The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law.

To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn’t always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection—though this language still wasn’t explicit about what was collected and why—and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen.

In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10’s “Basic” telemetry setting. However, the company has not done so for the “Full” option, and the Full option remains the default.

The Windows 10 privacy options continue to be a work in progress for Microsoft. The Fall Creators Update, due for release on October 17, makes further changes to the way the operating system and applications collect data and the consent required to do so. Microsoft says that it will work with the DPA to “find appropriate solutions” to ensure that Windows 10 complies with the law. However, in its detailed response to the DPA’s findings, Microsoft disagrees with some of the DPA’s objections. In particular, the company claims that its disclosure surrounding the Full telemetry setting—both in terms of what it collects and why—is sufficient and that users are capable of making informed decisions.

The DPA’s complaint doesn’t call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to “end all violations,” but if the software company fails to do so, it faces sanctions.

Source: Dutch privacy regulator says Windows 10 breaks the law

Note: the DPA is fine with MS collecting your data, as long as you know what data it is you are collecting. For a product you buy, this seems insane to me, which is why I am running Linux Mint on a day to day basis nowadays.

Earlier this month, software engineer Christopher Moore discovered that Shenzen, China-based phone manufacturer OnePlus was secretly collecting a trove of data about users without their consent and communicating it to company servers. Moore had routed his OnePlus 2’s internet traffic through security tool OWASP ZAP for a holiday hack challenge, but noticed his device was regularly transmitting large amounts of data to a server at open.oneplus.net.

According to Moore’s analysis, captured information included his phone’s IMEI and serial number, phone numbers, MAC addresses, mobile network names and IMSI prefixes, and wireless network data. OnePlus was also collecting data on when its users were opening applications and what they were doing in those apps, including Outlook and Slack. With the cat out of the bag, OnePlus admitted to the non-consensual snooping in a post to its customer service forum on Friday, but said the intent of the program was improving user experience on its OxygenOS software.

“The reason we collect some device information is to better provide after-sales support,” OnePlus wrote. “If you opt out of the user experience program, your usage analytics will not be tied to your device information.”

“We’d like to emphasize that at no point have we shared this information with outside parties,” the company added. “The analytics we’re discussing in this post, which we only look at in aggregate, are collected with the intention of improving our product and service offerings.”

According to OnePlus, it will also stop collecting “telephone numbers, MAC Addresses and WiFi information,” and by the end of October, the company will clearly prompt all users on how and why it collects data and provide users with an option to not participate in its “user experience program.”

Multiple users responded by saying their concerns were not resolved, as some of the data collected—like telephone numbers and wireless network information—was of limited use from a support perspective and instead could have been mined for its value to marketers.

As TechCrunch noted, the opt-out provision also does not appear to actually stop the data collection, but simply removes tags linking the data to a specific device. So no matter which way you slice it, this is not a very good situation for OnePlus users to find themselves in. As Moore noted, there are few good options to stop the data collection entirely:

Source: OnePlus Admits It Was Snooping on OxygenOS Users, Says It Will Tweak Data Collection Program

Encrypted messaging app Telegram must pay 800,000 roubles for resisting Russia’s FSB’s demand that it help decrypt user messages.

The fine translates to just under US$14,000, making it less of a serious punishment and more a shot across the bows.
[…]
Telegram founder Pavel Durov has posted to Russian social site VK.com that it’s not possible to comply.

“In addition to the fact that the requirements of the FSB are not technically feasible, they contradict Article 23 of the Constitution of the Russian Federation: ‘Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraphic and other communications,’” he wrote.

He indicated his intention to appeal, and keep doing so “until the claim of the FSB is considered by a judge familiar with the basic law of Russia – its Constitution”

Source: Russia tweaks Telegram with tiny fine for decryption denial

However, does this mean that Telegram is being seen to speak up for privacy whilst in reality it’s not?