Back when it was first discovered that Windows 10 collected a big amount of information about the user a lot of people said things along the lines of:

As it turns out, we didn't hear about it back then because the investigation was still work in progress. It is now done and the French government is not happy about how Microsoft is acting.

 

Hopefully this will lead to a positive change for users. A chance which gives users more information and control over how and what personal information Microsoft collects.

The French Government are salty because of what happened in Nice.

 

So guess what? They're salty. They're not collecting excessive data. The CNIL are talking out of their asses.

 

This information collected is not at all personal. it is anonymous telemetry data. This is ridiculously stupid.

 

It is collecting exactly the information required for regular operation.

[laminutederire]

6 minutes ago, zMeul said:

I'm just hoping this becomes EU policy and it's not just limited to France

It has been around for decades in France, and still not a EU policy, so I don't have much hope in the next 5 to 10 years. That's mostly because people making those are too old to understand the importance of informatics related topics.

In France, we have strong laws and guidelines since even before computer were a thing for the masses, and we ended up fighting against lobbies because of that I guess. It all came down to two to three guys pushing laws when everyone thought it was useless,  so why not?

 

 

On the rest of the topic, haven't the CNIL already try to charge Google for such motives? 

 

Finally, the good thing is that CNIL has leverage because Microsoft depends on public research facilities in France for a few topics in security .

[Bouzoo]

Good, but sadly I'm sure that my government will do nothing about that. The only way this could apply to us is if it becomes an EU standard.

[manikyath]

10 minutes ago, zMeul said:

I'm just hoping this becomes EU policy and it's not just limited to France

the windows 98 plaintext password thing was also french law, but it at least affects the dutch windows 98SE install on my box that's never been near france.

[AlTech]

Just now, huilun02 said:

Good move. 

Hope more countriea follow.

Though they could just order their ISP's to put the entire country behind a firewall that stops all traffic to MS data collection addresses. 

 

Likr I currently do with my router

You're only hurting everybody else who uses Windows 10. So just unlock it to Microsoft's data collection or stop using it.

 

The data collection is necessary for developers and Microsoft.

[AlTech]

14 minutes ago, M4st4M1nd said:

I'm so glad somebody finally spoke out about this. The data collection must come to an end.

So let me get this straight. Next time you have a BSOD, you don't want Microsoft to find out what happened?

[laminutederire]

Just now, AluminiumTech said:

So let me get this straight. Next time you have a BSOD, you don't want Microsoft to find out what happened or not?

If it only went down to those, there wouldn't be any issues though.

[AlTech]

Just now, laminutederire said:

If it only went down to those, there wouldn't be any issues though.

No but that's similar to what they're doing.

 

They're seeing if there are any issues with apps or problems and seeing if there are any crashes.

 

This isn't at all excessive. This is basic programming telemetry 101.

[AlTech]

Just now, huilun02 said:

No. Deal with it. They had their fun with GWX prompts, now its my turn to shaft them. 

Stop using Windows 10.

[handymanshandle]

21 minutes ago, zMeul said:

I'm just hoping this becomes EU policy and it's not just limited to France

Shit, screw just being a French or EU policy, it needs to be adopted all across the board.

[handymanshandle]

1 minute ago, AluminiumTech said:

Stop using Windows 10.

Maybe I don't want to.

[laminutederire]

Just now, AluminiumTech said:

No but that's similar to what they're doing.

 

They're seeing if there are any issues with apps or problems and seeing if there are any crashes.

 

This isn't at all excessive. This is basic programming telemetry 101.

Personnally I need a bit more time than my lunch break to read exactly what's wrong, but I do trust my country's organization to not be huge jerks, and flagging freedom invasion, like Cortona based services are. The fact they're activated by default may explain why it is like spying, because a lot of people don't know it and don't even use it, that's why they don't deactivate it and Microsoft keeps getting more sensitive datas about what you type 

[AlTech]

Just now, wcreek said:

Shit, screw just being a French or EU policy, it needs to be adopted all across the board.

No it doesn't. Everybody is honestly so paranoid.

 

The data they collect is just what OS your using, and basic telemetry data.

 

Facebook gets more information from you.

 

Honestly.

[AlTech]

Just now, wcreek said:

Maybe I don't want to.

Maybe Microsoft doesn't care if you don't want to.

 

Just now, laminutederire said:

Personnally I need a bit more time than my lunch break to read exactly what's wrong, but I do trust my country's organization to not be huge jerks, and flagging freedom invasion, like Cortona based services are. The fact they're activated by default may explain why it is like spying, because a lot of people don't know it and don't even use it, that's why they don't deactivate it and Microsoft keeps getting more sensitive datas about what you type 

People should stop being ignorant.

[Bouzoo]

Just now, AluminiumTech said:

Maybe Microsoft doesn't care if you don't want to.

 

People should stop being ignorant.

The irony. 

[laminutederire]

3 minutes ago, AluminiumTech said:

People should stop being ignorant.

While people like us manage the Cortona issue first hand when installing w10, lots of people don't,  and we can't do much for their ignorance I'm afraid.

It's like people should stop being stupid, but that won't happen ever, because you'd have to kill all stupid people, and the guy wanting to kill all stupid people has to be stupid himself and has to be killed by someone else, and so on recursively until no one shall live anymore 

[handymanshandle]

Just now, AluminiumTech said:

Facebook gets more information from you.

Actually Google probably knows more about me. And anyways, the telemetry doesn't bother me that much because I when I set it up I tried to turn off as much of as I could. I don't think Microsoft should have it at all but when you're aware about it and disable as much of it as you can it gets better.

 

Now despite my hopes of them not equating me using my MSA once or twice to use the store to tie it back to this laptop as I made sure to not let it associate the MSA with the local account and don't stay signed into my MSA in the store.

 

[AlTech]

1 minute ago, laminutederire said:

While people like us manage the Cortona issue first hand when installing w10, lots of people don't,  and we can't do much for their ignorance I'm afraid.

It's like people should stop being stupid, but that won't happen ever, because you'd have to kill all stupid people, and the guy wanting to kill all stupid people has to be stupid himself and has to be killed by someone else, and so on recursively until no one shall live anymore 

What do you mean the Cortana Issue?  

 

You guys are great you know.

 

I keep Cortana enabled on all my Windows 10 devices and it's just fine.