[German]The transfer of telemetry data to Microsoft can be completely disabled in Windows 10 Enterprise November 2019 Update (Version 1909). This is the result of an analysis by the Bavarian State Office for Data Protection Supervision.
Review: Windows 10 telemetry
Windows 10 and telemetry data acquisition is a controversy in many debates. European Data Protection Supervisors (like BSI) has classified Windows 10 as a ‘data protection accident’ (see my German article BSI-Einstufung: Windows 10 ist ein ‘Datenschutz-Unfall’). Data protectionists demanded that Microsoft should be able to disable data transfer in Windows 10.
In November 2019, there was then the decision of the data protection conference on Windows 10 data protection. There, the data protection conference also approved a test scheme ‘Datenschutz bei Windows 10’. This scheme is intended to enable those responsible who already use Windows 10 or intend to do so to independently check and document compliance with the legal requirements of the GDPR in their specific case. However, the tenor was also:
The data protection commissioners of the federal and state governments see little scope for using Microsoft’s Windows 10 operating system in a legally compliant manner.
But the BSI had tested Windows 10 Enterprise LTSC 1607 for telemetry data transfer. The result was that the telemetry data transfer could not be switched off completely.
In view of the fact that data protection authorities have been dealing with the transfer of telemetry data from Windows 10 computers to Microsoft for some time, the Data Protection Conference established a sub-working group “Windows 10” of the Working group “Technology”. This sub-group was ordered to prepare an assessment of the data flows to Microsoft in terms of data protection (GDPR) law.
New classification by Bavaria
In December 2019 this sub-working group met for a laboratory analysis of Windows 10, under the leadership of the Bavarian State Commissioner for Data Protection. Microsoft employees were also invited (of whom more than 10 people, mainly from the technical area, came from Microsoft in the USA) to answer any technical questions that might arise during the laboratory analysis.
In the lab, a test scenario using a Windows 10 Enterprise version 1909 was examined for data transfers to Microsoft. All data transmission from this computer were recorded within the laboratory network using a man-in-the-middle analysis. During the test, the Windows 10 Enterprise V1909 system was configured with information and tools officially provided by Microsoft so that the telemetry level “Security” was set. The aim was to prevent all telemetry data transmission, if possible.
In the course of this laboratory analysis it was determined that the telemetry data of the Windows 10 Enterprise V1909 test system can be completely deactivated. Only calls to (Microsoft) servers that provide current cryptographic certificates could not be deactivated by this configuration, as these are required for the day-to-day operation of a Windows 10 system (e.g. if an invalid SSL root certificate is recalled), the data protectionists write. But even these calls can be prevented by specific system configurations (not recommended for security reasons).
From the result, the data protectionists say, it could be determined at this meeting in the technical laboratory that the telemetry data, which is controversially discussed in terms of data protection law (GDPR), can be deactivated when using the Enterprise version of Windows 10 V1909 (and thus also the Education Version) in the scenario examined.
The conclusion of the data protectionists: If this result is confirmed in the real use of Windows 10 in companies, at least the handling of telemetry data with Windows 10 Enterprise (even in managed environments) does not represent a data protection obstacle to the use of this operating system.
In Windows 10 Pro (and Home, which shall not used in business environments), as is well known, Telemetry cannot be switched off completely. So an additional analysis could possibly become another work order of the Data Protection Conference (DSK).
Note: This is a good message at first, but this isn’t the final step, just the begin of the long journey. It ends, if Microsoft deactivates telemetry by default in all Windows 10 installs within the European community. And the person responsible for data protection in enterprises is obligele to verfify each feature update to it’s GDPR conformity. Due to the fact, that many instances also use Microsoft Office, there is also an non GDPR conform product, that has to be avoided or evaluated. So, there are still many steps to go.