Microsoft opens up on Windows telemetry, tells us most of what data it collects (arstechnica.com)
170 points by discreditable 5 hours ago | hide | past | web | 162 comments | favorite





The actual list of what it gathers: https://technet.microsoft.com/itpro/windows/configure/config...

Included:

"Storage attributes, such as number of drives, type, and size" -- So ID numbers of all USB storage drives you've connected? Better not put sensitive data on a USB and send it to a journalist...

"the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app." -- To e.g. determine when you used the TOR browser, since the difference in uptime between two time points is how much it was up during that interval.

"App usage data. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started" -- Oh, never mind, they also explicitly state they gather which apps you have installed and how much and when you use them in the next section.

"Accessory device data. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system." -- Print poster and glue it to a wall -> Printer gets identified via tracking dots ( https://www.eff.org/pages/list-printers-which-do-or-do-not-d... ) -> Printer is linked back to you, even if you bought it with cash. I hope you didn't print anything your local sheriff would dislike!

Edit: This is all in the 'basic' level, which you can't disable.



So enough software information to know everything you do, and enough hardware information to fingerprint you.

How in the hell can this just be called analytics?

This level of data isn't anonymous. It can't be.

If another piece of software did this, Microsoft would label it spyware and Windows Defender would kill it.

Yet, they feel fine doing this with an OS that they actually sell. It's not even crap freeware. You pay to have your every move watched.



Between browsing, searching, Android phone telemetry, and GMail, Google already has better than that level of data on pretty much everyone already.



https://en.wikipedia.org/wiki/Whataboutism



Pointing out that Google/Android sucks just as hard doesn't excuse Microsoft.

aka, what dandelion_lover said.



> This level of data isn't anonymous. It can't be.

Is there some big list of the hardware I have bought? If not, sure, they can fingerprint me, but I don't see how it de-anonymizes me.



De-anonymization is incredibly easy (bordering on trivial) with any rich data set. For example, 87% of the US population is uniquely identifiable by their combination of DoB, zip code, and sex [1]. The richer a dataset is, the easier it is to de-anonymize. This is a pretty rich dataset.

[1] http://latanyasweeney.org/work/identifiability.html



If you get enough info... and compare it to someone else's set of info... there is going to be an intersecting set of information.

Combine that with unique combinations... and you get an increasing confidence of who the end user is.

It's why they suggest you don't "full screen" browsers when using tor... Stuff like browser sizes can identify you:

https://security.stackexchange.com/questions/102133/how-can-...

It's easy to tell that if a custom screen size can identify you... what will other unique traits do?

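An added example, mine rather than any commenter's or Sweeney's, that puts a number on the point made in this comment and in the de-anonymization comment above it: how many records in a dataset are unique on their quasi-identifiers, and what k-anonymity the dataset has, before and after the fields are generalized. The records are constructed (date of birth, ZIP code, sex); the same measurement applies unchanged to hardware or browser attributes such as screen size, drive count or printer model.

```python
"""Added example (not from the thread or from Sweeney's paper): measuring how
re-identifiable a dataset is from its quasi-identifiers. Every record below is
constructed sample data in the form (date of birth, ZIP code, sex)."""
from collections import Counter

# Constructed records; none describe a real person.
RECORDS = [
    ("1979-03-12", "02139", "F"),
    ("1979-03-12", "02139", "M"),
    ("1985-11-02", "02139", "F"),
    ("1985-11-02", "02140", "F"),
    ("1985-11-02", "02140", "F"),
    ("1990-07-30", "94110", "M"),
    ("1990-07-30", "94110", "M"),
    ("1990-07-30", "94110", "M"),
    ("1962-01-15", "10001", "F"),
    ("1962-05-20", "10002", "F"),
]


def equivalence_classes(records, key):
    """Group records by the quasi-identifier tuple that key() extracts."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key):
    """The k of k-anonymity: size of the smallest equivalence class.
    k == 1 means at least one person is uniquely identifiable."""
    return min(equivalence_classes(records, key).values())


def unique_fraction(records, key):
    """Share of records that are alone in their class, i.e. re-identifiable
    by these attributes alone (the 87% figure in the comment is this number
    for DoB + ZIP + sex over the US population)."""
    classes = equivalence_classes(records, key)
    singletons = sum(1 for r in records if classes[key(r)] == 1)
    return singletons / len(records)


def full_key(r):
    """Exact date of birth, 5-digit ZIP, sex."""
    return r


def generalized_key(r):
    """Birth year, 3-digit ZIP prefix, sex."""
    dob, zip_code, sex = r
    return (dob[:4], zip_code[:3], sex)


def coarse_key(r):
    """Birth year and ZIP prefix only."""
    dob, zip_code, _sex = r
    return (dob[:4], zip_code[:3])


if __name__ == "__main__":
    for name, key in (("full", full_key), ("generalized", generalized_key),
                      ("coarse", coarse_key)):
        print(f"{name:12s} k={k_anonymity(RECORDS, key)} "
              f"unique={unique_fraction(RECORDS, key):.2f}")
```

Each added attribute (a drive serial, a printer model, a screen size) shrinks the equivalence classes further, which is why a rich dataset needs no name column to identify people; generalizing or dropping attributes is what raises k.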


I'm not sure that they do this, but all it would take is for it to be tied to the license key you bought from microsoft.



Which is conveniently taken care of when you sign in using your Microsoft account.



> > "the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app."

> To e.g. determine when you used the TOR browser, since the difference in uptime between two time points is how much it was up during that interval.

Having personally talked with Microsoft engineers who handle what this data is used for, I can tell you they take PII very seriously and per user details aren't being shared with 3rd parties (at present). Could they be misusing this? Or start selling it? Yes, but it would be an incredibly dumb idea from a brand value perspective, and I trust them to at least protect that. (I do honestly think that like most people, Microsoft employees are well-meaning individuals with good intentions)

What is this data used for? The most common use is to tell a large software developer "you have a memory leak in version 3.1.x when running on 4th gen intel CPUs with driver version 11.3" or similar. So companies with wide install bases (Oracle, IBM, other Microsoft divisions, etc) can fix issues which impact literally millions of users.

If anyone reading this has ever received this sort of Microsoft communication about your software, could you share your experiences?



> Having personally talked with Microsoft engineers who handle what this data is used for, I can tell you they take PII very seriously and per user details aren't being shared with 3rd parties (at present). Could they be misusing this? Or start selling it? Yes, but it would be an incredibly dumb idea from a brand value perspective, and I trust them to at least protect that. (I do honestly think that like most people, Microsoft employees are well-meaning individuals with good intentions)

Being an American company, you also have to worry about Microsoft being compelled to disclose per-user details with law enforcement or the intelligence community. They have no choice when it comes to this, so allowing them to have this data at all is dangerous.



> Microsoft employees are well-meaning individuals with good intentions

Then let me disable this telemetry completely, I'm fed-up with people that know better than me what's good for me.



It's typically systems and corporate structures that are the problem not individuals.



Thanks for your input in this conversation. That's really informative.



I was being serious, I thought that was really helpful input.



Thanks dude.

While (like many here) I'm very privacy oriented, this is a situation where Occam's Razor applies.

https://en.wikipedia.org/wiki/Occam%27s_razor



This is awful, but if you use a smartphone, this is about the same telemetry that has been collected on you for years. Microsoft is just keeping up with the times.



One difference being that seriously privacy-sensitive or -critical smartphone users can avoid using Google's services on their phone and create a firewall whitelist, or a filtering loopback VPN, to avoid leakage.[0]

Not that that's ideal, but it seems a lot better than Windows 10's seemingly indefatigable ways and means of sneaking data out. Ignoring the hosts file and DNS responses is just rude.

[0] baseband attacks are still a problem, but at that level of threat then the BIOS or management subsystem on your PC isn't trustworthy either.



"avoid using Google's services" implies using an Android build that doesn't include Google Play Services, which means you're probably going to have to download and flash it yourself. If you're willing and able to do that, you can probably handle using Linux on your desktop, which is the analogous alternative on the PC.



I agree entirely, and I'm not happy with the current state of the smartphone landscape, but I was trying to illustrate the difference between 'user hostility' in Android, for example, and downright 'user evasion' in Win 10.

Not that I think Android is on a good trajectory in terms of user control, but hopefully alternatives such as Sailfish gain traction.



... or even something as simple as blocking MS IP ranges and domains, which should be far simpler than rooting an Android phone.



CopperheadOS sells preflashed phones.



As well as Tehnoetic [0]. But unfortunately those phones are not very usable.

[0] https://tehnoetic.com/tehnoetic-s3-phone-replicant



I disagree with this completely. It's drastically easier to control the network environment on a desktop platform, where it goes through routers and/or firewalls to get out to the Internet in most cases, and you can be an admin on the PC and tamper with the OS enough to block it.

On the other hand, most mobile devices have locked bootloaders, actively work to prevent giving the owner root access, and speak directly out to the Internet using proprietary networking modules.



There was a class action lawsuit over the preinstalled carrier iq agent that did this: https://en.wikipedia.org/wiki/Carrier_IQ

If you have a clean Android phone I suspect there is no monitoring going on. For example, if you use a community-built mod or build AOSP yourself.



"Telemetry gives users a voice"

Guess what mine is saying...



> Guess what mine is saying...

Hey, LANGUAGE!



They mean this quite literally too, as Microsoft employees direct everyone to use the Windows Feedback app to submit feedback, and the Feedback app refuses to function without Enhanced or Full Telemetry.

So, if you don't enable at least enhanced telemetry, Microsoft does not want to hear from you, does not care about your feedback, and no Microsoft employee will respond to your query on the matter.

I've tried to engage the Windows Insider folks over a couple different mediums, as far as I can tell they're barred from talking to anyone who even mentions telemetry.



This isn't the detailed list, here it is: https://technet.microsoft.com/en-us/itpro/windows/configure/...

I know Windows is a large piece of SW, but this seems "quite" big for the "Basic" level... :/



It's "Tor", not "TOR". From https://www.torproject.org/docs/faq.html.en#WhyCalledTor

> Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.



> So ID numbers of all USB storage drives you've connected? Better not put sensitive data on a USB and send it to a journalist...

This should definitely work for hard disks, which have a serial number in their SMART data, but do standard USB flash drives have any kind of unique identifier? There's the vendor ID, but that covers every single instance of that model of device. Or is there some kind of identifier at the filesystem level?



USB mass storage devices have serial numbers.



You have a point, but you oversell it with the hyperbolic commentary and it makes me want to disagree with you. I don't like agreeing with people who exhibit such sloppy thinking.



> This is all in the 'basic' level, which you can't disable.

Incorrect. Please stop spreading this misinformation.

http://winaero.com/blog/how-to-disable-telemetry-and-data-co...

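Whichever side of this exchange is right for a given machine, the first step is knowing what level it is actually configured for. The script below is an added example, mine and not from the thread, the linked how-to, or Microsoft; it reads the AllowTelemetry values from the Group Policy and Settings-app registry locations and maps them to the level names used in the TechNet document. The level numbers (0 Security, 1 Basic, 2 Enhanced, 3 Full) are the ones Microsoft documents for that policy; the precedence rule and the edition check are assumptions, marked as such in the comments.

```python
"""Added example (not from the thread, the article, or Microsoft): report the
Windows 10 telemetry level a machine is configured for by reading the
AllowTelemetry registry values. Only the read happens on Windows; the
mapping and combination logic is plain Python."""
import sys

LEVEL_NAMES = {0: "Security", 1: "Basic", 2: "Enhanced", 3: "Full"}

# Where AllowTelemetry is written: by Group Policy, and by the Settings app.
POLICY_SUBKEY = r"SOFTWARE\Policies\Microsoft\Windows\DataCollection"
SETTINGS_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection"
EDITION_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"


def level_name(value):
    """Human-readable name for a raw AllowTelemetry DWORD (None = not set)."""
    if value is None:
        return "not set"
    return LEVEL_NAMES.get(value, f"unknown ({value})")


def edition_supports_security_level(edition_id):
    """Assumption: only Enterprise, Education, Server and IoT editions honour
    level 0; on other editions a configured 0 behaves as Basic (1)."""
    return edition_id.startswith(("Enterprise", "Education", "Server", "IoT"))


def effective_level(policy_value, settings_value, edition_id):
    """Combine both sources into the level the machine will actually use.
    Assumption: a Group Policy value overrides the Settings-app value."""
    configured = policy_value if policy_value is not None else settings_value
    if configured is None:
        return None
    if configured == 0 and not edition_supports_security_level(edition_id):
        return 1
    return configured


def read_value(subkey, name):
    """Read a value from HKLM; None if the key or value is absent (Windows only)."""
    import winreg  # standard library on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _type = winreg.QueryValueEx(key, name)
            return value
    except FileNotFoundError:
        return None


def report():
    """Print configured and effective telemetry levels; returns the effective one."""
    if sys.platform != "win32":
        print("this check only runs on Windows")
        return None
    policy = read_value(POLICY_SUBKEY, "AllowTelemetry")
    settings = read_value(SETTINGS_SUBKEY, "AllowTelemetry")
    edition = read_value(EDITION_SUBKEY, "EditionID") or ""
    effective = effective_level(policy, settings, edition)
    print(f"policy   : {level_name(policy)}")
    print(f"settings : {level_name(settings)}")
    print(f"edition  : {edition or 'unknown'}")
    print(f"effective: {level_name(effective)}")
    return effective


if __name__ == "__main__":
    report()
```

"Not set" means neither location carries a value and the OS default applies; the script reports what is configured, it does not change anything. Run it as an administrator if the policy key is not readable by a standard user.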


> So ID numbers of all USB storage

Fairly certain USB drives don't have serial numbers, just vendor numbers that are far from unique.



They do. See section 4.1 of the USB mass storage spec.[1]

[1] http://www.usb.org/developers/docs/devclass_docs/usbmassbulk...



> If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.

Note that they don't tell you which of the other levels enables Windows Update telemetry, which is apparently helpful.



It's enabled with Basic.



I ranted in another article regarding Microsoft's Explorer Advertising about my frustration with MS conflicting with my desire to support the good work some of their teams are doing, such as C#, Visual Studio Code, and Typescript. After reading through the comments here about everything this covers and which cannot be disabled, I'm putting my money where my mouth is and I'm stopping all further use of C#, F#, Visual Studio, Typescript, Azure, etc. I know that my individual loss means nothing to MS, but it's clear that MS is dying to attract developers to their platforms; as such, we who are outraged at MS's privacy violations need to act together to reject MS technologies, as that is one of the few things that they will listen to.

Disclaimer: These concerns of course extend to other companies actions, but in the context of this article MS is the most relevant company.



Telemetry at the OS level bothers me to the point that I'm not a Windows user anymore, and I'm not planning to become one anytime soon.

But to be fair one should point out that Apple is also collecting telemetry data (search system logs for com.apple.telemetry) without any toggles in the system preferences.

Search results don't bring much info on what is collected and how it is being used. Does anyone here have insight into Apple telemetry granularity?



Fun thing is, they probably do the same, but:

- will do it well enough so that you can't find out

- control PR well enough so that it won't leak out

- have enough fan boys that if by any miracle people learn about it they'd be cool with it anyway



My take on this is that Microsoft is stuck in an awful compromise. Google's stuff is free because their business model is surveillance. Apple compromised the user experience to preserve privacy until it could push the machine learning algorithms to user devices. Siri lagged (lags?) Google, but it can now find all my locally stored cat pictures, even though Apple doesn't have a copy of them. There are toggles in iOS to prevent Apple from gathering personal info.

Microsoft is trying to double dip: Windows wants to be a premium product like Apple, and the cloud division wants to be Google. The CEO is from the cloud division.

To get more user data, many teams in Microsoft backported data collection to existing Windows devices without an opt-in (or even opt-out) at the same time they made telemetry mandatory, effectively compromising millions of devices.

This completely destroyed any trust privacy-minded users had in them. Now the telemetry team (which is probably actually acting in good faith, and just trying to make stuff better) is the lightning rod for all the other inappropriate data collection being done in Redmond.

This is why there is such a disconnect between Apple's response to privacy issues (usually: "oops, crap. We'll fix it in the next release") and Microsoft's responses, like this article, where the spokesperson doesn't have the knowledge or authority to provide honest answers.



Microsoft allows more control over data collection in Enterprise than in Home. I wouldn't call that good faith.



When you set up macOS, and after updates, it asks if you'd like to send diagnostic data to Apple and crash logs to devs. That's probably what you're seeing.



Are there any good analyses out there of what telemetry OSX sends?

I did find this which is interesting and helpful:

https://github.com/drduh/macOS-Security-and-Privacy-Guide



It doesn't matter what Microsoft says or how they paint it. It doesn't matter how "transparent" they are. As long as data-gathering (read: snooping) is a part of the operating system, there will be a conflict between that and a user's desire for privacy. The only acceptable option for privacy-conscious users is to not use Windows 10 at all, unless and until Microsoft introduces an "Off" setting.



Even if they introduce an "off" setting, there's no good way to verify that they aren't collecting/sending that data anyway.



What about using something like TCPView[1], and Process Explorer[2]? Saying that there's "no good way" is throwing in the towel a bit early.

[1] https://technet.microsoft.com/en-us/sysinternals/tcpview.asp...
[2] https://technet.microsoft.com/en-us/sysinternals/processexpl...



If it's the OS doing the data gathering, it can just hide that stuff from whatever you would use to monitor it. Look at how rootkits hide for an example.



Those tools rely on Microsoft-developed APIs to monitor traffic though...

A monitoring device connected along the network path would be more trustworthy.

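An added example of what the monitoring point on the network path gives you that host-side tools cannot: it is mine, not from the thread or any tool mentioned in it. It reads DNS query records as a tap or resolver log would emit them, flags lookups of watched domain suffixes, and flags hosts that bypass the LAN resolver, which is the kind of behaviour the "ignoring hosts file and DNS responses" complaint above describes. The log line format, the client addresses, the resolver address and the watched suffixes are all constructed for the example; the suffix list stands in for whichever telemetry hostnames you choose to watch.

```python
"""Added example (not from the thread): classify DNS queries seen by a
monitoring point on the network path rather than by tools on the monitored
host. All addresses, domains and log lines below are constructed."""
import re
from collections import defaultdict

# Assumption: the LAN's sanctioned resolver; queries sent elsewhere are bypasses.
LOCAL_RESOLVER = "192.168.1.1"

# Constructed stand-ins for telemetry collector domains.
WATCHED_SUFFIXES = ("telemetry.example.net", "collector.example.net")

# Constructed log line shape: <time> <client> -> <resolver>:53 <qtype> <qname>
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):53 (\S+) (\S+)$")

SAMPLE_LOG = """\
2017-04-05T12:00:01Z 192.168.1.20 -> 192.168.1.1:53 A www.example.org
2017-04-05T12:00:02Z 192.168.1.20 -> 192.168.1.1:53 A v10.collector.example.net
2017-04-05T12:00:03Z 192.168.1.21 -> 8.8.8.8:53 A settings.telemetry.example.net
2017-04-05T12:00:04Z 192.168.1.22 -> 192.168.1.1:53 AAAA mail.example.org
2017-04-05T12:00:05Z 192.168.1.20 -> 192.168.1.1:53 A notcollector.example.net
"""


def parse_line(line):
    """Return (time, client, resolver, qtype, qname), or None for lines that
    do not have the expected shape."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def matches_watchlist(qname):
    """Suffix match on label boundaries, so 'notcollector.example.net' does
    not match 'collector.example.net'."""
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in WATCHED_SUFFIXES)


def analyze(log_text):
    """Collect watched-domain lookups and resolver bypasses from a log."""
    findings = {"watched": [], "bypass": [], "per_client": defaultdict(int)}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _time, client, resolver, _qtype, qname = parsed
        if matches_watchlist(qname):
            findings["watched"].append((client, qname))
            findings["per_client"][client] += 1
        if resolver != LOCAL_RESOLVER:
            findings["bypass"].append((client, resolver, qname))
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, qname in result["watched"]:
        print(f"watched lookup  {client:15s} {qname}")
    for client, resolver, qname in result["bypass"]:
        print(f"resolver bypass {client:15s} via {resolver}: {qname}")
```

A host that never asks DNS at all and connects to hard-coded addresses will not appear in this log; the same tap's flow records, keyed on destination address, are the place to look for that, which is the point of watching from the path rather than from the host.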


Or won't again in the future. I finally bailed on MS completely (at home only unfortunately) when 10 came out and telemetry was first reported. I let myself get too comfortable with Windows 7, and will not make that mistake again.

Now, for example, it feels great to happen to notice my hard drive spin up when I'm sitting idle at my desk, and relax knowing my OS is just doing what it's supposed to, not covertly spying on me or installing some crud I didn't ask for.



I disagree. I, and millions of others, participate in the regular Steam survey which sips up quite a lot of my information. I do this because I don't mind and want to help Steam and video game devs understand the PC gaming world. All MS has to do is replicate this system. Ask me to do this. Tell me what you collect. Done. That's it.

Nadella has a lot to learn from Newell and his crew. The "fuck consumers" attitude MS had during the Gates years, unfortunately, continues under Nadella's management. He never became the reformer we thought he would be, and the depressing part is that it would be very easy to implement these consumer-friendly features, which, as I wrote, have already proven to be a success.

Respect your customers and we'll respect you. Treat us like children and we'll push back or just switch to OSX/Linux/Mobile.



From a quick skim:

There is still no "stop sending my personal information to Microsoft" switch, but Microsoft has published a list of examples of what data the "telemetry" subsystems collect.

There are other Windows 10 subsystems (cortana, start menu, etc) that silently collect data, and they are not covered by the list the article links to.



Cortana collects data that is considered "functional" by the TechNet document, which also links to the Cortana Privacy FAQ [1]. What you consider "Start Menu" I would presume likely refers to a cross-over of Windows Store and app reliability telemetry, which is all listed.

It might not be listed in name/order of the "subsystems" you expect to see, but that does not mean those "subsystems" aren't covered in the list.

[1] https://privacy.microsoft.com/en-US/windows-10-cortana-and-p...



> There is still no "stop sending my personal information to Microsoft" switch

Sure there is. Don't use Windows.



:-)

I think that is necessary but not sufficient at this point, sadly.

I don't use Outlook, but they announced some feature where it looks up the senders of your emails on LinkedIn. So, if anyone you know uses Outlook, then LinkedIn knows you know them.

I'm not sure if it looks at email bodies (yet), or if they rolled it out yet.

Either way, Microsoft should soon be able to sell employers a reasonably complete list of employees that are looking for a new job (including employees that are not active on LinkedIn or that do not even have LinkedIn accounts).

This is one example of many, I'm sure.



Honestly there is a lot of hypocrisy here in this thread. How many of us work for startups that either collect data on users' usage of their app or rely heavily on the data Google/FB/Twitter etc. have mined?

Answer: Probably all of us.



So ... what is the next part of this argument?

Would it be a call for the next phase of technology economy to begin (whatever that would be) and ending the current 'data' economy rise?



> Answer: Probably all of us.

Speak for yourself.



Windows 10 makes me want to move to Linux more than ever. I'm not some FOSS crusader, but I would like an operating system that doesn't spy on me, doesn't put ads in my desktop UI, and doesn't force people into an upgrade to do so.



It sounds to me like you want to take control of your computer, which basically makes you a FOSS crusader. Only Free Software puts you in control that way.



Do it, don't look back.

(and I'll take this opportunity to thank everyone who works on FOSS software, paid or otherwise)



It's been years since I've futzed around with Linux... it's a little daunting. I need to be able to exchange Word documents with clients, and I worry about formatting errors and the like showing up if I'm creating those documents in LibreOffice. Also, I do like to play the occasional video game.

Really, what I want is Windows 7 that isn't locked to last-generation hardware and that isn't coming up on EOL. It wasn't FOSS, but it worked very well for what I needed.



The company I work for, CodeWeavers, sells a commercial version of Wine called CrossOver for exactly that use case. We're a little behind the current versions of Office; 2013 doesn't work very well yet, but old versions work excellently and we're working hard on 2013.



How's Adobe CS support?



Good question, I don't know. I remember hearing something just this morning about CS5 working well, but I don't know if that was with some internal hacks or with our public product. We offer a free trial if you'd like to try it out.



Interesting, I'll look into that. (I use 2010 anyway, so that's no issue.)



Windows 7 reportedly "works" on current hardware, with a beta driver for Intel Kaby Lake GPU.



Linux desktop is at a pretty nice place right now, you should at least give it a try.



Is there a consensus on a good distro for this use case?



Used to be the goto distro for those who just wanted a "plug-n-go" experience was Ubuntu. Unfortunately, Ubuntu has lost their minds when it comes to the desktop interface. But - you may like it. Try it out (live thumbdrive or such). It's possible to go back to the "old" interface if you want, and it doesn't take much effort - but may be more than you really want to play with.

The other distro I have heard great reviews on that still has a sane interface is Linux Mint - again, try it before you "buy" it.

Virtually every distro except for a few niche ones have Live boot versions, that will allow you to try them out on your system, get a feel for what works, what doesn't (hardware and software-wise), and how the overall system "feels" - before committing to an install.

Your other option (to handle your use cases) might be to keep a windows partition (or on a separate drive) around and use that. Another option would be to use Microsoft's online Office360 suite (I think that's what it is called?). Or run VirtualBox on the Linux system, and run a version of Windows inside that. Any or all of these could be done together, in addition to using Crossover and/or Wine. You have a ton of choices here.

Also - for your documents - you say you are worried about formatting when they go to the client - does the client need to be able to edit them? If not, then dumping them out as a PDF might be able to work for you, if they'll accept PDF copies vs Word docs. The other thing to do would be to take a few of your old copies of docs you have sent to clients, and run them thru LibreOffice or something - see what they look like when you import them, then export them back out to a new file in the various Office formats, and load them back up in Word and see what it looks like. You might be surprised at what you find (you might be disappointed as well). This is all something you can try with the Live boot versions of Linux distros.

Oh - and games - besides using Crossover/Wine - there are a ton of native games available, plus plenty of "old-school" conversions and ports (some quite fun and amazing - some of the Doom/Doom 2 ports are pretty amazing). Also, there are a ton of Steam games on Linux available, too. If all you do is casual gaming, and don't care about always running the latest AAA shooter/fps/mmorpg or such - you'll usually be able to find something worthwhile and fun to play.



I like Debian myself.



"Most" being the operative word.

"These improvements are unlikely to appease that minority of users that regard the mandatory telemetry as an unacceptable intrusion..."

by "minority", I assume the author means those pesky, conscientious types who prefer not to have every action disseminated for exploitation. Analytics make the world a better place, and they can be abused as spyware... it all comes down to trust. MS's history speaks for itself.



Precisely. Let's paint privacy-conscious users (read: virtually all of humanity, given the choice) as the "minority." Let's make it seem like they are just an annoying vocal minority, complaining for the sake of complaining. This is just a basic marginalization tactic. Disgusting.



The real problem is they are right. We are a minority. Most people don't give a damn about it. We are talking about a world in which you can lie to presidency, ridicule yourself and the entire country, and still people believe in you. So privacy? It's not even on people's radar.



>privacy-conscious users (read: virtually all of humanity, given the choice)

If only THAT were true.



Most people close the bathroom stall door before they poop. They appreciate privacy. I think a lot of non-technical people just don't understand how this relates to privacy, which is a different problem.



Thanks; this is what I was trying to say. I believe most, if not all, humans appreciate privacy and would value it over a lack of, given a clear and obvious choice.



Peter Bright is a huge Microsoft/closed source software proponent. All of his articles are about how MS and big software companies never do bad things. He even supported Oracle in their efforts to destroy the software industry by granting copyright status to APIs.



> "Marisa Rogers, the "privacy officer" of the Windows and Devices Group, told us that the telemetry data is genuinely useful to making Windows better. As an example the company offered us, there was a problem with the Windows Alarm app. "

So massive levels of enforced data collection are justified by them fixing the Windows Alarm App.



To be honest, publishing most of what they are collecting makes me trust them less, not more. Why not publish all, what are they hiding?



That reaction is exactly why many companies don't disclose this kind of thing at all. It's better to remain opaque than walk into a bad PR cycle for performing a basically good deed (increasing transparency).

This whole thread is somewhat disheartening, actually. Devs - especially ones developing against a broad hardware ecosystem - need feedback from the field to surface problems. That need must be balanced against privacy.

A golden hope would be an open standard for collection and anonymized storage of telemetry data. It's likely difficult to say exactly what is needed from one os to the next though, once you get into the technical details of what needs to be monitored for useful debugging of major subsystems... So seems far fetched.



If I understand the article correctly, they are publishing all they are collecting by default.

They are not publishing exactly what they are collecting for the "Full" telemetry setting, which is opt-in. I'm guessing they don't want to commit to that because they want to be free to add and remove metrics they're interested in.



Note the Orwellian use of the word "telemetry." They are using it to mean "data collected by the telemetry team" at Microsoft.

This is not a list of "telemetry data collected by Windows 10".

I am beginning to suspect that they do not have adequate internal safeguards to control the collection of personally identifiable information across the entire company (including office, bing, skype, linkedin, etc, etc).

That would mean they are actually incapable of enumerating all the information a clean Windows 10 install and Office 365 will phone home. It would also explain discrepancies between today's list and third-party audits of Windows 10.



I don't think that is true: the list includes telemetry from the Windows Store, which while a bundled part of Windows 10 I would be hugely surprised if its telemetry (which includes marketing concerns) is anywhere a part of the same "telemetry team" as say crash/error reporting telemetry.

The impression I get is that this information took so long to produce because they did have to sit down with all of the various teams involved.

They also don't seem to be attempting any Orwellian use of the word "telemetry", though it is technically explicit. They start the document by establishing the definition, if you care to question it more directly: https://technet.microsoft.com/itpro/windows/configure/config...



The default telemetry level is "Enhanced" though, so it's not what they're collecting by default.

It's just evasive on Microsoft's part.



Enhanced is being removed. Only full and basic will exist. This is in the linked article.



Yeh, I'm sorry, I missed that. My point is perhaps only even stronger though, considering the new default is "Full".

To their minimal credit, I suppose, you can no longer avoid the toggle when installing or upgrading to the Creators Update, which you could do in previous Windows with telemetry. I doubt that many will still bother even reading the labels of the toggles though, let alone consider whether they'd be better served with an option other than the default.



The first sentence of the article is "Microsoft has published the full range of data that Windows 10 version 1703, the Creators Update, will collect in its default "basic" telemetry setting." They provided all the info they collect in the default mode, the title only says "most" because they didn't give a complete list for what they collect in the opt-in "Full" telemetry mode.



They could tell us they're telling us everything and just be lying. Why does it have to be hidden at all? And why not let people turn it all off? Then everyone would stop talking about it.



This is what I don't get. For as many reasons as they have to justify telemetry, it can't be worth the damage to their image of refusing to allow a disable setting. Especially since the vast majority of users will not disable it anyways.



I doubt they care about their image. Microsoft has traditionally acted in a very monopolistic - sometimes almost solipsistic - manner. In recent years they've broadened their approach a bit, but NIH syndrome is going to be a key part of their culture for a long time.

They may not have even considered that "telemetry" might hurt their image (or profits). Even on HN we regularly see people complaining that they cannot switch to a different OS. Technical solutions sometimes help but MS probably assumes that most people will submit to the lockin. Image doesn't matter when most people are tied to the platform. When games are enough to tie people to Windows, MS can do whatever they want.



I disagree. I don't think you need to like Microsoft to notice they are investing heavily in initiatives designed to repair their historical reputation.



Oh, I don't really know, but I gather they are gambling that the data & ad sales will eclipse any potential losses in marketshare. Their hubris, and duopoly position, leads me to presume they are going to profit in the short-term, at least.

Hell, everybody's getting rich doing it!

http://adage.com/article/datadriven-marketing/24-billion-dat...



Perhaps a secret court order forbids them from doing that.

reply


or a favorable tax deal

reply


This was my thought as well.

reply


Because then people would stop using their OS. They would also lose their free beta testers.

reply


Plus it took them almost 2 years after release to reach even this pathetic state. M$ lost any trust it ever had (not that much) a long time ago.

reply


>All crash dump types, including heap dumps and full dumps.

Maybe I should not have used Windows Insider after all which forces you to have it on full...

reply


Wow, this means they will store in their databases the private data you had in RAM when something or Windows crashed? Am I wrong? Because this sounds horrible; you should have an option for sending your memory dumps.

reply


Yes, you are right.

I wonder how this affects something like Keepass. If I had it unlocked open while Windows crashed, does Microsoft now have all my passwords?

reply


Yes, it means Microsoft has your passwords and you have technical recourse.

If you attempt to use legal recourse you will likely fail and your passwords could become publicly viewable evidence.

Change your passwords and don't store them on a closed-source system; this is the only mitigation I see you having that is sure to work.

reply


Actually, if you look here [1], it says:

>While KeePass is running, sensitive data (like the hash of the master key and entry passwords) is stored encryptedly in process memory. This means that even if you would dump the KeePass process memory to disk, you could not find any sensitive data.

Either way, it is bad that Microsoft does not really warn people about this.

[1] http://keepass.info/help/base/security.html#secmemprot

reply


I could consider a scenario where heap dumps of a process crashing due to an exploit would be immensely helpful to Microsoft, since everyone is essentially now a honeypot-esque collector.

There needs to be an off switch for this, though.

reply


One can run a Windows virtual machine on a Linux host at near-native GPU performance with PCI passthrough and KVM for gaming, and then, besides the Windows registry, use iptables to block Microsoft Atlas telemetry. I use that setup for playing Windows PC games which are not yet available natively on Linux.

https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVM...

reply


I think that things like this are cool from a technical perspective. From a business and financial perspective you are still giving money to people who refuse to release Linux versions of games. In the long run this supports Microsoft, their telemetry and their other BS.

reply


Sounds very interesting. Can I please ask what sort of games you play and what FPS you're getting?

reply


Do you have to pay for a windows license to do this?

reply


Yes, you should use a genuine copy of Microsoft Windows for security purposes so that you do not get malware. I use a paid license of Windows Home edition.

reply


Can you use OEM versions of Windows for VMs? If so, you can get a Windows 10 OEM key from play-asia.com for $20 [1].

[1]: http://www.play-asia.com/microsoft-windows-10-pro-3264-bit-o...

reply


I'm unsure if Macs send as much data. For a fact, Android combined with Google apps know A LOT more.

Microsoft tends to get singled out while being the better option, sometimes

reply


Sometimes? More like all the time. Microsoft still gets unfair criticism when what it is doing is usually less than its competitors (Apple, Google.)

It's pretty astounding, HN reads like early 2000s Slashdot sometimes in regards to its complete hatred of Windows. This entire thread is almost verbatim early 2000s Slashdot, "I just switched to Linux and I love it" along with all the OSS evangelists piling on. It's more annoying than insightful.

reply


>Microsoft still gets unfair criticism when what it is doing is usually less than its competitors (Apple, Google.)

This is a subjective opinion (i.e., subject to debate), and also a harmful one. "The other guy is worse" is never a good defense.

reply


This change in the settings menu fixes absolutely NOTHING. Suppose that, as the article describes, you go ahead and choose the Basic setting for telemetry. What happens next week when some update is published and reverts your settings to Full telemetry? This is not a theoretical scenario; many past updates have changed the state of user-chosen settings (including telemetry) without the user's knowledge. In Computer Science parlance, the settings menu is non-deterministic, meaning you cannot be sure what state it is in now, as compared to the next minute.

So for example if you are a lawyer, a doctor, or a stock broker, and are typing a sensitive document for a client, even if you are diligent and checked that telemetry was set to Basic before and after you typed the document, there still exists the possibility that for a few minutes the setting was changed to Full telemetry due to a background Windows update, and minutes later reset again to Basic telemetry due to another update, thus leaking the sensitive document without you even knowing about it. That is what being non-deterministic means, and it is obviously unacceptable for certain professional software usage scenarios.

But the greatest flaw in Windows 10 is not the keylogger. The greatest flaw is the Delivery Optimization module, its new peer-to-peer software delivery system. Basically, with Windows 10, the DLLs that compose your kernel do not come from Microsoft servers directly, but come from Joe down the street, or worse from Boris the hacker from some other country, due to peering. What could possibly go wrong with that? In effect, your attack surface is the entire internet, and all that it would take for someone to compromise your system is some buffer overflow to nullify the hash that Delivery Optimization uses to validate the peered DLLs.

Windows 10 has many great features, and one can truly see the significant positive progress Microsoft is making every month. But Microsoft really needs to purge the telemetry DLL and the delivery optimization DLL from the base Windows install. They introduce unacceptable risks in several professional usage scenarios.

reply


Why couldn't Microsoft offer a Windows 10 "developer edition" allowing telemetry to be set to "security"? Make it cost $200 more, so typical users won't buy it, but why not make it available at all?

reply


The best way is just to block all their shit in the firewall and avoid using windows as much as possible.

https://github.com/crazy-max/WindowsSpyBlocker

reply


It is horrible when people must defend themselves from their own computer...

reply


If by firewall you mean an EXTERNAL firewall (pfSense box or something), sure, but how do you trust the Windows firewall? And anyway, what if you do want software updates and the telemetry is sent as part of your update request? Unless you have deep packet inspection and drop the telemetry packets, how are you going to make sure the data does not go out?

reply


Yes, by firewall I mean an external one :) Personally I have a dedicated old computer that is running Linux for this purpose.

And no, this won't fix the core problem, so the best solution is to avoid Windows completely.

I boot mine up sometimes when I want to play a game not on Linux or PlayStation; however, that is becoming increasingly rare.

reply


It's called Enterprise.

reply


That's what MS lip-service said two years ago. The inclusion, difficulty to arrest said services and reactivations in express violation of the users' intent through "security updates" tells a different story. What you may have meant to refer to was Enterprise LTSB; good luck getting a copy outside of a corporate licensing environment.

reply


Good luck getting a legal copy. They can be had by the sufficiently motivated.

reply


Are mere mortals even allowed to buy the Enterprise edition, quantity 1? Somehow, I doubt it.

reply


If you have an MSDN subscription, you have access to various versions of Windows 10, including the Enterprise version.

reply


As far as I'm aware it's only available via a volume licensing agreement.

Enterprise still doesn't let you disable telemetry though - just lets you set it to basic.

If you want to disable it fully you need the LTSB version.

reply


>Enterprise still doesn't let you disable telemetry though - just lets you set it to basic.

You can set it to security through gpedit.

reply


Not anymore. You can disable most of it but not all of it, and only via Group Policy, which any Windows admin here will know only works maybe 70% of the time at best.

reply


This is pretty much exactly the sort of thing "Pro" is meant for. Of course, for some mystifying reason Windows Pro, sold on business PCs, insists on preinstalling Candy Crush Soda Saga.

I don't understand what the Pro license even is at this point, since they refuse to treat it like one.

reply


That's because the "pro" suffix is completely devalued nowadays; just look at the app store, where "pro" usually just means "without ads" and/or "not stripped down in functionality".

We need a less trendy suffix to signify what "pro" used to, something like "modular" or "developer edition" or something, and have that also applicable to laptop/computers with no soldered RAM or SSDs etc. etc.

Make it cost more, fine, but make it available. Because in the long run every developer saying "the touch bar and low travel keyboard are not for me" or "I am not touching something with telemetry with a 10 foot pole" means less software for your platform later on.

reply


Is there a traffic pattern I can block on my home network that will disable telemetry but won't mess with updates?

reply


Probably (until they change the telemetry traffic pattern). I don't know what it is.

Why engage in their game and try to whack-a-mole their software, if you have a choice.

I admit, for some, there is no alternative. And that's why there's the outrage.

reply


I actually am keeping several computers in my house on Windows 7. A work laptop came pre-installed with 10 and I haven't yet installed Linux on it.

I think I'll just dump its traffic with no network apps open and see which addresses it calls home on.

reply


I found this further down the thread, it might be of interest to you.

https://github.com/crazy-max/WindowsSpyBlocker

reply


Thank you, I'll be researching this further

reply


As for my take, I have a little shell script that translates hosts files into unbound configuration files, with always_nxdomain rules for each superdomain. I then use that unbound instance as my DNS.

reply
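An added example of the hosts-file-to-unbound conversion described in the comment above (not the commenter's own script): it turns a hosts-style blocklist into one `local-zone ... always_nxdomain` rule per name, which unbound then answers with NXDOMAIN for that name and everything beneath it. The sample blocklist and the include path are constructed assumptions.

```shell
#!/bin/sh
# hosts_to_unbound <hosts-file>
# Emits one 'local-zone: "<name>." always_nxdomain' line per sinkholed host.
# Only lines whose first field is a sinkhole address (0.0.0.0, 127.0.0.1,
# :: or ::1) are used; comments, blank lines, localhost entries and real
# address mappings are skipped, and duplicate names are emitted only once.
# Each rule makes unbound return NXDOMAIN for the name and all subdomains.
hosts_to_unbound() {
    awk '
        /^[[:space:]]*#/ { next }                       # full-line comment
        NF == 0          { next }                       # blank line
        $1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/ { next }  # not a sinkhole
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name ~ /^#/) break                  # trailing comment
                if (name ~ /^localhost/ || name == "ip6-localhost") continue
                if (!(name in seen)) {
                    seen[name] = 1
                    printf "local-zone: \"%s.\" always_nxdomain\n", name
                }
            }
        }' "$1"
}

# sample_hosts prints a constructed blocklist for demonstration; the names
# are placeholders, not real telemetry hosts.
sample_hosts() {
    cat <<'EOF'
# constructed sample blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 telemetry.example
0.0.0.0 Stats.Example   # mixed case, trailing comment
0.0.0.0 telemetry.example
10.0.0.5 intranet.example
0.0.0.0 ads.example www.ads.example
EOF
}

# Usage (assumed path): hosts_to_unbound blocklist.hosts > /etc/unbound/blocklist.conf
# and then add   include: "/etc/unbound/blocklist.conf"   to unbound.conf.
if [ $# -gt 0 ]; then
    hosts_to_unbound "$1"
fi
```

Running it on the constructed sample yields four rules: telemetry.example, stats.example, ads.example and www.ads.example; the intranet mapping and the localhost lines are left alone.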


I'd use my rpi for this, but it's on the wrong vlan...

reply


Even if they would provide a full list of everything they are collecting about you, how could you even prove that is really _everything_ as long as Windows is not OSS?

I suppose you'd have to take them on their word, but do they have that much trust from their users?

reply


Well it's possible to inspect the system and determine if they were exceeding that, and then the backlash would be pretty heavy, perhaps even legal? Sure they could secretly leak stuff, but then we have to think a ton of engineers are in on truly spying on users, not just getting telemetry.

Doesn't stop them from sending down targeted updates to turn on deep telemetry, say, under a legal order.

This is similar to the WhatsApp situation. They claim all this crypto. If they were lying, someone could figure it out and FB would get slammed.

reply


Sure, someone could. But it's easy enough to obfuscate it so that it would be extremely difficult to tell for sure. There's a reason why making things verifiably FOSS is such a big deal. "Someone would surely catch them and embarrass them" isn't a great reason to trust them.

reply


Of course. But is it worth a billion dollars or whatever the, say, EU, might decide to fine them if caught? Plus the added compliance costs of whatever a court decides they need to do? Not to mention press and loss of government contracts, etc.

There should be a project to fund some research into this, verifying some popular closed source clients.

reply


It probably is worth it. Look at VW, "surely someone would catch them" worked out for them for years, and was quite profitable for them.

reply


Although I've managed to neuter this crap, we really need a table which details all the data MS, Google, Apple, various Linux apps collect under the guise of 'usage data'. I'm willing to grant that most of this is not nefarious, but there should definitely be an opt-out. As the owner of the machine, I do not want my CPU cycles going towards this, or JS scripts that track me, etc.

reply


I don't think Apple collects anything, unless you explicitly say "Yes, share usage data" during installation.

(Maybe I'm being naive.)

I feel like what we really need might be a legislation mandating easy opt-out (or even better, requiring opt-in).

reply


AFAIK, I think it's enabled by default on iOS, but you can opt out.

https://support.apple.com/kb/PH25654

On OSX this document seems to say no data is sent without explicit instruction, but then it says "data can be sent automatically if one of these events occurs".

reply


There is nothing that they could do to placate this crowd. Even if they stopped collecting telemetry, there would be a vocal contingent of people complaining that it isn't open source. If it was open source and people didn't like the way it handled init, a loud contingent would complain.

reply


Does anyone know how the "advertising ID" works or what's included?

E.g., is my web browsing traffic collected by Microsoft?

reply


I've switched my desktop computer to Linux (Mint) with Wine. It's great. Very easy, stable and feature-rich. Easier to deal with and customize. There are still some issues with software compatibility or security, but it's on par with Windows enough that I haven't really noticed. The only problem I have is games. I hibernate and boot back into Windows 7 for GTA5!

reply


Linux is useless for sound production as well.

reply


Yeah, not gonna lie. I've tried most of the free DAWs and they all have stability issues. Random crashes or audio glitches.

reply


You didn't configure it properly.

reply


What about the other subsystems that silently collect data?

reply


It's still so crazy to me that they do this in their OS. But I guess a lot of people either don't mind or just don't know.

reply


This is the company behind the Halloween Documents:

http://www.catb.org/esr/halloween/

Why anyone would choose to trust them is beyond me.

reply


You really think the Microsoft of today is the same as the Microsoft of 20 years ago?

reply


20 years ago, Microsoft was convicted as an abusive monopolist. It's up to them to convince me that they've reformed, and they're doing a kind of poor job of it.

Are you arguing that I am to just assume that they've changed due to the passage of time?

reply


How hard does a 28 year old person need to work to convince you they're not the same as they were when they were 8 years old? Microsoft has changed CEOs and lower leadership a number of times in the last 20 years. I submit that it would be difficult to find ANY company that can go 20 years without changing.

reply


I don't know. It can go both ways. You seem to assume that Microsoft cleaned up their act for the better, but for all we know it could be the opposite. You don't automatically become good (or less evil) by ageing.

reply


Of course it's not automatic but pointing to something that happened in the distant past (on the scale of the technology industry) is a terrible argument to justify an opinion about something current.

reply


It does seem so.

reply


In some ways they seem worse.

reply



