Dutch Data Protection Agency Says Windows 10 Still Violates Privacy

Posted on August 28, 2019 by Paul Thurrott in Windows 10 with 28 Comments

The Dutch Data Protection Agency (DDA) announced today that Windows 10 is still in violation of European Union privacy laws. And it is requesting further changes to the ways in which Windows 10 collects data.

Although Microsoft complied with previous requests regarding the rampant data collection in Windows 10, a recent “check brought to light that Microsoft is remotely collecting other data from users,” a DDA statement notes. “As a result, Microsoft is still potentially in breach of privacy rules.”

The DDA forwarded its findings to its Irish counterpart, the Irish Data Protection Committee (DPC).

“The DPC has had preliminary engagement with Microsoft and, with the assistance of the Dutch authority, we will shortly be engaging further with Microsoft to seek substantive responses on the concerns raised,” a DPC statement adds.

Microsoft continues to say it is committed to its users’ privacy and that it has improved the privacy protections in Windows 10 over the past few years.

“We welcome the opportunity to improve even more the tools and choices we offer to these users,” a Microsoft statement says in response to the charges.

Ah boy. Here we go again: More tools and choices.

Microsoft’s response to EU privacy concerns has always been consistent: The firm keeps adding new privacy interfaces to the system that don’t actually change what Windows 10 collects, but rather simply better document it. I call this behavior “privacy theater” as it’s the technological equivalent of waving one’s hands to redirect the viewer’s attention.

Windows 10’s data collection is, of course, mostly benign and designed to provide Microsoft with the data it needs to improve its platform. But the software giant could make all of these problems go away by simply giving users a way to turn off data collection. It has steadfastly refused to do so, regardless of the number of Windows 10 users (now over 830 million) and even though most users would obviously just leave data collection on, unaware of the issue.

Instead, we get privacy theater. So we can look forward to more “tools and choices”—further complicating the user experience—instead of meaningful change.


Comments (28)


  1. proesterchen

    From a privacy standpoint, making any and all data collection subject to an informed opt-in by the user is the absolute least data protection agencies across Europe should be arguing for.

    The fact that companies the world over try to avoid opt-ins like the plague should tell you just how below-market the price is that they are currently able to pay you to acquire your data.

    • wright_is

      In reply to proesterchen:

      That is written into law. All data collection must be opt-in and you can't refuse anyone service if they refuse to hand over their personal data. (Obviously there are exceptions, such as telephone, rental etc. contracts, where certain personal information is required.)

      Also, all information collected can only be used for the explicit purpose that has been declared. Therefore, for example, if a telephone hotline says they use audio recordings of conversations for training purposes, they can't later use it in court.

      Online advertising providers are having a hard time of it as well, before they can use a tracking cookie, they must get explicit permission to set it. The problem is, if they did that, people would know they are being tracked...

      • lvthunder

        In reply to wright_is:

        So that's why there is that stupid cookie banner on every website. Thanks EU.

        So you mean to tell me if I call a telephone hotline and say something to them and then I sue them the company can't use the recording of that call to defend themselves. That's a pretty lame law.

        • AnOldAmigaUser

          In reply to lvthunder:

          While I have no love of the stupid cookie banners, I will thank the EU for looking out for the individual, since our government will not. Sad.

          Actually, the law, in almost all cases, should favor the individual over the corporation or government entity, as the playing field is already tilted heavily against the individual.

          That said, your example misses the point. The recording, prior to the conversation, which tells you that the recording is for training and quality purposes, can simply be changed to add a clause that the recording, or a transcript will be retained as a record that could be used in court. That is not an onerous requirement.

          Of course, if you are calling with a complaint that is not addressed, and later decide to sue the company over that issue, the recording should show that they did not actually act on the complaint...unless you are in the habit of bringing frivolous lawsuits.

        • wright_is

          In reply to lvthunder:

          Why is it lame? They have said it is used for training purposes, they never said they were making the recording to indemnify themselves...

  2. nfeed2000t

    When I click the Windows icon and search for a program or local file, my text gets sent to Microsoft. I as a consumer don't want to share data and I would assume an enterprise doesn't wish to share data with Microsoft.

  3. doug betts

    I wouldn’t call the data being collected benign; I call it important. Among other things it must include information about how Windows is performing under different hardware configurations.

    The fact that GDPR wants no information collected unless the user consents is disturbing to me because it will hamper Microsoft’s ability to discover and fix problems quickly.

    I think Microsoft does not want to declare what is being collected because it would complicate the process of collecting said information and slow everything down. It’s difficult to be quick and nimble at their size and caving to more complications would be counterproductive and once they start that path they must be thinking what’s next.

    Where are the white hat hackers? Are they not capable of reverse engineering the data stream coming from a computer to determine what information is being sent to Microsoft? Or have they already done that and they don’t want to tell us because they see it’s benign and they generally are Anti-corporation anyway.

    • Greg Green

      In reply to doug betts:

      User data was used to justify nearly every aspect of Windows 8. Obviously MS is using the data wrong. That’s another reason not to let them have the data.

    • proesterchen

      In reply to doug betts:

      If Microsoft desire user information for the benefit of their product(s) and company, they are free to offer incentives to people for sharing their data.

      For some people, promises to improve the Microsoft products they are currently using may be enough to hand over their personal data. For others, not so much.

      Point is: the data is the user's to share or not, not Microsoft's.

    • Stooks

      In reply to doug betts:

      All collection of data on all platforms from all vendors should be opt in...period. All of them should have a simple on/off switch.

      I gladly give Microsoft my data because I do believe they are using it to make their products better....but it needs to be consented to before it is given.

  4. kshsystems

    The EU is after the ultimate in privacy by default, and Microsoft wants to ensure platform debugging information by default.

    The two goals don't seem to be compatible with each other.

  5. dontbeevil

    cool... but now focus also on google

  6. justme

    Honestly, all I want is an off switch.

    EDIT: An off switch Microsoft will respect. I do NOT want Microsoft to arbitrarily turn the switch on every time Windows updates itself.

    I understand and respect that there are plenty of folks happy to share data with Microsoft. Me, I would like the choice - if I share with Microsoft, it's because I *choose* to, not because I *must*. Benign or not, it should be the user's decision to share, not Microsoft's.

    One common defense of Microsoft's telemetry collection is that it helps to improve Windows. If that is the case, why doesn't Microsoft restrict their data collection to its Insiders and leave the rest of the user base out of it. After all, Insiders generally WANT to help improve Windows. Improving Windows is the whole reason the Insiders program exists.

    Do you know if there is a list anywhere of the improvements to Windows their telemetry collection has led to?

  7. wright_is

    Or, to be compliant with EU law, turn off all data collection by default and ask the user if they want to turn it on.

    Interestingly, I posted last time around that disabling the service "DiagTrack" (“User experience and telemetry in connected mode”) in the Services dialog. After the upgrade to 1903, Windows automatically re-enabled the service.

  8. Tony Barrett

    I think we all know that a big 'off' slider to block any data collection is needed to fix this, and all Microsoft's data collection policies should be opt-in rather than opt-out, but as MS know the majority don't even read those pages and just skip by them leaving all settings at default - exactly the way MS want it - they're not too bothered at this point. MS preach privacy, but collect a staggering amount of data from the average Win10 user, and data collection in Win10 is built right into the core product, meaning the data is fundamental to MS in monetizing its user base.

    • wright_is

      In reply to ghostrider:

      Except that GDPR specifically states that it has to be opt-in and that you can't refuse service if they don't opt-in.

      • warren

        In reply to wright_is:

        GDPR opt-in requirements only apply to personally-identifiable data. This includes stuff like your name, home address, phone number, license plate, exact location, and so on. It also applies to religious / philosophical beliefs, race, health, and genetic data.

        That's not the sort of information that the telemetry collects.

        Telemetry gathers info related to the internal operation of Windows itself, such as measurements of how long certain actions take, or how often certain features are used. You cannot be identified by name based on how many milliseconds it takes for the Start menu to show up on your machine, or what version of the NVidia graphics drivers happen to be installed when a game crashes.

        And as it turns out, GDPR Article 6(1)(f) actually allows collecting and processing these sorts of data points without explicit consent anyways. ¯_(ツ)_/¯

        • wright_is

          In reply to warren:

          IP address, registered serial number (or derived identifier), GUID or anything that would allow the data about the PC to be uniquely identified (and because PCs are generally personal devices) are also considered personal information, according to the EU courts.

          For example, log files on a web server should only store a maximum of the first 2 octets of an IP address, or if they store the full address, the logs should be deleted at the end of the day.

          There is some thinking that doing a logrotate after 24 hours and encrypting the old log file is acceptable, for security purposes, and deleted after 100 days, but this hasn't been tested before a court.
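The IP truncation described in the comment above, as an added example that is not part of the original thread: it keeps only the first 2 octets of the client address in web server log lines before they are stored. The Common Log Format input, the constructed sample lines, and the IPv6 handling (keeping a /32 prefix) are assumptions of this example, not something the commenter specified.

```python
import ipaddress
import re

# Assumption: the client address is the first whitespace-delimited field,
# as in Common Log Format access logs.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)

def truncate_ip(addr: str) -> str:
    """Return addr with everything after the first 2 octets zeroed."""
    ip = ipaddress.ip_address(addr)          # raises ValueError if not an IP
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:a.b.c.d is really IPv4
    if ip.version == 4:
        net = ipaddress.ip_network(f"{ip}/16", strict=False)
    else:
        # Assumption: the comment only covers IPv4; /32 is this example's choice.
        net = ipaddress.ip_network(f"{ip}/32", strict=False)
    return str(net.network_address)

def scrub_line(line: str) -> str:
    """Rewrite one log line so the stored client address is truncated."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return line                          # blank line, nothing to scrub
    field, rest = m.groups()
    try:
        return truncate_ip(field) + rest
    except ValueError:
        # Not an IP literal (e.g. a resolved hostname): store a placeholder
        # instead of an identifier that was never truncated.
        return "-" + rest

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.77 - - [28/Aug/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '::ffff:198.51.100.9 - - [28/Aug/2019:10:00:01 +0000] "GET /a HTTP/1.1" 200 90',
    '2001:db8:1234:5678::1 - - [28/Aug/2019:10:00:02 +0000] "GET /b HTTP/1.1" 404 0',
    'client.example.net - - [28/Aug/2019:10:00:03 +0000] "GET /c HTTP/1.1" 200 7',
]

def scrub_all(lines):
    return [scrub_line(l) for l in lines]

if __name__ == "__main__":
    print("\n".join(scrub_all(SAMPLE)))
```
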

  9. Thom77

    "Windows 10’s data collection is, of course, mostly benign"

    Don't worry about that tumor Thurrott ... it's mostly benign.

    • Paul Thurrott

      In reply to Thom77:

      I see what you're trying to say, but honestly it is. It could be entirely benign. It's certainly not maliciously intended.

      • juan

        In reply to paul-thurrott:

        It could be entirely benign.

        It could be.

        Maybe it isn't maliciously intended.


        But it sure looks suspicious the way that they do everything in their power to not allow people to opt out...

      • wright_is

        In reply to paul-thurrott:

        Part of the problem is, Microsoft won't even document what they collect.

        • warren

          In reply to wright_is:

          Incorrect. You can see all the telemetry information sent to Microsoft, down to the exact byte, by using the Diagnostic Data Viewer.

        • lvthunder

          In reply to wright_is:

          My guess is there probably isn't one person at Microsoft who knows all that they collect. It's probably this team collects this for this reason and this team over here collects something else for another reason.

          • proesterchen

            In reply to lvthunder:

            This argument falls in the same bucket of diversion tactics as the "no _person_ will likely (earlier, now proven to be untrue version: ever) listen to recordings of your voice commands" argument regurgitated by countless pundits over the years.

            It is fully within Microsoft's ability to collect all internal uses of the data collected from users, in fact, it is the prudent thing to know who has access to this set of sensitive data and limit its use to those who can successfully explain how their product can be improved and retain control of the data that gets shared with them.

          • wright_is

            In reply to lvthunder:

            And that is okay? I think that defines the problem very well. It needs to be properly documented, it is a legal requirement.

            I'm busy going through all of our security settings in our domain and applications for all employees to ensure they can see the information they need to perform their job and that they can't see any other information that is not related to their job. It is a long and tedious task. Why? Because it is part of GDPR, and that is good so.

  10. longhorn

    What's interesting is that Microsoft was able to deliver Windows 95 to Windows 7 with maybe 1% of the data points that Windows 10 emits. Oh, I remember, they had paid testers back then.

    The Windows 10 plan:

    1 Fire the testers

    2 Dump a shitload of telemetry into Windows (thousands of data points)

    3 Call it a service

    4 Contribute to climate change by upgrading/re-installing a billion computers TWICE a year (calculate the energy cost for this)

    What can go wrong?