Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings

PIPEDA Report of Findings #2018-004

June 20, 2018

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Allegations

1. The complainant explained to our Office that he upgraded from Windows 8.1 to Windows 10 when the latter was first made available in July 2015. He chose the Windows 10 “Express” option during the installation process, which resulted in the application of certain default privacy settings. He claimed that he later found it difficult to understand and make privacy setting adjustments post-installation. As he was concerned about how his personal information would be collected, used and disclosed by Microsoft, he ultimately chose to revert back to Windows 8.1. In addition, after reverting back to Windows 8.1, he continued to receive unwelcome prompts to upgrade to Windows 10 and did not know how to prevent them.
2. Based on the complainant’s allegations and the information he provided to our Office in subsequent discussions, we investigated whether Microsoft failed to ensure adequate knowledge and consent for its collection, use and disclosure of users’ personal information via Windows 10.
3. For clarity, the scope of our investigation into this issue was limited to consent for the collection, use and disclosure of users’ personal information with respect to the default settings associated with the Windows 10 upgrade and installation process.
4. Further, we do not address in this report the complainant’s allegations with respect to Microsoft’s notifications encouraging customers to upgrade to Windows 10, as in our view, this issue falls outside the scope of the Act.

Summary of Investigation

Overview

5. Our investigation initially focused on the Windows 10 version available at the time of the complaint (Version 1507). During the course of our investigation, Microsoft released two new versions of Windows 10: the Anniversary Update and shortly thereafter, the Creators Update. As such, this report begins with our investigation and preliminary findings relating to Version 1507, followed by our analysis of the Creators Update (Version 1703).
6. We issued a preliminary report of investigation to Microsoft, identifying certain contraventions, accompanied by recommendations with a view to bringing Microsoft into compliance with the Act.
7. Concurrent with the issuance of our preliminary report, Microsoft released a further update to Windows 10 (Version 1803), which addressed certain of our concerns. Microsoft subsequently agreed to implement further measures to resolve our remaining concerns. This latest update and Microsoft’s subsequent commitments are addressed in the Recommendations section of this report.

Background

8. Windows 10 has been promoted by Microsoft as a unified platform offering one operating system which is always up-to-date and can be used on many types of devices. Whereas previous Windows operating systems have been aimed at desktop computers, Windows 10 is cloud-based and designed to also work with mobile devices such as smartphones and tablets.
9. Windows 10 was initially offered to existing Windows 7 and 8.1 users as a free upgrade and was installed by hundreds of millions of individuals. In July 2016, Windows 10 ceased to be offered as a free upgrade.
10. Microsoft provides information in relation to its Windows 10 privacy practices in various ways, including: (i) via its Privacy Statement; (ii) through the Microsoft Settings app; and (iii) during the installation process.^{Footnote 1}

Microsoft’s Privacy Statement

11. Microsoft’s Privacy Statement^{Footnote 2} is a unified statement for all of Microsoft’s consumer services, including Windows. It explains, in dedicated sections, generally what personal data Microsoft collects, how it is used, how it is shared, how to access and control user data, and how it uses cookies and similar technologies. It also provides more product-specific details in dedicated sections for numerous Microsoft services, including Windows and Xbox Live. Further privacy-related information is available to users by clicking “Learn more” at the bottom of each product-specific section of the Privacy Statement. The Windows section of the Privacy Statement also provides detailed explanations regarding various functions or settings that will be discussed later in this report.
12. Microsoft claimed that a unified statement is more comprehensible for users than offering a different statement for each service (as was done in the past). They indicated that a unified statement is also more aligned with current industry practices. It was noted during investigation that, while there is a unified statement (approximately 48 pages in length), approximately 10 pages of that are dedicated to Windows 10 features, accessible via a hyper-linked Table of Contents at the top left of the Privacy Statement.
13. The Version 1507 installation process did not make the Privacy Statement available to users until after they had made their consent choices (discussed further below). It was then available only in full block-text format, without formatting or internal hyper-links for ease of navigation between sections. At the outset of the installation process, Microsoft provided the URL with which the user could access the Privacy Statement via another device, and the Privacy Statement was (and remains) available to individuals at any time on the Microsoft website. With the Creators Update, the Privacy Statement is now available via hyper-link during the installation process.

Settings App

14. Users can, at any time after installation, adjust privacy choices made during installation via the Microsoft Settings app. These settings are supported by explanations, with hyper-links to further information.

Version 1507 - Installation Process

15. Upon installation of this original version of Windows 10, a user was given a choice between selecting “Express settings” and “Customize settings”. This choice was presented to the user on a screen titled “Get going fast” (see Figure 1 below). This screen could not be skipped, and required the user to make decisions before continuing with the installation.

Text version of Figure 1

Get going fast

Change these at any time (scroll to see more). Select Use Express settings to :

Personalize your speech, typing and inking input by sending contacts and calendar details, along with other associated input data to Microsoft. Let Microsoft use that info to improve the suggestion and recognition platforms.

Let Windows and apps request your location, including location history, turn on Find My Device, and use your advertising ID to personalize your experiences. Send Microsoft and trusted partners some location data to improve location services.

Help protect you from malicious web content and use page prediction to improve reading, speed up browsing, and make your overall experience better in Windows browsers. Your browsing data will be sent to Microsoft.

Automatically, connect to suggested open hotspots and shared networks. Not all networks are secure.

Get updates from and send updates to PCs on the Internet. Send full error and diagnostic.

Connect with friends. Let Skype use your contacts and verify your phone number. SMS charges may apply.

Learn more

Cuztomize settings

“Back” “Use Express settings”

16. As illustrated in Figure 1, the “Express settings” choice was featured in a prominent blue button on the lower right corner, whereas the “Customize settings” choice was presented in small font in the lower left corner of the screen.
17. The “Get going fast” screen also included, in small font on the lower left corner of the screen, the option to “Learn more”. This link led to additional information to help users decide between the Express and Customize settings options.
18. Microsoft represented to our Office that the default Express and Customize settings reflected what it believed the average user had come to reasonably expect from a modern operating system.

Express Settings Installation Option

19. According to Microsoft, the “Get going fast” page was meant to highlight key privacy features, particularly where the feature was unfamiliar or new.
20. The Express settings choice resulted in accepting a set of Microsoft default settings (see Customize Settings below for those default settings).

Customize Settings Installation Option

21. If a user chose the Customize settings option, three different screens were presented, grouping various settings. Certain of these settings concerned users’ personal information. Each setting was presented with a toggle, turned on by default, with the option to turn it off. Microsoft stated that its objective was to provide descriptions of the setting options without overwhelming the user with too much detail. For several relevant examples, see Figures 2 and 3 below.

Text version of Figure 2

Customize settings

Personalization

Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft.

“On”

Send typing and inking data to Microsoft to improve the recognition and suggestion platform.

“On”

Let apps use your advertising ID for experiences across apps.

“On”

Let Skype (if installed) help you connect with friends in your address book and verify your mobile number. SMS and data charges may apply.

“On”

Location

Turn on Find My Device and let Windows and apps request your location, including location history, and send Microsoft and trusted partners some location data to improve location services.

“On”

“Back” “Next”

 

Text version of Figure 3

Customize settings

Connectivity and error reporting

Automatically connect to suggested open hotspots. Not all networks are secure.

“On”

Automatically connect to networks shared by your contacts

“On”

Automatically connect to hotspots temporarily to see if paid Wi-Fi services are available.

“On”

Send full error and diagnostic information to Microsoft.

“On”

“Back” “Next”

 

22. We noted during the investigation that the Customize settings screens did not present a “Learn more” link, as was provided in Express settings.
23. Below we discuss two settings in respect of which we identified preliminary concerns, as well as those that we considered out of scope.

Send Full Error and Diagnostic Information to Microsoft (Telemetry)

24. For the Windows 10 Home and Pro versions, there were three diagnostic settings individuals could choose: (i) Basic; (ii) Enhanced; and (iii) Full.
25. These options were explained in the Privacy Statement under "Telemetry and Error Reporting" and in the "Feedback, diagnostics and privacy in Windows 10" FAQs. Microsoft also described these telemetry levels in its Windows IT Center as follows:
    • Basic: Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
    • Enhanced: Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
    • Full: All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.^{Footnote 3}
26. Full: Diagnostics was set to Full by default (i.e., Express settings). Microsoft indicated that this level identified problems, removed malware and generally kept the operating system running efficiently and securely. The Full level allowed Microsoft to gather additional data where necessary, such as registry information and diagnostics, from a small sample of computers that had Full telemetry enabled. According to Microsoft, such requests had to be approved by Microsoft’s privacy governance team before an engineer could collect these details from personal computers.
27. Enhanced: If a user chose to toggle telemetry to off, via Customize settings, this setting was not turned off, or even to Basic, but merely lowered to Enhanced. This was not explained on the Customize settings screens.
28. Basic: After installation, a user could access the Settings app to alter the level of telemetry to Basic. Microsoft explained that this was the minimum level it offered to most users because this data is needed to help keep Windows and apps secure, up to date, and running properly.

Advertising ID

29. The Advertising ID is a randomly generated number assigned to a device user. It works much like a cookie. If the Advertising ID is turned on and a user is in an app, then that app can access the Advertising ID. The Advertising ID allows an app developer to track a user’s activities over time across its apps installed on the device.
30. Microsoft explained to our Office that individuals could turn off the Advertising ID, such that:
    • (i) it is not sent to third parties; and
    • (ii) Microsoft itself does not use it. If the Advertising ID is subsequently turned on again, the unique identifier associated with the ID is reset and a new identifier is created.
31. Our Office noted inconsistencies in how the Advertising ID was explained in Microsoft’s various privacy communications. These communications explained purposes that included:
    • (i) “to personalize your experiences” (Express Settings);
    • (ii) “for experiences across apps” (Customize Settings); and
    • (iii) “by app developers and advertising networks to provide more relevant advertising” (Privacy Statement).

Features available via opt-in

32. Given the scope of our investigation (as outlined in Paragraph 3 of this report), we did not specifically address the collection, use or disclosure of information in respect of features that required opt-in consent, separate from the Windows 10 installation process.^{Footnote 4}

Preliminary Concerns – Version 1507

33. During the course of our investigation, we identified certain preliminary concerns with respect to Microsoft’s attempts at obtaining consent via the Version 1507 installation process (as outlined below). We shared those concerns with Microsoft, and Microsoft committed to address them in its subsequent Windows 10 updates.

General

34. We were initially concerned that the option to customize settings was not sufficiently prominent on the original “Get Going Fast” page. In our view, it may not have been apparent to users that they had a choice to adjust the default settings during installation.
35. We were also concerned that the written information provided by Microsoft during the “Customize settings” installation process was brief and that there was no mechanism to obtain further information. While we understand that Microsoft did not want to overwhelm the user with too much detail, we found that the explanations did not strike the right balance between the desire for brevity and providing access to sufficient information. In particular, there was no "Learn more" link available during the Customize settings process to provide sufficient details to support a reasonable understanding of the purposes for which personal information would be collected and how it would be used or disclosed pursuant to each setting.
36. As a result, during the course of our investigation, we suggested that Microsoft:
    1. increase the prominence of the option to customize settings during the installation process; and
    2. add a “Learn more” link on the Customize settings screens to allow users to obtain more comprehensive explanations of the various settings.

Advertising ID and Diagnostics

37. We also noted concerns with respect to Microsoft's written explanations to users in relation to its Advertising ID and Diagnostics settings.
38. More specifically, we noted that Microsoft did not provide an explanation as to how the Advertising ID is used to provide relevant advertising. During the course of our investigation we suggested that Microsoft use more clear, consistent and comprehensive language when describing the Advertising ID and its purposes.
39. Further, in our view, it would not have been clear to users, based on the privacy communications available, what data transfer may result from leaving the “send full diagnostic and error reporting to Microsoft” setting on, or that turning the setting off would not fully cease telemetry but simply lower it, by one level, to Enhanced. We therefore also suggested that Microsoft provide clearer explanations to users with respect to the meaning of the telemetry settings and associated options.

Creators Update – Installation Process

40. Microsoft began the roll-out of its Windows 10 Anniversary Update on August 2, 2016. It subsequently introduced its Creators Update on 11 April 2017. This resulted in material changes to the default privacy settings, and associated explanations presented during the Windows 10 installation process. We have therefore reviewed the Creators Update along with the June and September 2017 updates to the Microsoft Privacy Statement.
41. Broadly speaking, Microsoft implemented the following changes via its Creators Update:
    1. A single installation process, abandoning its previous two-tier installation process in which users had to decide between “Express” and “Customize” options.
    2. During the installation process, users were brought to a page entitled: “Choose privacy settings for your device”, where,
       • Settings were turned on by default for Location, Speech recognition, Relevant Ads and Tailored Experiences with diagnostic data, and were set to Full for Diagnostics, and
       • At the bottom of the page, there was an “Accept” button and a “Learn more” button of equal prominence.

Text version of Figure 4

Choose privacy settings for your device

Microsoft puts you in control of your privacy. Choose your settings, then select “Accept” to save them. You can change these settings at any time.

Location

Get location-based experiences like local weather and directions to your favorite places. Let Windows & apps request your location, and send Microsoft location data to help improve location services.
“On”

Diagnostics

Help us fix things and improve Microsoft products and services. Send diagnostic data (including browser, app & feature usage, and inking & typing data to Microsoft.
“Full”

Relevant Ads

Let apps use advertising ID to make ads more interesting to you based on your app usage.
“On”

Speech recognition

Talk to Cortana and Store apps that support voice recognition. Send Microsoft your voice input to help improve speech services.
“On”

Tailored experiences with diagnostic data

Get more relevant tips and recommendations to tailor Microsoft products and services for your needs. Let Microsoft use your diagnostic data to make this work.
“On”

Select “Learn more” for info on the above settings, how Windows Defender SmartScreen works, and the related data transfers and uses.
“Learn more” “Accept”

Individual Privacy Settings

42. See Figure 4 for explanations provided by Microsoft, on the installation screen, in respect of each setting. Below is additional information on each new setting, which Microsoft makes available:
    1. on the installation screen when the settings are toggled to off (or basic);
    2. via “Learn more” links;
    3. in its Privacy Statement; and
    4. in various other privacy communications.
43. Location: Microsoft explained in the “Learn more” section that it collects location information from a combination of global positioning service (GPS), wireless access points, cell towers and IP addresses. In its Privacy Statement, Microsoft further explained that it maintains only the device’s last known location, and stores up to 24 hours of location history on the device.
    
    “Learn more” explained that leaving Location on enables apps, services and Windows features to ask for permission to access and use location data and allows Microsoft to collect this data in a “de-identified format” to improve location services. The Privacy Statement stated that when Location was turned on, Microsoft may share de-identified location data with third parties “to provide and improve location and mapping services”.
    
    Upon issuance of our preliminary report, our Office understood that Microsoft was sharing de-identified location data only for the purpose of improving its own location and mapping services. Subsequently, Microsoft provided further detail and clarification regarding its disclosure of “de-identified location data”, explaining that if Location is on, it:
    1. collects limited data regarding proximate WiFi access, cell-towers, and/or device GPS coordinates, depending on device capability, with “no individual or device identifiers”, such that there is no “spatio-temporal point that could be linked to an individual” and “no location-data trajectory is associated with any given user”; and
    2. shares that same data with its 3^rd party service partner, HERE North America, LLC (“HERE”), to improve HERE’s location and mapping services, which it provides to Microsoft to assist with the delivery of improved services to Windows 10 users, as well as to various other business customers.
    Finally, we note that Microsoft explained via its Windows 10 privacy communications that even when Location is off, apps and services may still have the ability to use wireless access points to determine a device’s location.
    
    Notwithstanding the above, in practice, apps and services published in the Microsoft Store that wish to access Location data must ask the user for separate permission, via a pop-up consent box, before doing so.
    
    Diagnostics: Users may now choose to leave diagnostics at the default Full level or to toggle it to Basic – there is no longer an Enhanced level. If the setting is toggled to Basic, the installation screen indicates that “[the user will] be sending Microsoft less data to help fix errors [he/she] encounters.” Microsoft provided further details via “Learn more” and its Privacy Statement.
    1. Purposes: Microsoft explained that it uses diagnostic data for four broad purposes:
       • (i) to help fix problems or errors (at Basic and Full);
       • (ii) to keep windows up-to-date and secure (at Basic and Full);
       • (iii) to improve its products and services (only at Full); and
       • (iv) to personalize Windows user experiences (at Basic and Full, but only when Tailored Experiences is on, to which it is set by default).
    2. Basic diagnostics: Microsoft explained that Basic refers to data which allows Microsoft to know the capabilities of a device, what is installed, whether Windows is operating correctly, and to keep Windows and apps secure, up to date and running properly. Examples provided for Basic information included: device’s IP address, updates success or failure and names of applications installed. The Microsoft Privacy Statement included a link to a page in the Windows IT Center where Microsoft provided an exhaustive list of all information collected at Basic.
    3. Full diagnostics: Full included what is collected at Basic plus further diagnostic data including:
       • data about app usage;
       • Microsoft browser usage (e.g., history and search terms);
       • how users use certain features or apps;
       • inking and typing input (processed to remove identifying information);
       • the memory state of a device when a system or app crash occurs (which may include parts of a file users were using when a problem occurred); and
       • additional data about the device connectivity and configuration.
       
       The Microsoft Privacy Statement did not, as it did for Basic, include a link to more detailed information about what is collected at Full. However, a page entitled “Windows 10, version 1703 Diagnostic Data” in the Windows IT Center did provide a list of all categories of data collected at Full, as well as an extensive (but non-exhaustive) list of examples of information collected under each category.
       
       On a page entitled “Configure Windows telemetry in your organization” in Windows IT Center, Microsoft states that at Full, its engineers could request additional data if a device experiences problems that repeat or are difficult to identify. In such cases, the Microsoft privacy governance team must approve the diagnostics request. Microsoft confirmed to our Office that, in any event, the data collected would not fall outside of the categories listed in this document, unless the organization first obtained new consent from the user.
44. Tailored Experiences with diagnostic data: Microsoft identified in the “Learn more” section for “Diagnostic data” that it will use diagnostic data to personalize the user’s experiences if Tailored Experiences is on – e.g., to suggest, recommend and offer features, apps, services, hardware and peripherals, and ways to customize and optimize Windows.
    
    The scope of data used will depend on whether the level of diagnostic data is set to Full or Basic. Microsoft specified that, in any case, it does not use crash, speech, typing or inking input data for personalization. Although the Microsoft Privacy Statement does not include a section on Tailored Experiences, it provided information similar to that outlined above in the section on Diagnostics.
    
    We asked Microsoft how it ensures that sensitive information is not used for Tailored Experiences, and requested copies of any policies or procedures it has implemented to address this. Microsoft explained that it mitigates the processing of potentially sensitive information for Tailored Experiences by having all Tailored Experiences segments reviewed by a Windows attorney or paralegal to ensure the segments are not based on sensitive characteristics (such as race, political orientation, sexual orientation, religious affiliation). Microsoft asserted that this protection was adequate since:
    • (i) it is based on human (vs. algorithmic) review;
    • (ii) the diagnostics data collected reveals little about an individual; and
    • (iii) users have consented to both the diagnostics data and Tailored Experiences settings during the installation process.
    
    Microsoft provided no written policies or procedures that it had implemented to ensure that sensitive information is not used for Tailored Experiences.
45. Relevant Ads: The name for this feature changed from “Personalization… lets apps use your advertising ID” (emphasis added) in Version 1507, to Relevant Ads in the Creators Update. While the installation screen description remained brief, users could now obtain more information by clicking on the “Learn more” button at the bottom of the page, which briefly explained:
    • (i) that apps (including Microsoft apps and third-party apps) can access and use the advertising ID in much the same way that websites can access and use a unique identifier stored in a cookie;
    • (ii) what happens when this feature is turned off and that it will be reset if a user turns it on again;
    • (iii) that when a third party app accesses the Advertising ID, its use of the feature will be subject to its own privacy policy; and
    • (iv) that this feature can be used by app developers and advertising networks to provide more relevant advertising. Similar information was found in the Microsoft Privacy Statement.
    
    We note that Microsoft also has an Advertising Preferences portal where users can go to make choices related to its relevant (or personalized / interest-based) advertising program. There is no mention of this webpage/portal on the Relevant Ads installation page, or in the Advertising ID portion of the Privacy Statement.
46. Speech recognition: If the setting was toggled to off, the installation screen indicated that “[the user] can’t talk to Cortana or apps from the [Microsoft App Store].”
    
    In the “Learn more” section, Microsoft explained that it will collect voice recordings and information from the user dictionary to provide its speech recognition services. The user dictionary stores unique words, like names, which have been written by the user. Microsoft stated that both the voice data and the user dictionary are also “used in the aggregate to help improve [its] ability to correctly recognize all users’ speech.” Users may later allow Cortana to access calendar and contact information, and this will be used to personalize the speech recognition experience. The Microsoft Privacy Statement contained similar information on speech recognition.
47. We note that the following Version 1507 privacy settings were removed from the Creators Update installation process, having been subsumed by other privacy settings, and we therefore did not consider them further:
    1. Personalization: Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft.
    2. Personalization: Send typing and inking data to Microsoft to improve the recognition and suggestion platform.

Application

48. In analyzing the facts, we applied subsection 6.1 of the Act, as well as Principles 4.3, 4.3.2, 4.3.4, 4.3.5, 4.3.6, and 4.1.4 of Schedule 1 of the Act.
49. Subsection 6.1 provides that for the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
50. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.2 further specifies that an organization must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.4 provides, in part, that the form of consent sought by the organization may vary, depending on the type of information and the circumstances. In determining the form of consent, the organization shall take into account the sensitivity of the information. Principle 4.3.5 further provides, in part, that in obtaining consent, the reasonable expectations of the individual are relevant. Principle 4.3.6 indicates that the manner in which an organization may obtain consent may vary, depending on the circumstances and the type of information collected. An organization shall generally seek express consent when the information is likely to be considered sensitive.
51. Principle 4.1.4 provides that an organization shall implement policies and practices to give effect to the principles.

Analysis

Preliminary Concerns – Version 1507

52. With respect to the general preliminary concerns we raised with Microsoft during the course of this investigation, as outlined in paragraphs 34-36 above, we note that the new single installation process implemented via the Creators Update ensures that all users are automatically brought to the privacy settings page so that they can customize settings during Windows 10 installation. We also note that Microsoft now provides links to “Learn more” and its Privacy Statement on the privacy settings page.
53. We assess below, under our analysis in respect of the new Diagnostics and Relevant Ads settings, the extent to which Microsoft has addressed our concerns detailed in paragraphs 37-39 above.

Consent post Creators Update

Legislative Context

54. The Act provides that the appropriate form of consent will generally depend on the sensitivity of the information and the reasonable expectations of the individual.
55. It also provides that for consent to be meaningful, the organization must explain its practices in a manner that allows the individual to reasonably understand what information will be collected, how that information will be used and disclosed, and the nature, purposes and consequences of that privacy practice.
56. Our Office has previously held that when an organization pre-selects default settings, such settings must accord with users’ reasonable expectations and users must be properly informed of the settings and of the implications of choosing one setting over another.^{Footnote 5}

Individual Privacy Settings

57. On the new privacy settings installation page, all of the following settings (as described above) are now set to on (or Full, for Diagnostics) by default, with the ability to opt-out (or opt for Basic for Diagnostics):
    1. Location,
    2. Diagnostics,
    3. Tailored Experiences,
    4. Relevant Ads (Advertising ID), and
    5. Speech Recognition.
58. The following are our views with regards to the validity of consent obtained by Microsoft, during installation, for its practices associated with each of these privacy settings. For each setting, we have considered whether Microsoft was obtaining the appropriate form of consent (e.g., opt-out vs. opt-in), and whether that consent was meaningful.

A. Location

59. In our view, Microsoft could rely on opt-out consent for the Windows 10 “location” setting, but should implement certain enhancements to its privacy communications to better explain its use and disclosure of information pursuant to that setting.
60. Based on our review of Microsoft’s privacy communications, we understand that pursuant to the Windows 10 Location setting, Microsoft may use or disclose precise location information as follows:
    1. to enable apps, services and Windows features to use location data, and
    2. in “de-identified” form, to provide and improve its location and mapping services.
61. While location data can be sensitive depending on the context (for example, where it reveals a place of worship or specific medical clinic visited by the user), we note that leaving Location on does not in and of itself authorize disclosure of location data. Users must provide separate and subsequent permission before Windows will enable a particular app and other digital content obtained from the Microsoft Store to access location data. For example, where Location is on, an app wishing to access location must first request permission to do so from the user, including via a prominent pop-up consent box. In our view, this would not exceed users’ reasonable expectations.
62. We originally accepted, based on our understanding of Microsoft’s practices when we issued our preliminary report, that it would be within users’ reasonable expectations that Microsoft (by default, with an opt-out option) would use location data, in de-identified form, to provide and improve its own location and mapping services.
63. Based on this understanding, we accepted, on a preliminary basis, that Microsoft could rely on opt-out consent, during installation, for its practices pursuant to the Location setting.
64. Subsequent to receipt of our preliminary report, Microsoft indicated that it discloses such information to HERE for purposes of improving HERE’s location and mapping services, which it provides to Microsoft and others. Microsoft represented that this data does not constitute personal information. Recognizing that Microsoft has committed, as outlined later in this report, to obtain opt-in consent for the Location setting, along with all installation privacy settings, we have not fully considered whether the data shared with HERE is personal information, or the extent to which such a practice, if it were to involve the disclosure of personal information, would be within the reasonable expectation of Windows users.
65. We did, however, identify certain gaps in Microsoft’s explanations such that users may not sufficiently understand the nature and consequences of their Location setting choice.
66. In our view, users may not reasonably understand, from the privacy communications available during installation, that there are exceptions to the location setting (as outlined in paragraph 43 above). In particular, given that the “Learn more” explanation states that Microsoft will use “wireless access points” for location functionality, it should also explain that even if location is turned off, apps and services may still be able to determine a user’s location through wireless access points such as Wi-Fi scanning and Bluetooth.^{Footnote 6}
67. Further, Microsoft has not made clear to users how or by whom de-identified information will be used and disclosed improve location and mapping services.

B. Diagnostics

68. We are not satisfied that Microsoft is ensuring valid consent, via its installation process, for its collection, use and disclosure of diagnostic data. In our view, diagnostics should be set, by default, to Basic. Furthermore, Microsoft should provide greater transparency regarding certain of its practices with respect to diagnostics, to ensure that users reasonably understand how their data may be used or disclosed.
69. As a preliminary matter, we consider “Tailored Experiences” (one of the four broad purposes for which diagnostic information is used) to involve targeted marketing. Microsoft is marketing its own products and services, as well as those of third-parties, via Tailored Experiences. This is the case even where suggestions are intended to enhance the user’s Windows 10 experience, and where Microsoft is not being paid directly for making the suggestion.^{Footnote 7}
70. In our view, users would not reasonably expect Microsoft to collect and use Full diagnostic information by default. The reasonable expectations of individuals will generally depend on the nature of their commercial relationship with the organization. Windows is an operating system, for which users generally pay, and represents the necessary technical foundation upon which users will carry out all activities on their devices. They would therefore reasonably expect their operating system to limit its default collection, use and disclosure of their personal information to that which is necessary to deliver core operating system services.
71. Users would not reasonably expect Microsoft to collect the breadth of information included in Full diagnostics for purposes such as targeted marketing (under Tailored Experiences) or to improve its products and services, particularly where Basic represents the data which Microsoft indicates is necessary to fix problems/errors and keep Windows up-to-date/secure.
72. Furthermore, users may consider many of their online activities, in which they must engage via their operating system, to be private, and the information associated with those activities could be highly sensitive (e.g., browser searches in relation to a medical condition, or use of a religion-specific dating app).
73. In our view, Microsoft should collect Basic data by default, noting that nothing would preclude Microsoft from later encouraging users to opt into Full diagnostics by explaining the potential benefits (and other implications) of doing so.
74. In its Creators Update, Microsoft did, through a layered approach, significantly improve the transparency regarding its collection, use and disclosure of diagnostic data.
    1. On the installation screen, Microsoft provided a brief explanation of the information it will collect via Diagnostics and the purposes for which that information will be used, with further details available during installation via Microsoft’s layered approach. These explanations captured the key, potentially sensitive, types of information that may be collected at each level of diagnostics (e.g., at the full level - browser, app usage, and inking and typing data).
    2. Further details and examples of information collected at each level were made available via “Learn more” and the Privacy Statement.
    3. Microsoft provided full transparency with respect to the information it collects at Basic, via hyper-link to a document detailing all of the information collected at that level. We note that Microsoft also published, on its website, an exhaustive list of the categories of data, and associated examples, collected at Full. This list was not, however, available via a link in the Privacy Statement.
75. We accept that the documents referenced in sub-paragraph (iii) above provide an adequate level of detail to support users’ understanding of the information that will be collected at Full. However, we were concerned that detailed information about the categories/examples of information collected at this level was not as easily accessible to users as it was for Basic, even though Microsoft collects much more potentially sensitive data at the Full level.
76. In our view, therefore, Microsoft’s explanations, while much improved, were not adequate to support meaningful user consent for Diagnostics.

C. Tailored Experiences

77. In our view, Microsoft is not obtaining valid consent, via the Windows 10 installation process, for its Tailored Experiences function.
78. As outlined in paragraph 71, above, users would not reasonably expect Microsoft to use the breadth of Full diagnostics data (which it collects by default, for the primary purposes of keeping the operating system up to date, secure, reliable, and performant) for the secondary purpose of delivering targeted marketing.
79. Furthermore, we were not satisfied that Microsoft is adequately protecting against the use of sensitive personal information to deliver its suggestions to users, at either Full or Basic. While Microsoft explained certain practices it has in place to protect against the use of sensitive information for Tailored Experiences, we received no evidence of any written policies or procedures in this regard. In the absence of such evidence, we were unable to determine that Microsoft uses only non-sensitive diagnostic information in the delivery of Tailored Experiences. This also represents, in our view, a failure by Microsoft to comply with accountability requirements under Principle 4.1.4 of the Act.
    
    Note: If Microsoft were to adjust its default Diagnostics setting to Basic, this would address our concern with respect to the breadth of information being used by default for Tailored Experiences. In our view, provided Microsoft also implements adequate measures (i.e., documented policies and processes, training and monitoring) to ensure that sensitive information is not used for such purposes, it could then rely on opt-out consent from users for Tailored Experiences.

D. Relevant Ads (Advertising ID)

80. We accept that Microsoft can rely on opt-out consent in respect of its Relevant Ads setting, subject to improving transparency with respect to the distinction between this setting and its own relevant advertising program.
81. The Relevant Ads setting, set to on by default, results in the creation of an advertising ID, which Microsoft makes available to apps for the purpose of delivering relevant advertisements and personalized experiences across related apps. The advertising ID, a random unique identifier, is not, in and of itself, sensitive. In the context of the online advertising environment in Canada, the creation and disclosure of advertising IDs by mobile operating systems are commonplace, and such a practice should be within the reasonable expectations of users. As such, we consider that opt-out consent could be appropriate for Microsoft’s creation of its advertising ID, and disclosure of that identifier to apps.
82. We have a concern, however, with respect to the meaningfulness of the consent Microsoft obtains from users in respect of the Relevant Ads setting. In our view, Microsoft is, through its communications in relation to this setting, conflating two distinct practices – i.e.: (i) in its role as an operating system, creating the advertising ID and disclosing it to apps; and (ii) in its role as an advertiser, using the advertising ID for its own relevant advertising program.
83. To provide relevant context, Microsoft’s relevant advertising program^{Footnote 8} operates across its online services, including outside Windows, using various identifiers not limited to advertising ID. Microsoft explains its relevant advertising practices through various in-depth privacy communications, including its Privacy Statement, and allows users to make granular choices with respect to its advertising practices via an advertising portal.
84. At the same time, the name of this setting changed from Advertising ID (under Version 1507) to Relevant Ads. Furthermore, in “Learn more”, Microsoft references its own use of advertising ID, without explaining how users can make choices separately with respect to its relevant advertising program. In our view, referencing Microsoft’s own advertising practices in this manner could leave the user confused, not reasonably understanding the nature of the practices to which they are consenting via the Relevant Ads setting.

E. Speech Recognition

85. In our view, Microsoft is not obtaining valid consent for its collection, use and disclosure of personal information via the Speech Recognition setting. Opt-out consent is not appropriate for the practices associated with this setting. Furthermore, Microsoft’s explanations with respect to Speech Recognition do not make sufficiently clear to users the nature of the choice they are being asked to make. Finally, our testing indicates that Microsoft is not consistently respecting the choices being made by users in respect of Speech Recognition.
86. The Speech Recognition function, offered via Cortana, goes beyond the use of voice data on the device to respond to user requests; it is a cloud-based service for which Microsoft collects and uses:
    1. large amounts of speech data; and
    2. the “user dictionary” (as described in paragraph 47), even before the user has engaged with the device via voice commands.
87. The content of the voice instructions collected and used by Microsoft via Speech Recognition could often be sensitive. For example, it could include instructions to create a medical appointment in the user’s calendar, or to send a private text to a spouse.
88. Furthermore, in our view, a user who has, earlier in the installation process, expressly chosen not to opt into Cortana (see paragraphs 91-92), would not reasonably expect Speech Recognition, which is delivered using Cortana, to be on by default.
89. In our view, therefore, the Speech Recognition setting should be off by default. We note that this would not prevent Microsoft from later encouraging users to opt into this setting, by explaining the potential benefits of its cloud-based speech-recognition service.
90. We are also concerned that Microsoft has not prominently and clearly explained the key fact that turning Speech Recognition off only disables cloud-based speech recognition services, and does not preclude the use of its device-based speech recognition service. We fear that a user may choose to leave Speech Recognition on so that they can engage with their device via voice commands, not understanding that they could still do so (via the “Windows Speech Recognition” app) even if the setting was off.
91. This potential confusion may be compounded by the set-up process whereby users can choose to allow Cortana to be their personal assistant at the beginning of Windows 10 installation, which in turn allows Microsoft to collect and use voice input and speech patterns. More specifically:
    1. Even if the user chooses not to make Cortana their personal assistant, Speech Recognition is still defaulted to on during installation, apparently allowing the user to talk to Cortana and Store apps. This would appear to be inconsistent with the user’s earlier choice.
    2. If a user opts-into Cortana, but turns Speech Recognition off, their privacy settings after installation still show the Speech, Inking and Typing setting to be on.
92. It would appear that a user’s choice regarding Cortana overrides their subsequent choice with respect to the Speech Recognition setting, such that their latter choice is not respected.

Recommendations

93. Before we issued this report of findings, we recommended that Microsoft undertake to implement certain changes to ensure valid consent for its privacy practices associated with the default settings during the Windows 10 installation process. In particular, we recommended that Microsoft:

    Location

    • i. Explain the exceptions to the location setting on the privacy settings installation page or in the “Learn more” section, in particular to highlight that even if Location is turned off, Microsoft and apps may still be able to determine a user’s location through wireless access points such as Wi-Fi scanning and Bluetooth.
      
      We also encouraged Microsoft to implement enhanced privacy communications to explain its use and disclosure of de-identified location information for the purpose of providing and improving location and mapping services.

    Diagnostics

    • ii. Set Diagnostics to Basic by default, providing users the control to opt in to Full.
    • iii. Enhance privacy communications to ensure users can reasonably understand what personal information is collected and how that information will be used pursuant to Diagnostics, and more specifically, add a hyper-link in the Privacy Statement, under “diagnostics”, to the webpage which details the categories of information it collects at Full.

    Tailored Experiences

    • iv. Assuming Diagnostics is set to Basic by default, implement adequate measures (i.e., documented policies and processes, training, and monitoring) to ensure that sensitive information is not used to deliver Tailored Experiences.

    Relevant Ads

    • v. Clarify the nature of the choice that users are being asked to make via the Relevant Ads setting, by explaining on the installation page and/or in “Learn more”: (i) that users are not, via this setting, consenting to Microsoft’s relevant advertising program; and (ii) how users can exercise choices with respect to Microsoft’s own advertising practices.

    Speech Recognition

    • vi. Set Speech Recognition to off by default, giving users the opportunity to opt into the practice.
    • vii. Enhance privacy communications to ensure users can reasonably understand what personal information it will collect and how that information will be used to deliver Speech Recognition services, and more specifically, on the privacy settings installation page, clearly explain:
      1. that turning Speech Recognition off only relates to cloud-based speech recognition and does not preclude the use of its device-based speech recognition service;
      2. the relationship and/or distinction between using speech data via Cortana vs. the Speech Recognition setting; and
      3. the relationship and/or distinction between the Speech Recognition setting and a user’s privacy settings after installation;
    • viii. Ensure that Windows 10 gives effect to a user’s choice with respect to the Speech Recognition setting (such that it is not overridden by a previous choice related to Cortana).
    • ix. Delete any voice and associated user dictionary data that Microsoft has collected, where the user had turned Speech Recognition off during the installation (e.g., where that data has been collected because the user previously opted into Cortana).

Microsoft’s Response to our Recommendations

April 2018 Update

94. Microsoft explained that in April 2018, concurrent with the issuance of our preliminary report, it released a new version (1803) of the Creators Update, implementing, broadly speaking, two changes: (i) two new privacy settings during installation (Find my Device and Inking & Typing), in addition to the original five settings^{Footnote 9}, each set to on (or Full), by default; and (ii) certain adjustments to the supporting communications for each of these privacy settings.
95. The Find my device setting was described on the installation screen as “Turn on Find my device and use your device’s location data to help you find your device if you lose it. You must sign in to Windows with your Microsoft account to use this feature.” Microsoft clarified that while “Find my Device” is set to on by default, it will only function if the Location setting is also on.
96. The “Inking & Typing” setting is described as follows on the installation screen: “Send inking and typing data to Microsoft to improve the language recognition and suggestion capabilities of apps and services running on Windows”. Microsoft clarified that this functionality was originally included under Basic diagnostics in version 1507, under Full diagnostics in version 1703, and now under this separate setting in version 1803.

Commitments (and associated clarifications)

Opt-in Consent – all settings

97. Microsoft has committed to implement, by the end of 2018^{Footnote 10}, installation settings consistent with those recently implemented in the European Economic Area^{Footnote 11} and Switzerland (the “European version”). Once implemented, Canadian retail users (those who have selected “Canada” as their “Region”, during installation) will see separate pages for each of the seven privacy settings. On each page, the choice will not be preselected. Users will have to select their preferred choice and click “Accept”. Beside the “Accept” button, there will be a “Learn more” button of equal prominence.
98. In our view, this new consent mechanism will adequately address our recommendations (ii) and (vi), requiring Microsoft to obtain opt-in consent for Full diagnostics and Speech Recognition, respectively.

Location – tracking when Location is off

99. Microsoft committed to add language, in the “Learn more” section, to explain the extent to which Location settings may not control all types of location data. Included in the proposed language would be an explanation that even when Location is off, apps and services can still use other information, like Wi-Fi access points, to determine a device’s location.
100. Upon reviewing Microsoft’s draft language, we identified and shared with Microsoft an additional, related concern that an app or service should not use other information obtained via Windows 10 to determine a user’s location when a user has expressly chosen to turn Location off, unless it has obtained separate valid consent from the user.
101. Microsoft indicated that, based on an internal investigation of its software development practices and existing corporate-wide privacy-policies, no first-party Microsoft applications currently calculate precise location when the Location setting is off without obtaining separate explicit consent.
102. Microsoft also explained that third-party applications published through the Microsoft Store are already subject to limitations such as contractual obligations that mitigate the risk of those applications calculating precise location of a Windows 10 device when Location is off.
103. Further to our Office’s supplementary recommendation, Microsoft also committed to:
     1. with respect to third-party apps published through the Microsoft Store, add specific language in the next revision to its Microsoft Store App Policies to forbid software developers from publishing applications in the Microsoft Store that determine the precise location of a Windows 10 device when Location is off, unless separate and legally sufficient consent has been given by the end user of that application (by December 31^st, 2018); and
     2. address desktop applications, which are not typically published through the Microsoft Store, adding a similar prohibition in the next revision to the Windows Software Development Kit (“SDK”) (by December 31^st, 2018);
     3. Explain to users, in “Learn more”, that,
        1. while apps and services are prohibited from using Windows 10 information to estimate the precise location of a device without prior consent, it may be technically possible for them to do so, and
        2. users can avoid this by turning off all radio-based components of the device (like Wi-Fi, Bluetooth, cellular and GPS), noting that this will impair device functionality that relies on such connections.

Location – sharing “de-identified” location information

104. With respect to Microsoft’s sharing of “de-identified location information”^{Footnote 12}, we now understand (as outlined in the “update” in paragraph 43 of this report) that Microsoft shares such data with HERE for purposes beyond the improvement of Microsoft’s location and mapping services.
105. Microsoft has committed to obtaining opt-in consent for the Location setting, as with all other installation privacy settings. Microsoft has also agreed, based on an additional recommendation by our Office, to enhance its privacy communications to ensure that users can reasonably understand how “de-identified location information” will be used and disclosed, including by:
     1. explaining to users that Microsoft shares such information with HERE to improve HERE’s location and mapping services, which it provides Microsoft, to assist with the delivery of improved services to Windows 10 users, as well as to various other business customers; and
     2. including a link to HERE’s website^{Footnote 13}, whereby users can obtain more information about the company, its practices and its privacy policies.
106. We accept that the commitments outlined above will address recommendation (i) as well as the additional recommendations we made based on new information obtained from Microsoft subsequent to issuance of our preliminary report.

Diagnostics - transparency

107. In the version 1803, Microsoft has included in “Learn more”: (i) a link to the current list of data types collected at both levels of diagnostics; and (ii) an explanation of how to access the Diagnostic Data Viewer tool, in the Settings app, which will allow users to see exactly what Diagnostic data Microsoft has collected. In settings, users are now able to delete that diagnostic data.
108. We accept that this addresses our recommendation (iii).

Tailored Experiences – use of sensitive data

109. Microsoft provided to our Office further information and documentation to substantiate its assertion that it has procedures to ensure that sensitive diagnostic information is not used to deliver Tailored Experiences. More specifically, Microsoft provided us with:
     • (i) a copy of the onboarding form, by which, Microsoft explained, only a small number of engineers can submit a request for specified data to be used for Tailored Experiences;
     • (ii) a copy of the onboarding procedure which requires that the request be approved by a member of the Microsoft legal team and a privacy professional at a regular weekly meeting; and
     • (iii) its internal definition of sensitive information^{Footnote 14}, a reference for purposes of the onboarding procedure.
110. Microsoft noted that while its procedure did not, in fact, include a provision precluding that that sensitive data be used for Tailored Experiences, the company would never, pursuant to its internal privacy policies, approve the use of sensitive data for Tailored Experiences. Microsoft agreed, however, to add such a provision to its onboarding procedure and to communicate that change to relevant staff by June 30, 2018.
111. We accept that this documentation, as modified, will adequately address recommendation (iv).

Relevant Ads – Ad ID

112. Microsoft has, in version 1803, changed the name of this setting back to “Advertising ID”. It has committed to enhance its “Learn more” communications to explain the distinction between the Advertising ID setting and Microsoft’s advertising programs, and provide information about, and links to, additional user controls in relation to interest-based advertising in Microsoft products.
113. We accept that these enhancements will adequately address recommendation (v).

Speech Recognition – Cloud- vs. device-based

114. Microsoft highlighted certain enhancements to “Learn more” in version 1803 which, in our view, more clearly and prominently describe the cloud-based nature of Speech Recognition, as well as the potential to use device-based speech recognition even when Speech Recognition is off.
115. In our view, this adequately addresses recommendation (vii).

Speech Recognition – improper functioning

116. Microsoft explained that the setting is not functioning as intended. It was able to recreate, via internal testing, the issue we identified in paragraph 91 of this report, but it had not yet determined the exact source of, or solution to, this problem.
117. Microsoft has, however, proposed to resolve this issue, initially through one or more updates to be implemented no later than August 2018, by: (i) preventing the product issue from recurring on a forward-going basis; and (ii) asking all users for affirmative consent to activate the speech platform (most likely via existing just-in-time prompts already implemented in the operating system). It has committed to definitively correct the issue via its next major feature update by the end of 2018.
118. Microsoft has also committed to delete existing speech and associated data, by no later than August 31, for any impacted Canadian user who has not turned Speech Recognition on and not consented to the retroactive use of their data via a new consent experience (e.g., via the request for affirmative consent outlined in the previous paragraph).
119. We accept that the commitments outlined in the previous two paragraphs will address our recommendations (viii) and (ix), subject to the caveat that the affirmative consent Microsoft obtains for its ongoing use and/or retention of Speech Recognition data must be meaningful, consistent with subsection 6.1 and Principle 4.3.2 of the Act. In obtaining such consent, we would encourage Microsoft to refer to our Office’s recently released Guidelines for Obtaining Meaningful Consent^{Footnote 15}, and in particular, the seven guiding principles detailed therein.

Conclusion

120. Based on Microsoft’s commitments and recent changes to Windows 10, as outlined above, we consider this matter to be well-founded and conditionally resolved.
121. As evidence of our Office’s continuing intention to pursue this matter, we will be following up with Microsoft between now and the end of 2018. During that period, we expect Microsoft to provide our Office with monthly updates to confirm that: (i) the measures proposed to be implemented will resolve the issues identified in this report; and (ii) all commitments are implemented within agreed timeframes.