
I noticed some disturbing privacy defaults in Windows 10 - jonathanporta
https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/
======
ewzimm
Windows is now essentially a personalized, cloud-based operating system with
the primary interface as a personal assistant, so I expected to see all these
things as defaults. The advanced features just couldn't work without it. I'm
glad there's at least an opt-out, but I do think that Windows needs an OS-wide
incognito mode, just a simple switch to record or not record data.

I generally use that on my browser for when I hand my laptop to someone else
and don't want their activity polluting my history, but now there's the risk
of the entire OS learning someone else's habits when they just need to use the
computer and don't want to log in. Sometimes, guest accounts are too
restrictive.

I do like having the option of a personalized experience, and Microsoft is
generally one of the most restrictive companies when it comes to sharing data.
With their push toward more personal cloud services, I hope they will take
special care to maintain that record, although everyone knows that certain
groups like government have ways of getting whatever they want if it's
available.

Hopefully, some of the fine-grained permissions of Windows Phone will soon
carry over to the unified platform for those who want it, but either way, I
would still do any especially sensitive work on Debian or a similar system.

~~~
Animats
_"Windows is now essentially a personalized, cloud-based operating system
with the primary interface as a personal assistant."_

Who wanted that for desktop computers or laptops? This is not going to fly
with business customers. Microsoft has already bombed twice in the business
space, with Windows Vista and Windows 8. This looks like another bomb.

Windows 7 is still pretty good, and it will probably be the main Microsoft
desktop OS for years to come, despite what Microsoft wants.

~~~
freehunter
>Who wanted that for desktop computers or laptops?

I did. Linux and OSX are still available for whoever wants them. You can stick
with Windows 7 if you want, that's just fine. I like Cortana. I like my
software knowing what I like and what I'm interested in. It makes my life
easier, which is what computers were invented for.

I can see why some people might not, and to be fair I use Linux on my work
laptop because the work I do demands it. I would never put my client data on a
Windows machine.

But like I can see your side of the argument, you have to be able to see that
some other people want personalization and learning and all that. Pandora and
Apple Music are both heavily tailored that way. Google Now on your phone knows
everything you do. Netflix can find videos for you to watch based on what
you've watched before. Amazon will recommend purchases to you based on what
you like. Hell, half the people on this site _build_ these systems. You know
how many machine learning articles there are on the front page every week?

So who wanted that? I did. And so did several million other people. For the
people who _don't_ want it, I mean it's not even really opt-out. They ask you
up front do you want the default or do you want to pick your own privacy
settings. If you still don't trust it, Windows 7, OSX, and Linux are right
there, just a click away.

~~~
userbinator
_I like my software knowing what I like and what I'm interested in. It makes
my life easier, which is what computers were invented for._

Philosophical question: is it really _your_ life, if your software may be
subtly persuading you in a different direction than what you would've taken if
it hadn't been making the suggestions to influence you?

There is no doubt it will make things easier for you if all you do is
effectively accept and follow everything others want you to with no
resistance. However, that's not what I'd consider "your life" anymore.

~~~
MaulingMonkey
> Philosophical question: is it really your life, if your software may be
> subtly persuading you in a different direction than what you would've taken
> if it hadn't been making the suggestions to influence you?

No less so than if your friends, family, coworkers, and society at large may
be subtly persuading you in a different direction than what you would've taken
if they hadn't been making the suggestions to influence you.

Does only the hermit truly own his own life?

> There is no doubt it will make things easier for you if all you do is
> effectively accept and follow everything others want you to with no
> resistance.

While that may be a danger to keep in mind, that's not what's being suggested.
In fact, I'd argue much the opposite is being suggested.

Instead of being told what we want and adapting to our corporate overlords,
would it not be preferable to communicate what we want, and have the companies
adapt to us instead? To service our wants and needs?

~~~
Filthy_casual
>No less so than if your friends, family, coworkers, and society at large may
be subtly persuading you in a different direction than what you would've taken
if they hadn't been making the suggestions to influence you.

In spite of the fact that in the case of friends, family, coworkers I can be the
one persuading them in a different direction and I also know a bit about them
(you cannot suggest that in the case of person-company relationship both are
as strong in influencing each other, maybe in large numbers of people
protesting and that's a huge maybe):

The thing is, there are 5 billion people on Earth but far less operating
systems. So, when they tell you "my way or the highway" while at the same time
more products support their way, you'll eventually end up stuck somewhere in
the past, like the old nut in the hut living on top of a mountain, while
everyone is throwing their personal data to Microsoft and friends telling me
that it's going to be ok because "the functionality provided is convenient".
Which makes zero sense.

~~~
MaulingMonkey
> In spite the fact that in the case of friends, family, coworkers I can be
> the one persuading them in a different direction and I also know a bit about
> them (you cannot suggest that in the case of person-company relationship
> both are as strong in influencing each other, maybe in large numbers of
> people protesting and that's a huge maybe)

Companies, in many ways, strike me as amazingly straightforward to manipulate.
So easily swayed by the almighty dollar that such trite as "the customer is
always right" gets doled out as actual management policy at times.

We block company ads, our eyes scan past the ads that remain, we spam-list
their emails and rip into them on our various review sites when they wrong us.

Companies realize, though, that talk is cheap, and see through our bullshit a
little better. And, sadly, there's very little self control by consumers at
times.

> you'll eventually end up stuck somewhere in the past, like the old nut in
> the hut living on top of a mountain

It's not so bad here. I don't even have a Facebook account. There's enough ad
blocking options out there to kill several news companies several times over.
That's before installing a proper separate firewall box.

> while everyone is throwing their personal data to Microsoft and friends
> telling me that it's going to be ok because "the functionality provided is
> convenient". Which makes zero sense.

It makes zero sense if you lack agency and choice. You have an opt out. It
makes zero sense if you provide what you didn't will to. Opt ins are superior,
I'll certainly grant. It makes zero sense if you haven't recognized the full
ramifications and potential impact of sharing the data you share. They don't
know what they're getting into.

But it also makes zero sense to dismiss "convenient functionality" as a
reasonable rationale to give data freely, by choice, if you understand the
impact and potential ramifications of it. There's a reason this stuff _works_.
Ignoring that merely blinds you to the beast, and robs you of taking as much
advantage of it, or to defend against its detriments.

------
Animats
It looks like Microsoft has installed the "back door" that FBI Director Comey
wanted.[1][2] That may be the real motivation behind these "features". The
"backing up" of the local drive encryption key to Microsoft servers is one of
the things the FBI specifically asks for. Any press reading this, ask
Microsoft what communications they've had with the FBI regarding backdoors.

[1] [http://www.theguardian.com/technology/2015/jul/08/fbi-chief-...](http://www.theguardian.com/technology/2015/jul/08/fbi-chief-backdoor-access-encryption-isis)

[2] [http://www.theguardian.com/us-news/2014/oct/16/fbi-director-...](http://www.theguardian.com/us-news/2014/oct/16/fbi-director-attacks-tech-companies-encryption)

~~~
alyx
I get this whole skepticism thing, but Microsoft has been backing up BitLocker
keys in OneDrive since at least Windows 8.

I have personally used the feature several times to recover my drive keys.

There's no evidence here that Microsoft has installed a "back door" for the
FBI.

~~~
shabbyrobe
Would you assume that they haven't and trust your secrets to that assumption?

~~~
sudioStudio64
And what secrets are those? If you think that you are secure because you don't
use bitlocker or windows AND THAT'S ALL that you do...you aren't secure, you
just have bad UI.

~~~
clessg
I might be blind, but where was that assertion made?

~~~
sudioStudio64
I might just be tired of hearing the same arguments over and over, but I
did see the assertion that BitLocker shouldn't be used to keep your "secrets".
As if the choice of which drive encryption software you use on your laptop
should be your primary concern when securing yourself against an adversary.
(The primary concern is to thoroughly evaluate your adversary and look at your
available options for opsec and InfoSec. Maybe you need drive encryption.
Maybe you need burners. Maybe you should only use public terminals. Etc. It
also means seriously asking yourself if you actually have an adversary or just
like to think that you might some day.)

Just sort of saying..."How can you trust MS NOT to have backdoored bitlocker
just use Linux. Suck it NSA." Won't actually make you secure.

------
natmaster
I find it shocking how people readily accept Google's far worse policies, and
yet are so concerned about an easy opt out.

For instance, in Android, Google tracks with GPS accuracy your whereabouts
constantly. This isn't just what IP your desktop is attached to. Furthermore,
there is no prompt telling you this happens with a very easy way of undoing.
In fact even if you knew about this it is very hard to find a way to disable.

Secondly, Chrome sends every website you visit to their servers to be logged.
Again, this is not explained in some easy opt-out screen and in fact the only
way to get around this is to use SRWare Iron, where they removed that code.

But Microsoft makes it easy for you to choose the privacy options even telling
you about them on install.

~~~
Zarel
This is completely false. For one thing, SRWare Iron is a scam:

[http://www.insanitybit.com/2012/06/23/srware-iron-browser-a-...](http://www.insanitybit.com/2012/06/23/srware-iron-browser-a-real-private-alternative-to-chrome-21/)

For another thing, Chrome doesn't log every website you visit. The closest
thing they do is suggest autocompletions for searches/URLs you type in the
URL, which is a straightforwardly-explained checkbox in Chrome's privacy
settings.

~~~
dhruvrrp
> Chrome doesn't log every website you visit

But it does. If you get a new android phone and log in with a google account
then it updates your browser history on chrome. Which could only be done if
your non-incognito history is stored in google's servers.

~~~
Zarel
Oh, I forgot about that - that feature wasn't available when Chrome was
launched.

To be fair, that feature also isn't very hidden; the sync settings let you
turn off history sync or use a sync passphrase which prevents Google from
seeing your browsing history.

------
codeshaman
I've never understood how people can truly believe that by checking (or
unchecking) a checkbox their privacy will be fully protected. Especially since
we're talking about a closed-source OS.

I mean I cannot possibly verify what exactly goes on in the annals of the
operating system and what happens to my data, where it is logged and where it
is stored and how it is sent.

So regardless of the settings, I always assume that my data is logged and read
by some creepy agent in the Ministry of Truth.

If it's not, then I'm just lucky.

Having grown up in a totalitarian state, that's the default way I think about
this stuff and no amount of promises (except the source code which I can
personally compile) can make me trust any 3rd party corporation.

~~~
KeytarHero
> I've never understood how people can truly believe that by checking (or
> unchecking) a checkbox their privacy is fully protected.

You mean besides the fact that collecting personal data without your consent
is illegal?

~~~
joonoro
I guess you missed this part:

> Having grown up in a totalitarian state, that's the default way I think
> about this stuff and no amount of promises (except the source code which I
> can personally compile) can make me trust any 3rd party corporation.

He does not trust corporations or governments to act within the confines of
the law.

------
jimrandomh
"Send typing and inking data to Microsoft to improve the recognition and
suggestion platform"

"Typing data" sounds like keylogging. If it's what it sounds like, that's
really emphatically not okay; that would include all passwords and the
contents of all emails sent.

Would someone with actual knowledge care to chime in and say what data is
actually sent? If it turns out that Windows 10 really is sending keystrokes to
Microsoft by default, it seems likely to cause a significant backlash from
Microsoft's business and government customers.

~~~
edwhitesell
IE and other browsers configured to use Bing have done this for a while. I
discovered it while packet sniffing for something else and seeing HTTP
requests for the things I was typing in the Address Bar.

I can't say I'm surprised, though saddened, to see this elsewhere in the OS.

~~~
hirsin
Anything that uses web-supported auto-complete (your browsers, for one,
regardless of search engine) must do this. There's literally no other way to
ask the internet "What are the possible endings/meanings of what I've typed"
without providing what you've typed, letter by letter.

Text correction doesn't require hitting the web, but learning about how people
make typos does require some targeted data collection (typing followed by
deletion and retyping, likely)

------
niyogi
It's too bad that microsoft continues to be villainized when companies like
Facebook and Google have social networks and browsers respectively that have
similar practices that users are even more unaware of when they use them.

Computers these days have become thin clients for browsers (especially for the
typical consumer). Except for the occasional open of Word or Excel, you're in
your web browser browsing the web and have a tab open for Facebook. With new
features like "sign into your browser" or ad retargeting across the sites you
visit today, consumers are already being subjected to practices that Microsoft
at _least_ gives you the ability to turn off piecemeal if you so wish. They're
just doing so at the operating system layer instead of the browser.

Think doing so at the operating system is more criminal than at the web
browser or website level? Consider that Google Chrome is moving to become
"Chromebooks" and that Android integrates Google Search. It's already
happening and we take Google's "don't be evil" mantra for face value while
continuing to poke Microsoft out of sheer habit.

~~~
twerkmonsta
Facebook and Google don't log all of my keystrokes across my entire operating
system. As far as I know, Google doesn't even log keystrokes within the
browser.

~~~
niyogi
How do you believe auto-suggest works?

~~~
metric10
You're comparing Microsoft's request to send _ALL_ typing and "inking" (I
assume that means touch and stylus events) to Google logging search terms?

No matter how you look at it, essentially reserving the right to install a key
logger on your computer is unprecedented.

~~~
jeeva
But reserving the right, or just saying 'Look, we don't know all of the cases
where a programmer will say "and if the user corrects this, tell us we screwed
up"' (for the optimist) is not the same as sending it all.

------
pdkl95
[https://projectbullrun.org/surveillance/2015/video-2015.html...](https://projectbullrun.org/surveillance/2015/video-2015.html#balkan)

Of course MS wants to get in on surveillance-as-a-business-model. It keeps
people tied to your Service as a Software Substitute, and as long as most
people are still ignorant about how technology works, they won't notice
the stalker-like nature of a lot of modern soft^H^H^H^Hmalware.

As for the few nerds that notice, they can probably be shut up with an obscure
option to disable (most of?) the data collection; the number of people that
even know the option exists will be insignificant. Some of those nerds can
even be distracted with promises of "open" access (to our proprietary APIs we
can remove or change without notice); if you phrase it right, it can even
sound like "open" is referring to the commons. After a while, some of them may
even build entire businesses based on feeding user surveillance data upstream.
After a generation, the days of being able to write client software will be
long forgotten.

--

The ongoing Theft Of Privacy (and the closely related The War On General
Purpose Computing) are being fought, and this brazen behavior by Microsoft to
take advantage of user ignorance is taking yet another step down a dark path.

Which side are you going to be on? The side that is trying to maintain the
remains of our privacy, an open internet, and free computing?

The apathetic side that fixes technical problems for themselves, while
everybody else gets spied upon a little bit more while their tools become even
more removed from their control? I hope you enjoy the consequences of
rewarding this kind of behavior. Why should Microsoft (or anybody else) change
when they still get paid and maintain their user-count?

Or are you the apparatchik, who thinks Cortana (or Alexa, or Siri, ... or
Google Analytics) is a useful, cool piece of software? Surely the Big Data
being collected is just going to be used for the stated purposes and could
never have a noxious effect on users or become an attractive target for
hackers or governments? If you're in this category, you might just want to
start paying attention to the larger games being played, because if you don't
start fighting for your future others may take it from you.

~~~
mikegioia
I spend an inordinate amount of time thinking about this very issue, and I
must go back and forth weekly. My first reaction is to want to defend the
ignorant, to try to educate them and work to protect them from being taken
advantage of.

But when you talk to people about it, _their_ apathy and indifference is what
leads me to stop caring. I've tried for years to educate friends, family, and
coworkers on digital privacy. The number of people who have even installed and
used a password manager is 0. If it's a struggle to even get someone to try
out, let alone USE DAILY a password manager, what hope does anyone have to
elicit a privacy-aware mentality from the general population? Why work to help
people who do not even want to be helped?

~~~
thaumaturgy
Hell, look at this very thread on HN. There are people further upthread
essentially saying, "Whatever, I like it because it's convenient."

I have adopted a passive stance on privacy and security: I stay up-to-date on
news in this area, I choose for myself products and systems that minimally
increase my risk, and I will answer questions from clients or other people.
But, I won't evangelize it. Most people really just don't care all that much.

~~~
npizzolato
> Hell, look at this very thread on HN. There are people further upthread
> essentially saying, "Whatever, I like it because it's convenient."

Is that so ridiculous a concept? People routinely trade privacy for
convenience.

Sending my location to Google through their maps is ridiculously convenient.
Getting around using public transportation, especially in a city I'm
unfamiliar with, would be a pretty awful experience without it.

While it's a small convenience, Gmail parsing my airline confirmation emails
into an easy-to-read format is pretty cool, and I like that it's done. To do
this (and have a spam filter), they must be parsing my private email in some
capacity.

I've personally never been a fan of digital personal assistants. I've only
used Google Now and found it more annoying than effective. But I can certainly
understand why getting up-to-date traffic information when you're about to
drive home from work would be a really useful thing to have. To do that, it
has to learn your daily habits.

Convenience and privacy are almost always at odds with each other. It's a give
and take, so ideally I should be getting more convenience for whatever privacy
I'm giving up. That may not be the case here, and I'm not saying where your
personal line should be, but don't assume people are ignorant just because
they're choosing convenience over privacy. (Not saying you are personally, but
others in this thread are.)

~~~
enraged_camel
>>Is that so ridiculous a concept? People routinely trade privacy for
convenience. Sending my location to Google through their maps is ridiculously
convenient.

If you cannot tell the difference between you sending your location to Google
when you need to and half the people in the world sending ALL their
information to Microsoft ALL the time BY DEFAULT, I don't know what to tell
you.

~~~
npizzolato
Did you stop reading after those three sentences? Because I talked about
digital assistants and Google Now, which is basically sending all your
information to Google all the time.

------
iambitjelly
I don't know why so many people are surprised by the Cortana data vacuum.
Doesn't Siri send everything you say to it to Apple or a "trusted partner"?
Why would Cortana be any different?

The keylogger and Start menu ads are just creepy though. I shouldn't have to
opt-out of targeted ads INSIDE MY OS.

~~~
chadzawistowski
What do start menu ads look like?

~~~
iambitjelly
This:
[https://twitter.com/GazTheJourno/status/626736454610366465](https://twitter.com/GazTheJourno/status/626736454610366465)

According to these screen shots, this guy got skincare product ads in his
start menu.

I can't verify because I noped out of anything that smelled like ads right
from the get-go. Also, classic shell.

!!!EDIT: I know it looks shopped, which is why I said I couldn't verify it.
Windows Store app ads are quite real though.

~~~
freehunter
If you know it's fake, why would you bother posting it or even bringing it up?

"It's awesome living in a mansion! According to this picture, this is what my
mansion looks like"

"!!!EDIT: I know I don't own a mansion, but other people do and this is what
it would look like if I had one."

~~~
iambitjelly
Because the windows store app ads are themselves real, so the principal point
stands. There's no need to get up in arms over it.

------
sudioStudio64
Of course you did. Large companies have no vested interest in building systems
that do the "right thing" for you as defined by tech types like us who are
arguably more sensitive on this subject than most people.

They are building services that take your information and try to do something
interesting enough with it to make it worthwhile...and why is it on by
default? Because they want to make money off of the new features and deep
integration with your information.

This isn't news. But it certainly may be another excuse to have the exact same
conversation that nothing will come from.

Never mind that data generated and collected from cell phone usage will always
make the privacy impinging features of your laptop look tame in comparison.

Never mind that the only way to stop companies from doing this is through the
political processes that everyone seems to have written off.

EDIT: Downvoting because someone disagrees with the principal argument of the
post is lame. Cheers.

~~~
wvenable
> and why is it on by default?

Because Cortana would be useless without it and that's a big user-facing
feature of Windows 10.

~~~
JoshTriplett
Something like Cortana _could_ have been built to work locally, using your own
resources. But it wasn't. This was an opportunity to say "we're not like Siri
and Google Now, we respect your privacy", but instead they built something
just like them.

~~~
sudioStudio64
But the entire point of the service was to use data mining techniques so that
you could use natural language directives to say "add a reminder to my team's
calendar to update some presentation in O365, etc"...

Maybe you don't find it that useful, but I think that a lot of people would.
It will, in a future release, be genuinely useful. It's getting there.

~~~
JoshTriplett
All of which _could_ be done locally. There's certainly no shortage of
processing power available to do so. All of those services have APIs.

~~~
jda0
Josh, maybe you don't get how difficult Speech Recognition is now that it
comes as standard in your smartphone, but they use Google/Apple (delete as
appropriate) servers for a reason. There's a reason people were amazed at the
response time of Cortana - local speech recognition that doesn't hog the
processor is a big deal.

And connecting to O365 calendars offline? Is that not a stupid concept?

~~~
JoshTriplett
I'm well aware of how phones handle speech recognition; there are reasons they
do so via services that have little to do with the computational difficulty of
speech recognition. It's not by any means necessary to upload raw voice data
to a server and process it there, especially if we're talking about full
computers rather than just phones.

> And connecting to O365 calendars offline? Is that not a stupid concept?

I said "local", not "offline". Though in any case, you should likely have a
locally synced cache of your calendar for efficiency and the ability to read
it offline. Web apps are quite capable of working while offline.

~~~
chc
> _we're talking about full computers_

Worth mentioning: Windows 10 is not just for "full computers."

~~~
JoshTriplett
I'm aware, but the line is becoming increasingly blurred, and there's enough
power on even the average phone to do speech recognition.

------
JoshTriplett
This goes along with the news that Windows 10 backs up your drive encryption
key by default, and that Microsoft can use it to decrypt your data. In "good
faith", of course.

~~~
MichaelGG
For most users, this protects them to a useful level. Most users don't think
losing a password is a big deal and would be very upset to learn their data is
lost because they forgot. That's an anti-feature.

The number of people that'll be protected from leaving their laptop in a taxi,
or home burglary, or selling/trading-in a device, or just snoopy relatives or
acquaintances, etc. is large and MS absolutely made the right call here.
Otherwise, you'd have "experts" giving advice to disable this feature or
suffer data loss.

Also, if they use OneDrive to back stuff up (like they should!), the security
damage is already done as most juicy files will be unencrypted in MS's hosting
and still subject to warrants.

~~~
JoshTriplett
> For most users, this protects them to a useful level. Most users don't think
> losing a password is a big deal and would be very upset to learn their data
> is lost because they forgot. That's an anti-feature.

"Would you like to store a backup for your drive encryption password on
Microsoft OneDrive? If you choose not to do so, and you forget your password,
all of your data will be lost. [Yes/No]"

And _none_ of that warrants a ToS that says they can use that backup for
anything other than helping you recover your data.

> Also, if they use OneDrive to back stuff up (like they should!), the
> security damage is already done as most juicy files will be unencrypted in
> MS's hosting and still subject to warrants.

Hence why client-side-encrypted backups are a good idea.

~~~
mejari
>"Would you like to store a backup for your drive encryption password on
Microsoft OneDrive? If you choose not to do so, and you forget your password,
all of your data will be lost. [Yes/No]"

You know when most people care about whether or not they can recover their
data? It's not when someone asks them a Yes/No question, it's when they can't
recover their data. And responding with "Well, remember 2 years ago when you
clicked 'No'?" Doesn't really help.

~~~
simoncion
Then, don't make it a [Yes/No] question, make it an [Okay] with a barely
noticeable "Change Advanced Settings" link; much like the dialog that the TFA
complains about.

~~~
MBCook
Why show the non-prompt? The users who don't want it can turn it off later, as
is the case now.

~~~
TillE
"Later", as in after the key is sent to Microsoft? Not very useful.

------
omarforgotpwd
Imagine if you discovered an exploit for TLS and just listened in on a public
/ hotel network to tons of Windows machines sending keystrokes, calendar,
contacts, etc to Microsoft in the background... At least in the Windows 95
days you had to write the key logger yourself and get it installed somehow.

~~~
ChristianBundy
> _an exploit for TLS_

The world would end immediately.

~~~
omarforgotpwd
Exploits for popular SSL libraries are discovered all the time. Surely you
haven't already forgotten about "heartbleed" and the vulnerabilities that
followed. I'm sure the NSA knows of several other exploits that they are
keeping quiet so they can keep using it, and they may even attempt to
deliberately introduce vulnerabilities. Furthermore, even without an exploit
TLS connections can be decrypted by anyone with a trusted CA private key that
can issue certificates. Connections could be decrypted plausibly by privileged
employees of ANY certificate authority, disgruntled government officials that
can compel those CAs to turn over keys, etc.

I know you're just joking (and I even laughed) but it's worth pointing out
that the scenario I describe is very realistic.

~~~
insoluble
> Connections could be decrypted ...

This is only true using a man-in-the-middle from the initiation of the
connection. SSL/TLS sends random PKI keys at the start of a connection. The
trusted CA keys are used only for identity (so you know you are really
connected to xyz.com). After all, you can have SSL/TLS connections _without_ a
trusted CA. It basically works like this: When you make an SSL/TLS connection,
each side generates a random keypair, whereafter each sends its public key to
the other side. Using these public keys, each side sends a new random
symmetric key back again to the other side, whereafter the actual data
transmission begins.
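
Added example, not part of the thread and not written by any commenter: a Python model of the split the comment above describes, where the CA and certificate keys only vouch for identity and the session key comes from per-connection random values. It uses ephemeral Diffie-Hellman (the key-agreement style of TLS's DHE/ECDHE suites) rather than the exact message flow given in the comment; the group parameters, the Schnorr-style signatures standing in for RSA/ECDSA, the hostname `xyz.example` and all function names are assumptions chosen so it runs on the standard library alone.

```python
import hashlib
import secrets

# Demonstration group (assumption): p = 2**255 - 19 is prime, g = 2.
# Real TLS negotiates vetted named groups such as x25519 or ffdhe2048.
P = 2**255 - 19
G = 2
ORDER = P - 1  # g**(p-1) == 1 (mod p), so exponents reduce mod p-1


def keypair():
    """Return (private, public) where public = g**private mod p."""
    priv = secrets.randbelow(ORDER - 2) + 2
    return priv, pow(G, priv, P)


def challenge(r, message):
    digest = hashlib.sha256(r.to_bytes(32, "big") + message).digest()
    return int.from_bytes(digest, "big")


def sign(priv, message):
    """Schnorr-style signature over message bytes, standing in for RSA/ECDSA."""
    k = secrets.randbelow(ORDER - 2) + 2
    r = pow(G, k, P)
    return r, (k + priv * challenge(r, message)) % ORDER


def verify(pub, message, sig):
    r, s = sig
    if not (0 < r < P and 0 <= s < ORDER):
        return False
    return pow(G, s, P) == r * pow(pub, challenge(r, message), P) % P


def cert_body(hostname, server_pub):
    return hostname.encode() + b"|" + server_pub.to_bytes(32, "big")


def issue_cert(ca_priv, hostname, server_pub):
    """CA binds a hostname to the server's long-term public key."""
    sig = sign(ca_priv, cert_body(hostname, server_pub))
    return {"hostname": hostname, "server_pub": server_pub, "sig": sig}


def derive(my_eph_priv, peer_eph_pub):
    """Session key from this connection's ephemeral values only."""
    shared = pow(peer_eph_pub, my_eph_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def server_hello(cert, server_priv):
    """Fresh ephemeral key per connection, signed with the certificate key.
    Real TLS signs the handshake transcript, including both sides' nonces."""
    eph_priv, eph_pub = keypair()
    sig = sign(server_priv, eph_pub.to_bytes(32, "big"))
    return eph_priv, {"cert": cert, "eph_pub": eph_pub, "eph_sig": sig}


def client_finish(hello, trusted_ca_pub, expected_host):
    """Check identity, then derive the key. Returns (client_eph_pub, key)."""
    cert, eph_pub = hello["cert"], hello["eph_pub"]
    if cert["hostname"] != expected_host:
        raise ValueError("hostname mismatch")
    body = cert_body(cert["hostname"], cert["server_pub"])
    if not verify(trusted_ca_pub, body, cert["sig"]):
        raise ValueError("certificate not signed by a trusted CA")
    if not 1 < eph_pub < P - 1:
        raise ValueError("degenerate ephemeral value")
    if not verify(cert["server_pub"], eph_pub.to_bytes(32, "big"), hello["eph_sig"]):
        raise ValueError("ephemeral key not signed by the certificate key")
    my_priv, my_pub = keypair()
    return my_pub, derive(my_priv, eph_pub)


if __name__ == "__main__":
    ca_priv, ca_pub = keypair()
    srv_priv, srv_pub = keypair()
    cert = issue_cert(ca_priv, "xyz.example", srv_pub)  # constructed hostname
    eph_priv, hello = server_hello(cert, srv_priv)
    client_pub, client_key = client_finish(hello, ca_pub, "xyz.example")
    print("keys match:", client_key == derive(eph_priv, client_pub))
```

Nothing in `derive` takes a certificate or CA key as input; those keys appear only in the `verify` calls the client makes before it agrees on a session key.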

------
frogpelt
People want to be connected, join social networks, download apps, be able to
control their appliances from across the ocean, carry devices loaded with
sensors everywhere they go--and on top of all it, they want privacy.

These are fun and interesting times.

~~~
venomsnake
PGP solves all of those. Encrypt on device and prevent the cloud operator from
seeing anything.

~~~
ctdonath
IIRC, that's what Apple is trying to do: they'll provide all kinds of cloud
services, but in a way that they know as little as possible about the content
beyond what's vital to providing the relevant service.

Apple is trying to sell hardware, which a robust encrypted cloud experience
tied to that hardware will do.

Microsoft is trying to make money from the operating system; since they're
giving it away for free, they have to sell commercial access to third parties
(ads in the Start menu? _really?_ ).

Google, well, I assume they're out to mine as much data as possible, whether
or not it's user-specific.

~~~
scholia
Not actually true. Windows 10 is _not_ free, and Microsoft is not giving away
the operating system.

What Microsoft is doing is giving _consumers_ a free upgrade on Win7/8 PCs
where the operating system has already been paid for.

This is basically the strategy already used by Apple and Google (Android):
once you have bought the OS (bundled with the hardware) then you get updates
free.

~~~
ctdonath
Except that Apple makes its money off hardware sales, and Google makes money
off data mining ... for both, the operating system is just a means to an end,
a cost center required to support the separate profit centers. Microsoft,
however, has the OS as its primary product.

~~~
Dylan16807
Doesn't matter. They make all their consumer money off of OEMs.

------
tobias3
I lost trust in Microsoft when they put an "Outlook" app into the Android
app store, which when connected to an Exchange server downloads all the
account messages and calendar data to a cloud server (probably in order to
have push messages without changing Exchange itself). Really Microsoft, why
do you think I have an Exchange server? Because it is easy to set up,
administer and costs nothing?

------
djloche
Wi-Fi Sense is a huge security hole, and even if you don't have windows 10, if
anyone you trust with access to your network upgrades to windows 10, that
person becomes a security problem for you.

Obvious solution is to use a strong generated string for your password (so
even if they get your password, they're not getting the password to anything
else), and then configure your router to require each device connecting to be
authenticated. Whitelist for MAC addresses + GPG + ?

~~~
urda
You're just wasting your energy if you set up MAC Whitelisting and think that's
going to help _at all_ with security.

~~~
touristtam
Please explain? I am genuinely curious to know how that would not help
security-wise (apart from the very obvious MAC spoofing).

------
contravariant
This might be the first time you'll need a firewall to protect yourself from
internal attacks by the OS itself. I don't think I'll be updating to windows
10 any time soon.

------
userbinator
Someone I know who has been in the cracking/warez scene for over 20 years, and
did a lot of analysis on the XP activation scheme when it first came out, had
this to say about Windows 10 and the trend in general:

 _Remember Gates said, about piracy "we'll somehow figure out how to collect
sometime in the next decade"? It is happening now. And lots of other
software/service are becoming "free" or massive discount, since selling your
data is much more profit. Crack was about using software without paying money.
Maybe in future it will be without paying with personal data or privacy. We
will find a way, always. :-)_

~~~
bgroins
What he actually said:
[http://www.cnet.com/news/gates-buffett-a-bit-bearish/](http://www.cnet.com/news/gates-buffett-a-bit-bearish/)

Gates shed some light on his own hard-nosed business philosophy. "Although
about 3 million computers get sold every year in China, but people don't pay
for the software," he said. "Someday they will, though. As long as they are
going to steal it, we want them to steal ours. They'll get sort of addicted,
and then we'll somehow figure out how to collect sometime in the next decade."

------
debacle
This is more of a rhetorical question, but why does every modern OS and
browser need to try and become a computing leviathan? Why can't my hammer ever
be happy just driving nails? I don't need a hammer that cooks waffles.

~~~
slg
I'll answer your rhetorical question with another one. When was the last time
you paid for an upgraded hammer?

~~~
debacle
I haven't paid for a hammer since I was in college and Hammer XP was $5. I
keep buying nails that come with Hammer Home Edition and setting up servers
with Hammer LTS and replacing Hammer Explorer with HammerFox. All free.

I'm not Microsoft's target client because I'm a pathological customer. Every
home MS desktop user is a pathological customer. They know that.

~~~
hyperion_
I think maybe you forgot a 'not' in there, assuming you wanted to disassociate
yourself.

------
lewisl9029
This was also recently brought to my attention:

[https://news.ycombinator.com/item?id=9973629](https://news.ycombinator.com/item?id=9973629)

Windows 10 RTM has peer to peer updates over the internet as the default. I
could swear it defaulted to local-only in the preview, so I didn't even check
it until now after doing a clean install of RTM.

~~~
nhf
P2P by default except on the enterprise edition, in which case it's local
network only. They also claim to disable P2P if they detect your internet
connection is metered (I'm not sure how that's done).

~~~
lewisl9029
That makes sense. I was using enterprise edition in the insider program, but
clean installed the professional edition RTM.

This is still a really bad default for the majority of users though...

Metered connections are a per-network setting that you have to set manually,
not something they detect automatically. I highly doubt most users will be
able to discover this feature since it's buried rather deeply in network
settings.

------
wvenable
I don't intend on leaving any of these on when I install Windows 10 but some
of these seem to correspond directly with the whole "Cortana as personal
assistant" thing. And there is whole separate system for controlling what
Cortana knows about you.

~~~
gvb
See also "Killing Cortana: How to disable Windows 10's info-hungry digital
assistant"
[http://www.pcworld.com/article/2949759/windows/killing-corta...](http://www.pcworld.com/article/2949759/windows/killing-cortana-how-to-disable-windows-10s-info-hungry-digital-assistant.html)

------
jarsin
This is why I think Tim Cook is a genius for marketing Apple as the anti "We
sell all your data and spy on you" companies.

~~~
cptskippy
Apple just spies on you, they're vertically integrated so there's no need to
sell the data.

~~~
blkhp19
How do they spy on you? There's no suspicious network traffic leaving my Mac.
They might collect info about Siri queries or downloaded apps, but they're
certainly not logging keystrokes from OS X or iOS.

~~~
cptskippy
I think you're assuming they're doing something they're not.

Microsoft is capturing text input and handwriting from touch input interfaces
the same way Google's Android keyboard, Swype, or Swift Key do to improve
predictive input, spelling correction/suggestions, personal dictionaries etc.
Remember Windows 10 is a touch-enabled operating system like iOS or Android.

I'm not as familiar with the Apple Keyboard but I would be surprised if it
didn't do that too in some form. Their Quick Type feature states it performs
heuristics locally but it doesn't mention other aspects. Their policy states
they don't collect personal information or conversation history but that
doesn't mean they aren't capturing corrections or things they deem to be non-
personal but sound pretty personal to me (e.g. occupation, language, zip code,
area code, unique device identifier). Remember how researchers were able to
identify Netflix users based on lesser anonymized meta-data? That non-personal
information sounds pretty damn personal in comparison.

I hope you're not using a 3rd party keyboard on iOS with Full Access enabled
because if so then you agree to the same thing Microsoft is asking for.

I'm surprised you're ok with Apple recording Siri Queries and sharing them
with Walk N’Talk Technologies who has humans listening to them but you're
opposed to Microsoft doing anything similar in Cortana. How do you feel about
Google Now? Did you ever use Google 411 because that was just a quick way to
get a massive archive of audio samples.

~~~
urda
I think you're reading way too much into all of that, attempting to make a
mountain out of a molehill just to prove an imaginary point.

~~~
cptskippy
What imaginary point are you referring to?

~~~
urda
> Their policy states they don't collect personal information or conversation
> history but that doesn't mean they aren't capturing corrections or things
> they deem to be non-personal but sound pretty personal to me

> Their policy states ... but that doesn't mean they aren't capturing
> corrections or things they deem to be non-personal but sound pretty personal
> to me

> sound pretty personal to me

It's pretty clear actually. What you may think about the situation may have zero
factual grounding. You'll need to provide some citations and references
instead of just saying what you think or feel the situation may be.

~~~
cptskippy
You're wrong though about it having zero factual grounding. They collect data,
like everyone else, this is a fact. They state that openly in their privacy
policy, they even go so far as to define what they consider personal vs non-
personal information. We also know that Siri collects and transmits a
bunch of this "non-personal" information to a 3rd party for analysis.

On their QuickType page they say "your conversation data is kept only on your
device, so it’s always private." That's a lie because iMessage and your
keyboard Dictionary are synced to iCloud which isn't your device. That doesn't
mean that it's in Apple's hands or they can access it but it's not a factually
true statement either. They're also careful to say "conversation data" and not
something more general like "anything you input into your keyboard".

I'm not suggesting Apple does anything more invasive than anyone, I'm just
suggesting they don't do anything less based on what's observed.

~~~
tdkl
> That's a lie because iMessage and your keyboard Dictionary are synced to
> iCloud which isn't your device.

Is it opt-in or opt-out? Because I use iCloud for Safari bookmark sync only
and it never bugged me for syncing anything. Local iTunes encrypted backup is
fine.

~~~
cptskippy
I couldn't find anything about the dictionary, admittedly I didn't look very
hard, but iMessage is opt-in.

------
switch007
Shouldn't Windows at this stage just fork and split into two? One can be the
dumping ground of all kinds of social/phone/tablet crap where consumers sign
away their unborn children, and the other for businesses and people that want
to get stuff done?

------
sb057
The most troubling part is "Telemetry", which only Enterprise edition clients
can disable completely.

------
aluhut
I like how they put that "Customize Settings" Link down there. I missed it the
first time I did it completely.

Nice job design devils.

~~~
nsns
How exactly did we reach a stage when this is acceptable behavior for a
respectable company? Such shady practices should have never become mainstream.

~~~
saiya-jin
it is not acceptable, just some people here favor their little convenience (i.e.
saying something instead of a few taps on screen) over long term privacy. heck,
some even defend targeted ads. Sad thing is, mainstream users won't even know
about these things coming.

what i like about the situation - it might actually make some bigger
organizations turn away from what MS can offer. biggest issues are usually Win-
only or IE-only intranet apps, but with proper management steering, changes
(in the way technology for apps is chosen) can be done. Now just to have
a proper substitute for Active Directory, and it's game over for their OS there.

------
SlashmanX
Why isn't more being made of the fact that on default Windows 10 installs, it
will automatically connect you to open WiFi hotspots? That is a MAJOR security
risk and yet not 1 single comment here about it

------
joering2
The little four-squares icon that popped up a few weeks ago on my Windows 7
desktop notification zone, spamming me with messages to update for free to
Win10, cannot be uninstalled, is deeply rooted into parts of OS Win7 through
KB updates and crashes at least twice a day. With a hibernated computer, it
somehow forces LAN to awake, as a result blue-screening an otherwise perfectly
well hibernated session.

For these reasons alone, I think Win7 will be my most loved and probably last
version of Windows I will ever use.

------
task_queue
The idea of an operating system integrating with services like that still
bothers me even though it is done in Mac OS X and Ubuntu.

~~~
wvenable
I use a local account on Windows 8 (which is pretty much configured to run
like Windows 7) but that completely keeps me from being able to use the
Windows Store and therefore any of those universal apps.

I'm sure if I choose the same option in Windows 10 a large part of the OS will
be completely closed off.

~~~
moron4hire
Not that you're missing out, not being able to access the universal apps.
Hell, Skype even pulled a 180, got rid of their universal app and went back to
regular, ol' desktop apps.

~~~
mynameisvlad
Uh, no they didn't. The Universal app is still there and was updated a month
ago. They've always had both Universal and Desktop apps available, especially
since there are people on Win7 and below that wouldn't be able to run the
Universal app.

Edit: Apparently they deprecated it inside the app itself, not in the store.
I've kept the message above.

~~~
moron4hire
All of my installations told me "we're discontinuing this app, here, download
the desktop app."

~~~
mynameisvlad
Maybe that was the update? Granted, I haven't used the Universal app in a long
time because it's not nearly comparable in featureset to the desktop one. It'd
be nice if there were update logs more than "General fixes" but oh well.

~~~
moron4hire
I hate Skype so much, but I don't know of anything better. Google Hangouts has
been extremely unreliable for me.

------
dimino
I'll bet everything in my pocket that Windows 10 does not keylog every stroke
and send it back to Microsoft servers for storage.

It's intellectually dishonest to think that's what's going on, because it
ruins the conversation about what they're _actually_ doing.

~~~
jblow
Whether they don't right this second doesn't matter. Their terms of service
say they _can_. If they decided it was unthinkable that they would ever do
this, they could have written their TOS to be less overreaching. But they
didn't do that. Therefore they think it's a possibility (if in fact they are
not already doing it. Are you so sure? How do you know?)

~~~
dimino
They also didn't specifically preclude the possibility of commandeering my
computer by pushing an update that'll force me to mine bitcoin for them, but I
can be pretty damn sure that's not going to happen.

But let me rephrase anyway: I'll bet everything in my pocket that Windows 10
does not, nor will they _ever_ , keylog every stroke and send it back to
Microsoft servers for storage.

I can be sure of this the same way I'm sure about many other things I have no
definite proof of -- I see nothing remotely resembling evidence that this
might take place.

~~~
touristtam
Windows 10's Terms & Conditions are wide enough to encompass whatever MSFT might
come up with in the future to track and catalog you as a good, willing, consumer.
MSFT has stated that Windows 10 should be the last version of the OS in the
current retail format, and therefore, technically, any update/upgrade will
still be considered as Windows 10.

MSFT might not want to log everything you write on their OS, but who knows
what they will deem acceptable tomorrow under the same EULA?

------
ackalker
I think it is about time that we (the users) reclaim the right to our data and
what we do with it. Never since the days of mainframes and timesharing have we
been turning over so much of our (personal) data and the processing of it to
third-party, centralized servers. Our computers are starting to look like
nothing more than fancy graphics terminals, just a few steps up from the
VT100's of yore.

It's about time we start doing something about this.

------
outworlder
Some of these are scary. But sending to M$ what I'm typing? That's the exact
definition of a keylogger - it's straight up bundled malware.

------
CSDude
Upon seeing these options in the installation, I thought I had downloaded a beta
version that needs these for feedback. Realizing I have installed the retail
version, I regretted my decision. Now I will read the whole EULA for the first
time in my lifetime to see what it gets without asking. And probably I will
just keep Windows for games only.

~~~
coldpie
Are the games really worth it? There's a lot of games out there. You can live
with missing a few Windows-exclusive titles.

~~~
outworlder
A FEW?

Games that run on OSX and Linux are the exception. Granted, there are now very
high quality offers unheard of in the past (Kerbal Space Program, to mention
one).

If you are on OSX, you have access to a bigger selection of games (Elite:
Dangerous, for instance, or EVE Online - both using Wine). On Linux, good
luck. Steam improved things a little, but it's still an oasis in the
wasteland.

AAA games are still mostly locked to Windows.

~~~
touristtam
"Just" need to convince devs to port their code to yet another platform .....
sic. Let's see how long MSFT and Valve can pretend they cannot get along.

------
radley
I saw this earlier on Twitter via @adrianchm. Win 10 includes keylogger
setting, auto-re-opt-in malware protection, no opt-out for updates, and _ADS_
in the start screen:

[http://prntscr.com/7ykzbh](http://prntscr.com/7ykzbh)

------
akash_m
Also if you use Cortana, its default settings are sending MSFT location
history, search history etc. I turned it off on Edge as well as by default.

------
jwalton
As I noted here:
[http://www.thedreaming.org/201..](http://www.thedreaming.org/201..). You
should also go to "Settings" -> "Accounts" -> "Sync your Settings" and turn off
Password syncing, which is enabled by default. I would _hope_ that passwords
are encrypted with my Microsoft account password (and I would further hope
that only a hash of this password is stored on Microsoft servers) but nowhere
is any of this explained. There's a "How does sync work" link at the top of
the page, but clicking on it takes you to a Bing search which explains how to
turn syncing on and off.

------
hafichuk
They can technically do anything they want with the input you provide.
Personally I would never trust an opaque operating system even _if_ they
provided clear details as to what the configuration options are and how they
are used.

------
lnanek2
Would be nice if he even tried to look up what these things are used for. It is
well known things like OneNote let you search handwritten notes, for example,
using fuzzy logic and context. So it is a clear benefit to users. Instead he
seemed to just hand wave something negative about each.

Similarly, MS originally defaulted to not allowing cross site advertising
identifiers by default and was criticized by organizations that make their
money off this like Google and Firefox. Seems like they can't win no matter
which default they pick.

------
JimmaDaRustla
Said this in another thread:

Not sure what the fuss is about, the same old rule applies: if you want your
data to be private, don't use any form of cloud services - server based
voice/video chat, cloud storage services (google drive, skydrive, icloud),
digital assistants (siri, cortana, google now), any contextual based delivered
services which "learns" anything about you to provide you with any form of
automated and/or dynamic experience.

If you want to be treated like you live in a box, then you're going to have to
live by it.

Everyone complaining and "fed up", closing their MSDN accounts, boycotting
MSFT products - you're in an echo chamber which won't be heard as our devices
become more service oriented rather than boxed solutions. MSFT is trying to
stay relevant, not undermine their massive user base. Whether it is right or
wrong, I don't have an opinion on, but if you think MSFT is a pioneer in this
space, you're being unjustly biased.

I guess the only thing we can complain about is that we aren't given a
"closed/boxed" solution and able to accept the TOS to services we want on an
ad hoc basis - we have to go and disable services and hope that the TOS we
agreed to needn't apply.

Perhaps these are growing pains for the direction services are heading because
we shouldn't have to accept invasion of privacy as a default.

------
CyberX
Microsoft Windows 10 invasion . Yes like Matrix, The Terminator . Wowww stop,
not is the right way.

I think that Microsoft are crazy to think that can control the pcs of users
because launch Windows 10 upgrade for free. Tks Microsoft for the upgrade, but
not is with it that the enterprise will buy my privacy, control my PC, what I
install, what I do with my computer, etc, etc, etc, the machine is mine and I
want to continue owner of it. I not want show to me many things that I not
want to see, install app that I not want and use in my pc, use of the my
internet connection to send things to internet. Want my collaboration, ok I
can think in this, but when I want, not when Microsoft want.

Sure have many users that not understand what are happens, but are much users
that are advanced users and know what happens and how neutralize this privacy
invasion.

My first impression in these day about Windows 10 is cool for other side. I
think that can be the right successor of Window 7, but ... no using the
unilateral ideas to force users share all with Microsoft, that Windows 10 will
be a good OS. Need respect the privacy of the users. If not is like windows 8,
8.1 that not win the market because try to force all to have new hardware,
etc. If go in this direction we have Linux, Windows 7 to use and who know,
Android OS to PCs, is now a good time to this smiles. Yes, this is a
technological war, users in a side and Google, Microsoft and others in the
other. But who buy computers, OS, software are the users. The true own of
market. Sorry for errors english not is my native language, but I think that
is possible understand.

------
tripzilch
> Who are the trusted partners? By whom are they trusted? I am certainly not
> the one doing any trusting right now.

In security, "trusted" has a very simple and straightforward definition:

    Trusted (adj.) - Liable to create a security breach.

That's what it means, nothing more, nothing less. It means that YOU are going
to have to trust these third partners to not screw you over.

Whether you know who they are or not, it means that you trust them with your
private data.

"Trusted" is never a good thing. With proper security and privacy logic in
place you shouldn't need to "trust" anyone.

Indeed it means that I "trust" the NSA (and local Dutch agencies conscripted
by them) with any data that I send or receive that is not strongly encrypted.
I don't get a lot of choice in the matter, so I'm going to have to "trust"
they won't screw me over with it, sell it to bad actors, keep it safe for as
long as they keep it. No it's not a very smart idea to "trust" them, but I
don't get a lot of say in the matter ...

------
animex
"You" are the product now.

------
Encosia
Am I the only one seeing the irony in a speculative post about privacy on a
site that uses Google Analytics and Disqus?

------
ino
Apple must have known this a few months back and the result was their privacy
centric marketing campaign.

------
mrpigeonpants
It just makes you reminisce back to a simpler time when you'd save all of your
personal data and key logs to floppies and then mail 'em to Microsoft.

Sigh...I can still smell the sharpie ink and wet postage drying on the back of
a manila envelope.

------
BuckRogers
I have a 2nd partition with Windows 7 on my desktop, but I run UbuntuMATE (in
Redmond panel mode) 99% of the time. I don't think I'm going to update from 7
to 10 anymore, just don't see the point with this and the hardware lock-in. I
like my real license that I already have.

If I make any changes to my system I'll probably delete UbuntuMATE and Win7
and just run Mint. Seems really slick and mostly respects the user. Just
despise those notification catchers in most distros like Mint. UM in Redmond
mode is the only one that just flashes the taskbar icon upon notifications,
which makes perfect sense to me. Less to manage/check on.

------
awalGarg
I am pretty much a noob at Windows (linux guy here) :P, but what kind of
personalization does windows offer from this data? And is that personalization
possible with client side processing only?

------
slxh
All companies should be legally required to make those invasive privacy
settings opt-in and not opt-out... and maybe attach some jail time
consequences for CEOs for violating these new laws.

------
systemz
Microsoft can't lock-in user to OS because most of the apps are now
multiplatform so they are locking-in to their services and profiting from big
data.

EU will take a look on those practices soon :)

------
bwesk
Windows 8 suddenly turns out to be the best OS Microsoft ever made.

~~~
larrymcp
Friend, I humbly submit that XP was their best.

------
arm
If these are still the defaults for the $199 boxed version of Windows 10 Pro
(including all the things like ads in the OS), I’ll be pretty disappointed. OS
X is free as well (and has been for years), but Apple hasn’t pulled crap like
putting ads in the OS (probably at least partly because it’s nontrivial to run
OS X without buying Apple hardware… all the more reason to be disappointed if
Microsoft _still_ includes tracking and ad crap when you’re actually paying
for the OS).

------
animex
You are the product now.

------
oneJob
some copy from Microsoft's "The Future Starts Now" campaign: "_Learning
and growing with you - The more personal experience of Windows 10 includes
Cortana, your truly personal assistant. Cortana works across all of your
Windows 10 devices to learn your preferences, offer suggestions, set
reminders, play your music, answer questions and more. Welcome to a future
with Windows 10. It can recognize you, respond to you and even learn with you.
So you can create and share in ways you never thought possible. Now is the
time to do great things. #Windows10_" [1]

It's not like it's hidden in their terms and conditions. And, bluntly, I'm
assuming many people reading this are working on similar technology for
smaller companies. But, to paraphrase Nick Naylor in 'Thank You For Smoking',
you just need to pay the mortgage, right?

Additionally, the conversation on this page seems to betray that most of us
didn't read the memo that the concept of privacy has changed and now no longer
includes concepts like, "You only get to know things about me that I disclose
to you." That has now transformed into what might be captured in the
sentiment, "You may not use what you know about me in any way explicitly
disallowed by the terms & conditions". I can't find it now, but back in the
day, wayyyy back, Brin and Page made the argument that one day people would
trust their personal information to companies the same way that they trust
their money with banks. This is that vision realized.

[1]
[http://blog.pcm.com/2015/07/29/windows-10-the-future-starts-...](http://blog.pcm.com/2015/07/29/windows-10-the-future-starts-now/)

------
ergest
I'm sticking with Windows 7 until Windows 15

~~~
saiya-jin
you mean the next version after 10, when they get things right again? nah,
I'll skip to version 23, or 42 to be sure (but they might screw their new
feces sampling API to be little too intrusive for my taste...)

------
sharjeel
ReactOS suddenly makes a lot of sense to me now!

------
mc808
Besides the fact that you can't turn off automatic updates (which makes
Windows little more than a zombie node in Microsoft's vast botnet), the
default setting is also to "send updates to ... PCs on my local network, and
PCs on the Internet." Similar for the defaults in Windows Defender.

------
kabdib
All obtainable with a subpoena, I would imagine.

No way.

~~~
api
MS is so aggressively international, I can imagine that they might cave to
subpoenas from other governments. So now my home country plus at least the
rest of the G8 can request my data.

Nope.

------
varp
The only way to reliably opt out of Microsoft collecting your personal data at
this point, is to opt out of the whole Microsoft experience. Everyone knows
(or should know) that toggle switches are not guaranteed to do what their
respective labels say they would.

------
Supersaiyan_IV
As a Windows Insider that has helped Microsoft squash bugs the last few months
you must realize that sending bug report data is ridiculously important.
Especially on a rolling-release model that this has become.

------
mappu
Hijacking this thread - if anyone used the official media creation tool to get
a x86_64 Professional ISO, can you please post MD5/SHA1 hashes? Mine don't
match anything on google.

~~~
acqq
[https://techjourney.net/download-official-windows-10-iso-via...](https://techjourney.net/download-official-windows-10-iso-via-usb-dvd-media-creation-tool-without-product-key/)

"Note that the file hashes (CRC32, SHA1, MDA and etc.) for Windows 10 ISO
images created by Media Creation Tool are unique as time stamps and other
factors are different for each computers."

~~~
ionised
So basically they're saying there are no file hashes for you to check, because
the only way to download an ISO is through the Media Creation Tool.

I don't know why they don't just let you download the ISO directly without
some pointless middle-man downloader tool.

~~~
acqq
The tool doesn't just download some ISO, it actually downloads a lot of
different files and then transforms the content it downloaded using the user's
CPU and resources, producing the wim files that would finally go to the media.
Why, I don't know.

------
129CBRider
Had to go through the entire system and stop Win 10 from sending all my
personal info to Microsoft! They need to stop trying to be Apple.

------
Aoyagi
Everyone is ignoring the biggest problem: "apps" everywhere!

(this message was brought to you by someone who earns money through language)

------
129CBRider
Had to go through the entire Windows 10 and stop it from sending all my
personal info to Microsoft!!!!! Stop trying to be APPLE!

------
prapam2
Didn't Microsoft run ads on Google collecting personal information? Now they
are doing the same!

~~~
gillianseed
Yep, 'Scroogled' they called it.

------
gillianseed
Incredible, how does this all fit with Microsoft's 'Scroogled' campaign ?

------
giancarlostoro
Too much conspiracy, but how we all wish it was just theories.

------
rick838
No guarantee the switches do what they say.

------
bronlund
I hope governments are starting to understand what they have gotten themselves
into by using this crap. Microsoft should be banned from all public offices :D

------
tripzilch
What IS "inking data", anyway?

------
gowthamgts12
Nice one pal.

------
sillygeese
> _I am pretty surprised by the far-reaching data collection that Microsoft
> seems to want. But, I am even more surprised by the fact that the settings
> all default to incredibly intrusive._

I can't see why anyone would be surprised anymore. This has been going on for
years now.

------
mahouse
I'm not sure, but I think Windows 8 had the same options and they were on by
default too.

------
wahsd
"trusted partners" including every single American intelligence agency and
whatever despotic and totalitarian regime we happen to be supporting at any
given moment.

I guess that "free" upgrade business model includes harvesting data globally
to sell to surveillance state agencies through round-about ways < _cough_ >
palantir < _cough_ >

------
graycat
Okay. Good to know. So, when I decide to upgrade from Windows XP, I will
install the legal DVD I have of Windows 7 and stay with that for years!

No Windows 8, 10, etc. for me until Microsoft makes some fantastically strong
and solid statements about compatibility with old software, security, and
privacy.

~~~
theg2
Worried about security and privacy...yet still uses Windows XP?

~~~
userbinator
Are people actually believing Microsoft's FUD?

The "security" of newer Windows is mostly anti-user, anti-freedom. XP doesn't
enforce code signing, and SFP is only advisory, so you can run whatever you
want, hack and customise the OS code easily to get it to behave how you want.
Most of the exploits that gave XP a bad name in the early days were from IE in
its default configuration, which basically no one on XP will be using now.

It takes time for bugs to get discovered and fixed. There's a lot of new code
in these newer versions and I bet they'll be uncovering more bugs in it as
time goes on, some of which won't be applicable to XP because the code isn't
even present.

As for "privacy"... XP most certainly does not phone home with anywhere near
the amount of info that Win10 collects, as this article shows.

I'd be more inclined to say "Worried about security and privacy...but still
wants to upgrade to Windows 10?"

My next jump after XP will likely be some form of Linux with WINE - with
everything that can phone home removed.

------
sudioStudio64
Well, today was the day. I finally got my fill of this site.

Thanks for the memories HN, but this just isn't worth it. I could have been
coding. From now on I will be.

Adieu.

------
leeleelee
May I ask...to those who are so deeply opposed to sharing your personal data
with corporations and their partners:

Let's assume, worst case scenario -- you enable every single data sharing
option on your Android phone as well as let's say, Windows desktop. And you
use Chrome browser, logged in, etc. All the time.

Now, the question is: explain to me, what you expect to be the negative
outcome and how it affects your daily life.

I am genuinely curious. Or is this just a fear of the unknown and projecting
into the future all of the bad things that _may_ happen (or also may not)?

~~~
pjc50
It's rather like stopping paying for your health (or other) insurance. If I
don't have it, it probably has no effect on my daily life. All the things I
need it for are things that _may_ happen in the future.

Information once leaked is very hard to recover and may have a deleterious
effect on your career. Just ask Hulk Hogan.

------
chx
You are worried your data is sent to MS and sold to advertisers? All your
personal data has already been stolen by foreign hackers so why worry? Privacy
is already dead. We would need to rethink an awful lot of things to get it
back.

~~~
pluma
> foreign hackers

Don't drink the Kool-Aid.

------
moron4hire
This looks like all the same sort of stuff Google defaults you into on
Android. I mean, not that it's any better because of that, but this is the
state of things now. You're not going to find better unless you install FOSS.
Unless you're ready to go full-in on one of the BSDs or a
Linux-that-isn't-Ubuntu, navigating the waters of figuring out how to get a phone that
has all the features you want with such an OS, figuring out how to do all the
work you need to do, then you're in for a penny, in for a pound.

Apple, Google, Facebook, Twitter, LinkedIn, the FBI, NSA, CIA, DHS, they all
have my data already. Thanks to OPM, the Russians and Chinese probably have my
data now, too. What does it matter if Microsoft has it? They probably already
have it. Maybe it's even _better_ to make sure _everyone_ has my data, rather
than allowing it to be used as a competitive advantage by one or a small set
of corporations. Cat's out of the bag. Horses have left the stable. Whatever
other metaphors you want to throw in there.

So decide, and decide now: either go full-in on FOSS, or shut up and eat your
cookie. Otherwise, this exercise hasn't been about privacy, it's been about
anti-Bill-Gates-and-Steve-Ballmer-Microsoft sentiment.

~~~
rifung
Excuse me if I just don't fully comprehend your argument, but isn't FOSS an
orthogonal issue to this? After all, even if software is open source, that
doesn't stop it from mining your data. You just know that they are doing so. I
suppose you can remove that feature, but it seems you're also able to disable
the features here as well.

In any case, I'm all for FOSS but it doesn't seem to be a solution to this
problem, which admittedly, is not even really a problem to everyone.

~~~
moron4hire
Yes, I agree that it's not really a problem for everyone. The issue isn't
actually privacy. The issue is "find a reason to bash on MS for this month".

Now, I think the incentive structures for FOSS projects are a little different
such that the FOSS environment isn't going to converge on the idea of
collecting such data. But clearly, throw any sort of system that wants to make
money into the mix, coupled with the fact that users just refuse to pay for
software anymore, and every giganto corp from Mozilla to Canonical is going
to independently come to the same conclusion of collecting this sort of data.

The problem is not that privacy is important. The problem is that privacy
isn't as important to people as not having to pay cash for software. So the
people who are complaining about this are never going to be happy with
anything Microsoft does. Either MS collects too much data, or they are
tone-deaf to the market and aren't keeping up with cutting edge features. Either MS
"hides" non-default settings, or they are falling behind in the state of the
art of UI design.

I mean, Apple or Google wouldn't have even given you the little link that
people have been complaining about as "hidden", even though it's right there
on the screen. They would have expected you to hunt the setting down in some
settings dialog somewhere. What MS has done here is _standard_ MS UI design
theory, has been for over two decades.

But it's cool to bash on MS. And the only way such people are going to be
satisfied _and_ stay consistent, is to completely bail out of any software
where anyone involved has a need to make income.

~~~
saiya-jin
Apple and Google are scumbag corporations (not only) when it comes to
privacy... so is it OK if another big corp joins them? You basically say yes,
I say NO.

~~~
moron4hire
If by literally saying no I am basically saying yes, then I guess I have a lot
to work on in terms of writing clarity.

------
brudgers
Microsoft's privacy policy reflects the fact that Microsoft has to comply with
the most conservative interpretation of the most restrictive privacy
regulations from the set of all privacy regulations found anywhere in the
world. It amounts to "Microsoft does not guarantee privacy." The reason is
that Microsoft cannot make such a guarantee because of the diversity and
strength of privacy regulations.

I'm not saying that strong privacy regulations are a bad thing or that
Microsoft's policy is a good thing. Just that Microsoft's policy reflects
reality where competitors and activists and politicians are inclined to use
privacy regulations for purposes orthogonal to any actual concern about
privacy. The connected world is full of caches and Microsoft does not control
them. Users can do stupid things that Microsoft cannot prevent.

Agree with the terms and use Windows. Don't use Windows if you disagree. The
website hosting the blog runs google-analytics by default. It doesn't ask my
permission. It runs Disqus by default. It doesn't ask my permission. The
privacy badger ate too many cookies and died years ago. Microsoft is late to
the wake.

