The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) certifies Microsoft in a new report – between the lines – that Windows 10 is a ‘data protection and privacy accident’. Telemetry can hardly be switched off by normal users. According to the current report, the BSI is continuing to investigate the security features of the operating system. This matters, because German authorities are using Windows 10.
Federal Office for Information Security (BSI)
The Bundesamt für Sicherheit in der Informationstechnik (BSI, in English Federal Office for Information Security) is responsible for Germany's national cyber security. Its President Arne Schönbohm describes the task of his federal office as follows:
As the national cyber security authority, it is the task of the BSI to support users in government, business and society in using IT products and software securely.
He further wrote that more than a third of computer users worldwide use Windows 10, and the trend is rising. For this reason, the BSI started a security investigation of Windows 10, with the aim of deriving concrete recommendations from it in terms of digital consumer protection, to make digitization a bit safer.
A first report criticises Windows 10 telemetry
After initial investigations into Windows 10 privacy and security, the BSI published a short press release (in German) dated November 20, 2018. There the German Federal Office for Information Security (BSI) writes:
The Windows 10 operating system sends extensive system and usage information to Microsoft. Although it is technically possible to prevent the collection and transmission of telemetry data by Windows, this is difficult for users to implement. This is the result of an investigation of the central telemetry component of Windows 10 carried out by the Federal Office for Information Security (BSI).
The examination of the telemetry component is part of an extensive security analysis of Windows 10, in which the BSI examines security-critical functions of the operating system. ERNW GmbH from Heidelberg is carrying out the study on behalf of the BSI. The subject of the study is Windows 10 Enterprise LTSC 1607 64 Bit German. Before completion of the study, the analysis results will be compared with the current LTSC version.
The aim of these investigations is to assess the security and residual risks for the use of Windows 10, to identify framework conditions for a secure use of the operating system and to create practical recommendations for the hardening and safe use of Windows 10. Information on the study (called SiSyPHuS) and the first partial results are available on the BSI website.
In its analysis, the BSI comes to the conclusion that the telemetry component built into Windows 10 has extensive options for accessing system and usage information and sending it to the manufacturer:
- Although the users can set different telemetry levels, the telemetry service dynamically assigns existing telemetry sources to these levels during operation. For this purpose, the service loads configuration data several times per hour.
- Preventing the collection and transmission of telemetry data by Windows is technically possible, but difficult for ordinary users to implement.
- In addition, applications installed on the computer, such as Internet Explorer and Microsoft Office, have the option of recording telemetry data and sending it to the manufacturer even without the central telemetry service of the operating system.
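The BSI findings above refer to the telemetry levels a user or administrator can set and to the central telemetry service that assigns sources to those levels. The following PowerShell audit is an added example and is not part of the BSI study, of ERNW's work or of this blog post; it reads the configured level from the two documented registry locations (the Group Policy key overrides the Settings-app key), checks the state of the DiagTrack service ("Connected User Experiences and Telemetry") and reports whether the machine sits at or below the level you consider acceptable. It assumes an elevated PowerShell 5.1 session on Windows 10; the edition check reflects Microsoft's documented behaviour that level 0 (Security) is only honoured on Enterprise (including LTSC, EditionID `EnterpriseS`), Education, Server and IoT editions, while Pro and Home treat it as level 1 (Basic). The "OS default" wording for an unset value is deliberate, because the default differs by edition and release.

```powershell
# Added example, not code from the BSI study or from the blog post.
# Assumes: elevated PowerShell 5.1 on Windows 10; documented AllowTelemetry
# registry locations and the DiagTrack service name.

function Get-TelemetryPosture {
    [CmdletBinding()]
    param(
        # Highest telemetry level you are willing to accept: 0 = Security, 1 = Basic,
        # 2 = Enhanced, 3 = Full.
        [ValidateRange(0, 3)]
        [int] $DesiredLevel = 0
    )

    $levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $localKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    $versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # A Group Policy value (policyKey) overrides the value written by the Settings app (localKey).
    $policyValue = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $localValue  = (Get-ItemProperty -Path $localKey  -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $configured  = if ($null -ne $policyValue) { $policyValue } else { $localValue }

    # Level 0 is only honoured on these editions; EnterpriseS is the LTSB/LTSC SKU the BSI examined.
    $edition         = (Get-ItemProperty -Path $versionKey -Name EditionID).EditionID
    $honoursSecurity = $edition -match '^(Enterprise|Education|Server|IoT)'

    # Effective level: unset means the edition's OS default applies; a configured 0 on an
    # edition that does not honour it behaves like Basic (1).
    $effective = if ($null -eq $configured) { $null }
                 elseif ($configured -eq 0 -and -not $honoursSecurity) { 1 }
                 else { [int]$configured }

    # The central telemetry service described in the BSI findings.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    $verdict = if ($null -eq $effective) { 'no level configured; OS default in effect' }
               elseif ($effective -le $DesiredLevel) { 'within desired level' }
               else { "above desired level ($($levelNames[$DesiredLevel]))" }

    [pscustomobject]@{
        Edition               = $edition
        PolicyValue           = $policyValue
        SettingsValue         = $localValue
        EffectiveLevel        = if ($null -ne $effective) { $levelNames[$effective] } else { 'not set' }
        SecurityLevelHonoured = $honoursSecurity
        DiagTrackState        = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not present' }
        Verdict               = $verdict
    }
}

# Usage: report against the strictest level, as a government environment would require.
Get-TelemetryPosture -DesiredLevel 0 | Format-List
```

Running this on a Pro machine that has `AllowTelemetry = 0` set through Settings shows `EffectiveLevel = Basic` and `SecurityLevelHonoured = False`, which is the edition caveat the blog raises below: the level the BSI could reach on its Enterprise LTSC test system is not available on the SKUs most private users and small companies actually run. The script only reads; it does not change the level or stop the service, so it can be run as a compliance check without the update side effects the author mentions.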
Details may be obtained from the BSI's website as PDF files (available in English). The first results from the study called SiSyPHuS Win10 are a slap in the face for Microsoft and for those responsible for using Windows 10. The BSI officially states that data collection and transmission can be completely deactivated (which I simply doubt). According to the BSI's statements, however, this is only possible at great expense and forces users to switch off certain services.
If I haven’t overlooked anything when reading the BSI information published so far, it doesn't go into the problem that deactivating certain telemetry settings has collateral damage during the provision of updates. In addition, the LTSC SKUs of Windows 10 are not available to private individuals and small companies.
Even in companies and public authorities, LTSC variants of Windows 10 are usually not used; there Windows 10 Enterprise (or Pro) is in broad use. One reason is that Microsoft argues Windows 10 LTSC is only meant for mission-critical applications, not for daily business in office and enterprise environments.
The BSI is still continuing its examination of Windows 10 from the viewpoint of security and privacy compliance – but the current telemetry settings won’t meet the requirements for use in German government environments. Some German federal data protection officers have called for Windows 10 to be banned from government environments for these reasons.
This isn’t the first time that Microsoft has come under fire for its products. Two weeks ago I reported in my blog post Dutch report says Microsoft Office is not GDPR compliant on a similar case in the Netherlands. An investigation for the Dutch government found that Microsoft spies on individual users through its Office Pro Plus modules. Office 2016 Pro Plus and Office 365 aren’t compliant with the General Data Protection Regulation (GDPR).