The chair of France"s National Data Protection Commission (CNIL) has issued a formal notice to Microsoft letting it know that it collects far too much information and that its pin security is too deficient.
The CNIL"s “seven on-line observations in April and June” this year show that Microsoft"s Windows 10 doesn"t comply with the French Data Protection Act. The points highlighted include:
- Irrelevant or excessive data collected.
- A lack of security.
- Lack of individual consent.
- Lack of information and no option to block cookies.
- Data still being transferred outside the EU on a “safe harbour” basis.
CNIL said Microsoft is collecting usage data from Windows 10 systems about apps installed on machines and how long users spend on each one. CNIL says a lot of the data collected is not necessary “for the operating of the service.”
With regards to the lack of security, CNIL is concerned that Windows 10 allows users to choose a four character PIN to authenticate themselves to use their Microsoft account. It notes that the attempts to enter the PIN are not limited meaning information is not secure or confidential. CNIL says that the PIN should be suspended after 20 attempts to login rather than requiring the user to just reboot the machine every five attempts; if the PIN is suspended the user could log back in with their actual password, which is more secure.
The advertising ID which is linked to users was also an issue for CNIL, they said:
“An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties" apps to monitor user browsing and to offer target advertising without obtaining users" consent.”
CNIL sums up saying:
“The company [Microsoft] is transferring its account holders" personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.”
The body has given Microsoft three months to comply with the data protection act, CNIL says this is a formal notice and Microsoft hasn"t yet been sanctioned for non-compliance. If Microsoft fails to comply in the timescale given, “the Chair may appoint an internal investigator, who could draw up a report proposing that the CNIL"s restricted committee responsible for examining breaches of the Data Protection Act” issue a sanction against Microsoft.
Microsoft VP and deputy general counsel, David Heiner said:
“We [Microsoft] will work closely with the CNIL over the next few months to understand the agency"s concerns fully and to work toward solutions that it will find acceptable.”
Source: Tech Republic