Tweakers.net has reported on a new function in Windows 10 whereby users’ computers are (or can be) used for storing and disseminating updates. The question is how this function relates to the legislation usually referred to as the cookie law.

“Cookie law” pertains to more than just cookies
The legislation usually referred to as “the cookie law” pertains to much more than just cookies. The law simply prohibits the storage of data on peripheral equipment without the end-user’s permission unless this storage is necessary for the service requested by the end-user to function. In this context, see the legislative text:

  1. Without prejudice to the Personal Data Protection Act, storing or securing access to information on a user’s peripheral equipment via an electronic communication network is only permitted on condition that the particular user:
    1. is provided with clear and full information in accordance with the Personal Data Protection Act, in any event concerning the purposes for which this information will be used, and
    2. has given consent for this.
      (…)
  2. The provisions of the first paragraph do not apply if the storage or access:
    1. has the sole purpose of implementing communication via an electronic communication network,
    2. is strictly necessary in order to provide the information society service requested by the subscriber or user or – provided this has little or no consequences for the privacy of the particular subscriber or user – to obtain information about the quality or effectiveness of the information society service provided.

The cookie law could just as easily be called the “spyware law” or, more generally, the “boss of one’s own computer law”. In that context, for example, see also the case concerning DollarRevenue spyware.

The new Windows feature
It emerges from Microsoft’s explanation page that the new Windows function uses end-users’ computers for the storage of update software and for the further dissemination of the software:
Delivery Optimization downloads the same updates and apps that you get through Windows Update and the Windows Store. Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time. Depending on your settings, Windows then send parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.

The feature and the “cookie law”
This does sound (a lot) like “storing or securing access to information on a user’s peripheral equipment via an electronic communication network” as referred to in the “cookie law”.

Furthermore, the default setting for the function is “on”, according to Microsoft:
Delivery Optimization is turned on by default for all editions of Windows 10.

I find this difficult to reconcile with the requirement of prior consent from the law cited above. Perhaps it is stated in the licensing conditions – which I have not yet scrutinised – but as a rule, the ACM believes reporting it there is in any event too “hidden”.

At first glance the situation also does not seem to me to fall under the exception for functional storage. Disseminating updates via consumers’ computers is, after all, not strictly necessary. Microsoft could also itself buy in more server capacity for this dissemination. Furthermore, the consumer did not request this.

Final comments
These are just first impressions. Perhaps I am overlooking something, if so then it will no doubt soon be pointed out by other bloggers. Should the reasoning above hold up, however, I am curious to see whether the ACM will address the matter (perhaps in cooperation with other European regulators).

Furthermore, the question arises of whether this involves the (unlawful) use of computer capacity, as in the XS4ALL/Abfab case. For the rest, the question will likewise be whether consent has been requested in a legally valid manner.

By Mark Jansen