by TeMPOraL 2449 days ago
Ok, so if I compile an executable that pops up a screen with a picture I drew + lots of personal and medical information about me, and phones me whenever it's executed, and then just leave it on my machine only for it to phone home from Redmond, can I sue them for copyright, GDPR, HIPAA violations and whatnot? How good is their "new unique binaries" detection? Could I do the same with just a bunch of files wrapped in a good ol' self-extracting archive?

Seriously, what in hell? Like always, blatant violations of users in the name of "security".

I'm not sure how you would invoke HIPAA with no medical professionals involved. It doesn't just magically apply because you wrote down your own medical information.
There seems to be a widespread misconception that any information covered by HIPAA is always covered, when the reality is that it's only protected health information by covered entities. There also seems to be a lot of confusion about what's a violation: as far as I know only covered entities can be liable, not people they wrongly pass information on to.

Now, if a covered medical software company accidentally let a build with accessible PHI go to Microsoft, I guess it's possible they could be HIPAA liable. But that's a pretty narrow case, and not one that's a threat to Microsoft.

> not one that's a threat to Microsoft

Until the medical software company sues Microsoft for damages to recoup the HIPAA fine. This is probably buried in some clickwrap contract though. (IANAL; not sure how enforceable such a contract would be)

You could replace HIPAA with GDPR again, since almost any medical information about an identifiable individual will constitute sensitive personal data that requires the stronger protections under that law.

Microsoft might claim it's a Legitimate Interest (recital 49 might be useful here, though I'm not sure it applies).

I suppose it could claim that, but I suspect it would be a tough sell with the regulators if Microsoft is uploading large amounts of data the user probably didn't even know about and some of that data turned out to include sensitive personal data.

Are many folks compiling sensitive personal data into binaries?

Presumably most people don't compile that sort of data into executables, but the situation seems to be unclear about whether other types of file might also be uploaded through similar mechanisms, and there also seems to be something going on involving MS executing the files and allowing remote connectivity, so the issue still seems relevant.

I'm not sure the GDPR protections are invoked by you giving them personal data they didn't ask for, but it'd be an interesting case! (Seems like anyone could screw a company by putting their name+address in the comment field of an anonymous survey, etc?)

If the data was uploaded deliberately through a system they operated, it is hard to see how they would be anything other than the data controller within the GDPR framework, unless maybe they actively tried to avoid collecting the personal data and it was supplied anyway. But it would be hard to argue that was the case if they were uploading data in ways the user of the computer in question probably wasn't even aware of.

(As an aside, if they are sweeping data on such a broad scale without being transparent about it and the only authorisation for doing so is buried deep in some legal document, it would be interesting to consider whether they were not only potentially in breach of GDPR but also various criminal computer misuse laws.)

I couldn't find any internet information on data not deliberately collected, so it's possible that nobody has figured out how GDPR applies (or I had the wrong search terms).

1. You can turn it off, and on a fresh install it even asks you for permission to upload unknown executables.

2. In business/corporate environments especially, there are many options that should be group policied by a proper functioning IT team as one of their many tasks.
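As an added illustration of the two points above (not part of the original comment): the setting the commenter is describing is Microsoft Defender's sample submission / cloud-protection preference, and it can be inspected and changed locally with the Defender PowerShell module. The cmdlet and parameter names below are the Defender module's own (Get-MpPreference / Set-MpPreference); the thread itself does not name them, and the Group Policy path quoted in the comments varies slightly between Windows versions.

```powershell
# Added example, not code from the thread. Requires an elevated PowerShell
# session on Windows 10/11 or Server 2016+ with Microsoft Defender Antivirus.

# 1. Show the current state.
#    SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
#    MAPSReporting:        0 = Disabled,     1 = Basic,           2 = Advanced
Get-MpPreference | Select-Object SubmitSamplesConsent, MAPSReporting

# 2. Stop automatic sample submission while keeping cloud lookups (hash-based
#    reputation queries) enabled. NeverSend means no file content leaves the
#    machine through this channel; AlwaysPrompt asks the user per file instead,
#    which is the behaviour the commenter describes seeing on a fresh install.
Set-MpPreference -SubmitSamplesConsent NeverSend

# 3. Alternatively disable cloud-delivered protection entirely (this also stops
#    sample submission but reduces detection coverage, so it is left commented out).
# Set-MpPreference -MAPSReporting Disabled

# 4. Verify. In managed environments the value should come from Group Policy
#    (Computer Configuration > Administrative Templates > Windows Components >
#    Microsoft Defender Antivirus > MAPS > "Send file samples when further
#    analysis is required") rather than a local Set-MpPreference, and a policy
#    or Tamper Protection may override what was set locally above.
$pref = Get-MpPreference
if ($pref.SubmitSamplesConsent -ne 2) {
    Write-Warning "SubmitSamplesConsent is $($pref.SubmitSamplesConsent); a policy or Tamper Protection may be enforcing it."
} else {
    Write-Output "Sample submission is set to NeverSend."
}
```

The local cmdlet is the right tool for a single machine or for auditing what a policy actually applied; for a fleet, the Group Policy (or Intune) setting is what keeps the value from drifting back.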

Too much FUD in this thread. Thanks for something level-headed.

Running unknown executables in a sandbox and watching what they do is pretty common in advanced malware prevention software, and I expect that there's something in the TOS for Defender that grants them the permission to do this.