Dutch Data Protection Authority: Microsoft breaches law with Windows 10 (autoriteitpersoonsgegevens.nl)
193 points by danieldk 36 days ago

>Microsoft has indicated that it wants to end all violations. If this is not the case, the Dutch DPA can decide to impose a sanction on Microsoft.

These big companies always get away with a Warning. So if I were Microsoft, then why would I not have done it this way? They can now just say "It was nice while it lasted." But that's about it.

Another point I have is that if you join the Insiders Program you have to submit your "typing data" (whatever that is). I understand that some data is required if I join the program (since I am then a tester, so some debugging data is okay). But some of the data should not always be submitted automatically, even if I am a tester. Data such as my typing data and full memory dumps.

> These big companies always get away with a Warning.

https://www.cnbc.com/2017/06/27/the-largest-fines-dished-out... - over 1.5 billion in fines, they were made to release versions without a media player, they were made to offer a browser selection window.

Yeah, but when I was driving 12km/h over the limit I got a huge fine right there and then. I wasn't told to drive under the limit up the road while the police reviewed my behavior. I think that's what OP means, one rule for megacorps, another for the rest of us.

edit: My question is that when you have a company that has a track record, why do government contracts and private enterprise keep begging on the same street corner instead of looking for work elsewhere? That is to say, why do they keep going back to Windows and not invest elsewhere, as investment would lead to an acceptable (to them) enterprise Linux (Red Hat++ exists!)?

That’s not true - plenty of people/places will stop you, tell you not to speed, and then send you a ticket in the mail. It’s also a totally different situation: if you were under investigation for X crime (but not proven guilty yet) you’re allowed to (mostly) go about your business while you wait for the investigation to conclude.

Only if the crime is relatively minor. How bad of a crime is using dragnet surveillance to create activity logs and dossiers of millions of people, then using that to profit financially, but also (very probably) providing those dossiers and activity logs to foreign governments' intelligence services?

I more often get away[1] with a warning than get fined by government officials. Then again, this is in The Netherlands and I'm an average white guy.

Just being understanding and being sorry generally works for me :-)

[1] This happens once every two or three years?

Well, I'm a white guy in Scandinavia; it doesn't get whiter than that, and the police here are not giving an inch. I have a much worse opinion of the police here than in the UK, where I am from.

I wish Microsoft would keep moving their recently changed reputation forward (at least with some people they seem to be doing good by building open source tools) by being clearer about their data collection and allowing more controls over it, as well as more controls over Windows Update. It seems that after the Creators Edition I lost control over my Windows Updates (namely, I remember being able to pick dates for running updates; now I only get the option to pick the hours during which I'm allowing them to update). I'm switching to Ubuntu and running Windows in a VM as a result; at least then I only lose what's on Visual Studio.

> by building open source tools

While MS is working on some open source tools (TypeScript is one example I can think of), they seem to have no problem violating licenses with their Windows tools (only releasing code when they have no other choice) [0] [1].

> clearer about their data collection

Please remind me why an OS that you paid good money for (>$100) needs to collect your personal data and usage at all? :)

[0] - https://www.osnews.com/story/21882/Microsoft_s_Linux_Kernel_...

[1] - http://www.zdnet.com/article/microsoft-admits-its-gpl-violat...

(edit: formatting)

You do realize that those links are from 2009, right? Regardless of anything else good or bad the company has done, the relationship between Microsoft and Open Source couldn't be more different today than it was then.

Disclosure: employee since 2008

Yes these are old links. However, I haven't seen any change in MS's behavior regarding Open Source since.

More recently they built an emulator for running Linux binaries (Bash), which again is closed source [0].

> relationship between Microsoft and Open Source couldn't be more different today than it was then

Could you mention some examples of this?

[0] - https://github.com/Microsoft/BashOnWindows/issues/178

By "more different" I mean the internal culture -- not necessarily the externally facing part. Ten years ago I was working on IronPython and IronRuby, open source reimplementations of other open source projects. Even though the originals are under a very permissive license, we weren't allowed to go anywhere near their source. Because of company policy, where external OS was essentially treated as radioactive, there was a vacuum around both process and engineering knowledge.

Today, the company has a lot of standardized procedures and tools around the consumption of external open source -- and, in fact, actively encourages it. Along with that comes awareness of appropriate and inappropriate usage. In the nine-year-old example you give, that's obviously not an appropriate usage.

I'm not sure what your point is about the reimplementation of the Linux kernel API inside Windows. Most large software companies build some amount of closed source software. I don't know what decisions might lead to this being opened or not opened, but there are very few people who'd argue that a company should publish or make available all of their source code.

> Today, the company has a lot of standardized procedures and tools around the consumption of external open source

That MS consumes open source for their own good is not at all unexpected to me. However, consuming is not contributing. I believe you made the point that MS now contributes to the OSS community. I may have misunderstood.

> I'm not sure what your point is about the reimplementation of the Linux kernel API inside Windows. Most large software companies build some amount of closed source software

Most companies don't clone FOSS but build on top of it instead. Also most companies are pretty open about using OSS (crediting the projects and their source code). I haven't seen a single written line from MS crediting GNU and the Linux community for their work. They only credit MS and their own people. (Some recent examples: [0] [1])

[0] - https://blogs.msdn.microsoft.com/wsl/2016/07/08/bash-on-ubun...

[1] - https://blogs.technet.microsoft.com/heyscriptingguy/2016/09/...

Microsoft is a for-profit company. They build up reputation to use it. They have no reason to just amass it.

When they open-source software that is specifically to try to get the dev/tech community somewhat back onto their side. Which is the customer group that complains the loudest about their data collection and which has the only real chance of wandering off to the competition.

> as well as more controls over Windows Update

I would love this. We have now lost data from overnight tests multiple times thanks to Windows Update.

We used to have them set to only update on weekends; now I can't set my computer to do that... Now I come back to work and my work is all gone because Windows restarted. Not sure why they took away power from the user with their "Creators Update" or whatever it was called...
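For anyone who wants to pin down the restart behaviour discussed above rather than rely on the Settings app, the following is an added example (not code from the thread or from Microsoft) that writes the same registry values the Windows Update Group Policy settings use. It assumes an elevated PowerShell session on Windows 10 Pro or Enterprise; Home ignores most of these policy keys, and the no-reboot policy only applies when automatic updates are configured for scheduled installation (AUOptions = 4).

```powershell
# Added example: constrain Windows Update restarts via the policy registry keys
# that the Group Policy editor writes. Run from an elevated PowerShell.
# Assumption: Windows 10 Pro/Enterprise; Home ignores these policies.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

foreach ($k in @($wu, $au)) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Policy "Turn off auto-restart for updates during active hours".
# ActiveHoursStart/End are hours of the day (0-23); the span may cross
# midnight and is capped at 18 hours, so 08:00 -> 02:00 is the widest window.
Set-ItemProperty -Path $wu -Name 'SetActiveHours'   -Type DWord -Value 1
Set-ItemProperty -Path $wu -Name 'ActiveHoursStart' -Type DWord -Value 8
Set-ItemProperty -Path $wu -Name 'ActiveHoursEnd'   -Type DWord -Value 2

# Policy "No auto-restart with logged on users for scheduled automatic
# updates installations": Windows notifies the logged-on user instead of
# rebooting. Only honoured when AUOptions is 4 (scheduled install).
Set-ItemProperty -Path $au -Name 'NoAutoRebootWithLoggedOnUsers' -Type DWord -Value 1

# Verify what is in effect. Policy keys take precedence over the values the
# Settings app stores under ...\WindowsUpdate\UX\Settings.
Get-ItemProperty -Path $wu | Select-Object SetActiveHours, ActiveHoursStart, ActiveHoursEnd
Get-ItemProperty -Path $au | Select-Object NoAutoRebootWithLoggedOnUsers
```

A quick `gpupdate /force` or a reboot makes the policy take effect; afterwards the active-hours controls in the Settings app show as managed by your organisation, which is the sign the policy key is being read.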

I wonder what makes Windows worse than Android. Android seems to get consent in an equally unclear way (i.e. location tracking), collects much more personal data because phones are carried everywhere, and runs on many more devices in the Netherlands than Windows 10.

Is Android going to be the next target, please?

Android's location tracking is a feature and I believe is not turned on automatically. Most of Windows 10's data collection serves no obvious purpose and is on by default. It's also 4 screens full of toggles that make you go "uh what?!"

But I wouldn't mind if they went after android for the purpose of making it clearer what's being tracked and gathered.

"Android's location tracking is a feature and I believe is not turned on automatically."

It's not, but they insist that you do, in an unclear way, every time you open Google Maps.

And when you disable location while it's in GPS-only mode and re-enable it, it defaults to the send-everything-to-Google mode.

I surely don't know; I only became aware of it when Android suddenly started asking me to submit reviews and pictures of my current location.

I turned Location History off and I _still_ get notifications asking me to submit reviews of the places I'm at. If anybody knows how to turn (seemingly) 24/7 location tracking off, please let me know.

Location History is something different, I believe. It's whether Android / Google stores the history of places you've been to. It says nothing about whether it's doing things with your current location.

On Android 7.x:

Settings -> Location -> Recent location requests, tap each service, tap 'Permissions' and revoke the permissions for each app that has it.

Settings -> Location -> Location services, tap each service and disable everything.

That seems to fix it for me. Of course, at some random time in the future, Google will enable them again. I'm fairly certain I disabled this a few times already.

Maybe the fact that on Android you often have to agree for the apps to gather certain data and give them permissions. Of course there is a lot of grey area here, but mostly from the specific apps, not necessarily from the OS.

Android was doing it from the start. Windows used to not do this and aggressively started pushing an update (Windows 10) that started doing this shady behaviour on machines that used to be clean.

I think that technically, this is google via google maps, as opposed to android. Thus, permission might be granted via the terms of service on your google account.

The Dutch law for the protection of personal information (Wet bescherming persoonsgegevens), on which these conclusions are based, is basically just an implementation of an EU-wide directive. So if the WBP authority can agree that this breaks the law, this could climb up the ladder and result in another huge EU fine for Microsoft. I wonder if and how MS will respond or react to this release.

Probably Windows 10.1

Or an N version again.

Yes, I'm thinking this will at most result in yet another N version that nobody will buy and will have zero practical impact.

If the N version has almost no telemetry, then I bet there will be plenty of customers. Almost everyone I've talked to who is unwilling to use Win10 has mentioned the telemetry/privacy aspects.

The previous N versions only lack Windows Media Player --- something a lot of users either want or don't care about, so no wonder they weren't popular.

Nobody will buy it, because it will be unobtanium, just like the N version was.

If the standard version breaks the Dutch law then it should be impossible to sell it there. Everybody should be able to buy only this hypothetical N version.

I had no option but to get the N version of Windows 7 when using MSDNAA as a student in the Netherlands (a service that gives free Windows to students).

I thought it was easy to obtain, but nobody actually wanted it!

Have you ever tried to obtain it? Have you ever seen it as an OEM version bundled with computers, or just a box?

The only time I've seen it was on the MSDN download page. Nowhere else.

"Nobody wanted it" was a dishonest statement. It was not available -> nobody bought it -> so nobody "wanted" it.

Listed right there next to the other editions in stores, which are required to sell it....


This took much longer than many people expected.

Next year a new EU data-protection law will be introduced. It will hit companies like Facebook, Google and MS, and it will also affect your company, so take a read of what's changing: http://www.telegraph.co.uk/connect/small-business/business-n...

I work at an ISP.

GDPR is huge and #1 on just about every priority list. Accounting for every single piece of (even theoretically) personally identifiable information, access restrictions to said data, storage time limits, logging of access and changes (without logging anything sensitive) and everything else is a gigantic undertaking.

Every single system we have that stores or even just caches data is affected by this, and it's tying up a large amount of our resources.

As a consumer I certainly welcome the GDPR, but as someone who works in IT, holy shit our workloads have increased.

This is when it pays off to just minimize the use of identifiable information.

Finally there might be a drawback to collecting data just because it seems to be valuable and might be exploitable tomorrow. The vast majority of companies never even recover the development cost of collecting the data; no wonder they don't have the energy left to secure it.

Folks who designed their applications with data reduction and data economy in mind have a much easier time with all of this.

We're not really keeping anything other than what's needed to run an ISP/telco. We kinda do need names, addresses, all of that information in order to keep track of subscriptions and bill our customers correctly.

I don't know what kind of nasty data the marketing department keeps, I'm only looking at the engine room :-)

Google/G Suite is already sending me legal mumbo jumbo mails with text and checkboxes around GDPR that I don't understand.

Yeah, it's nuts. Those emails are the worst texts I've ever seen Google produce. Anyone got a translation?

Trust us, you're fine. -Google

I wish the USA had some data-protection laws in the pipeline.

But no--we just let them do as they wish.

(I don't blame anyone. Just making rent here seems like the last straw. Not the best/greatest anymore?)

I am so looking forward to how Microsoft will handle the GDPR. 4% of MSFT turnover is roughly 3.5 billion dollars. That is the sort of fine the GDPR allows for serious privacy violations (which this is).

I like what they're doing, because Microsoft is just too vague about what they're really doing with all this information. At least they should be forced to be way clearer about what they're doing. But it's a bit hypocritical that one side of the government is complaining about involuntary collection of personal data while the other end wants to legalize it for itself:


The premise that you can make predictions based on historical data and force it down people's throats is deeply flawed, and only perpetuates those obsessed with data hoarding and analysis who are vested in seeing more value than it provides and patterns where none exist.

There is no reason for Google or Microsoft to track any individuals location, buying preferences or interests. They are fickle and change forget days hour to hour. They perpetuate echo chambers and promote narrow segmented views rather than universal information.

So historical data is useless. And the very idea of tracking location and being blase about it seeking to 'normalize' it is deeply invasive, odious and authoritarian. It's not normal to stalk people. These companies have become monsters with no ethical constraints in search of more ad revenue and there is going to be a massive backlash soon.

So, as I read the article, the main objection is that the users aren't informed clearly enough about data collection. MS can remedy this in two ways: 1) by being clearer about the data collected and asking for consent, 2) by turning off data collection.

I guess they'll go for 1). Not that I mind; I almost always say "yes" when asked to participate in improvement programs.
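The thread talks about data collection being "on by default" and about turning it off, but never shows where the effective setting lives. The following is an added example (not code from the thread or from Microsoft) that reads and sets the Windows 10 diagnostic-data level through the same registry value the "Allow Telemetry" Group Policy writes. It assumes an elevated PowerShell session; the function name `Get-TelemetryLevel` and the `$levels` table are this example's own.

```powershell
# Added example: inspect and set the Windows 10 diagnostic data ("telemetry")
# level. Run from an elevated PowerShell. Policy key overrides the value the
# Settings app writes, so both locations are checked in precedence order.

$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$current = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

# Documented AllowTelemetry values (this lookup table is the example's own).
$levels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-TelemetryLevel {
    foreach ($k in @($policy, $current)) {
        $v = Get-ItemProperty -Path $k -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{
                Source = $k
                Level  = $v.AllowTelemetry
                Name   = $levels[[int]$v.AllowTelemetry]
            }
        }
    }
    # Nothing set anywhere: the edition's default level applies.
    [pscustomobject]@{ Source = '(none set, OS default applies)'; Level = $null; Name = 'default' }
}

"Before:"
Get-TelemetryLevel

# Set the lowest level through the policy key. Caveat: 0 (Security) is
# honoured only on Enterprise, Education and Server SKUs; Home and Pro
# silently treat 0 as 1 (Basic), so check the result rather than assume it.
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name 'AllowTelemetry' -Type DWord -Value 0

"After:"
Get-TelemetryLevel
```

The point of reading both keys is that a machine can look "off" in the Settings app while a policy key set by an image, an MDM profile or an earlier script still pins it to a higher level; the policy key is what wins.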

