The Bavarian Data Protection Authority for the Public Sector published GDPR Compliance Requirements for Windows 10 and 11 on 1 August 2023

Source: https://www.datenschutz-bayern.de/datenschutzreform2018/aki50.pdf

Microsoft Windows 10 and 11 "phone home": telemetry data in particular is transmitted from the computer to the manufacturer and, depending on the configuration, may contain personal data.

Transmission of telemetry data may be enabled by default. Responsible parties need to review the settings and adjust them where necessary.

Several paths lead to deactivation. What is possible and what needs to be done depends on the Windows edition in use.

Windows is a highly popular operating system; versions 10 and 11 in particular are likely used by well over a billion people worldwide. Windows is also indispensable in the IT landscape of Bavarian public institutions. IT managers and administrators know that a Windows installation is not secure out of the box: its security has to be built deliberately. Effective firewalls, regular updates, and a purposeful configuration that may deviate from the default settings are necessary to protect against attacks.


In the customary prioritization of measures against external attacks, not every IT manager or administrator at a Bavarian public institution may be aware that Windows itself, depending on version, edition and settings, can transmit data to the manufacturer covertly and even against the operator's wishes. That Microsoft uses innocuous-sounding technical terms such as "Telemetry", "Diagnostic Data" or "Feedback" for these data streams does not change the fact that they can contain personal data. Transmitting personal data via telemetry must be just as lawful as any other transmission of personal data, and the additional requirements for transfers to third countries apply as well. Meeting the accountability obligation (Article 5(2) of the General Data Protection Regulation) is at least challenging here. The comparatively straightforward alternative, in principle, is to prevent the transmission of telemetry data through appropriate settings.


1. Background


Modern operating systems such as Windows 10 and 11 consist of a multitude of components, subsystems, drivers, services and utilities that fulfill various functions and depend on each other in intricate ways. In the specific deployment context of a particular Bavarian public institution, some system components are essential while others are of little or no relevance to the task-oriented functionality of the system. Certain services and functions nevertheless need to communicate outward or receive information from outside; this is the case for tasks such as license management, malware definitions, updates or certificate revocation checks. These services typically talk to specific "endpoints" usually operated by Microsoft. Through the transmission of telemetry data ("remote measurement data"), the workstation's operating system effectively "phones home". Telemetry lets the manufacturer gather information about the usage and performance of the operating system, about compatibility (for instance with drivers) and about system crashes. Even information of strategic relevance, such as the spread of new malware, is collected. Telemetry therefore has a legitimate justification in principle and usually serves at least a meaningful purpose for the manufacturer, indirectly contributing to the data protection objectives "security" and "availability". A wide variety of data is potentially significant for the manufacturer, and its interest in obtaining meaningful data is understandable. Nevertheless, because of the "black box" nature and the complexity of the operating system, it is inherently difficult to determine precisely which data is transmitted. Responsible entities cannot readily establish which data is shared, whether it includes personal data and, if so, which.
It also remains uncertain whether the recipient uses telemetry data for purposes beyond optimizing the "sending" operating system, for example for its marketing or its own search engine, or even shares it with third parties, possibly as training data for AI products.

2. Editions and Options

In Windows 11, the extent to which diagnostic and usage information is sent to Microsoft can be chosen under "Settings - Privacy & security - Diagnostics & feedback":

Figure 1: Settings dialog "Diagnostics & Feedback" in Windows 11.

The Windows 11 documentation [1] provides three settings for collecting diagnostic data (the name in parentheses is the level as it appears in the policy and registry):

  • Diagnostic data off (Security)
  • Send required diagnostic data (Basic; the default)
  • Send optional diagnostic data (Full)

In Windows 10 there is additionally an "Enhanced" level between "Basic" and "Full". With the "Security" setting, no Windows diagnostic data is transmitted from the device; from a data protection standpoint it is therefore the recommended setting. However, it is only available in the Windows "Enterprise" and "Education" editions (and on Windows Server), and it can only be selected via group policy or the registry, not via the graphical user interface (GUI). As Figure 2 shows, the "Security" option is not offered there.

Figure 2: The Windows 11 GUI can only deactivate "optional" diagnostic data.

The reasons for omitting the "Security" option in the "Pro" and "Home" editions cannot be explored here. In any case, its absence in these editions may be relevant for smaller and medium-sized Bavarian public institutions, since the "Pro" edition is explicitly aimed at small and medium-sized enterprises and is also used by public entities. Responsible parties should therefore examine their options for using the "Enterprise" or "Education" edition. The "Home" edition comes into play when employees of Bavarian public institutions use personal devices for work (for instance, under specific conditions, educators).

3. Many Paths Lead to the Goal

A group policy can be created with the Group Policy Management Console (or, for a single machine, the Local Group Policy Editor). The desired setting (complete deactivation of diagnostic data) is found under "Computer Configuration – Administrative Templates – Windows Components – Data Collection and Preview Builds – Allow Telemetry" (see Figure 3a); in the Windows 11 administrative templates the same policy is named "Allow Diagnostic Data". It is somewhat misleading that the policy must first be set to "Enabled" before the option "Disable Diagnostic Data (Not Recommended)" can be selected from its drop-down list (see Figure 3b). As experienced Windows users know, the "Off" button is sometimes hiding under "Start".

Figure 3a: Group policy for diagnostic data collection.

Figure 3b: Deactivation of diagnostic data collection.

Alternatively, the same setting can be made directly in the registry: create or modify the REG_DWORD value "AllowTelemetry" with the data 0 (zero) under the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" (the "Computer\" prefix shown by the Registry Editor is not part of the path). The group policy writes exactly this value, so either route yields the same result. Note that a value of 0 is honored only on the "Enterprise" and "Education" editions (and Windows Server); on "Pro" and "Home" it is treated as 1 (required diagnostic data).
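The registry route above, as an added PowerShell example that is not part of the original article: it writes the AllowTelemetry value, reads it back, and reports whether the running edition will actually honor level 0. The key and value name are those stated in the article; the edition check via the EditionID value under "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and the level names are added here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): set the AllowTelemetry policy value via
# the registry and report what the system will actually honor.
# Assumptions: run as administrator on the local machine; the edition is read from the
# EditionID value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$ValueName = 'AllowTelemetry'

# Policy levels as documented by Microsoft: 0 = Security, 1 = Required (Basic),
# 2 = Enhanced (Windows 10 only), 3 = Optional (Full).
$Levels = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }

function Get-TelemetryPolicy {
    # Returns the configured level, or $null when no policy value exists.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-TelemetryPolicy {
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # REG_DWORD, created or overwritten (-Force), exactly as the article describes.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
}

function Get-EffectiveLevel {
    # Level 0 is only honored on Enterprise, Education and Server editions; on Pro and Home
    # the platform treats a configured 0 as 1 (required data is still sent).
    param([int]$Configured)
    $edition = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($Configured -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        return 1
    }
    return $Configured
}

$before = Get-TelemetryPolicy
$shown = if ($null -eq $before) { '<not set>' } else { $before }
Write-Host ("Before: AllowTelemetry = {0}" -f $shown)

Set-TelemetryPolicy -Level 0

$after = Get-TelemetryPolicy
$effective = Get-EffectiveLevel -Configured $after
Write-Host ("Configured: {0} ({1})" -f $after, $Levels[$after])
Write-Host ("Effective:  {0} ({1})" -f $effective, $Levels[$effective])
if ($effective -ne $after) {
    Write-Warning 'This edition does not support the Security level; only Enterprise/Education (and Server) do.'
}

# The upload path is the "Connected User Experiences and Telemetry" service (DiagTrack).
# Its state is worth recording in the change log; the policy governs what it may send,
# so a running service together with level 0 is expected and not by itself a finding.
Get-Service -Name DiagTrack | Select-Object -Property Name, Status, StartType
```

Run the script in an elevated PowerShell session; afterwards the "Diagnostics & feedback" page in Settings shows the setting as managed by the organization. The edition check matters because writing 0 on a "Pro" machine silently yields the "required" level, which is exactly the case the article warns about.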

4. Further Restriction Options

The Windows diagnostic data discussed in sections 2 and 3 is the most prominent example of data transmission built into Windows. However, the settings described apply only to the diagnostic data pipeline that Windows recognizes as its own. Individual Windows system components may send further information to Microsoft that is not classed as diagnostic data, and other Microsoft applications (such as Office) are not silent towards the manufacturer either.

In view of this, it is recommended to systematically review pre-installed apps and system services enabled by default and to uninstall or deactivate them where necessary. This parallels "hardening" in IT security: it reduces the attack surface. Conversely, the radical approach of simply deactivating every system service that establishes a network connection to Microsoft, without further examination, is not recommended without reservation: some services need a connection to function, or depend on each other in such a way that deactivating them impairs overall functionality. Useful Windows updates, for instance, could be blocked.

In addition to the instructions for deactivating diagnostic data, the Windows documentation includes guidance for "Managing Connections from Windows Operating System Components to Microsoft Services" [2] with corresponding settings. For administrators of the "Education" and "Enterprise" editions, Microsoft conveniently provides the "Windows Restricted Traffic Limited Functionality Baseline" package [3] (RTLFB), which applies the numerous settings in one go. In practice, the baseline for the respective Windows 11 version should be used as a foundation and complemented with adjustments tailored to your own requirements and system environment. Before deployment, all effects must be assessed carefully, since the baseline also deactivates time synchronization, for instance, even within your own network.

Applied carelessly, the "Windows Restricted Traffic Limited Functionality Baseline" can therefore itself create security and data protection deficiencies. After a thorough evaluation of its effects, the baseline can be applied as follows:

  • Download the Windows Restricted Traffic Limited Functionality Baseline package.
  • Extract the WindowsRTLFB.zip file (see Figure 4).
  • Refer to the Microsoft documentation for guidance and make any necessary agency-specific adjustments.
  • Download the "Local Group Policy Object Utility" (LGPO), which is part of the Microsoft Security Compliance Toolkit 1.0.
  • Extract the downloaded "LGPO.zip" archive into the "WindowsRTLFB\Tools" directory.
  • Verify that the "WindowsRTLFB" directory contains a folder for your Windows version (as in Figure 4, e.g., "21H2").
  • Execute the PowerShell script "RestrictedTrafficInstall.ps1" from the WindowsRTLFB directory with administrative rights (the PowerShell execution policy may need to permit the script, for example by starting PowerShell with "-ExecutionPolicy Bypass" for this session only).
  • Finally, restart Windows.

Figure 4: Extracted Windows RTLFB package.

Figure 5: Exemplary output of the RestrictedTrafficInstall script.
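As an added example, not part of the original article or of the Microsoft package, the following PowerShell wrapper performs the checks behind the steps above before invoking RestrictedTrafficInstall.ps1, and afterwards inspects the side effect the article singles out, time synchronization. The extraction path C:\Deploy\WindowsRTLFB and the internal time source ntp.agency.local are hypothetical placeholders; that the baseline switches off the NTP client through the NtpClient policy key is assumed here from Microsoft's "manage connections" guidance for the Windows Time service, and the post-check is skipped if that key is not present.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article or the Microsoft package): prerequisite checks
# for the RTLFB steps, the install call, and a post-check of time synchronization.
# Assumptions (hypothetical values): package extracted to C:\Deploy\WindowsRTLFB, LGPO.exe
# placed in its Tools subfolder, ntp.agency.local is the agency's internal time source.

$Baseline    = 'C:\Deploy\WindowsRTLFB'
$InternalNtp = 'ntp.agency.local'

# 1. The package must contain a folder for the running Windows version (e.g. "21H2", "22H2").
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
$versionDir = Join-Path -Path $Baseline -ChildPath $version
if (-not (Test-Path -Path $versionDir)) {
    throw "No folder for Windows version '$version' in $Baseline; do not apply a baseline built for another version."
}

# 2. LGPO.exe from the Security Compliance Toolkit must sit in Tools\.
$lgpo = Join-Path -Path $Baseline -ChildPath 'Tools\LGPO.exe'
if (-not (Test-Path -Path $lgpo)) {
    throw "LGPO.exe not found at $lgpo; extract LGPO.zip into the Tools folder first."
}

# 3. Record the time service state before applying, so the change is reviewable later.
$w32Before = Get-Service -Name W32Time
Write-Host ("W32Time before: {0} / {1}" -f $w32Before.Status, $w32Before.StartType)

# 4. Run the installer script shipped in the package. -ExecutionPolicy Bypass applies only
#    to this child process; the machine-wide execution policy is left unchanged.
$installer = Join-Path -Path $Baseline -ChildPath 'RestrictedTrafficInstall.ps1'
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $installer
if ($LASTEXITCODE -ne 0) { throw "RestrictedTrafficInstall.ps1 exited with code $LASTEXITCODE" }

# 5. Post-check: the baseline turns off time synchronization. Kerberos, log correlation and
#    certificate validation all depend on correct time, so if the agency needs it, point the
#    NTP client at the internal source instead of leaving it disabled. The policy key below
#    is assumed from Microsoft's guidance for the Windows Time service.
$ntpPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$ntpEnabled = (Get-ItemProperty -Path $ntpPolicy -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($ntpEnabled -eq 0) {
    Write-Warning 'Baseline disabled the Windows NTP client; re-enabling it against the internal time source.'
    Set-ItemProperty -Path $ntpPolicy -Name Enabled -Value 1 -Type DWord
    Set-Service -Name W32Time -StartupType Automatic
    Start-Service -Name W32Time
    w32tm.exe /config /manualpeerlist:$InternalNtp /syncfromflags:manual /update | Out-Null
    w32tm.exe /resync /nowait | Out-Null
}
Get-Service -Name W32Time | Select-Object -Property Name, Status, StartType

Write-Host 'Done. Restart Windows to complete the baseline.'
```

The two `throw` checks are the ones that matter in practice: applying a baseline built for a different Windows version, or running the installer without LGPO.exe in place, are the typical reasons the package silently does not do what the change ticket says it did. The time-service block is a template for the kind of agency-specific adjustment the article calls for; every other setting the baseline changes deserves the same before/after comparison.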

You can integrate the "Windows Restricted Traffic Limited Functionality Baseline" into your existing software distribution process and make necessary specific adjustments via Group Policy.

An antivirus solution, update availability and license verification are essential prerequisites for the proper functioning of Windows, so avoiding connections to Microsoft entirely is not straightforward. However, by supplementing the measures presented with a third-party antivirus solution, a Windows Server Update Services (WSUS) server for distributing Windows updates and a Windows Key Management Service (KMS) for activation, the number of connections to Microsoft can be reduced substantially, if not eliminated entirely. These supplementary steps are generally recommended for Bavarian public institutions with the requisite technical know-how, especially in network environments with heightened security requirements (such as the processing of sensitive data like health data). Precisely in these scenarios, however, it is crucial to assess the potential impact on operations and security independently and responsibly in advance.


5. Conclusion

Privacy by Design and Privacy by Default are data protection objectives that manufacturers may interpret and implement differently from public-sector bodies and data protection supervisory authorities. Bavarian public entities using Microsoft Windows 10 and 11 on their workstations are therefore obliged to review their configurations and, where necessary, improve them. To be fair, Microsoft provides extensive and comprehensible documentation on the various services and programs that establish connections to the manufacturer, and it explains how the transmission of telemetry data for diagnostics and feedback can be disabled, although outside the "Enterprise" and "Education" editions it cannot be switched off completely. The already announced end of support for Windows 10 on October 14, 2025, and the resulting transition to Windows 11 give Bavarian public institutions a good opportunity to address the topic of "telemetry data transmission" purposefully.

Footnotes:

  1. See: https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings.
  2. Accessible at: https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.
  3. Download link: https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED8987CEBD8D89/WindowsRTLFB.zip.
