Windows 10 users now have twice the amount of privacy, says French regulator


Last year the French National Data Protection Commission (CNIL) berated Microsoft for the collection of “irrelevant or excessive data” and issued a formal notice against the company.

The regulator then had five main complaints:

  • Irrelevant or excessive data collected
    The CNIL found that “collecting diagnostic and usage data via its telemetry service” was acceptable, but found that the default Windows 10 settings, which collect additional information, go too far. The complaint says collecting “information … on all the apps downloaded and installed on the system by a user and the time spent on each one” is “excessive.”
  • A lack of security
    This complaint says that securing a PC with a four-digit PIN is insecure because Windows does not limit the number of attempts to enter the PIN. With only 10,000 possible values, an unthrottled four-digit PIN can simply be guessed exhaustively.
  • Lack of individual consent
    According to this allegation, Microsoft’s advertising ID enables Windows apps and other parties’ apps to monitor browsing and offer targeted ads without proper consent.
  • Cookies
    The agency complains that Microsoft places cookies on users’ devices through its websites without sufficient consent.
  • Data transfer outside the EU
    CNIL says data from French Windows users is being transferred to the United States on a “Safe Harbor” basis, a practice that should have stopped after the Court of Justice of the European Union invalidated Safe Harbor in its decision of 6 October 2015.

In the interim Microsoft has made a number of changes to Windows 10 to address these complaints, including a new mandatory first-boot screen on which users are asked to make informed choices about their privacy settings.

Now the CNIL has issued a statement saying that Microsoft’s efforts have brought it “back into compliance”, by taking the following actions.

  • Irrelevant or excessive data collected
    The company has reduced by nearly half the volume of data collected under the “basic” level of its telemetry service, the level used to identify and resolve system problems. Collection at this level is now limited to the data strictly necessary to keep the system and applications in good working order and to ensure their security.
  • Lack of individual consent
    Users are now told, in clear and precise wording, that an advertising identifier is intended to track their browsing in order to serve them targeted advertising. In addition, the Windows 10 installation procedure has been modified: users cannot finish installation until they have chosen whether to enable or disable the advertising identifier, and they can revisit that choice at any time.
  • A lack of security
    The company has strengthened the four-digit PIN that users can set to authenticate to all of its online services, including their Microsoft accounts: overly common combinations are now rejected. In addition, after an incorrect entry the company now applies an authentication lockout (a temporary suspension of access whose duration increases with each further failed attempt).

In addition, Microsoft has also:

  • added the privacy notices required by article 32 of the French Data Protection Act (the “loi Informatique et Libertés”);
  • filed the required declarations with the CNIL for its fraud-prevention data processing;
  • joined the Privacy Shield framework to govern international transfers of personal data;
  • stopped setting cookies without first obtaining users’ consent on many of its Windows 10 websites, and has committed to do so for all of them by 30 September 2017.

Microsoft’s actions have been enough for the CNIL to close its formal notice, though Microsoft remains under close scrutiny by the Article 29 Working Party, a group made up of representatives of the data protection regulators of each European Union member state.

Are our privacy-minded readers satisfied by the halving of mandatory telemetry, or will any amount except 0 bytes be too much? Let us know below.