Source: MITM your iOS traffic.
Sidenote -- a possibly unforeseen side effect of end to end encryption everywhere is that it makes it far more difficult to man in the middle your traffic and hold companies accountable for their privacy policies.
You can turn it off from Settings > General > Spotlight Search. Uncheck "Spotlight Suggestions" and "<Default search engine> Web Results".
The "About Spotlight Suggestions & Privacy" link at the bottom of that settings page gives you instructions on how to do it too.
I don't think it's an unforeseen effect, but one that is highly downplayed by advocates pushing the security angle. When it was revealed that smart TVs phoned home with detailed viewing information, including filenames, I remember making a similar comment - if they had used TLS, that discovery might not have occurred.
The ability to MITM your own devices is very important, if only so you can figure out exactly what they're sending out.
Another thing is the widespread use of enforced code signing, accompanied by pinning to specific (e.g. MS) CAs; if this had happened a decade or more ago, it would've been pretty easy to pinpoint the parts of the OS responsible and just patch them out. Now the same thing is likely still possible (theoretically, as long as you can change any byte on the disk it is), but involves plenty of bypassing other protection mechanisms on the way and could get pretty hairy if hardware is involved (e.g. secure boot/TPM.) From this perspective, remote attestation and the other upcoming security technologies are immensely disturbing. The desktop PC ecosystem is gradually being locked-down in the same way that mobile is.
These security mechanisms certainly have benefits, but their goal is ensuring that your software is completely unchanged from what the author wants you to have; in situations like these, that is precisely what you don't want. Nevertheless, I hope the hackers/crackers out there find a solution so those that are forced to use Win10 can still retain some privacy.
Unfortunately, given how many in this very thread are willing to apologize for MS's behavior and justify their power grabs, I don't expect there will be much resistance in this War On General Purpose Computing.
In general, as long as you have root access to a machine, you can decrypt any traffic coming out of it, either by locating the private key in the filesystem or memory, or by patching the encryption methods to skip the encryption step.
If you do not have root access to a machine, and software on it signs traffic with a certificate you do not have access to, then you simply cannot see the traffic. If you ask me, that's a huge problem, especially when coupled with the "locking down" of ecosystems that you describe.
The skeptic in me wonders if the same entities pushing the privacy agenda are the same ones with vested interest in encrypted traffic that phones home.
It will even ignore a-0001.a-msedge.net in your hosts file.
Most people, even most developers seem to be pretty clueless with this stuff.
> Altogether, of the 639,283 [Android] apps in our data-set, 45 implement pinning.
Please name and shame, this sounds pretty surprising!
Highly recommend any material on the main site as well. One of the few legit infosec professors I have ever interacted with.
There are several banking-related apps listed here.
No. No application or OS should impose its own CA on an end user without choice. I get the importance of encrypted traffic flowing over the internet, but I also have concerns about traffic leaving my own network. Neither at my home or my business do I want an encrypted stream of traffic flowing out of my network without my being able to inspect the contents and know who the recipient is.
For example, you may leak information about sites recently visited, updates applied, etc. if you have a local proxy cache and subsequently look at response timings.
That depends on what you mean by privacy. We share information, sometimes sensitive information, with other parties all the time when we interact with them. I believe the essence of privacy is more about being able to choose when and how and for what purposes information is collected and shared and used.
I can't make a purchase using a credit card without the card company at least knowing who I'm paying and how much money I'm giving them. There's not much point going to see a doctor if you're not going to discuss your medical situation with them. If I go out to visit friends, someone passing me in the street is going to know where I am at that moment in time. That doesn't mean anyone else needs to know any of those things, or that they need to be used for other purposes or correlated with other data.
In any case, with a lot of information sharing that is going on with software and networked systems these days, it is far from clear that many of those "potential optimizations" are actually in users' interests at all. Obviously some facilities do need to analyse relevant data sets to make useful predictions -- personal assistants like Siri and Cortana, say, or recommending new material that is similar to what you've accessed before on Amazon or Netflix. But even there, the limitation is often that the technology isn't powerful enough to do the same things locally yet, not that the organisations running these services inherently need to know lots of data about you.
This is the core of the EU data protection principles. It's a very concise way of expressing things. There are two limitations:
- figleafing: the "cookie law" problem where everyone is made to agree to a useless dialog box, supposedly signing away their privacy in order to look at any web page with ads on
- it conflicts with the very strong American free speech principles, in which you can say anything you like about anyone on any basis. Privacy enforcement necessarily means silencing people talking about other people. The bad end of this is UK libel law. It's still present in the US "product libel" laws, although fortunately "ag-gag" was recently struck down.
The platform should hopefully be 100 % trustworthy (from an "it's free software so I can inspect it" point of view), as long as you do not choose to use a non-free graphics driver.
The convenience of one device is a big sell though, plus I think a device with a built in cellular modem is more fairly called a "phone".
It reminds me of the argument that "of course NSA spies, that's what it does" completely merging together the spying on dangerous targets for national security with the spying on every single person on Earth and for economic, blackmail and so on purposes. Reality is more nuanced than that.
Anyway, I've confirmed this. I've disabled web search and all of the other privacy options I've seen with Windows 10 during and after install. As soon as the first character is typed into the Windows 10 search box, the request goes out to www.bing.com. It doesn't say what you searched for (as the request happens before you complete the search), but it does send a lot of info to Microsoft about your platform, including a unique identifier.
Personally, I’d recommend using a combination of GlassWire for monitoring system changes and NetLimiter for the firewall.
¹ — http://www.netlimiter.com/products/nl4
² — http://www.netlimiter.com/Files/ImageGalleries/netlimiter-4-...
Glasswire! https://www.glasswire.com/ It's super slick. Apparently the paid version has an "ask to connect" feature.
But I can see how this can be a disruptive process, when all you want is some work done. I wish we lived in a place where I did not have to use tools like this.
Isn't this what e.g. Zonealarm has been doing for 15 years on Windows?
I didn't like the fact that it is opt-out and not opt-in, but yeah, way way better than Windows 10 for now.
Also note that Canonical took steps to ensure amazon doesn't get to imprint your system by proxying the requests through their server.
And, as soon as it's touched, the project maintainers can shut down the SourceForge repos and move on to someplace else.
It's not a guarantee of security, privacy or anonymity, but open source is still your best chance to get any (or all) of the three.
Things getting in can damage your data, but that is what back-ups are for. On the other hand, things getting out can leak your data, which is likely to be a one-way trip and, depending on the type of data, potentially a very expensive one.
Of course things getting in can also interfere with your device's normal operation, and in the brave new world of always-online systems and reprogrammable everything, if your system does get compromised today it may be extremely difficult to reliably clean it. The days of booting from an operating system's install CD and reformatting as a reliable recovery mechanism have long passed. This is not a good thing.
I don't know if there's any solution or if privacy is just a remnant of the past. Is Linux any better? And is there any way to own a smartphone which is built not to leak my information, either through the operating system or through 3rd party apps that request access to everything on the phone?
> I don't know if there's any solution or if privacy is just a remnant of the past.
The reason why you (and everyone else who thinks this way) feel there's no solution is because in your world, giving up a smart-phone or even using a non-Windows/Google/Apple device is a non-starter.
There are new phones coming out like Ubuntu's and Mozilla's that, while not perfect, absolutely are better alternatives. If you keep digging there are projects like Neo900 that respect privacy in totality. You could use a feature phone, or an old N900, or any bevy of alternatives but the price they come with is convenience :)
The last time I checked, Mozilla's Firefox OS phones appeared to be sending all home screen search queries to some unknown company in Israel, with no clear way to disable it.
You're right that it's not mentioned in the video. That's part of the problem; it's obviously something people care about and would like to be informed of.
Here is one bug report discussing it - and a "fix" involving stopping the queries in some very specific cases: https://bugzilla.mozilla.org/show_bug.cgi?id=1082787
Or how about this direct quote from Mozilla's CTO (wherein "e.me" refers to Everything.Me in context):
"So we send an XHR request for each letter to Google on Desktop (search box), and XHR requests to e.me on Firefox OS."
It's frustrating because there's no definitive end-date but they are much much further along than most thought.
When Microsoft bought the company (Nokia) they shut down all support for the phone, including SDK, app store, music store, maps, roads and software updates.
That's not what I was referring to, though. You and Nokia may have seen the N9 as the successor to the N900, but I certainly didn't, and I suspect the Neo900 team didn't, either.
I'm pretty sure Microsoft killed that one too.
Microsoft's strategy is to literally kill the competitors. They won't afford buying Google or Apple though :P
It's not as simple as just throwing out Windows and Office and switching to Mint and Libreoffice.
The Iceweasel bug that downloaded some icons silently on the first run was a big deal a few days ago. The problem was that Iceweasel doesn't ship the search icons with the package (legal reasons maybe), so it downloads them on the first run.
And this is considered a bug that will be fixed. Compare this to the privacy issues on any proprietary OS where they are considered to be features not bugs. Maybe there are other bugs that leak your privacy even more, at least they are recognized as bugs when discovered.
I'm really disappointed in Mozilla's track record on privacy. They always seem to choose features over privacy. See for example all of the patches sent by the Tor Browser developers for various info leaks that have been rejected as they would be inconvenient for average users.
It really seems quite pointless to work on a leak like this when there are so many others in the upstream that they refuse to patch (even if they have understandable reasons).
I wasn't aware of this, what kinds of leaks are you talking about? Care to supply us with some references?
A good place to start investigating if you're really interested:
That's a list of the original planned features for the TBB. You can clearly see they intended it to be a temporary thing until patches were pushed upstream, but it's still around and still adding new patches to fix leaks. You might try to search for the tickets for the issues above in the Mozilla bug tracker and you will see many WONTFIXes.
For a smartphone, you have to dig back into the past and find a Nokia N900 or an old-school BlackBerry; anything based on Android, iOS, or Windows Phone is going to snoop on you even if you tell it not to. Even FirefoxOS has glaring security issues, and Ubuntu Touch isn't ready for prime time.
> or if those are too obtuse (they can be difficult for the uninitiated to get into) try Ubuntu or Linux Mint.
For the uninitiated I'd cut to the chase and go straight to Linux Mint, there's just less to contend with.
Some time after initiation, depending on interests and needs, maybe work your way back up the stream to Ubuntu or Debian, or portage over to OpenBSD.
Thinking more about my post, I left out the option of just staying with Linux Mint after a noob gains experience.
Not that I'm anything like a role model, but it's my default personal distro, because it doesn't try to be the main focus of my computer experience, it just gets out of the way and lets me focus on the work.
But you can't go wrong with Mint as a "get out of my way" OS, as you said.
There are meetings taking place to work out what to do about this in various companies and the general answer so far is jump the sinking platform ship and "thank fuck we wrote everything in Java". Some of the big guys are already rolling out RHEL desktops.
I suggest using this incompatibility as leverage against this kind of data exfiltration. The only way a big company will change is when it hurts their pocket book. They might notice if enough businesses such as yours decline to use Windows 10 while complaining about this.
Of course, Linux is always a good choice, regardless of what MS is doing. If big players are already jumping to RHEL, now would definitely be the time to switch.
Microsoft knows it has lock in from a lot of people and it will abuse this. I think their aggressive cloud move with Office 365 and Azure's PaaS stuff is an example of how they are moving this forward further yet retaining a subscription. NOTHING is portable away from them without significant cost.
Edit: just the effort I started two weeks ago to move all my data to platform neutral formats and shift to Linux is less than 50% of the way through and that's just one person with 20 years of data.
Though I may still jump through the hoops to do upgrades on a couple more laptops just to get Windows 10 Pro licenses activated on them - fortunately one of them needs a wipe and reinstall anyway since it was factory restored with Win7Pro 32-bit instead of 64, and the other will need a larger SSD within the next year.
I wouldn't be surprised to see some updates to add better privacy controls - particularly for environments where privacy may be legally mandated. Not every small medical practice is going to be in a position to get Enterprise with possibly better handling of such things, nor will every small law office concerned about someone subpoenaing all of their search terms from Microsoft while they're preparing for a case.
Wondering if I should go through all the Windows stuff there and turn them off. Edit: just did (except for Edge and obvious internet related stuff).
Is there a way to change Firewall rules with a registry tweak? That would be the ideal way to distribute this.
You can get the rules and enable/disable them easily.
> New-NetFirewallRule -DisplayName "Search" -Direction Outbound -Action Block -Profile "Domain, Private, Public" -Program "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"
in elevated PowerShell should work.
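One way to apply and then audit the outbound block rule quoted above, as an added PowerShell example that is not part of the original comment. The function names `Set-SearchBlockRule` and `Get-OutboundBlockRule` are hypothetical; the rule name and program path are the ones from the command above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Function names are hypothetical;
# the rule name and program path are taken from the command quoted above.

$RuleName = 'Search'
$Program  = 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe'

function Set-SearchBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )

    # A program-scoped rule only matches the exact path it names. If the
    # binary is not there (renamed or moved package), the rule is inert.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Program not found at '$Path'; the rule will match nothing."
    }

    # Create the rule once; on later runs re-assert its settings instead of
    # stacking duplicate rules with the same display name.
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        $existing | Set-NetFirewallRule -Enabled True -Action Block `
            -Direction Outbound -Program $Path
    }
    else {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
            -Profile Domain,Private,Public -Program $Path | Out-Null
    }
}

function Get-OutboundBlockRule {
    # List every enabled outbound block rule with the program it is bound to,
    # and flag rules whose target binary no longer exists on disk.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $prog = $app.Program
            # 'Any' and 'System' are not file paths, so there is nothing to test.
            $isFile = $prog -and ($prog -notin @('Any', 'System'))
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                Program       = $prog
                ProgramExists = if ($isFile) {
                    Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($prog))
                } else { $null }
            }
        }
}

Set-SearchBlockRule -Name $RuleName -Path $Program
Get-OutboundBlockRule | Where-Object DisplayName -eq $RuleName | Format-List

# Toggle the rule later without deleting it:
#   Disable-NetFirewallRule -DisplayName $RuleName
#   Enable-NetFirewallRule  -DisplayName $RuleName
```

A `ProgramExists` value of `False` in the audit output means the rule is still listed as active but no longer covers any binary, which is worth re-checking after each OS update.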
Sorry for the useless comment that he may not see. I just hate seeing this.
> No. Way. Everything big business does is for the greater good of man. Not for their own bottom line.
Who are you vegetables? 
> Why don't you just... Exercise? 
> No shit. 
> Thanks for that captain obvious 
> Hope you go away forever chairman Pao. 
> Have you heard women talk? 
And many more you can read for yourself. Being shadow banned sucks, no doubt, but this poster is obviously not contributing anything of worth to this site. It was just under a year ago that they appear to have been shadow banned for the last comment and nothing of any real value has been submitted since. So while I'd normally hate seeing this I can't help but think this is exactly what the system was put in place to do. The poster is free to create a new account and try to follow the rules and realize this isn't reddit.
* before you complain I use the start menu to launch the terminal: I never remember Ubuntu shortcuts, it's meta+t on my system
(Call me crazy, but because of this I've come to not mind the basic Windows 8 start screen. It's not as good as the classic start menu, but compared to the Windows 7 one you can at least arrange it for quick access to a larger number of programs.)
"It's not going to happen without having that data culture where every engineer, every day, is looking at the usage data, learning from that usage data, questioning what new things to test out with our products and being on that improvement cycle which is the lifeblood of Microsoft."
1. Run gpedit.msc
2. Navigate to Computer Configuration\Administrative Templates\Windows Components\Search
3. Set the State to Enabled for "Do not allow web search", "Don't search the web or display web results in Search", and "Don't search the web or display web results in Search over metered connections"
Be aware that software can choose to not use a system-configured proxy. It's a good tool to use, but absence of traffic in Fiddler is not a definitive result, not least because it's tracking HTTP traffic only. Wireshark is probably the next best option.
For completeness, I ran Wireshark and didn't see any outbound HTTP (or otherwise abnormal) traffic while searching from the Start menu.
I'm not sure I was quite as thorough, so I'll retest this tonight using your specific suggestions.
Also, if you know how CDNs tend to structure their DNS entries for their clients, you can remove all but seven of those entries from the list.
I don't think we're doing ourselves any favors by speculating what Aunt Tilly might think of a long list of human-unfriendly domain names.
Meaning the .com is basically just the UI that sends all its information to the .net to be processed, then back to the .com to be rendered? What's the benefit of that to the company, instead of having it all on the .com site?
Sort of, yeah.
I can't tell you why you'd want to have a front office/back office split like that, but I could speculate: Domains are cheap, and it might reduce cognitive overhead to have a .com/.net operational split.
Setting cookies for one third-level subdomain and serving assets from another still sends all of the cookies across when fetching the assets?
e.g. cookie.example.com and assets.example.com
So, is that a "yes" to my question? A "sort of"? A "it's too complicated to summarize"?
Things like Google Analytics also set cookies by default on *.example.com so you'll have to figure out a way around that.
It seems to list an awful lot more URLs. Probably after startup though.
It's important to note that this is _not_ info that you search for. No search query was included. Just a lot of identifying information about my machine.
Not surprised that MS does this, however the sad part is for a simple search, there are literally thousands of bytes exchanged.
For people on capped connections, this is a nightmare. 4kB/search, for using your computer normally! Even though 100 searches/day is only 12MB of data/month, the fact that Microsoft thinks it's okay for the OS to slurp data like this boggles my mind.
For example, even in the Australian market (very low competition environment), 12MB of data via 4G is trivial.
Apple gives OS X away but nobody has yet got the memo that you are becoming the product. (Yosemite does exactly that by default - you can disable it though.)
A much more pragmatic conclusion is that they think this feature is something that users want. And in Apple's case, as well as others, it probably is.
(I also feel like analyzing specific pricing decisions is missing the forest for the trees of "If you're not paying for it, you're the product." It mostly applies to whether an entire business model is free, e.g. Facebook. Several years back, Microsoft used to give out free memory-card-to-USB adapters for the original Xbox, intended for keyboards for MMORPGs, but also useful for jailbreakers. I requested one. Did I become the product?)
Each thousand dollar phone is making many times its manufacturing costs in profits. I expect that there is a large enough margin on phones sold to fully fund R&D not just for iPhones and iOS but the Apple Car, its OS and battery technology, and whatever other projects are in the works.
Apple makes their money selling premium ITC. They don't need to sell your personal details.
They innovate in the hardware space and physical design space, but all of their competitors will make copies of their hardware advantages after a few years. To keep on being competitive, their entire experience has to be superior. And what is harder to copy properly is the software experience.
Engineering cost wise, it's cheaper to just keep the software train rolling than to have older versions persisting that you have to continuously support. That is why they don't charge for it, because it's cheaper for them if you upgrade sooner and become part of the marginal few they can ignore if you're a straggler. And 'free' has far higher adoption rates than even $1.00.
Do you expect your laptop to be crawling the internet?
EDIT: I just noticed I have spotlight settings turned off. Unless I forgot turning it off, I was either asked whether I wanted to turn it on, or it's off by default now.
Microsoft is doing the customer is the product thing that others have done for like the past decade. It is how they can give away Windows 10 upgrades for free, even to pirated copies, and still earn money off of it.
If you don't want to be tracked or spied upon:
You shouldn't be using Windows but one of the free or open source alternatives instead.
HIPAA compliant offices cannot use Windows 10 because of the tracking it does and patient privacy laws.
Even worse is the Wifi sharing with social networks, if even one of your corporate employees has it turned on, their friends can get access to your Corporate Wifi and it is a security breach. You'll have crackers trying to friend employees on social networks of your company just to get the Windows 10 Wifi sharing password to get into your corporate network.
Even with all of the privacy settings turned off, there is most likely more stuff that phones home.
You know that given enough time video gamers will be forced into DirectX12 and have to use Windows 10. That business apps will be written for Windows 10 and force companies to upgrade. Sooner or later most people will have to upgrade to Windows 10 in order to run the software they need.
Woe be to the person who chooses express settings during startup. They will wonder why their Internet is so slow and woe be to them if they have a tablet with a data plan and wonder why they go over it.
Your first mistake was using a simple WPA pass-phrase to secure your corporate WLAN. If you aren't deploying RADIUS and requiring users either present a valid client certificate or their domain credentials to gain access to your corporate network you have already lost - and this goes for any of your wired ports too...
A lawyer of mine has her husband handle their network and PCs. Still running XP and Vista, using ClamAV for AV, has clients access the XP PC to watch videos and they could click on any link or browse any address when they aren't looking. You'll find a lot of small law firms work like that.
Which is turned off by default....
I have the default search settings.
If you really don't have these being made, please share with us your settings, anything you suspect may have disabled these? I've been unable to find anything and I've applied the tweaks from this article, including the GPO changes:
However, it does download some app images that are displayed in my start menu for apps that are advertised in a "play and explore" category in the Start menu.
If I select Settings in the search menu it says "Online search isn't supported in your region". I can enable Online Search, but even then I need to explicitly select "Web" as opposed to the default "My Stuff" before it opens a browser and connects to Bing.
This machine including privacy settings was migrated from Windows 8.1. When I installed that I selected custom settings and disabled most of the privacy sensitive settings.
Google perhaps sets the benchmark, every single action you take in Google apps, whether native or web, is tracked extensively.
As far as I know Chrome OS isn't an exception.
Perhaps we need firewalls to protect us from our own software.
As far as what the contents of the package being sent is, I'll assume it is more information than necessary, and probably over-reaching until they get a slap on the wrist, but to call this phoning home is probably a stretch in itself.
-- Edit --
Apparently the search still phones home even if search is disabled, which makes my point mostly... pointless.
I still suspect that this was an example of Microsoft (intentionally) over-reaching and that they'll backpedal on this now that it has been brought to light.
Shame is, it feels like they are breaking any goodwill that the community may have still had left for them.
EDIT: I've changed the title of the post to clarify this. Hopefully that helps. 80 characters is quite annoying to work with.
I use Comodo firewall and have basically set up a load of rules to prevent phoning home of any kind except to check updates.
That said, I'm not using the Windows Store, Cortana, ModernUI apps, OneDrive or even a Microsoft Account at all so your mileage may vary.
I take it you don't believe in app stores, secure apps, AI, deep learning, cloud computing and similar modern rubbish ;-)
1) I do use app stores (F-Droid, Play etc) but I have no use for the Windows Store. Windows ModernUI apps are basically stripped down versions of more feature-filled desktop applications, so why wouldn't I just use them instead?
2) Secure apps? What does this even mean?
3) I love AI. I play games, so I have to.
4) Again, not even sure what you're suggesting.
5) I do use cloud services. Just not Microsoft, Google or Apple ones.
6) Modern does not immediately equate to good. This kind of thinking is naive.
My Windows machine is for games and games alone. I have no need or want of any of Microsoft's cloud integration.
Fair enough. You could have skipped the other six points.
> Windows ModernUI apps are basically stripped down versions of more feature-filled desktop applications, so why wouldn't I just use them instead?
Windows ModernUI apps are written to Windows Runtime, not the old Win32 API. This means they are available from a trusted source (not eg Download.com), they are easy to install, can be updated automatically, they are easy to uninstall, they are more controlled than Win32 apps, and they run sandboxed, so they are more secure.
If a ModernUI app does what you need, it would be sensible to run the app rather than a traditional desktop program.
I generally don't have problems with any of those things.
> they are more controlled than Win32 apps
Not necessarily a good thing for power users.
> and they run sandboxed, so they are more secure.
Already got my own solution for this.
> If a ModernUI app does what you need, it would be sensible to run the app rather than a traditional desktop program.
That's what I'm saying. In my experience they generally are inferior to most desktop applications that already exist and are far more powerful and featureful. It's been this way since Windows 8 debuted the Windows Store.
If at some point in the future that changes then I'll consider switching over to them properly. Until then, I'll stick with Win32 programs that are...well, better in both UI (in my opinion, they are easier to navigate) and features.
ModernUI apps are just Microsoft's foray into the walled garden ecosystem. I can't blame them for doing it this way, there is a lot of money to be made and Apple and Google are both doing it so they run the risk of being left behind.
I still like control over how my operating system and the applications on it run though. I'm not an error-prone casual user. I don't need the use of my OS and programs dictated to me, nor do I like my applications to be delivered through a single vendor-controlled portal.
Good for you. Sadly, roughly 1.5 billion people frequently do have problems with all of those things.
> Not necessarily a good thing for power users.
Windows isn't written for power users. If it were, Microsoft would be a very small and very poor company.
> Already got my own solution for this.
Good for you. Sadly, roughly 1.5 billion people don't.
> In my experience they generally are inferior to most desktop applications that already exist and are far more powerful and featureful. It's been this way since Windows 8 debuted the Windows Store.
Absolutely true. But, as you say, the vast bulk of users seem to be very happy with iOS- and Android-level apps. Microsoft's strategy is to run the apps that most people appear to want.
> I can't blame them for doing it this way, there is a lot of money to be made and Apple and Google are both doing it so they run the risk of being left behind.
Yes, well put. That hits the nail right on the head....
App Stores are just repositories by another name.
Secure apps are just signed binaries.
Cloud computing is just, "pay someone else to host your shit" same as it always was.
I'm not the person you replied to but I share his views. I use all of these 'modern' luxuries but in my case I'm in control of them.
Luckily, you have 30 days to change your mind and return to Windows 7. I did it within hours. I never liked Windows 8 and I think I dislike Windows 10 even more. No wonder they're giving it away because had they tried to sell it then it would have probably met the same fate as Windows 8.
And this is relevant to a customer now as in what?
I'm getting tired or too old for this "continuous, agile, push now make it work later" attitude of products that's out today.
Actually, silly ToS language and spyware don't really matter. The entire update/versioning process with MS is so painful that distros like Ubuntu start to seem the easier option.
So you're saying that 2015 is finally the year of Linux on the desktop? That prediction has been made before. That prediction has never come true, and never will. IMO.
I installed Windows 10. I turned off Cortana web search so it now only searches for stuff on my laptop. Convenient.
I also turned off all camera and microphone use. Easy enough to turn on if I need it.
Search for "privacy settings", hit the first link and turn off what you want. (I turned off just about everything.)
I think that as long as I use Privacy Badger in my web browsers, use DuckDuckGo as my default search engine, and make sure to install security updates and scan daily, that my cheap little Windows 10 laptop is reasonably comparable privacy-wise to my two Mac laptops, but less private and secure than my three Linux laptops.
Seriously, I think it is a mistake to talk non-tech family and friends out of using Windows 10. Just help them make the right privacy settings.
Additionally, the worst thing is that the average Joe probably won't even notice all those obfuscated settings. Of course a power-user can disable most of it, but it's not about them and that shouldn't be a thing to begin with, especially in a paid software where we are supposed to be the customers.
The thing is, I don't think avoiding Windows 10 is an overreaction at this point.
The new business model, starting with giving Windows 10 away for free and aiming to make money on what you do with it instead, is a fundamental shift from previous Microsoft products under the Windows brand.
Finally, for most users, updates are now automatic and can't be turned off. That means any workarounds that are contrary to Microsoft's new business model can simply be turned off remotely by Microsoft. Nothing you configure in any settings or block in any firewall hosted on the Windows device itself can be trusted.
It's only paranoia if they're not out to get you.
I think it is a mistake not to talk anyone you know out of using Windows 10. You can opt out of using on-line services like Google or Facebook if you are concerned about your privacy. But if you can't even trust your own desktop OS, you essentially have no privacy at all the moment you switch on your computer. Even for a generation that thinks nothing of sharing a lot of personal thoughts and photos on social networks, that is a big step.
There isn't a new business model, and Microsoft is not giving Windows 10 away for free. What it is offering is a free upgrade to Windows 10 to people who have paid for Windows 7 or 8. This isn't really any different from iOS and Android users getting free upgrades on devices they have also paid for. It's what people expect.
> Finally, for most users, updates are now automatic and can't be turned off. That means any workarounds that are contrary to Microsoft's new business model can simply be turned off remotely by Microsoft.
You can't turn off updates to Gmail or Facebook either. Same goes for most mobile apps. Or your Chromebook.
What has changed is that Microsoft is building a cross-platform mobile ecosystem in which Windows 10 is a mobile operating system. Think: cloud-first, mobile-first, and Software as a Service. (Windows 10 will run on phones.)
Now, I'm not saying that the permissions required in Windows 10 are right. What I am saying is that the permissions suitable for a cloud-based cross-platform ecosystem* with a built-in intelligent agent and deep learning (AI) capabilities are not the same as the ones required by an old-fashioned standalone operating system, and should be evaluated in that context.
* Windows 10 devices (phones, tablets, PCs, games consoles), OneDrive, Azure, Office 365 (PCs, Macs, tablets, smartphones), Windows Store, Bing, and dozens of apps on Windows 10, iOS and Android etc. This is comparable to the iOS and Android ecosystems, not to standalone Linux.
> that new version is no longer a traditional desktop OS like previous versions of Windows
It's no longer a traditional desktop OS, but that change is not new to Windows 10. It was already the case with Windows 8.
> You also glossed over all the spyware and the ads that you can pay^Wsubscribe to remove even running basic software locally on your own system
Not really. Windows Store apps behave just like other people's store apps. It's exactly in line with the current culture of "free". I'd guess that Microsoft doesn't like it any more than you do, but thinks it needs to become like Android to prosper in a world that's averse to paying for stuff, or even thinks that paying people to write code is evil.
Windows 10 is designed for people who aren't interested in computing and don't want to be bothered with having to maintain their PC.
There's certainly a change in the technology approach, but the idea of developing point releases may have been sub-optimal for five or 10 years. The idea with Windows 10 is to use Big Data from actual usage to drive continuous improvements. Exactly like Gmail, Facebook etc.
I personally choose to pay a premium for my mobile by using an iPhone rather than an Android precisely because I am put off by this constant intrusion into our privacy. So I am not exactly thrilled to see Microsoft adopting the Google approach.
All hyperbole aside, I'm glad for HN threads like this. I don't need to read the article to get the gist. And I also gain perspective from all the comments posted here.
I assume it's like all those sort of services, like the Google Chrome address bar, etc.
From what I understand about the matter, the information sent is a regularly regenerated random ID and some machine information. Compare that with a Tesco's Clubcard or Walmart's Credit Card: given the information you provide them with, these companies may know what you eat, how much you spend, where you live. They can judge your income, they can project your financial situation into the future, and they probably know when you go on holiday. And I don't really think people opting in on those products really understand these implications.
I think this issue is overblown only due to it belonging in the area where most commenters here work. As I see it, there are business practices way more harmful to privacy than this, but they are happily ignored by the pop-privacy crowd just because they are convenient and have been in place for a long time.