Microsoft might not be GDPR-compliant: What does this mean?

The European Data Protection Supervisor (EDPS) recently flagged in its report that Microsoft's products may not comply with GDPR, in particular the telemetry and data collection/sharing in Windows 10 and Office 365. As reported, the company's software products "reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services".

Should there be any concerns about this? Is this a security risk or a necessary evil? Did Microsoft consider the GDPR implications?

Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group shares his thoughts.

  1. Should there be any concerns about this?

There are numerous concerns for both governmental and consumer usage of Windows based on this report. Of particular importance is the level of control provided in versions of Windows 10 other than the Enterprise version. Many organisations may elect to acquire the Professional Edition of Windows 10 without recognising that it incorporates telemetry which could cause sensitive information about their customers to be transmitted to Microsoft.

This is particularly problematic given the data itself is transmitted to the US, and while Microsoft may have stringent privacy practices limiting access to transmitted data, it remains a reality that users should have full knowledge of what data is held by an organisation they interact with.

  2. Do you consider it a security risk or a necessary evil?

Telemetry, or phone-home mechanisms, have become commonplace as software vendors seek methods to not only gauge usage of their products, but also to better understand their users.

Properly implemented, telemetry can be beneficial, but disclosure is key. An example of a properly implemented telemetry setting might come from an auto-support feature in a server which detects an impending hardware failure and alerts an IT team. In this example, the telemetry is either contained within the customer environment or part of a support contract.

In the latter case, disclosure of the nature of the telemetry would form part of the contract. If the user wished no auto-support, then the feature is disabled but the server functions without incident – until a part breaks.

This example is in stark contrast to the "product improvement" scenario employed by many vendors. In such cases the telemetry data is sent to the vendor with no expectation that it might be useful. The data then needs to be analysed, at which point it might turn into a future feature, but since the data was part of the design guidance it is likely retained for an indeterminate period of time.

Throughout this process there are multiple opportunities for security issues ranging from mishandling of the data, accidental collection of sensitive information, through to misconfiguration of access controls on storage systems.

Given the only data ever breached in a cyber-security incident is data which is present in the breached organisation, ensuring only targeted data collection with full disclosure to users is a key component to any data gathering and processing effort.

  3. Have they considered the GDPR implications?

Microsoft has taken the desire for telemetry and placed it above the expectation users have that their usage of any desktop operating system enables them to conduct themselves in private. With the possible exception of the Enterprise Edition of Windows 10, data collection is enabled by default and no defined mechanism exists to opt-out.

Despite the GDPR Article 5 requirement covering lawful data collection, it's doubtful users are aware of the nature and scope of telemetry data in Windows 10, and that engineers may extend data collection parameters based on internal desires.

Importantly, the observation that ETW telemetry is only materially reduced by selecting the Security setting in Windows 10 Enterprise seems to indicate that Article 5(1)(c) was viewed by the Windows 10 team as not applying to users of other editions of Windows 10.
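As an added illustration of the edition caveat discussed above (this is not part of the interview or of Microsoft's own tooling), the following PowerShell check reads the configured AllowTelemetry level on a Windows 10 machine and reports the level that will actually take effect. The registry paths and the assumption that an unset value means Full are taken from Microsoft's published policy names and are assumptions of this example; run it in an elevated session.

```powershell
# Added example, not from the article: audit the effective Windows 10
# diagnostic-data ("telemetry") level and flag the edition caveat:
# the Security level (0) is only honoured on Enterprise/Education/Server
# editions; on Home/Pro it is silently treated as Basic (1).

$levels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

# Group Policy location (wins when present) and the Settings-app location.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$userPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

function Get-TelemetryValue([string]$Path) {
    $item = Get-ItemProperty -Path $Path -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowTelemetry
}

$policy = Get-TelemetryValue $policyPath
$user   = Get-TelemetryValue $userPath
# Assumption: when neither value is set, the out-of-box default (Full) applies.
$configured = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 3 }

$os = Get-CimInstance Win32_OperatingSystem
$securityCapable = $os.Caption -match 'Enterprise|Education|Server'

# Effective level: 0 only sticks on editions that honour it.
$fallsBack = ($configured -eq 0) -and (-not $securityCapable)
$effective = if ($fallsBack) { 1 } else { $configured }

# DiagTrack is the "Connected User Experiences and Telemetry" service.
$svc = Get-Service DiagTrack -ErrorAction SilentlyContinue

[pscustomobject]@{
    Edition          = $os.Caption
    PolicyValue      = $policy
    SettingsValue    = $user
    ConfiguredLevel  = "$configured ($($levels[$configured]))"
    EffectiveLevel   = "$effective ($($levels[$effective]))"
    DiagTrackService = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }
    Warning          = if ($fallsBack) {
                           'Security level requested but this edition falls back to Basic'
                       } elseif ($null -eq $policy -and $null -eq $user) {
                           'No AllowTelemetry value set; Windows default applies'
                       } else { '' }
}
```

Use the Warning field to spot Professional machines where an administrator believes telemetry has been reduced to the Security level but the platform is still sending Basic diagnostic data.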