Skip to content
Naked Security Naked Security

Microsoft given 3 months to fix Windows 10 security and privacy

The privacy watchdog says the OS is gobbling excessive data, snooping on browsing without user consent, and weakening security by not limiting PIN entries.

France’s privacy watchdog has declared that Windows 10 is gobbling up too much data and snooping on users’ browsing without their consent.

The National Data Protection Commission (CNIL) has given Microsoft 3 months to get its act together and to get compliant with the French Data Protection Act.

That means that Microsoft has to stop collecting “excessive data” and tracking browsing by users without their consent. CNIL Director Isabelle Falque-Pierrotin is also demanding that Microsoft “take satisfactory measures to ensure the security and confidentiality of user data.”

The CNIL sent Microsoft a formal notice on 30 June.

The commission didn’t make that letter public until Wednesday.

The CNIL has been concerned about Windows 10 since Microsoft released it a year ago.

The new operating system’s release sparked a storm of controversy over privacy: Concerns have risen over the Wi-Fi password sharing feature, Microsoft’s plans to keep people from running counterfeit software, the inability to opt out of security updates, weekly dossiers sent to parents on their kids’ online activity, and the fact that Windows 10 by default shares a lot of your personal information – contacts, calendar details, text and touch input, location data, and more – with Microsoft’s servers.

Amid the past year’s furor, the CNIL carried out its own tests of the operating system to see what was really going on and whether Windows 10 was compliant with the Act.

It conducted a total of 7 tests in April and June. As well, the watchdog questioned Microsoft about its privacy policy.

Those tests revealed “many failures,” the CNIL said, including…

  • Irrelevant or excessive data collected: Microsoft is collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. But that also includes what the CNIL calls extraneous data, including data on all the apps downloaded and installed on the system by a user and the time spent on each one: data that’s not necessary for operation of the service.
  • Lack of security: Microsoft doesn’t limit the number of attempts that can be made to enter a 4-character PIN for authentication with online services, including to access a user’s Microsoft account, which lists sensitive data such as store purchases and payment details.
  • Lack of individual consent: An advertising ID is activated by default on installation, without users’ consent, enabling Windows apps and other parties’ apps to monitor user browsing and to target advertising at users.
  • Lack of information and no option to block cookies: Microsoft’s sticking advertising cookies on users’ terminals without properly informing them in advance or enabling them to opt out.
  • Data still being transferred outside EU on a “safe harbour” basis: Microsoft’s transferring account holders’ personal data to the US on a “safe harbor” basis, in spite of the Safe Harbor agreement having been ruled invalid by the top EU court in October 2015.

Microsoft has until 30 September to comply with the CNIL’s demands. If it fails to do so, it could face a fine of up to €1.5 million (US$1.66 million) for the poor PIN security, and lesser fines for the other measures, the commission said in its formal notice to the company.

The CNIL said that it’s not the only data protection authority in Europe that’s concerned about Windows 10 privacy and security. Investigations by other watchdogs are ongoing.

The CNIL also said that it decided to make the notice public because of the seriousness of the privacy/security breaches and the fact that they affect so many French users: the commission said that there are more than 10 million users in French territory.

Microsoft isn’t the first US tech company to get one of these notices from the CNIL: In June 2015, it ordered Google to scrub search globally in right to be forgotten requests.

In February, it also gave Facebook 3 months to stop tracking non-users in France.

In a statement provided to Reuters, Microsoft vice president and deputy general counsel David Heiner said that the company will work with CNIL to develop “solutions that it will find acceptable.”

9 Comments

Why did they wait until the free upgrade is ready to expire to tell us this? I was aware of some of the privacy concerns with Windows 10 and have been delaying the upgrade hoping they would be fixed. Now it looks like I won’t be upgrading at all. As for the telemetry mentioned in the article, Microsoft repeatedly installs a telemetry service onto my Windows 7, during the update Tuesdays. It churns my hard drive and sends a lot of data over the internet. I’ve disabled it repeatedly, they’ve re-installed it repeatedly. It’s back again with the latest updates. It runs a few minutes after booting, or, if you leave the computer on, every two or three days.

Find some of the executable (.exe, .dll) files it uses. Create dummy files with the same name and place them in the same directory as the originals. Set them as read-only. That should prevent their replacement.

They waited because this is the strategy that MS wanted to adopt; suck users in with a ‘free’ upgrade to get users using Win10 (which was not quite an accurate label as this is the price users pay). Then they take away things like ‘allowing sysadmins to block the windows store’ (which is still possible to do, despite MS efforts to remove the ability in GPO). Organisations should carefully consider adopting a new OS, however It is possible to disable the telemetry on both Win7 and Win10 using GPO or locally on each computer (delete the tasks that perform the operations) as well as most of the privacy headaches by disabling services and in my organisation’s case, the Windows Store. However, you have to keep on top of this because MS will implement other methods (because the telemetry informs them how you do this), which you simply research and disable again. Just like the users of Win10, MS are still learning. It’s cat and mouse….

Wtf 1.6m is pocket change i bet thay make x10 that from selling the data thay are taking. I am thinking that thay take the fine and all after it the upside for Microsoft is to good to give up.

Surprised the fines are so small. That would be pocket change for a behemoth like Microsoft. In a single meeting after reviewing the letter, I’m sure MS attorneys said “let them fine us, and then let them try to collect it. If we end up having to pay it after a few years of court challenge, then we’ll take it out of petty cash”. Some things are just not worth the effort. This feels like one of them,

I wish the fine was bigger,an operating system should be a layer of software between the hardware and applications that the user wants to use NOT a means of spyware that windows 10 clearly is.The fine is not nearly big enough for the crime,this is a problem when some company like Microsoft gets big and powerful.they really do as they please,they really need to be stomped on and put into line.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?