question

melbar4-8679 avatar image
0 Votes"
melbar4-8679 asked KEITHJONGSMA-8261 answered

Windows Hello for Business - Privacy GDPR Considerations

Hi, my organisation are looking into deploying Windows Hello for Business, which uses biometrics for user authentication. Given this requires a legal basis under Article 9 of GDPR, can anyone point me in the direction of any Microsoft documentation in this regard? I was looking specifically for some mechanism to collect users' explicit consent but it does not seem to be an option in the default enrollment journey.

windows-10-security
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

KEITHJONGSMA-8261 avatar image
0 Votes"
KEITHJONGSMA-8261 answered

I do not care about all of this tech googa, I am just a ordinary internet user, as most people are, and microsoft as blocked me from the internet unless I sign up for their so called Windows Hello pin. This is wrong and blackmail. I should have the freedom of the internet without a windows hello pin. Something is fishy about this. They have e no right to block my sign in to the internet without microsofts permission. Think about it.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

StanleyPeter-3886 avatar image
0 Votes"
StanleyPeter-3886 answered

Thanks, that helps!

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Reza-Ameri avatar image
0 Votes"
Reza-Ameri answered

I should add the Biometric authentication in Windows Hello is being stored locally in the system and it won't store like in the server or Azure AD. Because it is localize in the system, it is compliance with the GDPR, because data is being stored inside the user's PC and the network administrator won't have any access to those data. Take a look at:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

TeemoTang-MSFT avatar image
0 Votes"
TeemoTang-MSFT answered StanleyPeter-3886 commented

Windows Hello and privacy

What data is collected, and why
When you set up Windows Hello, it takes the data from the face or iris sensor or fingerprint reader and creates a data representation—not an image; it’s more like a graph—that is then encrypted before it’s stored on your device.

To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, Microsoft collect info about how people use Windows Hello. For example, info about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. This data is stripped of any information that could be used to specifically identify you, and it's encrypted before it's transmitted to Microsoft.

The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.

Note
Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
Windows Hello biometrics in the enterprise (Windows 10) - Microsoft 365 Security | Microsoft Docs
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored

More information here:
GDPR FAQs, Microsoft Trust Center
https://www.microsoft.com/en-sg/trust-center/privacy/gdpr-faqs


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I have the same question. In what part of the user enrolment experience is the user given the opportunity to explicitly opt-in?

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-user-enrollment-experience

0 Votes 0 ·