With the Enterprise Edition of Windows 10, companies and public authorities can prevent personal telemetry data from being passed on to Microsoft if they use the “Security” telemetry level. The Conference of the Independent Federal and State Data Protection Authorities (DSK) has now officially recognized the corresponding findings of a sub-working group. The legal certainty this provides is limited, however, because some questions remain open.
More than a year ago, the DSK adopted a test scheme for the data protection-compliant use of Windows 10. Experts from the Bavarian State Office for Data Protection Supervision (BayLDA), the Federal Data Protection Authority and the supervisory authorities of Mecklenburg-Western Pomerania and Lower Saxony got down to work. The Federal Office for Information Security (BSI), which had already undertaken a study that cost a total of 1.37 million euros, was involved as a “guest”.
BayLDA announced the first results at the beginning of the year. After further investigations, the DSK confirmed them in a resolution adopted last week at its 100th meeting and pointed out the consequences for users. Tests in the IT laboratory of the Lower Saxony data protection officer Barbara Thiel showed that with the “Windows Restricted Traffic Limited Functionality Baseline” applied and the telemetry level set to “Security”, no telemetry data was transmitted to Microsoft.
The auditors examined Windows 10 Enterprise, version 1909, in three test scenarios. They also found that usage data is transmitted at the “Basic” telemetry level. Without the aforementioned “Restricted Baseline” configuration, the endpoint settings-win.data.microsoft.com was still contacted even at the “Security” level. According to Microsoft, this endpoint is used by several Windows 10 system components, including the telemetry function.
Microsoft has assured that no data is transferred at the “Security” level, the DSK writes; the endpoint is contacted “possibly because of a software problem.” The data protection authorities still consider this to be in need of clarification, since the BSI, too, has classified this constellation, given that Microsoft can change the configuration, as questionable.
The investigation is also only a snapshot, the DSK writes, because the software is constantly being developed. Those responsible for deployments could therefore “not finally be relieved of their obligation to test and provide evidence for the data protection-compliant use of Windows 10”. They would have to ensure, verifiably, that no telemetry data is transmitted to Microsoft. “Filtering of Internet access” by the operating system is one option that comes into consideration.
Pro and Home
According to the DSK, these conditions apply “all the more” to the Pro and Home editions of Windows 10, “in which the telemetry level cannot currently be set to Security”. In these cases, it is also necessary to “examine other measures to prevent any transmission of personal telemetry data” or to prove that such transfers are lawful.
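As an added illustration (not part of the DSK resolution, the original article or Microsoft's own tooling), the following PowerShell check reads the AllowTelemetry policy value a Windows 10 machine is configured with, maps it using Microsoft's documented levels (0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full), and reports whether the installed edition can honour “Security” at all, since Pro and Home fall back to Basic. It does not apply the Restricted Traffic baseline and does not inspect network traffic.

```powershell
# Added example: report the configured Windows 10 telemetry level and whether
# the "Security" level (AllowTelemetry = 0) can actually take effect on this edition.
$Levels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-ConfiguredTelemetryLevel {
    # The Group Policy / MDM key takes precedence over the Settings-app key.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $p; Level = [int]$item.AllowTelemetry }
        }
    }
    return $null   # nothing set explicitly: Windows uses its edition default
}

function Test-TelemetrySecurityLevel {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cfg = Get-ConfiguredTelemetryLevel
    # Level 0 is only honoured on Enterprise, Education and Server editions;
    # Pro and Home treat a configured 0 as Basic (1).
    $canUseSecurity = $os.Caption -match 'Enterprise|Education|Server'
    # DiagTrack is the "Connected User Experiences and Telemetry" service.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    $levelName = 'not set'
    if ($cfg) { $levelName = $Levels[$cfg.Level] }
    $svcStatus = 'absent'
    if ($svc) { $svcStatus = $svc.Status.ToString() }

    $result = [ordered]@{
        Edition           = $os.Caption
        Build             = $os.BuildNumber
        ConfiguredLevel   = $levelName
        ConfigSource      = if ($cfg) { $cfg.Source } else { $null }
        SecurityEffective = [bool]($cfg -and $cfg.Level -eq 0 -and $canUseSecurity)
        DiagTrackStatus   = $svcStatus
    }
    if ($cfg -and $cfg.Level -eq 0 -and -not $canUseSecurity) {
        $result['Note'] = 'AllowTelemetry=0 is set, but this edition falls back to Basic'
    }
    [pscustomobject]$result
}

Test-TelemetrySecurityLevel | Format-List
```

Run it in an elevated session; a `SecurityEffective` value of `True` only confirms the configuration, so demonstrating that settings-win.data.microsoft.com is not contacted still requires observing egress traffic, as the DSK's obligation to provide evidence implies.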
The DSK demands that all editions of Windows 10 on offer should provide the option of “deactivating telemetry data processing through configuration”. To achieve this, the data protection authorities continue to seek talks with Microsoft. The same applies to Microsoft Office 365, whose use they consider unlawful.
For both software packages, the DSK wants to ensure that the “Schrems II” ruling of the European Court of Justice on the transfer of personal data to “insecure third countries” such as the USA is taken into account. The authorities are apparently not prepared to accept Microsoft’s renewed assurances at face value. Thiel emphasized that, overall, the DSK had “taken an important step so that those responsible can use Windows 10 in a data protection-compliant manner”.