France’s National Data Protection Commission has formally warned Microsoft that its data collection practices in Windows 10 are in violation of French law. The group has already served Microsoft with a notification of its findings, but waited three weeks before making the determination public.
The complaint lists several Windows practices that the French investigation found to be inadequate. When Windows 10 is installed, an advertising ID is created by default and activated across all user accounts. There’s no information given on how the data used to create a Microsoft account is used or protected. It also dinged the company for collecting telemetry by default, and for the four-digit PIN Microsoft uses to provide additional security. Once entered, the PIN continues to authenticate to Microsoft services, even if the browser is closed and reopened. Repeatedly entering an incorrect PIN does not trigger a PIN reset; the team was able to enter an incorrect PIN 20 times in a row and still authenticate the original digits.
Microsoft’s telemetry practices have come under fire in the United States, since it’s impossible to turn the feature off unless you have the Enterprise, Education, Mobile Enterprise, IoT Standard, or Server 2016 Technical Preview version of the OS. These versions provide a fourth telemetry-gathering option, “Security,” which relays “only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates.” The existence of this fourth level, according to the French, “confirms that most of the data included in the basic level are not essential for the system to operate, so collecting such data is excessive with respect to this purpose.”
Because this telemetry gathering is excessive by definition, Microsoft is in breach of the Data Protection Act. It also fails to inform users of exactly which data Microsoft stores and collects or how that information is used. Microsoft’s unique advertising ID is active by default and is therefore in breach of the Data Protection Act as well.
While Microsoft’s practices and data gathering have been criticized by multiple sources over the past year, this is more of an administrative finding than a judicial complaint. This report gives Microsoft three months to solve the problem before it faces the prospects of fines, but the fines only amount to $1.66 million USD. That’s basically equivalent to the loose change in Satya Nadella’s couch.
Microsoft has already commented on the situation via a statement to VentureBeat. The company has promised to work with the French watchdog to resolve these issues and affirmed that it is fully committed to resolving the organization’s problems in a way that respects EU law.