[German]Explosive development for Microsoft and their Windows 10? The data protection officer from Baden-Württemberg (Germany) has demanded that the data transfer in Windows 10 be switched off and improved as soon as possible. This is mandatory to fulfill the GPDR requirements in government environments.
A controversial topic in the past
The collection and transfer of data to Microsoft through Windows 10 (telemetry) has always been the focus of data protection advocats. I’ve discussed some data protection problems in companies within my German blog post Windows 10 und das Datenschutzproblem in Firmen a while ago. Microsoft has since revised its data protection agreement several times.
Just before the release of the Windows 10 Creators Update, Microsoft once again explained in a blog post what data is collected under Windows 10. This ranges from location data and speech recognition information to advertising data on product preferences and diagnostic telemetry data, which are also collected.
During an upgrade to Windows 10 Creators update, the default settings should be retained. In dialog boxes (see above), a wizard displays the relevant settings and enables convenient customization. Logically, these default settings are not copied for a new installation. The user will then see a separate selection page to adjust the privacy settings.
This seemed to break down the resistance of the data protection activists. Both the US EFF activists and Swiss data protectionists accepted Microsoft’s move. Also French data protection experts from CNIL ended their investigations against Microsoft. And the Bavarian data protection authority certified Windows 10 Enterprise to be data protection compliant. I’ve blogged about that within several articles within my German blog.
Administrators are ‘sandwhiched’
Windows 10 Enterprise, which is intended for companies and authorities, promises ‘adjustable telemetry data acquisition’, and telemetry may be disabled via group policy. The last item, however, brings administrators into completely different problems. I blogged about that within my article Windows 10 Enterprise: Updates and the Telemetry trap. Disabling telemetry seems to stop Windows Updates, which isn’t acceptable.
German data protection authorities says stop that thing
Despite considerable data protection and security concerns, Windows 10 and Office 365 are now to be used nationwide by German authorities. But the General Data Protection Regulation (GPDR), which is mandatory by the end of May 2018, requires certified products in government environments. If encrypted telemetry data is sent from Windows 10 (and Office 365) to Microsoft, no one knows what it contains, so it cannot be compliant with the GPDR.
(Source: Pexels CC0 Lizenz)
Stefan Brink, state data protection commissioner of Baden-Wuerttemberg, says: ‘A look at the known security holes’ (which I can’t classify at the moment) ‘Microsoft should make improvements [to Windows 10] as soon as possible and comply with the GPDR by the end of May at the latest.’ In my opinion, this applies not only to Windows 10, but also to Office 365 and other Microsoft products.
Until then, system administrators of the affected systems should “ensure that as little data as possible is transferred by means of appropriate basic settings” – which brings us back to the problems mentioned in the previous sections.
Stefan Brink points out, that the hardware and software used must be continuously checked and evaluated. He states that he “does not give a general approve of products with binding effect for the whole government”. That’s exciting, due to the fact, that ‘Windows as a service’ breaks a certification twice a year with feature upgrades.
State data protection officer Stefan Brink clarifies the legal requirements for public procurement. He says, that he will oppose against the use of problematic products and thus oppose their continued use – “even with binding effect from May 2018”. This applies to Windows 10 (and Office 365). Quote: “A service provider who cannot or does not want to meet these requirements will in future be excluded from the group of those with whom a data protection officer can cooperate.”
Stefan Brink told German magazine heise online: “Every user of Windows 10, as well as other operating systems and applications, must have full control over their data. There must be full transparency regarding the transmitted data and the user must be able to deactivate each transmission”. Warm words, the data protectionist must admit that the scope for action is extremely limited, especially when it comes to stable and secure communication in government networks.
Till now comments from the relevant working groups (e.g. BSI) on the data protection conformity (GPDR) of Windows 10 aren’t yet available. Brink expects a statement from the data protection conference ‘before mid-2018’ as to whether the use of Windows 10 is legal. I’d say hello, Microsoft, we have a problem. It will be exciting to see how this topic develops.