Windows 10 breaches French law by collecting too much personal information from users and failing to secure it adequately, according to the French National Data Protection Commission (CNIL).
Some of the privacy failings identified can be remedied by users willing to delve deep into the Windows 10 settings, but one of the commission’s gripes is that better privacy should be the default setting, not one users must fight for.
CNIL served Microsoft with a formal notice on June 30, giving it three months to comply with the law, but only made it public on Wednesday.
The commission conducted seven tests of the data sent back to Microsoft by Windows 10 in April and June of this year. Among Microsoft’s faux pas was the collection of data about all the apps downloaded and installed on a system, and the time spent on each one, a process CNIL said was both excessive and unnecessary.
Microsoft also failed to protect user data sufficiently, it said, by allowing users to secure their Microsoft accounts containing their purchase history and their means of payment with a PIN consisting of just four digits, and by allowing unlimited attempts to unlock the account.
If Microsoft doesn’t comply with CNIL’s demands by Sept. 30, then it could face a fine of up to €1.5 million (US$1.66 million) for the poor PIN security, and lesser fines for the other measures, the commission said in its formal notice to the company.
The company also tracked its customers without permission, setting and activating an advertising ID when Windows 10 was installed that allowed apps to target advertising to users. It also put advertising cookies on the computers without giving users a chance to opt out first, CNIL said.
Furthermore, despite Windows 10’s system of continuous updates, the company has not taken account of a significant legal change in the European Union since the launch of the operating system.
On Oct. 6, the Court of Justice of the European Union invalidated the Safe Harbor Agreement for the transfer of personal data. That made it illegal to use its provisions to justify the export of Europeans’ personal data to the U.S., yet Microsoft continued to do so, CNIL said.
The French data protection authority is not the only one in Europe that has been studying Windows 10’s treatment of personal data; others are continuing their investigations.
CNIL does not always make public the cease-and-desist notices it issues — companies have a right to privacy, too — but decided to in this case because of the seriousness of the breaches and because they affected so many Windows users, more than 10 million of them in France.
Microsoft representatives did not immediately respond to a request for comment.