Microsoft has built itself into the company with the world’s highest valuation, while managing to avoid (for the past several years, anyway) the attention of the U.S. Justice Department, federal regulators and Congress. Its peers, meanwhile, including Facebook, Amazon, Google and Apple, have found themselves embroiled in time-consuming and energy-sapping investigations.
But for Microsoft, those days of freedom may be coming to an end. Windows 10 and Office have fallen afoul of the European’s GDPR privacy regulations, and the consequences may be serious, and even spur investigations in the United States.
The biggest danger to Microsoft is the way in which Windows gathers and uses data. Even before the GDPR regulations, which went into effect in late May 2018, some European countries had their doubts about Windows and privacy.
In 2017, the Netherlands’ Data Protection Agency (DPA) concluded that the way in which Windows 10 gathers telemetry data from its users violated that country’s data protection laws. The agency didn’t fine Microsoft but did require that Microsoft change the way it gathers and uses the data. Those changes were incorporated into the Windows 10 April 2018 update. Among them were a tool Microsoft released, with great hoopla, called the Diagnostic Data Viewer. Microsoft said in a blog post that the tool is part of the company’s commitment to be “fully transparent on the diagnostic data collected from your Windows devices, how it is used, and to provide you with increased control over that data.”
Transparent it isn’t. The tool is so complex and arcane that even many programmers can’t understand or use it. Rather than providing a simple way to let you know what information Windows gathers about you, it forces you to scroll or search through incomprehensible headings such as “TelClientSynthetic.PdcNetworkActivation_4” and “Microsoft.Windows.App.Browser.IEFrameProcessAttached” with no explanation of what they mean. Click a heading and you get a listing of spaghetti code you can’t possibly understand. Looking at it, it’s hard to imagine how anyone could talk about the Diagnostic Data Viewer and transparency in the same breath.
The Dutch DPA has taken a long time examining that and other changes Microsoft made, to see whether Windows now complies with the agency’s regulations, as well as with the newer GDPR rules. The DPA concluded that the changes complied with what the DPA originally asked Microsoft to do. But its examination “also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules,” according to the agency. So the DPA turned over the case to the Irish Data Protection Committee (DPC), because Microsoft’s European operations are headquartered in Ireland. That agency will determine whether Microsoft is violating the GDPR.
The signs don’t look good for Microsoft. The DPA’s investigation noted, “We’ve found that Microsoft collect diagnostic and non-diagnostic data. We’d like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this.”
How well informed are Windows users about the non-diagnostic data? As far as I can see, not very. The Diagnostic Data Viewer certainly provides no help. And as TechCrunch points out, Windows is coercive about getting people to accept its privacy agreement during the operating system’s installation. TechCrunch notes that during installation, Windows asks several times if you want to allow the gathering and use of data about you, including for targeting ads. Cortana provides a running commentary. At one point, TechCrunch says, Cortana bluntly warns, “If you don’t agree, y’know, no Windows!”
If the investigation finds Microsoft is violating the GDPR, the consequences could be serious — up to a $4 billion fine, according to Forbes, as well as the requirement that Microsoft change the way that Windows gathers and uses data.
It’s not just Windows that European regulators are targeting for privacy issues. Various versions of Office are in their crosshairs as well. Dutch authorities found that “Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people. Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.”
In addition, a German state has banned the use of Office 365 because of the way Office handles data.
Even more problematic for Microsoft is what the U.S. might do based on GDPR findings. U.S. regulators and Congress aren’t immune to publicity generated overseas, especially in a political climate in which big tech has become Washington’s latest bogeyman. If Europe fines Microsoft for its privacy practices, U.S. investigations may follow. Already many states, including California and New York, are creating their own tech privacy rules, and Microsoft is one of the targets.
What does all this mean? Although Microsoft has so far dodged a bullet when it comes to privacy issues, those days may be coming to an end. The last time the company faced down federal regulators, in the 1990s, it led to a long, slow decline in the company’s fortunes. If it happens again, it could end up being, in the words of Yogi Berra, “déjà vu all over again.”