Watchdog Says Microsoft Windows 10 Records "Excessive Data"

Microsoft might never hear an end to the criticism of Windows 10, which has been painted as an overbearing snoop on users’ data.

France’s Chair of the National Data Protection Commission (CNIL) has publicly warned the Seattle-based company that it needs to “stop collecting excessive data and tracking browsing by users without their consent” and “take satisfactory measures to ensure the security and confidentiality of user data” that has been gathered by Windows 10.

CNIL’s criticism is broad. It says Microsoft gathers too much data with a tool that notes what apps are installed on a user’s device and how long each is used. According to CNIL, that data is then sent outside the European Union, despite the EU’s Court of Justice banning the practice in October 2015. The organization also pointed out that Microsoft installs advertising cookies on devices without user consent and that the company doesn’t limit how many times someone can try to access an account (which leaves devices open to brute-force password-guessing attacks.)

These findings led CNIL to issue a formal notice to Microsoft telling the company to fix these problems within a reasonable timeframe. If the company fails to do so, an internal investigator could recommend that CNIL issue an official sanction on the company, which could impact Microsoft’s business in the EU. CNIL also said that other privacy watchdogs in the EU are conducting their own investigations into Microsoft’s practices to determine whether or not they also want to tell the company to stop mistreating its users.

For its part, Microsoft vice president and deputy general counsel David Heiner told Reuters that the company plans to coordinate with CNIL to “work toward solutions that it will find acceptable.” CNIL gave the company three months to respond before further action will be taken.

This isn’t the first time Microsoft has been criticized for the implications Windows 10 has for consumer privacy. The operating system has complex privacy settings that didn’t actually work as intended.

It also collected data through the Cortana voice assistant and Edge browser, but it was unclear how exactly that information would be used. And to top it all off, the operating system was originally set up to automatically tell parents every website their children visit with no warning to those kids.

The end result is an operating system which is automatically installed via Windows’ built-in software updating tools — that is set up by default to collect as much information about its users as possible. Microsoft responded to some complaints in September 2015 but it’s clear that it hasn’t fixed everything, despite repeated criticism.

Tech companies have been extremely slow on the uptake regarding privacy, even though it’s something consumers have come to value highly. Microsoft already knows that protecting data is important— it won a vital privacy-related case against the United States government just last week. But it hasn’t applied those values to its own products, and warnings like CNIL’s still have to be made public so people can use a Windows device without fear of snooping.

Privacy concerns aren’t the only problem with Windows 10. There’s also the auto-updating, for example, and consumers who skipped Windows 8 might be put off by the unfamiliar interface. Yet when one considers just how many people use the operating system — 10 million in France alone — the idea that Microsoft needs to take privacy more seriously is easy to support.

Luckily, countries around the world are taking steps to defend privacy and introduce rules to make sure people control how their data is used. It’s not perfect, but at least these issues are being given the attention they deserve.