July 20, 2016

Microsoft's troubles begin in earnest

I figured that this would happen sooner or later, and it seems that today's the day.

From CBC News:
Microsoft's Windows 10 operating system collects "excessive" data on users, violates privacy laws in "numerous" ways and must be fixed within three months, France's national data privacy watchdog announced Wednesday.
The findings could herald decisions expected in the coming months in Canada and other European countries over an operating system that has raised a rash of privacy concerns about how it tracks users.
France's Commission Nationale de l'Informatique et des Libertés (National Commission for Information Technology and Civil Liberties, or CNIL in French) says in a notice posted online today that it has warned Microsoft about the breaches and the software giant could be penalized if it doesn't "cease the excessive collection of users' data and browsing history without their consent."
The agency alleges Microsoft is violating France's data privacy law by:
  • Using Windows 10 to track all the programs users install on their system and the amount of time they spend using each one.
  • Allowing users to set a relatively weak, four-digit PIN code to access online services, including online payment history, without capping the number of incorrect PIN attempts before someone is locked out of the account.
  • Targeting users with Microsoft and third-party advertising based on their browsing history, without prior user consent.
  • Tracking and targeting users with browser cookies without informing them or implementing an opt-out.
  • Transmitting personal information back to the United States, where Microsoft is headquartered, under the auspices of the EU-U.S. "safe harbour" agreement, despite a decision last October by the European Court of Justice ruling the agreement invalid.
Prompted by media reports and letters from several French political parties, France's data privacy agency began looking into Windows 10 shortly after the operating system launched in July 2015.
The agency is considered one of the toughest in Europe and has already gone after Google over the European Union's "right to be forgotten" rule.
Other European national privacy watchdogs are also looking at Windows 10, as is the Office of the Privacy Commissioner of Canada.
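The second item in CNIL's list is a concrete security point: a four-digit PIN has only 10,000 possible values, so without a cap on failed attempts the whole keyspace is reachable by anyone who can keep submitting guesses. The following is an added example (not code from CBC, CNIL or Microsoft, and not a description of how Windows 10 actually implements its PIN) showing the control CNIL says was missing: a server-side PIN check that counts failures and locks the account, plus a helper that quantifies what the cap buys. The policy values (five attempts, fifteen-minute lockout) and the account class are constructed for illustration.

```python
"""
Constructed example: PIN verification with a failed-attempt cap and lockout.
The policy numbers below are assumptions chosen for the example, not any
vendor's real settings.
"""
import hashlib
import hmac
import os
import time

PIN_SPACE = 10 ** 4          # a four-decimal-digit PIN has 10,000 values
MAX_ATTEMPTS = 5             # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60    # assumed policy: how long the lockout lasts


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a copied credential store does not expose PINs
    # directly; the online guessing limit is still the attempt cap, not this.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinAccount:
    """One account protected by a PIN, with lockout state kept server-side."""

    def __init__(self, pin: str, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.failed = 0
        self.locked_until = 0.0
        self.clock = clock           # injectable so tests can control time

    def is_locked(self) -> bool:
        return self.clock() < self.locked_until

    def verify(self, attempt: str) -> str:
        """Return 'ok', 'bad_pin' or 'locked'."""
        if self.is_locked():
            # Refuse before evaluating the guess: a locked account gives the
            # caller no information about whether the PIN was right.
            return "locked"
        if hmac.compare_digest(hash_pin(attempt, self.salt), self.pin_hash):
            self.failed = 0          # success resets the counter
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
        return "bad_pin"


def online_guess_bound(attempt_cap):
    """Worst-case probability that a guesser hits a uniformly random four-digit
    PIN within the allowed attempts. None means no cap: every PIN is reachable."""
    if attempt_cap is None:
        return 1.0
    return min(attempt_cap, PIN_SPACE) / PIN_SPACE


if __name__ == "__main__":
    acct = PinAccount("1234")
    for guess in ["0000", "1111", "2222", "3333", "4444", "1234"]:
        print(guess, "->", acct.verify(guess))
    print("uncapped:", online_guess_bound(None))
    print("capped at", MAX_ATTEMPTS, ":", online_guess_bound(MAX_ATTEMPTS))
```

The point the numbers make: with no cap the guess bound is 1.0 (the attacker simply enumerates all 10,000 PINs), while a cap of five attempts per lockout window reduces a single window's success chance to 0.0005. The lockout is stored with the account rather than in the client, since a client-side counter is trivially bypassed by reconnecting.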
The story is blowing up online, with coverage on Bloomberg, The Register, WinBeta, and ZDNet, to name a few. Naturally, WinBeta has given the most space to Microsoft's response:
“Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.
“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.
“The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from the European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both sides of the Atlantic that led to last week’s adoption of the Privacy Shield.
“As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield.
“As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.
“Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.”
In short, Microsoft is committed to preserving the privacy and security of its customers’ data and has built Windows 10 around protecting that data, and will be working with the CNIL to address its concerns. An updated privacy statement will be coming from Microsoft in August, confirming Microsoft’s intention to adopt the European Commission’s Privacy Shield, for which the company has already expressed support.
A couple of things here:


1. The "safe harbour" part of CNIL's charges is the smallest part, and adopting Privacy Shield will do nothing to address the rest of CNIL's concerns. The fact that Microsoft supports Privacy Shield does not mean that Windows 10's data collection isn't extreme to the point of possible illegality. Privacy Shield is all about preventing data collected about EU citizens from being transferred from corporations in the EU to, for example, the NSA; it protects the rights of Europeans whose personal data is transferred to the US, and it's necessary because U.S. data protection laws aren't on par with the EU's (more detailed analysis here). It doesn't protect Europeans from overreaching corporations, however, in the EU or anywhere else, because that's not its purpose.

2. Windows 10's much-hyped security features are worthless when Windows itself behaves like malware. The French charge is that Microsoft's commitment to preserving the privacy and security of its customers' data stops abruptly when Microsoft themselves want to monetize that same data -- that they're harvesting data to which they have no legal right, and they're doing it for the sole benefit of Microsoft.

Microsoft's "response" is pure smoke, intended to confuse the issues just enough to keep shareholders from panicking. In the meantime, they're busy negotiating behind the scenes, trying to avoid expensive litigation that they're almost certain to lose, and the significantly higher penalties that come from fighting this sort of regulatory action in court. There seems to be little doubt that Microsoft is in the wrong here, something that people have been trying to warn them about for months.

Remember when Microsoft's worst legal problem looked to be the possibility that New York's AG might file a lawsuit against them for overly-aggressive GWX tactics? Hard to believe that was only ten days ago, isn't it?

The GWX campaign is coming to an end in only nine days, and Microsoft is still desperately flogging their deeply flawed product:



The one thing that they could have done, though, which might have convinced a significant chunk of those Windows 7 holdouts to make the switch, while also avoiding the regulatory action with which they've just been hit by CNIL, was fixing the privacy issues with the product. Seriously, if they'd just fixed the damn thing when those privacy issues were first raised, months ago, they wouldn't be in this mess.

But Microsoft didn't want to, and didn't figure that the rules on this applied to a fish as big as they are, so they didn't -- they just tried every other dirty, underhanded trick in the book instead, to trick or outright coerce people into switching. I've got to admit, it feels pretty damn satisfying to see them finally getting what they deserve for treating their customers so shabbily.

Lots more to come on Redmond's Windows 10-related legal woes, I'm sure, and you can bet I'll be watching. With popcorn.