ITsecurity
twitter facebook rss

Serving Formal Notice to Microsoft Corporation

Posted by on July 23, 2016.

Just three days after my last post on Windows 10 privacy issues, The Chair of the National Data Protection Commission keyboard-895556_640(CNIL) issued a formal notice on Microsoft Corporation to stop collecting excessive data. The formal notice gave Microsoft Corporation three months to comply with the French Data Protection Act.

The CNIL found that Microsoft was collecting diagnostic and usage data via its telemetry service and much of that data was not necessary to identify problems or to improve products. One has to wonder how to split the line between identifying problems and privacy invasion in the first place.

It also found that data is still being transferred outside the EU on a “safe harbor” basis. CNIL noted that this practice has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.

An Investigative Team utilized Windows 10 Home 1511 and Pro 1511 for research. Some of the findings include:

  • Windows 10 installed an advertising ID by default
  • 13 cookies were installed as soon as one accesses the Microsoft privacy statement
  • Using the PIN login option does not lock the account on failed entry, even after 20 tries
  • Personal data is being transferred to the US on a “Safe Harbor” basis

It seems the CNIL has thrown the book at Microsoft, citing:

  • MS breached the obligation to inform individuals (but not us at ITSecurity.co.uk)
  • MS breached Article 32.II of the Data Protection Act
  • MS breached the obligation to obtain prior consent
  • MS breached the obligation to ensure data security
  • MS breached the obligation to have legal basis for transferring data outside the EU

And on the telemetry data grab they had this to say:

“[Microsoft] Breached the obligation to ensure that the data concerned are appropriate, relevant and not excessive.”


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Martin Zinaich | Tags: ,