Windows 10, the telemetry and the GDPR privacy problem…

[German]We have January 2020, Windows 7 reaches the end of live and users shall upgrade to Windows 10 (according to Microsoft's plans). People who jumps on Windows 10 with enthusiasm should keep the telemetry in mind. Just realizing that even applications like the Windows editor Notepad reports its activities to Redmond. Yesterday and today I stumbled upon two information regarding 'Data protection in Windows 10' – that sheds a not so bright light on Windows 10.


First of all: The topic I am going to pick up here is not really new. I have reported here in the blog several times about telemetry in Microsoft products. But occasionally, some pieces of a puzzle fall into a picture. Exactly this happened the last two days. 

A short review …

I had mentioned a few hours ago within the blog post Operating system/Windows Market Share (December 2019), that every fourth Windows user refuses to upgrade to Windows 10 (I also suspect the telemetry issue behind this). And I read yesterday an article in an old German engineering magazine about issues with 'Windows 10 GDPR compliance'. 

German data protection conference about Windows 10 privacy issues

In November 2019 the German Data Protection Conference has published a review scheme 'Privacy on Windows 10' (Datenschutz bei Windows 10). The data protection conference is a meeting of the independent data protection authorities of the Federal Government of Germany and its countries (Bundesländer, DSK). The message of a resolution, created at the German Data Protection Conference, was:

The federal and state data protection commissioners see little scope for using Microsoft's Windows 10 operating system in a legally compliant manner, according to General Data Protection Rules (DGPR).

The data protectionists watch guards write within the check list:

The question of whether "Windows 10" is compliant with data protection cannot be answered in a general way. Windows 10 is the term for a product family in which the actual operating system is only a part of the delivered functionality, which also changes continuously due to updates.

The range of functions and the data transmissions to Microsoft therefore depend on the specific edition, version and the configuration carried out. The determination of the exact test object is therefore the foundation for the data protection test.

This is logically, since a Windows 10 Pro is to be seen differently than an Enterprise or an Enterprise LTSC. However, the data protection watch guards wrote:


In addition, there must be data protection statements about the circumstances under which Windows 10 is used and which features (e.g. Cortana or Windows Defender) are used.

This means that a data protection statement must be available about which processing activities are carried out using Windows 10 and which personal data are processed there and to what extent. It also means that you need to know what personal information is transferred to Microsoft and for what purposes.

Since the telemetry data is transmitted to Microsoft in encrypted form, nobody knows what personal data is processed there and to what extent. So it's not possible, to set up a data protection statement, if it's not known, which data are transferred via telemetry. Since Windows 10 is also 'as a service', is constantly updated by apps and new features may simply flutter into the current builds via updates. The data protection watch guards wrote within their November 2019 paper:

The processing of the following check scheme is necessary because the transmission of data to Microsoft in no edition or version can be completely stopped by changing the configuration settings and the communication behaviour and configuration options of Windows 10 can change with new versions.

So this check, if Windows 10 fits the data protection statement have to be done with every (app and service) update. This is simply unmanageable for 'the person responsible for data protection within an organization'. The conclusion: Windows 10 can't be used within the European Community in accordance with GDPR. 

A look at the data protection records

Yesterday I was reminded via twitter to check within my Windows 10 privacy dash board the records collected from Windows 10 telemetry and associated with my Microsoft account. Tero Alhonen postet the following on twitter.

He once looked at the entries under Privacy within the Windows 10 privacy dash board and checked the entries for apps. He also found, that Windows Notepad records it's user activities. Microsoft keeps the exact data that is stored secret. You can only find out under 'Show details' some (windy) explanation, why Microsoft collects the data.

I immediately opened the browser and viewed the entries under App Privacy on my Microsoft account. I found on a seldom used test machine entries from browsing history to the use of OneDrive to the start menu experience. Even third party applications like PhotoFiltre, which I have called up for testing purposes, can be found there. So we could state 'Hello Microsoft, we have a problem' – Windows 10 can't be used in accordance with European GDPR.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *