microsoft Dutch DPA: Microsoft breaches data protection law with Windows 10

[BOOZy]

Edit 1:

Quote

Microsoft breaches the Dutch data protection law by processing personal data of people that use the Windows 10 operating system on their computers. This is the conclusion of the Dutch Data Protection Authority (DPA) after its investigation of Windows 10 Home and Pro. Microsoft does not clearly inform users about the type of data it uses, and for which purpose. Also, people cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft. The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used. Microsoft has indicated that it wants to end all violations. If this is not the case, the Dutch DPA can decide to impose a sanction on Microsoft.

 

 

Source article on the Dutch DPA website.

This article is a follow up on the announcement of the start of investigations by -aside from the Netherlands- Germany, France, Hungary, Slovenia, Spain and the UK.

 

Looks like half the EU is on Microsoft's case about telemetry collection.

The EU wide data protection directive that was enacted in 2016 enters into force on May 25 2018.

So even if Microsoft conforms (eventually) to national laws, they will have to conform to the more strict EU directive in 2018.

 

Edit 2:

To elaborate.  The first and second links go to the official press releases from the Dutch 'Autoriteit Persoonsgegevens' which is the agency that watches out for the consumer's right to data protection.

They have the authority to fine offenders.

Edited October 13, 2017 by BOOZy

[Master Disaster]

I guess MS will do an EU only release of Windows 10 to comply with our laws like they did with 7N.

[mr moose]

is there anything more detailed on this?  I have no idea what that link is, is the DPA the dutch version of consumer affairs?

 

[dfsdfgfkjsefoiqzemnd]

The link leads to an article in English, where the DPA is explained (it simply stands for Data Protection Authority, FYI)

[captain_to_fire]

49 minutes ago, Master Disaster said:

I guess MS will do an EU only release of Windows 10 to comply with our laws like they did with 7N.

How can I get my hands on Windows 10 EU version? ?

[samcool55]

1 minute ago, huilun02 said:

Why not just give MS the finger by blocking IP/hostname of all them telemetry servers across all ISPs in the EU?

Microsoft will just merge the update servers with the telemetry servers. They already merged Cortana with other essential processes so you can't turn it off anymore so they are prepared to do completely stupid things....

[Delicieuxz]

It's unfortunate and, I think, indicative of a lack of integrity in society in general that it has taken this long for a government, anybody in a position of authority in general, to simply call a spade a spade, in regards to Microsoft's dishonest, unethical, and exploitative activities and self-presentation when it comes to Windows 10.

 

I like that the DPA report brings up the issue of settings being reset by Microsoft when installing major updates, and that it points out that Microsoft doesn't present sufficient information about their data-collection to Windows owners to possibly be able to receive Windows owners' informed consent to collect their data.
 

Quote

 

"Microsoft can use the collected data for the various purposes, described in a very general way. Through this combination of purposes and the lack of transparency Microsoft cannot obtain a legal ground, such as consent,  for the processing of data."

 

"Microsoft needs to obtain valid consent from users to process their personal data. Therefore, people must be well informed and need to know precisely to what they say yes. This is not the case."

 

"If  a person does not actively change the default settings during installation, it does not mean he or she thereby gives consent for the use of his or her personal data. Additionally, the Dutch DPA has established that Microsoft has not respected existing privacy choices from some users when they upgraded to the Creators Update."

 

 

At baseline, Microsoft is a thuggish, deceitful, and immoral company. If Microsoft complies with the DPA's requirements, all Windows license owners will benefit.

 

Things still need to go even further, though, so that all data-collection is opt-in, and not opt-out, and can be turned off reliably, and easily, with a simple clearly-presented single option.

[LAwLz]

Good to hear that some governments are pushing back.

Hopefully this will lead to meaningful changes to Windows 10.

[captain_to_fire]

1 hour ago, samcool55 said:

They already merged Cortana with other essential processes

Like how Cortana can read private Skype conversations 

https://hotforsecurity.bitdefender.com/blog/goodbye-privacy-cortana-reads-skype-chats-interjects-in-conversations-19053.html 

https://www.engadget.com/2017/10/09/skype-adds-cortana-assistant-in-chats/ 

[samcool55]

3 minutes ago, hey_yo_ said:

Like how Cortana can read private Skype conversations 

https://hotforsecurity.bitdefender.com/blog/goodbye-privacy-cortana-reads-skype-chats-interjects-in-conversations-19053.html 

https://www.engadget.com/2017/10/09/skype-adds-cortana-assistant-in-chats/ 

wtf... who the hell wants that?

Just imagine sending a dirty text to someone in public and suddenly pictures of adult toys appear, no thanks...

I ditched skype last week, seems like i made the right decision.

[captain_to_fire]

7 minutes ago, samcool55 said:

wtf... who the hell wants that?

Just imagine sending a dirty text to someone in public and suddenly pictures of adult toys appear, no thanks...

I ditched skype last week, seems like i made the right decision.

Well I’m not really a sexter and I do not recommend it but even if a person doesn’t sext at all, the mere fact that those conversations are submitted to Microsoft’s telemetry is creepy notwithstanding the fact that the telemetry data they collect contains personally identifiable information. Most of the time, I use FaceTime or Hangouts but for people who have to send very sensitive conversations, they can use Telegram. 

[PlayStation 2]

Windows 10 was released before the directive was enacted. Unless Microsoft added more violations to that after it came into effect I don't know if they'd be successful in this suit.

[LAwLz]

41 minutes ago, Dan Castellaneta said:

Windows 10 was released before the directive was enacted. Unless Microsoft added more violations to that after it came into effect I don't know if they'd be successful in this suit.

Microsoft is still selling Windows 10, so therefore they have to follow the law.

Coke can't sell soda with cocaine in it just because "when we started selling it, cocaine wasn't illegal". (Just an example, I know Coke denies ever having cocaine in their soda)

So when the law was enacted doesn't really matter. What matters is that Microsoft has to follow the new law now that it is in effect.

[AlwaysFSX]

6 minutes ago, LAwLz said:

(Just an example, I know Coke denies ever having cocaine in their soda)

Off topic, do they really?

[jagdtigger]

Finally. Hopefully what we will see is a one sided but kicking fiasco where MS gets the short end of the stick...

[Drak3]

18 minutes ago, AlwaysFSX said:

Off topic, do they really?

Long time ago, yes. That's where the first part of the full name comes from.

[captain_to_fire]

26 minutes ago, AlwaysFSX said:

Off topic, do they really?

 

[Doobeedoo]

Interesting take, I wonder about direction with it in the future. Like more transparent with important stuff. 

[mynameisjuan]

If the EULA says we will collect your data, and you say ok by selecting accept I dont get how this is against any law. Shitty?.....damn right it is....but you did say its fine for them. 

[Master Disaster]

1 hour ago, mynameisjuan said:

If the EULA says we will collect your data, and you say ok by selecting accept I dont get how this is against any law. Shitty?.....damn right it is....but you did say its fine for them. 

Very simple

 

Law > EULA. 

 

No EULA (or indeed any written contract) can ever supercede or break any law from the country in which the contract is legal, any clause that does is immediately nullified and cannot be enforced.

 

BTW you can thank this fact for Valve implementing their refund policy.

[mr moose]

4 hours ago, Doobeedoo said:

Interesting take, I wonder about direction with it in the future. Like more transparent with important stuff. 

Depends on how much windows is a part of MS's core business model.  It seems to be slipping to the outside as they take on a more cloud orientated service structure.  Which means they might just become more transparent with the authorities (evidencing exactly what data is collected).  Not too sure how people don't know the data is being collected, you have to click ok on something like 3 different pages telling you about it.

 

2 hours ago, Master Disaster said:

Very simple

 

Law > EULA. 

 

No EULA (or indeed any written contract) can ever supercede or break any law from the country in which the contract is legal, any clause that does is immediately nullified and cannot be enforced.

 

BTW you can thank this fact for Valve implementing their refund policy.

Australia forced them to do that too.  In Australia the EULA isn't worth the hdd space it occupies and consumer law trumps everything else.

 

 

[vorticalbox]

8 hours ago, hey_yo_ said:

Well I’m not really a sexter and I do not recommend it but even if a person doesn’t sext at all, the mere fact that those conversations are submitted to Microsoft’s telemetry is creepy notwithstanding the fact that the telemetry data they collect contains personally identifiable information. Most of the time, I use FaceTime or Hangouts but for people who have to send very sensitive conversations, they can use Telegram. 

how do you know that google doesn't read hand out messages? Is it really any different than your carrier keeps logs of phone calls and texts you send?

 

how do you know your choice of email provider doesn't reason your emails?

[AlwaysFSX]

6 hours ago, Drak3 said:

Long time ago, yes. That's where the first part of the full name comes from.

6 hours ago, hey_yo_ said:

 

No no, the denying it thing.

[LAwLz]

11 minutes ago, AlwaysFSX said:

No no, the denying it thing.

I think they have unofficially denied it a few times, for example this time:

Quote

In an emailed statement, Coca-Cola said its secret formula has remained the same since it was invented in 1886 and that cocaine has “never been an added ingredient” in its soda.

 

They mostly neither confirm nor deny it.

[AlwaysFSX]

6 minutes ago, LAwLz said:

I think they have unofficially denied it a few times, for example this time:

 

They mostly neither confirm nor deny it.

Huh.