
France orders Microsoft to stop tracking Windows 10 users - abhi3
http://www.theverge.com/2016/7/21/12246266/france-microsoft-privacy-windows-10-cnil
======
satysin
Is there any accurate analysis of exactly _what_ Microsoft collects in Windows
10? I understand you cannot totally disable the telemetry (with the exception
of an Enterprise version) but when put down to the "basic" level is there any
capture of what is being sent? Everything I have seen is bullshit anti-
Microsoft fairy tale stuff.

I understand text and voice data will be captured and sent if you use Cortana
but that is pretty obvious, the same is true of Google, Bing, Siri, etc. [0]

What I want to know is when I put things at the lowest setting possible what
do MS get and how often?

Edit: [0] I mean captured and sent for processing. I expect (perhaps wrongly)
for it to be deleted from Microsoft's servers as soon as my request has been
answered. Unlike Google which stores _everything_ you say to Google Now for
example.

~~~
Sylos
As far as I understand it, there is no way to know what Microsoft sends,
unless you work at Microsoft.

As such, the "bullshit anti-Microsoft fairy tale stuff" is just as valid as
whatever you believe that they send. Especially also under the connotation
that Microsoft does actually reserve the right to send anything they want in
their Privacy Statement.

And we shouldn't treat privacy as "innocent until proven guilty". If they
cannot provide a lower boundary where you have a guarantee that they respect
it, then we should assume the worst.

~~~
rdudek
But why just target Microsoft? What about Google? Apple?

Big data is huge and there is no end in sight as far as growth goes! Telemetry
is a big success. And we're talking about regular usage now. Hospitals use new
state of the art EMR software with all kinds of telemetry built in as well.

~~~
tunap
Is this a calculated derailment technique? Why MS? Because MS is the subject
being discussed in this post, is why. Wanna talk Apple? Open up an Apple
privacy related article's comments and you'll read the same concerns
accompanied by more red herrings asking 'why just Apple?'. Repeat for Google,
if you need further clarification.

Why not Verizon? Why not NSA? Why not the traffic strips counting cars? Why
not the ticket guy @ the cinema?

~~~
rdudek
Let's rephrase that, why isn't the French government going after Google,
Apple, and others for telemetry?

~~~
tunap
They have. Repeatedly. And for whatever reasons most are unaware of, they
appear to be getting away with their actions more or less. Why? I don't know,
ask a lawmaker. Or better yet, ask a lobbyist. Even better, ask the DHS PAC:

Edit: US example, I have no idea how France government works.
[http://www.boilingfrogspost.com/2011/11/30/bfp-report-meet-t...](http://www.boilingfrogspost.com/2011/11/30/bfp-report-meet-the-department-of-homeland-security%E2%80%99s-%E2%80%98distinguished%E2%80%99-privacy-advisory-committee-members/)

------
bad_user
I would like laws that would force companies to disclose the bad side of what
they are doing.

When they ask if you want to share what you type or say with them, in order to
improve the experience and for you to get more relevant suggestions or more
accurate spell checking or whatever, they only focus on the positives.

But that's not enough. I want them to say that your delicate and private
conversations might leak and be used for nefarious purposes by disgruntled
employees, state agencies, hackers or future owners of that data, because
that's the truth.

Much like how cigarettes packs have graphical warnings on them. I'd like that
very much, because as an ex-smoker I can tell you that those work. But of
course, it would hurt their business to admit it, so they'll never do it
willfully.

~~~
cm2187
Or like the financial industry, whose products are deemed too complex for the
average client. They must disclose and insist on the risks of a product.

Windows pretty much checks the box in term of complexity to the average user.

~~~
Kristine1975
_> They must disclose and insist on the risks of a product._

By giving me a 50+ page brochure. Just like EULAs hide the nasty stuff among
huge amounts of text.

Sure it's better than nothing, but still far from perfect IMO.

~~~
cm2187
No no. If you trade something on margin or borrow money, in many countries
like in the UK, all the marketing material has to clearly state the risks. All
mortgage ads have a big banner "if you do not make your payments your house
may be repossessed". A derivative contract with a mid-size company is now
deemed missold if the marketing material doesn't highlight adverse or worst
case scenarios.

These are not 6-point-font footnotes in the terms and conditions.

~~~
sievebrain
Yes, and what great nanny-stateism. The only people whom that big warning
helps are people who don't know what a mortgage actually is, yet are planning
to take one out anyway. I'm sure such people exist in very small numbers but
this is how you get "Warning: may be hot" on coffee cups. Where do you draw
the line? Surely someone who walks into a bank and says "I'd like a mortgage"
should be expected to know what repossession is?

~~~
FireBeyond
And yet in the US look at any prescription drug ad, where there's this ugly
extended component of the ad that details dozens of possible issues, which to
your logic would be the job of the physician (and I agree), not the
advertising.

------
Taek
People are giving special attention to the things that Microsoft is doing, but
history shows that they will eventually accept it and live with it.

Facebook has been doing this for a long time, to extremely high degrees of
invasiveness. Google as well, and pretty much every single web startup in
existence. Collecting data is how you compete in modern business.

If you think this Microsoft stuff is a big deal you should have another look
at the entire foundation of modern tech.

~~~
frik
You are right, but I beg to differ. Giving out your personal emails or your
private life to advertisers is one thing. But an operating system is the
lowest common denominator and the PC platform is where most data is stored and
real work is being done. So Microsoft's 180 degree turn by the CEO from being
a trustworthy company to turning their customers into products is unheard of
and very, very concerning - especially given they still have a quasi PC
monopoly (ca 90% market share). There is a long legacy history; some run
software up to 30 years old on Windows and are now concerned, with little
option to move forward.

~~~
Taek
Is that much different from Android? Google is known for being incredibly
pervasive, and also invasive.

I'd argue that my phone is almost a lower common denominator than my computer.
My phone knows my geographic location at virtually all times, has logged into
most of my web accounts, handles all of my social contacts (definitely more
than Facebook. But even people who primarily use Facebook likely use it mostly
from their phone and not their computer).

If we want to care about this stuff, things need to change in very dramatic
ways.

~~~
tunap
"If we want to care about this stuff, things need to change in very dramatic
ways."

Absolutely & unequivocally. Hard part is, the technological means is baked
into every modern SoC & NIC, huge amounts of money are being made from the
'big Data' industry created & the psychopaths are driving the bus. We survived
just fine back in the Stone Age (pre-smartphone) and we _can_ hold out for
change ($=vote). Principles often require certain sacrifices.

------
jld89
Are there other countries as active as France is concerning the enforcement of
user privacy laws and data protection?

~~~
Sylos
Switzerland is usually pretty good at it, and Germany tends to also care,
because of their Stasi-history, but the recent trend of "Terrorists killed a
handful of people, let's throw away the fundamental rights of our population."
hasn't left those two unscathed either...

~~~
CatsoCatsoCatso
>Terrorists killed a handful of people

234 people dying from terror attacks in France in the last 18 months is not a
handful. Don't just dismiss their deaths so heartlessly as a "handful".

Shame on you.

~~~
cm2187
Realistically it's an average air crash. At the scale of a population like
France it is almost meaningless. Drowning kills several orders of magnitude
more. I don't see calls for changing the constitution to reduce the number of
drownings.

Or suicidal airline pilots...

~~~
angry-hacker
But it's one airplane crash too many. I don't understand your point. We
shouldn't care?

~~~
smhenderson
Not to answer for the parent but IMHO it's not so much we shouldn't care. It's
we should be very careful about what rights and freedoms we give up and how
much power we give to a state to scrutinize our daily lives when the very
thing we are trying to prevent has not had a major impact on our daily lives.

Yes, it had a major impact on some people and their families and their pain is
not to be dismissed lightly but on the other hand we should not give up our
way of life to prevent these things from happening, especially when evidence
supports that the new laws that are written after these events seem to do very
little to actually further protect us.

While a little sensational I think the graphic in this article concerning the
TSA in the US does a pretty decent job of summing up exactly what we've gotten
from "enhanced" security in the US.

[https://www.techdirt.com/articles/20120405/04390118385/tsa-s...](https://www.techdirt.com/articles/20120405/04390118385/tsa-security-theater-described-one-simple-infographic.shtml)

------
brudgers
Announcement at CNIL: [https://www.cnil.fr/en/windows-10-cnil-publicly-serves-forma...](https://www.cnil.fr/en/windows-10-cnil-publicly-serves-formal-notice-microsoft-corporation-comply-french-data-protection)

------
acd
I switched to Ubuntu because of Windows 10. Using Linux as a primary operating
system works great as a developer.

There is a saying which says if a product is free, "you are the product".
Microsoft made the upgrade to Windows 10 free, I guess, so that they can mine
data about you and your habits. That data is valuable for marketing purposes.

Wireshark traffic dumps show a lot of data going to Microsoft telemetry.

I choose to say no to that data collection, instead wanting to keep a bit of
privacy.

Has some security wiz MITMed the Microsoft telemetry server with their own
cert to inspect the data collection traffic?

~~~
Meegul
I recommend disabling some of the Amazon integration in Unity if you're
concerned about your privacy. This shouldn't be too difficult, even if you're
new to Linux. I'd also suggest getting Unity-tweak-tool and playing around
with some of the settings in there.

EDIT: Just realized that since 16.04, Ubuntu no longer has online search
results enabled by default in the Dash. Still though, play around with some of
the settings!

~~~
0xmohit
One doesn't really need Unity, does one? Openbox is awesome. It doesn't hog
system resources either.

~~~
Sylos
Yeah, but Openbox isn't suitable for new users, at least not on its own. As
part of something like LXDE or LXQt, it's definitely workable, but without a
deeper understanding of Openbox, those are pretty much as good as any other
Desktop Environment (except maybe that LXDE/LXQt are also among the lightest
DEs around).

I would rather recommend either Ubuntu GNOME, if you want a rather
unconventional, but highly integrated, highly user-friendly interface, or Linux
Mint Cinnamon, if you want a cleaned up Windows-like interface, or Kubuntu, if
you want a Windows-like interface which just smothers you in options, tweaks
and customizability.

------
serge2k
> the four-character PIN system used to access Microsoft services is insecure,
> because there is no limit on the number of attempts a user can make.

I just tried logging in with my PIN.

After a handful of tries I was given a string to enter before I could try
again. I did that. After another try I got told to restart the device before I
could try again.

So it doesn't look like 10 tries and locked out forever, but rather increasing
penalties for incorrect attempts. Which is fine.

Oh, and my PIN is 6 characters long.

If they don't have this right why should we believe them about any of their
other claims?

------
zamalek
_> Microsoft: users are in control with the ability to determine what
information is collected

> Microsoft: so enterprise customers will be able to completely turn off
> telemetry if they choose[1]_

Which is it, Microsoft?

[1]: [http://www.techrepublic.com/article/windows-10-now-lets-you-...](http://www.techrepublic.com/article/windows-10-now-lets-you-turn-off-tracking-but-only-if-youre-a-business/)

~~~
Piskvorrr
"Determine" also means "find out"; not necessarily "decide".

~~~
zamalek
> find out

What is the wire format of the telemetry data? How do I access the UI that
tells me _exactly_ what telemetry has been sent to Microsoft?

~~~
Piskvorrr
Don't ask me, I'm not MS. Just pointing out that there are enough weasel words
in there that the text can be twisted to be sort-of-not-entirely-false.

~~~
zamalek
I can agree on that point. The point of my comment wasn't necessarily the
truthfulness of either quote, merely that they really need to follow through
on what they are saying. Their hands and mouth seem to be in a state of
disconnection.

------
ionised
This is a step in the right direction, but no fine they can levy will be
sufficiently punitive.

Companies like this will continue on and consider things like this simply the
cost of doing business.

Kind of like banks. They don't give a fuck.

~~~
tajen
The EU commission levied a $2bn (yes, billion) fine for Microsoft antitrust
problems, i.e. the stupid removal of the choice popup for the browser in XP
SP3 and not giving the API documentation to some editor. Those two things were
very stupid misgivings by Microsoft: they were almost going out unscathed,
and they played with fire towards the end of the trial.

Since then, I like the EU commission. As long as they can bend the master
plans of dominating US companies.

However, I don't see how the forced Windows upgrade didn't lead to a
requirement to reimburse every user of their stripped Windows 8 license.

------
0xmohit
With LinkedIn [0], Microsoft has much more in its arsenal.

That said, who cares. I've hardly seen anyone use uBlock Origin, Ghostery or
Privacy Badger. OTOH, people love tools [1] that read your email and notify
about due bills and the like.

[0]
[https://twitter.com/darylginn/status/590664399041519617](https://twitter.com/darylginn/status/590664399041519617)

[1] Google Now

------
72deluxe
I have LittleSnitch on my Mac and observe the requests that my Windows VM
makes. I believe you can use an equivalent tool on Windows, such as GlassWire,
or also the very useful tool O&O ShutUp10 with which you can disable telemetry
settings.

~~~
Sylos
Wireshark is most commonly used for packet sniffing.

[https://www.wireshark.org/](https://www.wireshark.org/)

------
VOYD
Good luck with that.

------
dogma1138
Windows 10 petite edition - coming soon.

~~~
dingaling
Or perhaps the opposite; sell only the Enterprise edition in France, with its
ability to disable telemetry... at a price.

~~~
tajen
...and lose market share. Microsoft really needs to keep its product
prominent, especially today, especially in home products. So the EU
commission actually has leverage to forbid certain behaviours.

Microsoft, then Android, please ;)

~~~
Grishnakh
Oh please, what are people going to do, switch to Macs? Or Linux? People have
shown over and over that they're willing to accept any treatment Microsoft
sees fit to give them, and that they will not abandon the Windows platform no
matter what. MS can do whatever they want and customers will just take it.

~~~
tajen
The upper comment says "What happens if Microsoft only sells the Enterprise
edition in Europe?"; it will increase the price. In the absurd event when
Microsoft doesn't sell the OEM anymore, people would have to pay $250 for a
Windows license, which will make a lot of people switch. Yes, to Linux for the
best, and to Mac for the new buyers.

~~~
Grishnakh
Paying $250 for a Windows license is still less money than they're going to
pay for a new Mac. Macs are very expensive.

And even so, lots of people have software that isn't compatible with Macs (or
Linux for that matter).

I'm honestly curious what would happen if MS decided one day to jack up their
Windows license costs to, say, $1000 per copy. Or what about $500? Would their
revenue go up or down? Obviously, some people would switch to something else,
a bunch more would just stick with what they have, but people do buy new
computers now and then, and businesses are always refreshing. Combine this
with "updates" to existing Windows versions to make them slower and slower and
slower (like iOS does) to force people to get new versions of Windows, and it
seems to me MS would probably make a lot more money by gouging customers as
much as they can.

~~~
dogma1138
If MSFT charges $1000 for Windows it wouldn't matter much (other than negative
press); most Windows licenses are sold through the non-retail programs such as:

Enterprise/Volume Licensing, SMB Licenses, Educational Licences (Students and
Teachers), Developer Licensing (MSDN), Microsoft @ Home (buying considerably
discounted licenses through your employers) and OEM licenses for retailers and
system builders...

Since Windows 7 the vast majority of the windows licenses that are not VL are
cooked into the machine (stored in the BIOS) and are effectively non-
transferable (OEM lic's were never transferable, but now there is no sticker
with a key anymore).

If microsoft decided to charge 1000% for the retail the majority of the
licensing programs would be immune, OEM's/System Builders would love it (can
rack up the prices since Windows is so expensive now), and pretty much none of
the normal users would care/be affected by it directly.

~~~
Grishnakh
Ok, maybe I'm not being clear, I'm not talking about MS just raising prices on
certain licenses, but really across the board. What if they also jacked up
their license costs for the ones "cooked into the machine", and also their
Enterprise/Volume licensing?

Heck, I think they have even more room to screw their customers with the
Enterprise licensing, not only for Windows but all their other enterprise
products too. What are big businesses going to do, suddenly switch to Apple?
Obviously, they couldn't do this overnight, but they could certainly jack up
their enterprise license costs to 5x when they come up for renewal. They'd
probably want to avoid doing this too much for some things where there's
actually competition (like with SQL Server: businesses might switch to
Oracle), but with Windows, MSDN, etc., they could. Where are customers going
to go?

~~~
tajen
It's a company with millions of dollars on marketing. You can bet they've
studied their price point and it is exactly at the right ratio between sale
quantity and sale amount. If Linux became unsafe/untrusted (e.g. unapproved by
S&P500 audit companies for example, or if black-hat activities were
discovered at the kernel level of Linux), however, they would become a
monopoly on PCs, and they indeed could triple the price.

~~~
Grishnakh
I'm sorry, I have to disagree with this. I don't see how the perception of
Linux's security would have anything to do with Microsoft's pricing for
Windows. As much as I wish the case were different, Linux is simply almost
never considered as a viable alternative to Windows (on the desktop), except
in a few rare cases which are so rare, they become big news items (e.g. city
of Munich government). Both companies and individuals are too invested in
Windows and its software ecosystem to even contemplate a change, except maybe
to Macs. I do see more people switching to those, both individuals and
companies actually (I almost interviewed at a small company that was all-Mac).
So if MS quintupled their prices for Windows Home/Pro, I could definitely see
that spurring a defection to Macs, though I still doubt it'd be that big
because of the installed base of Windows software that doesn't have a Mac
version. Also, Macs just don't seem to be set up for enterprise use the way
Windows is, and while Linux can be, it takes more IT competence than I've ever
seen at a large company (which these days seem to be outsourcing to external
vendors anyway).

------
sievebrain
Ah, CNIL.

What counts as "excessive"? Apparently whatever someone at CNIL thinks is
excessive. I can imagine that Microsoft learning what apps you download is
inevitable given their reputation based malware detection scheme: no way for
that to easily work except by IE checking in with Microsoft to find out if a
program is known malicious or not. And figuring out if a program is actually
interacted with or not seems like a pretty good signal to determine if a new,
unknown program is a silent botnet or not.

"4-PIN limit is insecure, because there's no limit on the number of accesses"
is exactly the kind of bureaucratic central-planning nonsense that France has
so many problems with. You do not need absolute counted limits on a
password/PIN system to make it secure. You just need to take other steps to
make brute forcing infeasible, like throttling the rate of attempts. Why is
CNIL attempting to micro-manage the code for the Windows authentication
systems, something they are clearly not qualified to do? The details of
Microsoft's security system are their concern alone: if users dislike the way
Microsoft do it, then they have other alternatives they can easily switch to.

I suspect Microsoft may do what other big companies do and simply ignore CNIL
completely. They can only hand out relatively small fines and it's easy for
big companies to just pay them off to make them go away. Their rulings have a
long history of being completely unreasonable so it's usually the easiest
path.

~~~
liotier
> What counts as "excessive"? Apparently whatever someone at CNIL thinks is
> excessive

"Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux
libertés" is quite specific about collection & processing of personal data. A
good example of what falls foul of this legislation: logging everything for
unspecified purposes to cross-tabulate it with other unspecified records in
case it might be useful in some way (which might not be in the user's direct
interest) within an undetermined timeframe, without letting the user know
about it precisely nor letting him opt out.

CNIL is annoying and their enforcement is spotty for lack of budget (so they
have to focus on landmark cases) - but their actions are well grounded in
legislation and actually protective of people.

> I suspect Microsoft may do what other big companies do and simply ignore
> CNIL completely

Please do that - I'm off to fetch some popcorn!

~~~
sievebrain
The use is always specified: usually something like "running existing services
and supporting the development of future services".

Oh, that's not good enough? Well now you are back to what I said: it's simply
central planning nonsense where a regulator makes up rules on the fly.

I have seen _no_ evidence that CNIL or indeed other bodies like them protect
people from anything. Please show me one, completely unambiguous case of
someone who was clearly suffering whose suffering was rectified by CNIL
forcing some change to a privacy policy somewhere. And I mean really has a
problem, not some emotional airy-fairy feeling that they'd prefer things to be
different, I mean concrete, quantifiable issues: like monetary loss.

There is no need for popcorn. I think the biggest fine CNIL can usually hand
out is like 300,000 EUR or something. Just pay it Microsoft and get on with
things.

