The French National Data Protection Commission (CNIL) has issued a formal notice to Microsoft to stop what they call “excessive” data collection in Windows 10 and user tracking through a number of apps, including Edge and other pre-installed apps.

Microsoft has been given three months to comply with the French Data Protection Act and “stop collecting excessive data and tracking browsing by users without their consent,” with CNIL going through a number of examples that the company needs to deal with in order to get Windows 10 right for French users.

CNIL claims Windows 10 collects “irrelevant or excessive data” with its telemetry services, including apps downloaded and installed on a system, but also the time users spend running each one of them. This is excessive data, CNIL says, “as these data are not necessary for the operation of the service.”

Furthermore, the organization claims that Windows 10 lacks strong security because the four-character PIN that can be used to lock a device running the operating system doesn’t come with a restriction on the number of attempts allowed to each user. This claim, however, is false, as Windows 10 prompts users to write a security captcha after failing to authenticate with a PIN code for several times, while eventually requiring a full system reboot.

And last but not least, the French authorities also explain that an advertising ID is activated by default when Windows 10 is installed in order to allow apps to deliver targeted ads, and advertising cookies are being configured without users being given the option to block them.

Microsoft: We’ll update our privacy policy
Microsoft has already issued a statement regarding this complaint and has explained that the privacy policy will be updated in the three-month window to comply with all requirements.

David Heiner, Vice President and Deputy General Counsel, also says that Microsoft already considers users’ privacy a priority and adds that the company will work together with the CNIL to fully understand the notice and address all worries accordingly.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable,” he said.

You can read both the official CNIL formal notice and Microsoft’s response in the box after the jump, and we’ll update the article when new information on this case is provided.

Spoiler: CNIL and Microsoft Statements

CNIL
--

Following the launch of the new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties to the possibility that Microsoft Corporation was collecting excessive personal data. Meanwhile, a Contact group was created within the G29 (working party including national data protection agencies in Europe) to examine the issue and conduct investigations in the various member states concerned. It is within this context that the CNIL carried out seven on-line observations in April and June 2016 and questioned Microsoft Corporation on certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act.

This has revealed many failures :

Irrelevant or excessive data collected:

The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.

A lack of security:

The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.

Lack of individual consent:

An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.

Lack of information and no option to block cookies:

The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.

Data still being transferred outside EU on a “safe harbour” basis:

The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.

Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months. This proceedings only commits French Data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.

The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.

It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).

For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.

Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.

--
Microsoft - David Heiner, vice president and deputy general counsel
--

“Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.

We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.

“The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both side of the Atlantic that led to last week’s adoption of the Privacy Shield.

“As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.

“Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.”

Source - Softpedia

 

France?

 

France ?

food for thought

where is Microsoft and Apple based ? The two most widely used OS . The WWW or world internet ?

ever since the dawn of mankind and war what was the most important stuff ? to know where your enemy's cave is and keep your own hidden.

who controls the strongest armed forces of the world ?

intelligence/counterintelligence and it seems France doesnt like the fact that their computers are being watched , not that it didn't happen long before Win10

 

Anyone who thinks this actually changes anything raise your hand...

 

It won't stop the state apparatus in France from watching electronic activity, nor NSA echelon

but it may keep M$ out of the pants of the French Winblows user , somewhat

The US govt went after them way back when.. as they tried to kill every other
web browser by integrating IE into Windows explorer.
I remember uninstalling IE4 immediately because it completely took over your desktop, changing the theme and colors etc.
and decidedly went back to Netscape ( lol ). I never trusted MS again..
except when some critical security updates were announced, and autoupdate was forever disabled !

Windows 10 has never bothered me.. because I don't let it.

@Batoumba where can i get one of those? does she come with brie and a baguette?

 

Last edited by a moderator: Jul 21, 2016

I had read that, it kind of made me smile for several reasons, but I didn't report the news here in the optic of not relaunching the whole pro win 10 vs anti win 10 war. Since someone else did, and it's honest of you to do so Ankit I admit, I'll allow myself a comment.
Now it's indeniable that windows 10 spies on its users (not just telemetric spying, but even telemetric surveillance is being done excessively, far beyond what's necessary for getting the service better for users), in my point of vew it had already been established, now it's indeniable : this is a spyware.
This might just be a first step. The CNIL as independant as it might seem on paper is doing that at the request of our governement. They want to put a certain numbers of elements together to be able to constitute a solid case against Microsoft and a certain number of their practices. From the spying to the not paying taxes to anyone here in Europe.
The states in Europe do spy on their citizens but they want to have the exclusivity of that they don't want to share it with companies who share their data with the American governement and agencies. Those are very serious privacy and security issues.
They need amno to have Microsoft behaving better - like they did in the past, Microsoft had to pay several hundred of millions of damages in the past after legal action through EU justice system, the OS they sold then in the EU had to be modified in every countries in Europe where it was distributed so that it didn't force the customer hand on choosing internet explorer - and I think they are getting some.
Other European countries will join in on that (including Germany, very sensitive on privacy issues), and M$ who is already suffering from poor sales, far from their initial aims that they tried to accomplished by forcing upgrades, may not be done yet with the sh..storm.

 

I've been involved in an interesting Slashdot discussion about it today. Whoever is interested to see it go here: https://yro.slashdot.org/story/16/07/20/1919216/france-windows-10-collects-excessive-personal-data-issues-microsoft-with-formal-warning

Cheersemois? I've always loved France. They don't let anyone shit in their soup!

edit: As I keep saying - people all over the world using an OS that is made by one company in the USA or anywhere else is just insane. That cannot and shouldn't work. It was OK when only a couple of million people were using their OS, but not any more. An OS that everybody uses should be made by everybody and open source [Linux or BSD]. Programs can be made by companies and are individual choice. It's either we will choose to have an OS free of any kind of corporatist/capitalist garbage, or we will all be ruled by a handful of corporations and use an OS like Windows 10, full of garbage, spyware, malware, crapware, bloatware and whatever they think you should have on your computer. It's either they have control of our computers, or we have control of our computers. I personally like my computer to be like I want it to be - free of all unnecessary shit I don't need.

 

Last edited: Jul 22, 2016

I have often wondered why all of exalted nerd - dom has utterly failed to bring their beloved Linux to the masses..
I see it has great potential, but it seems they would rather hide in their basement and drool over their own command line
prowess, to give their lives the significance of being in a "select" and annointed group.

prove me wrong

 

If you think you are free, raise your HANDS.

 

If you downloaded and played with Ubuntu 16.04, Debian 8.4, or one of the "Mint" flavours, that would be proof enough. It is not 2006 any more, mate.

Regarding the console, I use as much command line in Linux as I use in Windows. Occasionally, because I like it. You don't have to if you don't like it. But it can really come in handy in Linux as much as in Windows.

 

I just wish it would actually become a competitor @SineWave , as you say, it has come into its own
since 2006. I admire it as an OS, aren't there any geeks who would deign to monetize this thing
and get it appearing more in the market? I bought a Red Hat distro long long ago... before
there was much of anything except on the server or industry side use. I have used ubuntu, and it was cool
but when I tried to delve deeper into it, it became totally opaque to me as I am not a programmer,
and I just couldn't push myself to become enough of an Über-geek to use this beyond trivial purposes.
I would be willing to bet you know your way around a few or more programming languages.

 

@SineWave , would you please stop raising your hand
just kidding my friend. just the timing where your post sits. yeah I love Linux too, its sure come a long way hasn't it

 

Kind of off topic but Linux + Mozilla + Qwant seems the combination to go with

 

Here is the difference between Pre-Y2K and today. Tech companies used to stay out of politics, today they have become part of the government. Specifically, the US government. These are all US corporations, promoting US politics, enforcing US "laws", supporting the US military, and conducting industrial espionage on behalf of the US. WTF is taking the world so long to realize this I don't know. I am assuming in part it is because the rest of the world's governments want the same spying privileges and in part because most people are still tech illiterate, especially all those old politicians that can't even figure out how to use their emails properly. Anyway, remember the difference, these companies are no longer civilians, they are actively working with the government. Is that even capitalism? What is the US becoming if there's no longer a free market in the tech industry, which in turn controls pretty much the entire global economy?