Microsoft given 3 months to fix Windows 10 security and privacy

France’s privacy watchdog has declared that Windows 10 is gobbling up too much data and snooping on users’ browsing without their consent.

The National Data Protection Commission (CNIL) has given Microsoft 3 months to get its act together and to get compliant with the French Data Protection Act.

That means that Microsoft has to stop collecting “excessive data” and tracking browsing by users without their consent. CNIL Director Isabelle Falque-Pierrotin is also demanding that Microsoft “take satisfactory measures to ensure the security and confidentiality of user data.”

The CNIL sent Microsoft a formal notice on 30 June.

The commission didn’t make that letter public until Wednesday.

The CNIL has been concerned about Windows 10 since Microsoft released it a year ago.

The new operating system’s release sparked a storm of controversy over privacy. Concerns were raised over the Wi-Fi password sharing feature, Microsoft’s plans to keep people from running counterfeit software, the inability to opt out of security updates, weekly reports sent to parents on their kids’ online activity, and the fact that Windows 10 by default shares a lot of personal information – contacts, calendar details, text and touch input, location data, and more – with Microsoft’s servers.

Amid the past year’s furor, the CNIL carried out its own tests of the operating system to see what was really going on and whether Windows 10 was compliant with the Act.

It conducted a total of 7 tests, in April and June. The watchdog also questioned Microsoft about its privacy policy.

Those tests revealed “many failures,” the CNIL said, including…

  • Irrelevant or excessive data collected: Microsoft collects diagnostic and usage data via its telemetry service and uses it, among other things, to identify problems and to improve products. But the collection also includes what the CNIL calls extraneous data, such as a list of every app a user has downloaded and installed on the system and the time spent in each one: data that is not necessary for operation of the service.
  • Lack of security: Microsoft does not limit the number of attempts that can be made to enter the 4-character PIN used to authenticate to online services, including a user’s Microsoft account, which holds sensitive data such as store purchases and payment details. Without a limit, an attacker can simply try every possible PIN.
  • Lack of individual consent: An advertising ID is activated by default on installation, without the user’s consent, enabling Windows apps and third-party apps to monitor the user’s browsing and to target advertising at them.
  • Lack of information and no option to block cookies: Microsoft is placing advertising cookies on users’ devices without properly informing them in advance or giving them a way to opt out.
  • Data still being transferred outside the EU on a “safe harbor” basis: Microsoft is transferring account holders’ personal data to the US under the Safe Harbor framework, even though the Court of Justice of the EU ruled Safe Harbor invalid in October 2015.
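The “lack of security” finding is worth seeing in numbers. The following is an added example, not code from the CNIL notice or from Microsoft: it simulates, offline, a 4-digit PIN verifier with no attempt limit beside one that locks the account after a few consecutive failures, and runs the same exhaustive guessing attack against both. The PIN format (4 decimal digits), the thresholds (5 failures, a 5-minute base lockout that doubles on each further lockout) and the class and function names are assumptions chosen for illustration; the clock is passed in by the caller so the simulation is deterministic.

```python
"""Added example (not the CNIL's or Microsoft's code): unlimited PIN guessing
versus lockout after consecutive failures. All names, the 4-decimal-digit PIN
format and the thresholds are illustrative assumptions."""

import hmac
import itertools
from typing import Iterator, Optional, Tuple

PIN_LENGTH = 4
PIN_ALPHABET = "0123456789"


def all_pins() -> Iterator[str]:
    """Enumerate the whole keyspace in order: 10**4 candidates for 4 digits."""
    for digits in itertools.product(PIN_ALPHABET, repeat=PIN_LENGTH):
        yield "".join(digits)


def _same_pin(guess: str, pin: str) -> bool:
    # Constant-time compare, so response timing does not leak matching prefixes.
    return hmac.compare_digest(guess.encode(), pin.encode())


class UnlimitedPinVerifier:
    """The weak design in the CNIL finding: every guess is evaluated, forever."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.checked = 0  # guesses the server actually evaluated

    def verify(self, guess: str, now: float) -> str:
        self.checked += 1
        return "ok" if _same_pin(guess, self._pin) else "wrong"


class LockoutPinVerifier:
    """Hardened form: lock after MAX_FAILURES consecutive wrong guesses, with
    a lockout period that doubles every time it is triggered."""

    MAX_FAILURES = 5
    BASE_LOCKOUT_SECONDS = 300  # assumed 5-minute base lockout

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.checked = 0
        self._failures = 0
        self._lockouts = 0
        self._locked_until = 0.0

    def verify(self, guess: str, now: float) -> str:
        if now < self._locked_until:
            # Refuse without evaluating the guess: a locked account must not
            # reveal whether this particular candidate was correct.
            return "locked"
        self.checked += 1
        if _same_pin(guess, self._pin):
            self._failures = 0
            self._lockouts = 0
            return "ok"
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._failures = 0
            self._lockouts += 1
            self._locked_until = now + self.BASE_LOCKOUT_SECONDS * 2 ** (self._lockouts - 1)
        return "wrong"


def brute_force(verifier, now: float = 0.0) -> Tuple[Optional[str], int]:
    """Try every PIN in order at a single instant (a fast, impatient attacker).
    Returns (recovered PIN or None, number of guesses the server evaluated)."""
    for candidate in all_pins():
        result = verifier.verify(candidate, now)
        if result == "ok":
            return candidate, verifier.checked
        if result == "locked":
            return None, verifier.checked
    return None, verifier.checked


def seconds_of_lockout(attempts_needed: int, max_failures: int = 5,
                       base_lockout: int = 300, doubling: bool = True) -> int:
    """Total lockout time a patient attacker must sit through to get
    `attempts_needed` guesses evaluated under the lockout policy."""
    lockouts = (attempts_needed - 1) // max_failures
    if doubling:
        return sum(base_lockout * 2 ** i for i in range(lockouts))
    return base_lockout * lockouts


if __name__ == "__main__":
    print(brute_force(UnlimitedPinVerifier("7391")))   # ('7391', 7392)
    print(brute_force(LockoutPinVerifier("7391")))     # (None, 5)
    print(seconds_of_lockout(7392, doubling=False) / 86400, "days with a fixed 5-minute lockout")
```

Against the unlimited verifier the attacker recovers the PIN after at most 10,000 evaluated guesses, and nothing the server does slows that down. With a fixed 5-minute lockout the same PIN costs about five days of waiting; with a doubling lockout the wait becomes impractical after a handful of blocks. The other half of the fix, which this simulation does not model, is detecting and alerting on the lockouts themselves, since a burst of them is a clear signal of an attack on the account.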

Microsoft has until 30 September to comply with the CNIL’s demands. If it fails to do so, it could face a fine of up to €1.5 million (US$1.66 million) for the poor PIN security, and lesser fines for the other measures, the commission said in its formal notice to the company.

The CNIL said that it’s not the only data protection authority in Europe that’s concerned about Windows 10 privacy and security. Investigations by other watchdogs are ongoing.

The CNIL also said that it decided to make the notice public because of the seriousness of the breaches and the number of people affected: the commission put the figure at more than 10 million Windows 10 users in French territory.

Microsoft isn’t the first US tech company to get one of these notices from the CNIL: In June 2015, it ordered Google to apply “right to be forgotten” delistings across all of its search domains worldwide, not just its European ones.

In February, it also gave Facebook 3 months to stop tracking non-users in France.

In a statement provided to Reuters, Microsoft vice president and deputy general counsel David Heiner said that the company will work with CNIL to develop “solutions that it will find acceptable.”