News

Windows 10 Runs Afoul of Dutch Privacy Regulations

• By Kurt Mackie
• October 13, 2017

Microsoft's privacy features in the Home and Pro editions of the Windows 10 "Anniversary Update" and the "Creators Update" were found to violate privacy laws set forth by the the Dutch Data Protection Authority (DPA).

The DPA, also known as Autoriteit Persoonsgegevens, published a notice Thursday stating conclusions from an August report. It found that Microsoft isn't being clear about its use of the data it collects. Consequently, users lack the ability to grant consent through Windows 10's settings. If Microsoft doesn't end the violations of the country's data protection law, then "the Dutch DPA can decide to impose a sanction on Microsoft," the notice indicated.

The Dutch DPA's researchers ran tests to compile their findings, but they had to rely on an internally used Microsoft tool to get some of the technical data because "Microsoft does not provide users access to the telemetry data collected on the device or sent to Microsoft," according to the August report (PDF). The telemetry information is difficult to track.

"After the installation, it is impossible, even for technically advanced system operators, to trace what personal data Microsoft is actually collecting via telemetry," the researchers noted, "Let alone for average users."

The researchers had limited access time to use Microsoft's tool. Moreover, the tool "doesn't capture telemetry data collected during start-up and install," the report noted.

Despite those limitations, the Dutch DPA researchers found multiple privacy concerns, especially with the "Full telemetry" privacy option turned on (Microsoft has been offering two privacy options, "Basic" and "Full," since the release of the Windows 10 Creators Update). The Full option collects "detailed information about app usage, as well as data about websurfing behaviour through Edge and (parts of) the content of handwritten documents (via an inkpad)," the researchers noted. In addition, the Full level is turned on by default, forcing users to opt out. There were many other claims in the nine-page report.

Microsoft's Response
Microsoft published a response saying that Microsoft has been "on a journey" since the launch of Windows 10. It has already reconciled privacy concerns with "Swiss and French data protection authorities," and it has a priority to be "compliant under Dutch law," too.

France's data protection commission had issued complaints last year about Windows 10's privacy, but indicated in June of this year that Microsoft had complied with its objections. Specifically, Microsoft now informs users about advertising IDs and it strengthened its PIN security, among other details.

Microsoft, while saying it is seeking to be compliant with Dutch law, also questioned the accuracy of the Dutch DPA's claims.

"We have also shared specific concerns with the Dutch DPA about the accuracy of some of its findings and conclusions," wrote Marisa Rogers, Microsoft privacy officer for the Windows and Devices Group, in Microsoft's response. "A summary of the points in the DPA's announcement, which we believe do not accurately reflect the data protection compliance of Windows 10 Home and Windows 10 Pro under Dutch law, can be found here."

However, it seems that Microsoft's rebuttals are mostly confirmations of the Dutch DPA report's claims. For instance, regarding the collection of Web surfing behavior, Microsoft's "Fact Sheet" rebuttal stated that "If the user selects 'Accept' on this screen [regarding the sending of diagnostic data], it's true that we will collect data about the use of apps and surfing behavior through the browser Edge."

The Dutch DPA also found that Windows 10 was sending telemetry information that wasn't described in Microsoft's documentation. Examples included a "deviceID" devices identifier, a "customDeviceId," the "contents belonging to a hyperlink," "referrer URLs" and "when tabs are closed," among others. Microsoft also tracks the news articles that are read by users, although that information collection process not documented, according to the report.

New Privacy Additions
Rogers noted that Microsoft improved its privacy communications earlier this year. It added a Privacy Dashboard, and "new privacy features." In an announcement, she also described new privacy enhancements that will be coming in the Windows 10 "Fall Creators Update," which is scheduled to arrive on Oct. 17.

In the Windows 10 Fall Creators Update, Microsoft will add "direct access to the Privacy Statement within the setup process." Also, the Privacy Screen interface for selecting privacy options will have a "Learn More page" so that users can "jump to specific settings for location, speech recognition, diagnostics, tailored experiences, and ads while you choose your privacy settings," the announcement explained. The "tailored experiences" phrase refers to how advertisements get served up to end users.

The Windows 10 Fall Creators Update also will start prompting users before an application can gain access to device capabilities, "such as your camera, microphone, contacts, and calendar, among others," Microsoft's announcement explained. However, it confusingly added, "App permission prompts will only apply to apps installed after the Fall Creators Update."

For enterprise customers, Microsoft will be "providing a new setting that limits diagnostic data to the minimum required for Windows Analytics." Windows Analytics is Microsoft's management service for public clouds that also tracks PC use data in computing environments. It's not clear from the announcement whether this enterprise privacy feature will be arriving with the Windows 10 Fall Creators Update, or whether it will be added later.