• Does Windows snooping break data privacy laws?


    I received a very well-considered question from DB: Mr. Leonhard, I just read your article about the forced Windows 10 update on InfoWorld. I also see
    [See the full post at: Does Windows snooping break data privacy laws?]

    • #46107

      The issue(s) raised by the instructor's question are numerous, and it is difficult to provide concise answers to them because the laws are evolving in the area of electronic data capture and retention. When a party is put under an affirmative burden to which potential legal liability is attached, that party is no longer in a position where they may merely assume that a counterparty providing an operation or service is not compromising their compliance with all applicable laws and regulations. In the case of Windows 10, a hybrid cloud/desktop OS, the EULA for the OS is so open-ended as to the activities granted to MS without further consent through time that it seems very risky, inasmuch as a compromised party might theorize that liability arose in the acceptance of the EULA itself because a reasonable person would understand they had inadequate control of the counterparty, namely MS. Unfortunately, the encryption of telemetry by MS only addresses the risk of interception during transmission, not the risk of actions by MS, which has the encryption key. The problem arises not just in laws like FERPA and HIPAA, but also for public companies that need to comply with the Sarbanes-Oxley Act, where public companies must attest to the state and adequacy of their internal controls. If you are in this situation, it is difficult to be entirely comfortable with Windows 10 if your entire usage relationship is governed by the existing EULA. I think there would ultimately need to be sidebar agreements and something equivalent to an SAS 70 report to provide comfort that the client had behaved responsibly and conducted adequate due diligence before exposing data to uncertain data sharing and uses by MS. These comments are more to issues one would expect in the enterprise environment, but I would note there are many small businesses and independent contractors who are not likely immune from these concerns.
      I apologize for this comment because the topic strays from the primary mission of your blog, but I suppose this is somewhat topical because of the new questions which are arising.

    • #46108

      Your comment is MOST welcome. I’m not an expert on a lot of things – law being an excellent example – and appreciate any insight you can give.

    • #46109

      Thank you for the comment, Frank. I am the author of the posted letter to Woody. I’ve been driven in circles trying to figure out what I felt should have been a simple answer to my questions. I surely cannot be the only person who has considered this but I was surprised at the utter lack of information available which is why I reached out to Woody.

      I am grateful for your input.

    • #46110

      I think the best thing your letter writer can do is consult the legal department of his employer. This way all bases can be covered. Who knows, maybe it could lead to more information from Microsoft.
