Windows 10 privacy changes appease watchdogs, but still no data "off-switch"

Analysis: Microsoft favors the "just enough" approach to appease privacy regulators, but it ignores a fundamental customer complaint.
Written by Zack Whittaker, Contributor

Even with its new privacy changes, Microsoft still won't let you completely opt-out of data collection in Windows 10.

The software giant said Wednesday that it's revamping some of its privacy practices in regards to the amount of data collected by Windows 10, as well as what data is sent back to the company.

Heralding the changes as being "based on your feedback," Windows chief Terry Myerson said in a blog post that upcoming changes to Windows 10 will include new privacy controls and settings, which will "help ensure you are in control of your privacy."

The changes include a "new Microsoft privacy dashboard on the web that lets you easily see and manage your activity data," he said.

News of those changes coincided with a statement by the Swiss data protection and privacy regulator, the FDPIC, which on Thursday said it would drop its threats of a lawsuit after the company "agreed to implement" a string of recommendations it made last year.

"In response, Microsoft made proposals to the FDPIC for rectifying these and other shortcomings, which the FDPIC assessed and amended," read the statement. "The modifications that have now been agreed will ensure that more precise information is provided on data processing. In addition, the new settings page will make it clear to users during the installation process that they must decide on and give their consent to the processing and transmission of data."

The news closed the books on an investigation that began in 2015, shortly after Windows 10 was released.

The Swiss connection

Since the operating system's debut, Microsoft has been embroiled in an ongoing row over how much data Windows 10 sends on its users to the company's headquarters.

The launch of Windows 10 was marred by accusations that the software had tricked users at the setup screen into allowing telemetry logging and other data collection to support Windows' various features. The "express" installation activated almost every data collection option, including location, search history, and other data that would be transmitted to the company's servers, the regulator said in its most recent report. Even after being told not to, Windows 10 was still found to be "talking" with Microsoft.

Swiss privacy regulators were one of the first to complain about the collection techniques.

With a population of just over eight million, Switzerland may not seem to hold much regulatory weight, but the privacy regulator's position can wedge the door open for its European data protection neighbors.

Though the Swiss appear satisfied, other critics are waiting for more.

The French data protection watchdog, the CNIL, was equally unimpressed by Microsoft's actions, and it served the company with a notice in July to demand that it clean up its privacy settings.

In an email, the CNIL said that the changes "seem to comply" with its complaint, but it's "now analyzing more in [sic] details Microsoft answers in order to know whether all the failures underlined in the formal notice do now comply with the law."

The Electronic Frontier Foundation (EFF), which was previously a vocal critic of the Windows 10 privacy settings during its launch, said in a brief tweet that it awaits "more details," but it called the changes "important and welcome."

We asked the EFF for more but didn't hear back at the time of writing.

The "almost" opt-out catch

Microsoft appears to -- for now -- have resolved its various disputes with regulators, but it still hasn't met a core criticism of the software.

Myerson said in the blog post that the setup screen will now contain two options -- either full or basic -- neither of which is a complete opt-out of data collection.

In other words, there's still no "off" switch -- only "almost off."

"We've further reduced the data collected at the Basic level," Myerson said. "This includes data that is vital to the operation of Windows. We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft."

As noted by The Register, Windows 10 Home or Pro users "still won't be able to turn off telemetry completely, and your only other option will be to hand it all over in full."

Microsoft still hasn't said exactly what gets collected as part of the basic level of collection, except that the data is used to improve its software and services down the line; a reasonable ask --but one that nonetheless lacks specifics.

Microsoft said it wants users to "trust" it. And while the likelihood that the company is doing anything nefarious with users' information is frankly unlikely, the running risk is that the data could somehow be turned over to a government agency or even stolen by hackers is inescapable.

That risk alone is enough for many to want to keep what's on their computer in their homes.

While changing the privacy controls is a move in the right direction, it's still short of what many have called for.

By ignoring the biggest privacy complaint from its consumer users -- the ability to switch off data collection altogether -- Microsoft has favored the "just enough" approach to appease the regulators.

Without a way to truly opt-out, Microsoft's repeated pledge (eight times in the blog post, no less) to give its users "control" of their data comes off as a hollow soundbite.

Editorial standards