Microsoft has been told to reduce the data Windows 10 collects about users and tighten up the OS security or risk facing sanction for breaching data protection rules.
Windows 10 is insecure and surreptitiously collects excessive data about what users do on their computer, according to a French authority.
Microsoft's flagship OS violates the French data protection act, according to the country's Chair of the National Data Protection Commission (CNIL), which highlighted the "seriousness of the breaches".
Microsoft has three months to change how Windows 10 collects data about users in order to comply with the act. If Windows 10 still doesn't comply after this point the company could be fined up to €150,000.
Windows 10 breaches user privacy in several areas, according to CNIL, which says the data the OS collects about users is "excessive".
Windows 10 transmits user data back to Microsoft by default, with users of Home and Pro versions only able to reduce data collection to the "Basic" level. On this setting, Windows 10 collects information about security settings, quality-related info (such as crashes and hangs), and application compatibility. Users of Enterprise, Education, and IoT core editions are able to reduce the data collection further, to what Microsoft calls the "Security" level.
Given Microsoft says that the data collected at the "Security" level is the bare minimum necessary to keep Windows machines "protected with the latest security updates", the collection of any data above and beyond this is not needed, the CNIL says in its formal notice.
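As an added example, not code from the article, CNIL or Microsoft, the following PowerShell script audits a Windows 10 machine against the two settings discussed above: the telemetry level (Security/Basic/Enhanced/Full) and whether the advertising ID is active for the current user. It assumes the `AllowTelemetry` policy value (0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full) under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection`, the per-user `Enabled` value under `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo`, and the `EditionID` string under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion`; the edition floor (Home and Pro cannot go below Basic) is taken from the article. The function names and the finding strings are this example's own.

```powershell
# Added example (not from the article, CNIL or Microsoft): audit and, optionally,
# lower the Windows 10 telemetry level and disable the advertising ID.
# Assumed registry locations (see lead-in); run Set-PrivacyBaseline from an
# elevated prompt, since the policy key lives under HKLM.

$TelemetryNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
$PolicyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$AdPath         = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
$VersionPath    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-TelemetryLevel {
    # Returns the policy-configured level, or $null when no policy is set
    # (in which case the OS default, which is above Security, applies).
    $item = Get-ItemProperty -Path $PolicyPath -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowTelemetry
}

function Get-AdvertisingIdEnabled {
    # The article notes the ID is activated by default at install time, so a
    # missing value is treated as "enabled".
    $item = Get-ItemProperty -Path $AdPath -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ([int]$item.Enabled -ne 0)
}

function Get-EditionFloor {
    # Lowest reachable level per the article: Home ("Core") and Pro ("Professional")
    # stop at Basic (1); Enterprise, Education and IoT Core can reach Security (0).
    # Assumption: EditionID strings as commonly observed; unknown editions fall back to 0.
    $edition = (Get-ItemProperty -Path $VersionPath -ErrorAction SilentlyContinue).EditionID
    if ($edition -match '^(Core|Professional)') { return 1 }
    return 0
}

function Test-PrivacyBaseline {
    # Returns an array of finding strings; an empty array means the machine is
    # already at the lowest telemetry level its edition allows and the ad ID is off.
    $findings = @()
    $level = Get-TelemetryLevel
    $floor = Get-EditionFloor
    if ($null -eq $level) {
        $findings += "AllowTelemetry policy not set; OS default applies (floor for this edition: $($TelemetryNames[$floor]))."
    } elseif ($level -gt $floor) {
        $findings += "AllowTelemetry=$level ($($TelemetryNames[$level])) exceeds edition floor $floor ($($TelemetryNames[$floor]))."
    }
    if (Get-AdvertisingIdEnabled) {
        $findings += 'Advertising ID is enabled for the current user.'
    }
    return $findings
}

function Set-PrivacyBaseline {
    # Lowers AllowTelemetry to the edition floor and turns the advertising ID off.
    # On Home/Pro a value of 0 is honoured only as Basic, so the floor is written instead.
    $floor = Get-EditionFloor
    New-Item -Path $PolicyPath -Force | Out-Null
    Set-ItemProperty -Path $PolicyPath -Name 'AllowTelemetry' -Type DWord -Value $floor
    New-Item -Path $AdPath -Force | Out-Null
    Set-ItemProperty -Path $AdPath -Name 'Enabled' -Type DWord -Value 0
    Write-Host "AllowTelemetry set to $floor ($($TelemetryNames[$floor])); advertising ID disabled."
}

# Usage: report first, then remediate if anything was flagged.
$report = Test-PrivacyBaseline
if ($report.Count -eq 0) {
    Write-Host 'No findings: telemetry at edition floor, advertising ID off.'
} else {
    $report | ForEach-Object { Write-Host "FINDING: $_" }
    # Uncomment to apply the baseline (requires an elevated prompt):
    # Set-PrivacyBaseline
}
```

The audit deliberately reports a missing policy value as a finding rather than reading the Settings-app slider, because the policy key is what an enterprise baseline or GPO would enforce and is what a reviewer can diff across machines; a rollout would normally push the same two values by Group Policy and then run only `Test-PrivacyBaseline` as the compliance check.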
"It is apparent that some of these data are not directly necessary for the operating system to work," it states.
"Most of the data included in the basic level are not essential for the system to operate so collecting such data is excessive with respect to this purpose."
Windows 10 also breaches the act in how it associates an advertising ID with each user, the watchdog said. This unique identifier allows a profile to be built of which apps are used and how.
Microsoft doesn't "validly obtain users' consent" for associating them with this ID, CNIL said, due to the way the ID is activated by default when the operating system is installed.
Windows 10 also downloads advertising cookies to users' machines without informing them or seeking permission, according to CNIL.
The authority also takes issue with how Microsoft handles Windows 10 user data, questioning why it is being transferred out of the EU under the terms of Safe Harbor, the data-sharing agreement declared "invalid" by the European Court of Justice in October.
Windows 10 does not ensure security
Beyond its data privacy failings, the CNIL also criticised Windows 10 for the poor security of allowing Windows users to log in using a four-figure PIN.
Windows 10 users who have associated their Microsoft account with a Windows 10 machine can then log into that machine using a PIN.
CNIL described this four-figure PIN as a "weak password" and said Windows did not lock the account even after 20 attempts to guess the PIN — it only required a reboot after five unsuccessful attempts.
These failings mean Windows 10 does "not ensure the security of confidentiality of the data that can be accessed using the PIN on the user's computer", it states.
CNIL is also concerned that logging in using the PIN automatically authenticates that device to connect to all of the online services linked to the associated Microsoft account — providing access to email and information about "store purchases and the payment instruments and devices used".
Addressing CNIL's concerns, Microsoft VP and deputy general counsel David Heiner committed the company to working with the authority over the next three months.
"We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable," he said.
Heiner said Microsoft would also work towards conducting transatlantic data transfers under the terms of the newly agreed Privacy Shield agreement.