Microsoft butts heads with Dutch DPA over Windows 10 Privacy
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) released a report on October 13, 2017 in which it claimed that Microsoft breaches Dutch data protection laws with the company's Windows 10 operating system.
The Dutch DPA states in the report that it found multiple privacy violations in regards to Microsoft's Windows 10 operating system.
Key concerns expressed in the report are the creation of "intrusive" user profiles, a lack of transparency in regards to what data is collected, a lack of explanation to users when it comes to the data collecting, and the use of data to show personalized advertisement.
The report makes the following key claims:
- Collection of data "of a sensitive nature at the most limited (basic) level of telemetry, for example about the use of apps".
- At full Telemetry (default level), Microsoft collects web browsing data in Edge, content of hand written documents, and other information continuously.
- Default telemetry setting data used to show personalized advertisement and recommendations.
- Telemetry data is not necessary to run Windows 10.
- Users are not informed (enough, or clearly enough) about the data that Microsoft collects, and what the data may be used for.
The PDF document lists claims that the Dutch DPA made and Microsoft comments on these claims. Microsoft's main arguments are the following ones:
- Microsoft does inform users about data that it collects during setup, in the privacy statement, on its websites (including technical documentation on Telemetry data collecting).
- Telemetry data is needed by Microsoft engineers for investigation of Windows issues. Data collection changes over time depending on legitimate use cases.
- Microsoft is transparent when it comes to the purpose of data collecting for personalization (including tailored experiences which started in the Creators Update).
- Telemetry data is "highly technical data", data about things, and reveals "very little or nothing" about users.
- Handwritten content collecting is limited to "small samples of inking and typing input".
- Tailored Experiences use diagnostic data for personalization, but the advertisement ID does not.
Microsoft states that it does inform users sufficiently about the data that it collects, and about the impact of the privacy settings of the Windows 10 operating system. The Dutch DPA however stated that it believes that the information that is presented to users is not clear enough.
Windows 10 users need to click on "read more" links, or read the privacy statement to understand the extend of the data collecting. While users may do so, and even access detailed information about telemetry levels on Microsoft websites, it seems likely that most computer users won't do that (judging from past behavior when it comes to reading terms of service during installation or sign up).
Microsoft wants to work with the Dutch DPA however according to the blog post.
Now You: Are the claims valid? What is your opinion on this?Advertisement