After the privacy hell-hole that was Windows 10 circa 2017-ish, you’re doing better, the Dutch Data Protection Authority (DPA) told Microsoft on Tuesday, but you still aren’t legally kosher, privacy-wise.
A very quick recap: Users howled. Regulators scowled. Microsoft tweaked in 2017. The DPA investigated those tweaks. The upshot of its investigation: the DPA has asked the Irish privacy regulator – the Irish Data Protection Commission, DPC – to re-investigate the privacy of Windows users.
What a long, strange privacy trip it’s been
A recap with more flesh on its bones: in 2015, Microsoft released Windows 10. From the get-go, France’s privacy watchdog – the National Data Protection Commission (CNIL) – had concerns about the operating system’s processing of personal data through telemetry.
Windows 10’s release had sparked a storm of controversy over privacy: concerns rose over the Wi-Fi password sharing feature, Microsoft’s plans to keep people from running counterfeit software, the inability to opt out of security updates, weekly dossiers sent to parents on their kids’ online activity, and the fact that Windows 10 by default was sharing a lot of users’ personal information – contacts, calendar details, text and touch input, location data, and more – with Microsoft’s servers.
After conducting tests, CNIL determined that there were plenty of reasons to think that Microsoft wasn’t compliant with the French Data Protection Act. In July 2016, it gave Microsoft three months to fix Windows 10 security and privacy.
After the CNIL’s warning and a slap from the Electronic Frontier Foundation (EFF), Microsoft made a series of changes to tackle the privacy concerns around Windows 10.
In January 2017, Microsoft launched a web-based privacy dashboard that let users pick and choose what information gets sent to the company – be it tracking data, speech recognition, diagnostics or advertising IDs that apps glue on to your system for targeted marketing.
OK, so Microsoft made some changes. Was it enough? No.
In October 2017, the DPA said that after looking into the privacy of users of Windows Home and Pro, it had concluded that Microsoft was still illegally processing personal data through telemetry. Specifically, it found that…
Microsoft continuously collects technical performance and user data. This includes which apps are installed and, if the user has not changed the default settings, how often apps are used, as well as data on web surfing behaviour. These data are called ‘telemetry data’. Microsoft takes continuous pictures – as it were – of the behaviour of Windows users and sends them to itself.
The Dutch privacy watchdog ordered Microsoft to make more changes to Windows, which the company did in the April 2018 update. The DPA outlined what was expected from that update, to pull everything up to speed with the impending General Data Protection Regulation (GDPR):
Microsoft will ensure that users are better informed about the data it collects and what this data is used for. In addition, users can take active, straightforward steps to control their own privacy settings. In light of the new EU privacy law (the General Data Protection Regulation), which comes into force on 25 May 2018, the Dutch DPA has insisted that the update be implemented across the entire EU. Microsoft has agreed to do this, and the Dutch DPA will monitor implementation.
…all of which leads us up to now. So, how did that April 2018 update do?
Better, but maybe still in violation
The DPA said on Tuesday that the changes made in the April 2018 Windows update have led to “an actual improvement” in data privacy. But at the same time, it appears that… “Microsoft also collects other data from remote users.” Upshot:
As a result, Microsoft may still violate the privacy rules.
Therefore, the DPA says, it’s time for the lead privacy regulator in Europe – that would be the Irish DPC – to investigate further concerns about how Windows collects user data.
The Dutch data privacy regulator is also advising Windows users to “pay close attention to privacy settings when installing and using this software.”
Microsoft is permitted to process personal data if consent has been given in the correct way. We’ve found that Microsoft collects diagnostic and non-diagnostic data. We’d like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this.
Does Microsoft collect more data than they need to (think about data minimalization as a base principle of the GDPR)? Those questions can only be answered after further examination.
The Irish DPC confirmed to TechCrunch that it received the Dutch regulator’s concerns last month. The publication quoted a DPC spokeswoman:
Since then the DPC has been liaising with the Dutch DPA to further this matter. The DPC has had preliminary engagement with Microsoft and, with the assistance of the Dutch authority, we will shortly be engaging further with Microsoft to seek substantive responses on the concerns raised.
And this is what Microsoft had to say on the matter:
The Dutch data protection authority has in the past brought data protection concerns to our attention, which related to the consumer versions of Windows 10, Windows 10 Home and Pro. We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible.
Microsoft is committed to protecting our customers’ privacy and putting them in control of their information. Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10. We welcome the opportunity to improve even more the tools and choices we offer to these end users.
Are you so over ads while onboarding?
As one reader noted when we wrote up the 2017 privacy dashboard introduction, they were seeing ads every time they logged on to Windows 10. TechCrunch notes that during the onboarding process for Windows 10, Microsoft makes multiple requests to process user data for various reasons, including to serve ads to users.
As Naked Security’s Paul Ducklin responded at the time, he never saw ads on Windows 10, including at login, in spite of installing and reinstalling the operating system “any number of times” in the test rig he was using to get malware screenshots to use in his articles. But then, he knows where to look for the right options, he said:
When I do my installs I pick ‘custom’ and not ‘express settings’ at the relevant setup configuration prompt, and then turn all the options off using the toggles. I assume this helps reduce the tat that I see compared to what some other people are seeing.
TechCrunch also noted that Windows 10 uses its digital assistant, Cortana, to provide a running commentary on settings screens, including nudges to agree to the company’s T&Cs… If you want to run Windows, that is. From TechCrunch:
‘If you don’t agree, y’know, no Windows!’ the human-sounding robot says at one point.
Is that nudging one of the DPA’s concerns? It’s not clear yet. Time will tell, so tune in to next month’s/year’s episode, as this long-running privacy-regulator wrestling match continues. We’ll let you know when we do!