
Official list of phoned-home info revealed by Microsoft - frik
https://www.theregister.co.uk/2017/04/06/microsoft_windows_10_creators_update/
======
uranian
Most striking for me is not only access to your documents, but also:

>events generated by the operating system, and your "inking and typing data."

Sounds like a key logger virus, but then built-in the OS? Is this for real?

~~~
inkling
Ostensibly it's for debugging crash dumps.

In reality you can bet there will be NSLs and other legal tools used to
co-opt this stuff for more noble aims, like defending against terrorism and
protecting our children via fishing expeditions and secret gag orders.

~~~
r3bl
> via fishing expeditions...

If you already have access to the things I type and my metadata includes the
websites I visit, you don't really need to phish me to get my credentials.

If a service also happens to not support 2FA and doesn't have some sort of
account activity section, you can effectively have control of me over that
service, without me ever doing anything wrong and me not even suspecting a
thing.

~~~
ethbro
Inkling meant fish, as in the legal enforcement sense of using an unrelated
charge to obtain a warrant which is then used to fish for evidence of a more
serious crime.

------
darrmit
For those thinking Enterprise and/or Education may be better, it's only better
if you're using it in an environment where privacy settings are enforced via
Group Policy or some other method. Standalone (like I'm running it) is really
not much better than Pro unless you go through and manually intervene.

For example, the default telemetry level is "Enhanced":

"The Enhanced level gathers data about how Windows and apps are used and how
they perform. This level also includes data from both the Basic and Security
levels. This level helps to improve the user experience with the operating
system and apps. Data from this level can be abstracted into patterns and
trends that can help Microsoft determine future improvements.

This is the default level for Windows 10 Enterprise and Windows 10 Education
editions, and the minimum level needed to quickly identify and address
Windows, Windows Server, and System Center quality issues." [1]

On a fresh install of Windows 10 Enterprise I still have to manually disable
updates by disabling/setting permissions on scheduled tasks for updates and
I'm still prompted for things like "Use OneDrive!". Cortana is also enabled by
default.

[1] https://technet.microsoft.com/en-us/itpro/windows/configure/configure-windows-telemetry-in-your-organization
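
An added example, not part of the original comment: a PowerShell check of whether a telemetry level is actually enforced by Group Policy on a machine, or whether the edition default applies as described above. It assumes the `AllowTelemetry` policy value and the `DiagTrack` service name used by Windows 10; the function name and the edition pattern are illustrative.

```powershell
# Added example: report the policy-enforced telemetry level, if any.
# Level names follow Microsoft's documentation (Security, Basic, Enhanced, Full).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-TelemetryPolicy {   # hypothetical helper name
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $value   = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry `
                    -ErrorAction SilentlyContinue).AllowTelemetry

    if ($null -eq $value) {
        # No policy value: nothing is enforced, the edition default is in effect.
        $source    = 'Not set by policy (edition default applies)'
        $levelName = 'Unknown from policy'
    } else {
        $effective = [int]$value
        # Assumption based on Microsoft's documentation: level 0 (Security) is
        # only honoured on Enterprise, Education, IoT and Server editions;
        # elsewhere it is treated as 1 (Basic).
        if ($effective -eq 0 -and $edition -notmatch '^(Enterprise|Education|IoT|Server)') {
            $effective = 1
        }
        $source    = 'Enforced by policy'
        $levelName = $levelNames[$effective]
    }

    # DiagTrack is the "Connected User Experiences and Telemetry" service.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition         = $edition
        PolicyValue     = $value
        EffectiveLevel  = $levelName
        Source          = $source
        DiagTrackStatus = if ($svc) { $svc.Status } else { 'Service not found' }
        DiagTrackStart  = if ($svc) { $svc.StartType } else { $null }
    }
}

Get-TelemetryPolicy | Format-List
```

An empty `PolicyValue` on a standalone Enterprise or Education install means no Group Policy is enforcing a level, which is the situation the comment describes.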

------
rubatuga
One Windows 10 version that many people are ignorant of is Windows 10 for
education, which is based on the enterprise edition. It has the ability to
disable almost all data collecting / advertising features. Cortana doesn't
even exist on this version. If you can grab this, and most university or
college students should be able to for free, it'll be a big improvement in
privacy.

Edit: from what I recall, Microsoft stated that advertising didn't have a
place in education, or something to that effect

~~~
whyoh
>Cortana doesn't even exist on this version.

This used to be the case, but it's no longer so. The latest version of
Education (1703) includes Cortana.

------
rl3
> _Engineers, with permission from Microsoft’s privacy governance team, can
> obtain users' documents that trigger crashes in applications, so they can
> work out what's going wrong. The techies can also run diagnostic tools
> remotely on the computers, again with permission from their overseers._

So in other words: engineering access to your personal documents (and
computer) is mediated by a group of people who also shouldn't have access in
the first place. Got it.

When I close my eyes, it's almost like I can vividly picture the crappy NSA
PowerPoint slides that must exist, detailing "Windows telemetry exploitation"
or some such. At the very least, the information has to be incredibly useful
for targeting purposes.

~~~
pjc50
Someone should file a mass copyright infringement suit. Did they really have
permission to copy those documents? Charge them on the RIAA scale of thousands
of dollars per infringing copy.

There are implications for legal discovery here too. Remember the other day when
one of the documents in the Uber/Otto case was found on a user's machine? What
happens when people start sending in discovery fishing expeditions to get
documents from Microsoft?

~~~
driverdan
There is no copyright infringement. Anyone running Win10 has agreed to give
them access via the EULA.

~~~
TheSpiceIsLife
Except where I haven't.

EULAs aren't law in my opinion, and that's what laws are: _opinions_,
collectively. I can't be forced to agree to something that strongly violates
other contracts I'm required to be a party to, in my opinion.

All we need are rulings, and the enactment of laws, to support my opinion
along with the cessation of wholesale data collection by the OS vendor.

While we're waiting for that all we have is technical solutions.

------
yAnonymous
Wouldn't half of that make it illegal to use for government agencies in many
countries?

They're one config error away from sending classified data to Microsoft.

~~~
vonmoltke
> They're one config error away from sending classified data to Microsoft.

No they aren't, because classified data is only handled on isolated networks.

~~~
wheelerwj
lol, obviously that's not even remotely (get it?) accurate.

classified data _should_ only be handled on isolated networks.

~~~
vonmoltke
Handling classified data on an unapproved network is both illegal and a
serious security violation in every environment I have worked in. If you have
that going on, Windows phoning home is the least of your worries.

------
us0r
Microsoft is absolutely out of control with this shit. I was recently flipping
through BI articles and came across this [0]. “Using data from millions of its
subscribers … The findings come from people who use Microsoft Word and/or
Outlook”. WTF? Sure enough, I opted out of telemetry but that apparently
doesn’t include the content of business documents and email. 7 clicks to find
that option. I guarantee you 99% of Office 365 users have no idea this is
happening.

Microsoft customers aren’t getting scroogled, they are getting straight
fucked. Not only are they slurping everything imaginable up, but actual people
are going through the data and doing stories on business insider.

My problem is I actually like their products. I’m cheering for the day the EU
(the US won’t do anything so sadly I have to cheer for a foreign government)
wakes up and slaps them around. Hopefully it’s hard enough to get them to
change their ways.

[0] http://www.businessinsider.com/microsoft-data-the-most-confusing-words-in-english-2017-3

~~~
douche
I'm sure Microsoft is mining Office 365 as hard as Google is mining GMail. To
believe otherwise seems incredibly naive.

~~~
veli_joza
I don't think one is better than the other, but it comes down to average
user's expectations from cloud software and from desktop software.

My last company was very paranoid about security. Things like never leaving
your desktop unattended, changing password every 4 weeks, encrypted disks,
encrypted emails, forbidding most of cloud services... All the while happily
using Windows and Outlook.

Also, although Google knows everything about me, they have so far managed to
prevent security incidents, leaks and embarrassing deals (apart from being
forced to provide backdoor to NSA). They seem to know what they are doing
security-wise.

------
vadansky
If you absolutely have to use Windows (like me) is it possible to block all
the telemetry at the router level, maybe some kind of hardware firewall? Do we
have a list of IPs to blacklist?

~~~
AlexeyBrin
You can try, but to be frank you can never be sure. The only 100% way to stop
telemetry is to work disconnected from the Internet.

A slightly safer version of Windows is Enterprise LTSB but I don't think you
can legally buy it as an individual.

~~~
thoughtpalette
I just added the above linked endpoints to my hosts file. Not sure how well
that'll work.

~~~
MikusR
You have to block using a firewall, as the hosts file is being bypassed.
Plenty of malware modifies the hosts file.

~~~
thoughtpalette
Ahhh, it seems I should've read the entire comment thread. Thanks to both of
you for the notification!

------
zwarag
Isn't it a bit of a pathetic approach to tackle this topic with: How can we
turn off this telemetry craziness. Shouldn't we USE something that just does
not scan your stuff at all. Like Linux or something? Sure it might not be
that well round up like Win. But at least it will not penetrate your bum hole
by design and will become round up eventually.

~~~
gbrown
Well, I try to for most applications, but I'm actually moving my wife's laptop
back to windows. Linux was fine for most things, but when something breaks or
doesn't work, I have to fix it - and I don't have the time. Getting hardware
like Bluetooth or external touchscreens to work is an absolute nightmare with
the state of driver support.

~~~
usernam
It sounds like linux breaks, but you know what happens when "stuff on windows
breaks"? Well, it's the same: you'll have to fix it.

Ubuntu LTS is really hard to break unless you're constantly screwing around.
The same happens on windows.

Don't complain about community-supported distros. Buy a commercially supported
distribution with long term releases, and you're set.

~~~
driverdan
Linux still doesn't work well on a lot of laptop hardware.

~~~
r3bl
What do you mean by "doesn't work well on a lot of laptop hardware"?

I'm using Lenovo Yoga 510, not Ubuntu-certified, two-in-one device with a
touchscreen and a dedicated graphics card. Sure, there's no such thing as a
tablet mode in any of the Linux distributions at the moment, but it works.
WiFi works. Touchscreen works. Open source graphics driver works. Battery
usage has no noticeable difference compared to Windows.

In my three or four years of running Ubuntu-based distributions, I'm yet to
find a single laptop where WiFi / sound card / touch screen or any other piece
of laptop hardware that doesn't work.

~~~
driverdan
There are still sleep / hibernation issues and excessive power use. Plus as
you said, tablet mode doesn't work.

------
cogs
How does this compare with Apple? I haven't seen so many articles about what
MacOS slurps, is that because it is better behaved?

~~~
andy_ppp
By default everything is backed up to iCloud right?

~~~
tinus_hn
You can barely backup an iPhone to the free iCloud option. There is no free
Mac backup to iCloud.

Also imagine the bandwidth requirements, for many people such a backup would
run forever without completing.

------
laurencei
Is there a place where people have put together a conclusive list/script to
remove/turn off as much telemetry as possible?

I've seen various lists on reddit, HN etc - but they all seem to have
different bits.

Perhaps a GitHub Gist that can be crowdsourced to help people ensure they get
every single hidden option turned off?

~~~
HappyTypist
Honestly, your best bet is to use a mac.

~~~
izacus
Did you try running Little Snitch lately? There's at least 5-6 daemons that
keep contacting Apple and reporting on you on mac as well. And pretty much
every 3rd party app uploads behaviour analytics without the ability to turn it
off as well.

~~~
rubatuga
I installed Little Snitch for cracked Adobe suite, but holy fuck the constant
barrage of daemons trying to connect made me disable it completely. Albeit
most of them seemed to be related to iCloud or app updates

~~~
fivesigma
This is my experience as well with Adobe CC. At least 10 different daemons,
some of them instances of node.js constantly connecting to adobe-owned IPs.
Some of them even using very high amounts of CPU. Turning everything off from
the CC settings didn't even make a difference.

I don't want fucking software I paid for to make my PC a part of a botnet, so
I deleted all their stuff and tried to cancel my subscription to CC. I
couldn't do that because their terms allow them to charge your credit card for
the remainder of the year, even if you receive no service. After a few angry
emails with a supervisor they finally agreed to cancel my subscription.

What a shady POS company.

------
pleasecalllater
Cool, so I will have backup data in NSA, and Microsoft. Do you think it's
possible to recover my data from their servers easily?

Looks like 'my data' will soon be something strange, and suspicious.

~~~
akerro
Some people tried it already and court rejected their cases.

~~~
pleasecalllater
Heh, usually when I get a stupid enough idea, it turns out that someone had
that before :)

------
pawadu
I can't comment on the article since I don't have any actual data on the
subject (it doesn't seem they do either). But I do have a slightly on-topic
question for HN readers using Windows in enterprise:

You can run popular Linux distributions off grid and still receive security
updates via a local package repository. Can you still do something like this
with Windows? Does it require a special Windows 10 version?

~~~
Santosh83
I think you need an Enterprise license to customise the update process. Not
even Pro will do, although with that you can turn off the forced updates,
which Home users can't.

~~~
H4CK3RM4N
Last I heard, Pro can only delay updates for 14 days.

------
Steeeve
The article doesn't have a full list, it has a set of examples. The technet
pages linked in the article don't have a full set of information either.

I have the distinct impression that regardless of settings, some data gets
sent.

I also have the distinct impression that the data will be for sale - the
usefulness of a good portion of the data is questionable and some would only
be useful for application developers.

What the list does have enough of ... is enough information for adversarial
parties to want to target it.

It's not that hard to stop using windows. More people should.

------
itaysk
I wonder how this compares to Android while using Google's services and
accepting their terms (admittedly I allow everything by default). Is anyone
aware of such analysis?

------
chj
The reason I installed ubuntu on my laptop.

~~~
liareye
For the convenient Amazon button in the dock?

~~~
sangnoir
Wow, what a dilemma! Which one should I go for: full-bore telemetry including
memory contents and keyboard events with RCE capabilities _or_ an Amazon
button that just sits there until I click it? Truly, this is like _Sophie's
Choice_ /s

~~~
nebabyte
False dichotomy. Other distros/envs not supporting scummy practices exist too.

~~~
sangnoir
I was using (explicitly marked) sarcasm to highlight the false equivalence in
parent's post. Obviously the choice of OS is not limited to Windows vs. Unity
on Ubuntu

~~~
nebabyte
Right, but your response to scummy practices was "which is why I use [other
thing with scummy practices]."

I'm sure you can justify why a button isn't as bad as spyware to yourself, but
to anyone who puts up with neither, the parent comment makes sense without
needing to 'equate' the two. They're both not things you'd put up with; and
the 'sophie's choice' (yes, I saw the tag) joke would instead just be a
response for a different platform.

~~~
sangnoir
> Right, but your response to scummy practices was "which is why I use [other
> thing with scummy practices]."

This is comparing apples to oranges though: on one side we have a Unity lens
_that can be turned off_ and is restricted to searches, and on the other you
have what I can only describe as a turnkey APT (RAT, RCE, process spy, device
spy, keylogger, memory scraper) that _cannot be switched off_ - how hard do
you think it would be for a nation-state to 'enrich' and intercept/redirect
this telemetry?

You lose a great deal of detail by intentionally avoiding the nuance of the
situation: murder by starvation or Nitrogen asphyxiation is still death, but
there is value in discussing the cruelty of persons who would choose one
method over the other to kill, especially if one of them lets you opt-out.

Additionally, Ubuntu and Unity (host of the Amazon button) are not equivalent
in any case. I use Ubuntu with KDE, others with XFCE or Gnome. So using Ubuntu
in no way equates with putting up with scummy practices.

edit: expanded and split 2nd paragraph

------
elorant
I'd like to know if there are any C# devs who moved to Linux and how is the
whole experience.

~~~
androtheos
It's better now with asp.net core and visual studio code both of which run
rather well on Debian Linux.

------
retox
Some troubling sounding ones:

- All the physical memory used by Windows at the point of the crash

- URL for a specific two second chunk of content if there is an error

- Image & video resolution, video length, file sizes types and encoding

- URLs (which may include search terms)

- Ink strokes written, text before and after the ink insertion point,
recognized text entered

- Time and result of each connection attempt (WiFi)

- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)

- Whether the user clicked or hovered on UI controls or hotspots

------
AdmiralAsshat
Useful utility I remember from a few years ago:
https://www.safer-networking.org/spybot-anti-beacon/

I mostly used it to block the Windows 7 telemetry that they backported.

I don't know how up-to-date they're keeping it, though. I fear Microsoft is
adding more hooks faster than Spybot can block them.

~~~
Clownshoesms
It's infuriating that I'm still paranoid about what my paid for Win 7 OS sends
out, despite hiding updates and trying to keep on top of it.

Then again, with IME etc, who siphons more? We've gone wildly wrong somewhere
that this is the norm. Wildly wrong.

------
itchyjunk
Ahh, the "Relevant Ads" button. No matter which way it turns, you still get
ads. I am tempted to ask "Is this button broken /s?" but I know it's a
feature and not a bug.

------
Clownshoesms
Privacy journey. It'll take a while to purge that tripe. Makes me feel sick
thinking of the corporate weasel on the end of the post.

------
frik
The original title of this post was "The sheer amount of data Windows 10 sends
from your PC".

Which was shortened from the article title "Put down your coffee and admire the
sheer amount of data Windows 10 Creators Update will slurp from your PC"

But now the HN title got changed to "Official list of phoned-home info revealed
by Microsoft" which is misleading or let's say down-playing the whole story.
The story is more than yesterday's HN story, it shades a not so nice picture
about what really happens.

~~~
developer2
The "Official list of phoned-home info revealed by Microsoft" is the
subheading from the article, and offers a neutral tone compared to the biased
headline of "The sheer amount of data Windows 10 Creators Update will slurp
from your PC".

While general consensus will likely be that it _is_ too much data
collection, it's more ethical - from a journalism standpoint - to allow each
reader to decide that for themselves based on the facts. I find it odd that
The Register used a biased headline, while delegating the unbiased phrase to
the role of a subheading. I suspect the neutral subheading was provided by the
author of the article, while the headline was manufactured by someone whose
job it is to drive traffic/views.

~~~
AimHere
> I find it odd that The Register used a biased headline, while delegating the
> unbiased phrase to the role of a subheading.

The only thing odd about that is that The Register has a more neutral tone in
its subheading than normal. The main headline is using the default Register
style (and if you go to the Reg's front page, you'll see plenty of
tabloid-esque subheadings).

I suspect that since this has been the Reg's modus operandi for years, that
there's no need for an editor to write headlines by now - the staff writers
know what's expected and probably use the house style already. If anything,
it's the po-faced subheading that's likely to have been tampered with on an
ad-hoc basis.

