Sophos News

Microsoft given 3 months to fix Windows 10 security and privacy

France’s privacy watchdog has declared that Windows 10 is gobbling up too much data and snooping on users’ browsing without their consent.

The National Data Protection Commission (CNIL) has given Microsoft 3 months to get its act together and to get compliant with the French Data Protection Act.

That means that Microsoft has to stop collecting “excessive data” and tracking browsing by users without their consent. CNIL Director Isabelle Falque-Pierrotin is also demanding that Microsoft “take satisfactory measures to ensure the security and confidentiality of user data.”

The CNIL sent Microsoft a formal notice on 30 June.

The commission didn’t make that letter public until Wednesday.

The CNIL has been concerned about Windows 10 since Microsoft released it a year ago.

The new operating system’s release sparked a storm of controversy over privacy: Concerns have risen over the Wi-Fi password sharing feature, Microsoft’s plans to keep people from running counterfeit software, the inability to opt out of security updates, weekly dossiers sent to parents on their kids’ online activity, and the fact that Windows 10 by default shares a lot of your personal information – contacts, calendar details, text and touch input, location data, and more – with Microsoft’s servers.

Amid the past year’s furor, the CNIL carried out its own tests of the operating system to see what was really going on and whether Windows 10 was compliant with the Act.

It conducted a total of 7 tests in April and June. The watchdog also questioned Microsoft about its privacy policy.

Those tests revealed “many failures,” the CNIL said, including…

Microsoft has until 30 September to comply with the CNIL’s demands. If it fails to do so, it could face a fine of up to €1.5 million (US$1.66 million) for the poor PIN security, and lesser fines for the other measures, the commission said in its formal notice to the company.

The CNIL said that it’s not the only data protection authority in Europe that’s concerned about Windows 10 privacy and security. Investigations by other watchdogs are ongoing.

The CNIL also said that it decided to make the notice public because of the seriousness of the privacy/security breaches and the fact that they affect so many French users: the commission said that there are more than 10 million users in French territory.

Microsoft isn’t the first US tech company to get one of these notices from the CNIL: in June 2015, it ordered Google to scrub search results globally in right-to-be-forgotten requests.

In February, it also gave Facebook 3 months to stop tracking non-users in France.

In a statement provided to Reuters, Microsoft vice president and deputy general counsel David Heiner said that the company will work with CNIL to develop “solutions that it will find acceptable.”
