Microsoft butts heads with Dutch DPA over Windows 10 Privacy
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) released a report on October 13, 2017 in which it claimed that Microsoft breaches Dutch data protection laws with the company's Windows 10 operating system.
The Dutch DPA states in the report that it found multiple privacy violations regarding Microsoft's Windows 10 operating system.
Key concerns expressed in the report are the creation of "intrusive" user profiles, a lack of transparency about what data is collected, a lack of explanation to users about the data collection, and the use of the data to show personalized advertisements.
The report makes the following key claims:
- Collection of data "of a sensitive nature at the most limited (basic) level of telemetry, for example about the use of apps".
- At Full telemetry (the default level), Microsoft continuously collects web browsing data in Edge, the content of handwritten documents, and other information.
- Data collected at the default telemetry setting is used to show personalized advertisements and recommendations.
- Telemetry data is not necessary to run Windows 10.
- Users are not informed (enough, or clearly enough) about the data that Microsoft collects, and what the data may be used for.
Microsoft published two responses to the report: first on its Dutch Microsoft Pulse blog, and then as a claim-and-response type of document here (PDF).
The PDF document lists the claims that the Dutch DPA made, and Microsoft comments on each of them. Microsoft's main arguments are the following:
- Microsoft does inform users about the data it collects: during setup, in the privacy statement, and on its websites (including technical documentation on telemetry data collection).
- Telemetry data is needed by Microsoft engineers for investigation of Windows issues. Data collection changes over time depending on legitimate use cases.
- Microsoft is transparent about the purpose of data collection for personalization (including Tailored Experiences, which were introduced in the Creators Update).
- Telemetry data is "highly technical data", data about things, and reveals "very little or nothing" about users.
- Collection of handwritten content is limited to "small samples of inking and typing input".
- Tailored Experiences use diagnostic data for personalization, but the advertisement ID does not.
Microsoft states that it informs users sufficiently about the data it collects and about the impact of the privacy settings of the Windows 10 operating system. The Dutch DPA, however, stated that it believes the information presented to users is not clear enough.
Windows 10 users need to click on "read more" links, or read the privacy statement, to understand the extent of the data collection. While users may do so, and may even access detailed information about telemetry levels on Microsoft websites, it seems likely that most computer users won't (judging from past behavior when it comes to reading terms of service during installation or sign-up).
According to the blog post, Microsoft nevertheless wants to work with the Dutch DPA.
Now You: Are the claims valid? What is your opinion on this?
At the same time the Dutch government accepts its own expanded spying on Dutch citizens...
Yes, very much so.
Fortunately there’s going to be a referendum on the subject held on March 21 next year although it isn’t binding in law unfortunately: https://www.loc.gov/law/foreign-news/article/netherlands-referendum-to-be-held-on-surveillance-law/
Also, I’m wondering if the EU law on Data Protection Reform passed last year offers any hope to have the Dutch surveillance law nullified: http://www.europarl.europa.eu/news/en/press-room/20160407IPR21776/data-protection-reform-parliament-approves-new-rules-fit-for-the-digital-era
Interesting article on Reuters today concerning hacking of Microsoft’s bug tracking database which took place in 2013: https://uk.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUKKBN1CM0D0
Makes you wonder if all the data they're siphoning in from ordinary users these days is safe in their hands.
Why did M$ impose mandatory and cumulative updates/upgrades for Win 10, unlike Win 8.1/7, MacOS and Linux?
Why did M$ impose mandatory Telemetry & Data collection for Win 10, unlike Win 8.1/7, MacOS and Linux?
Windows has about 90% desktop market share in the world today (in 2024 also?). More than likely, Win 10 is NSA/CIA spyware. Why? Eg M$ helps the US government spy on their users, and the US government helps M$ make more profit$ and grants them immunity from prosecution, like what has been done by the Dutch and French governments; eg the US Department of Defense was among the first US agencies to adopt Win 10...
https://www.theverge.com/2016/2/17/11031508/us-department-of-defense-windows-10-upgrade
Not only do you need to pay for the OS, but it spies on you too! That’s what we call “late-stage capitalism”. Once one entity gets big enough and becomes a monopoly that the vast majority of users are stuck with, they implement unwanted policies on the public whether the public wants it or not, without an “off” switch. See also, the recent decision that ISPs can data-mine and sell browsing data of customers in the US.
And the only reason the US and friends don’t speak out against Microsoft, is because Microsoft is sharing all the data that is collected with them.
Tommy won’t rat on Jimmy for swiping cookies from the cookie jar, as long as Jimmy shares the cookies with Tommy!
As a user who is sick of this madness, I switched to Debian. They aren’t out to make higher profits every quarter, so they don’t have any reason to invade my privacy for an extra fifty cents.
For more than 20 years I have been thinking that firms like Apple, Microsoft and firms like that (also think Philip Morris (think cancer), Coca-Cola (think e-products and sucker)) have to come to the International Court of Justice to explain why they're making money for their shareholders the way they do, and not satisfying their customers first and then their shareholders.
And not in the never-ending way of no result, like it's been going for decades already, with fines which the companies can write off on their tax returns.
No, it's crystal clear to me that the only way is not only to convict the shareholders and directors but also to sell the company to the citizens of the European Union (or the world, wherever the company does its business), rather than going on for another 100 years of minimal results.
https://europa.eu/european-union/about-eu/institutions-bodies/court-justice_en
https://en.wikipedia.org/wiki/International_Court_of_Justice
“Telemetry data … reveals “very little or nothing” about users”
There is no "may or may not, just a little, I swear to God", etc. in a court. Only YES or NO, truth or lie.
So it means:
Yes, telemetry data reveals something about users.
Next question is:
Can you show us some of these data dear M$ just to be sure that they are “nothing”?
Martin posted an article called "Windows 10 Full and Basic Telemetry Data collection information" on 6 July, 2017. When you look at what's being collected, it's hard to believe MS couldn't generate a fairly complete picture of the person using the system.
see…
https://www.ghacks.net/2017/04/06/windows-10-full-and-basic-telemetry-data-collection-information/
When I read something like “Handwritten content collecting is limited to “small samples of inking and typing input”, I start thinking extended biometric identification.
I don’t trust MS anymore.
Microsoft maintains that Windows 10 users were informed about privacy issues and that they agreed to them when they installed the OS. However, a 45-page EULA can hardly be construed as being informative, especially when it can only be read in a small window which forms part of the installation procedure and was probably written in legal terms which only those in the profession would likely understand.
I wonder though whether the Dutch Authority is using the powers it has under current national law or those which will apply come May 25, 2018 when the General Data Protection Regulation becomes law EU wide: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Either way, Microsoft is going to be forced into a corner with no escape very soon.
The U.S. Supreme Court case involves law enforcement wanting to access an email account on a server in Ireland. MS argues that it cannot be compelled to provide access to something stored outside the U.S.
========================
Justice Department lawyer Jeffrey Wall said Microsoft could easily retrieve the information “domestically (from Redmond) with the click of a computer mouse.”
https://www.nbcnews.com/politics/supreme-court/microsoft-feds-email-privacy-showdown-supreme-court-n811106
========================
If MS can access email contents that easily on their MSN/Hotmail accounts, then they can use those emails to create a profile of the user.
I dropped Hotmail when MS started demanding a phone number/alternate email account. Basically that allows MS to create a database of email accounts cross-referenced to phone numbers (which, at some point, have names attached to them). In my opinion, MS is after every bit of personal info it can glean from its users which can be marketed – up to and including “personally identifiable information.”
I admit I dropped Hotmail a number of years ago and have no idea if their policy is the same.
@TelV
“By the way, if you use Firefox check the storage/default folder in your profile daily because Microsoft uses IndexedDB to keep an eye on you.”
What are you talking about, MS has a folder in storage/default? Is it a folder from a website? Just curious. I’m using Win7 Pro on this computer and I have never ever seen a MS folder in storage/default in Pale Moon, Waterfox, Firefox, or in Nightly. Is Win 8.1 really that effed up? :-D
Starting with Firefox v56 and newer you can automatically clear indexedDB from the storage/default folder. Pale Moon clears it also. In FF go to menu/Options/Privacy & Security/History – check the box for ‘Clear History when Firefox closes’ – Settings – check the box for “Offline Website Data”. The moz-extensions folders for webextension settings will be what remains.
If you use CCleaner you can also use it to remove a file or folder.
https://s1.postimg.org/7soj73jga7/CCleaner_file_folder_removal.png
I have a Hotmail account, but never use it. But I have to maintain it because I have a Windows 8.1 machine. That in turn means a user has to login with a Microsoft account in order to gain entry to the Windows store. I use a local account to log in to the PC though.
By the way, if you use Firefox check the storage/default folder in your profile daily because Microsoft uses IndexedDB to keep an eye on you.
Legally, you can’t agree to something when you know very little about what the other party intends.
It's like giving someone permission to use your house, and a week later there's a parking lot where your house used to be. You say to them "I only gave you permission to use my house" and their reply is "we did use your house, we used your house to make a parking lot. You gave us the permission to do it."
No one can give consent to ‘anything’ if they don’t know what that ‘anything’ entails. Obviously governments have been turning a blind eye and ignoring these legal realities.
@TelV –>
Legally, you can't consent to the collection of data where you don't know what data is actually being collected. It is not possible to give legally valid consent.
Subsequently, the EULA isn't worth anything. This is the law in nearly all countries and what the Dutch authorities have stated quite obviously. The same basic legal standards apply in most countries.
Nearly all users do not believe the EULA means ‘we will strip any data that we like from your computer’. The EULA states that Microsoft can access any file on your system where it deems that it may breach some law in some country. This means that Microsoft can take literally anything from your computer for some ‘valid’ reason.
Is that the EULA that you think you gave permission for?
The Windows 10 EULA isn’t written in vague terms though. It states quite clearly in Article 3 that the user consents to use of the data which Microsoft collects (regardless of the reason why they do so). It’s debatable whether users can subsequently suggest that they didn’t understand what that meant: https://www.microsoft.com/en-us/Useterms/Retail/Windows/10/UseTerms_Retail_Windows_10_English.htm
But there’s a case due before the Supreme Court shortly concerning privacy related email storage so it’ll be interesting to see what transpires from that: https://www.washingtonpost.com/politics/courts_law/supreme-court-to-consider-major-digital-privacy-case-on-microsoft-email-storage/2017/10/16/b1e74936-b278-11e7-be94-fabb0f1e9ffb_story.html?tid=a_breakingnews
Only use Windows 10 in VirtualBox on Linux with internet connection to Windows 10 VM turned off.
Windows VM for Windows software.
Wine Staging for Windows games.
Linux for everything else.
That's the biggest issue. People often wanna play new games. Gaming is limited for Linux. I think the main reason is money. Everything in this world surrounds money and business.
When it comes to Microsoft.. my opinion is transparent.
I predict the Dutch DPA will eventually be taking on Firefox over privacy too.
Good. No company should have any access to your data without your knowledge and consent. They’ve gotten away with it so far because the average person doesn’t understand the technology or the ramifications.
Why Firefox? It can collect some telemetry about performance but it can be completely turned off in the settings.
Chrome OS and Google Search, Android and every other system which collects private information are the ones that need to be turned off.
These companies are taking advantage of people.
As a Dutchman I am happy to live in a country where at least some instances are concerned about individual online privacy, even when they do not nearly enough. Don’t forget that when you roam online while logged in to Google or Facebook, or when you use an Android phone without modifications, you’re being spied upon in an even worse way that what Microsoft does. So what the DPA tries to do here is good, but it also is too little, too late.
Also don’t forget that those spying companies are not the only ones who actively keep endangering our fundamental right to online privacy. Governments can be equally bad, especially under the guise of “fight against terrorism” which they think justifies all means, even the worst. The same Dutch government is planning right now a new “drag net” law which would allow them (police, secret services, etc.) to monitor not just actual suspects online: it would allow them to collect and save detailed data about __everyone’s__ online behavior, indiscriminately, in the hope that data analysis may help them to discover suspect activities.
Luckily, a part of the public is slowly waking up to the problem. A spontaneous Dutch citizen’s initiative did in just a few weeks time collect the over 300.000 signatures needed to force a formal referendum about the “drag net law” proposal, meaning that next year we will get an opportunity to vote “yes” or “no” about it (although the government still could ignore the outcome of such a referendum).
I do hope that people will gradually awaken to the fact that nearly all software nowadays is spyware, unless you curtail it with the help of firewalls, block lists, stringent cookie destruction settings, and so on. The more citizens begin to publicly express concerns about their privacy, the more official institutions such as the DPA may be pushed towards to taking a little more protective action.
This DPA initiative still is a local one, and therefore very limited in scope and power. So I also hope that the European Union, which has already shown a few weak efforts in the right direction, will gradually begin to develop a more unified and more powerful legislature to protect the privacy of citizens all over Europe.
But as long as most people seem to be willing (even eager) to give software companies detailed insight into their browsing, traveling, eating and sleeping habits (and all this in exchange for ease-of-use plus the possibility to share cat photos), I remain deeply worried and pessimistic about the future that lies in store for us.
Henk, In the US and Great Britain, the NSA & GCHQ, respectively, already collect everything through a project called PRISM, and a couple of others. Everything from cell phones, to Internet, to regular landlines are recorded, catalogued, and stored. And that’s just the government.
Amazon’s Echo and the Google Home also record everything, catalogue it and then resell the contents for profit. http://bit.ly/2imM3iz
Big Brother is here whether we realize it or not.
Good comment.
Countries should be working for the benefit of its citizens, not for the benefit of multinationals.
The western governments may be weak, but the Chinese government is not. MS had to develop a special version for them.
Type ‘win 10 china’ into your browser search box and read the blogs.
The Chinese government started by banning Windows 8 for the spyware and then Windows 10 for the same reason.
Do you know Microsoft bowed to China and made a spyware-free version of Windows 10 for Chinese use? Meanwhile, us in the so-called "free world" are subjected to all this tech company spying and pay-to-use "software as a service" extortion schemes where we cannot actually own the software we buy anymore. They've pretty much already convicted themselves by admitting to China that the spying mechanisms within Windows indeed exist; they have no chance in European court. Hopefully Communist America will follow after that!
Kudos to the European government, they’re more willing to fight Microsoft’s ugly behavior.
Luckily, there’s no European government.
Unfortunately there is. Ever heard of EU?
The comment means a government FROM Europe, not a government OF Europe.
Finally some long awaited reactions start brewing: France, Commissioner Ms Vestager, now the Netherlands. But it's all much too slow, weak and overly polite. Such crappy companies need more powerful actions, and the public does need much more protection by their governments.
And then again such an infantile reaction from that m$. Why would their engineers need to know the content you type in your documents, or what you search on the internet?
In what way will that knowledge make their software any better? Are they too dumb to test their products by themselves? And can't they really be polite and good-mannered enough to just ask their users for the input they eventually would want to communicate?
At this point in time it's pretty much a given that Windows has lost any semblance of being an OS that can be used safely by governments, NGOs, and businesses; it's taken less than 2 years to destroy what took over a decade to build.
Spot on – I wouldn’t touch it with a 10 foot pole.