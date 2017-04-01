Included:
"Storage attributes, such as number of drives, type, and size" -- So ID numbers of all USB storage drives you've connected? Better not put sensitive data on a USB and send it to a journalist...
"the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app." -- To e.g. determine when you used the TOR browser, since the difference in uptime between two time points is how much it was up during that interval.
"App usage data. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started" -- Oh, never mind, they also explicitly state they gather which apps you have installed and how much and when you use them in the next section.
"Accessory device data. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system." -- Print poster and glue it to a wall -> Printer gets identified via tracking dots ( https://www.eff.org/pages/list-printers-which-do-or-do-not-d... ) -> Printer is linked back to you, even if you bought it with cash. I hope you didn't print anything your local sheriff would dislike!
Edit: This is all in the 'basic' level, which you can't disable.
How in the hell can this just be called analytics?
This level of data isn't anonymous. It can't be.
If another piece of software did this, Microsoft would label it spyware and Windows Defender would kill it.
Yet, they feel fine doing this with an OS that they actually sell. It's not even crap freeware. You pay to have your every move watched.
aka, what dandelion_lover said.
is there some big list of the hardware I have bought?
If not, sure, they can fingerprint me but I don't see how it de-anonymizes me.
[1] http://latanyasweeney.org/work/identifiability.html
Combine that with unique combinations... and you get an increasing confidence of who the end user is.
It's why they suggest you don't "full screen" browsers when using tor... Stuff like browser sizes can identify you:
https://security.stackexchange.com/questions/102133/how-can-...
It's easy to tell that if a custom screen size can identify you... what will other unique traits do?
> To e.g. determine when you used the TOR browser, since the difference in uptime between two time points is how much it was up during that interval.
Having personally talked with Microsoft engineers who handle what this data is used for, I can tell you they take PII very seriously and per user details aren't being shared with 3rd parties (at present). Could they be misusing this? Or start selling it? Yes, but it would be an incredibly dumb idea from a brand value perspective, and I trust them to at least protect that. (I do honestly think that like most people, Microsoft employees are well-meaning individuals with good intentions)
What is this data used for? The most common use is to tell a large software developer "you have a memory leak in version 3.1.x when running on 4th gen intel CPUs with driver version 11.3" or similar. So companies with wide install bases (Oracle, IBM, other Microsoft divisions, etc) can fix issues which impact literally millions of users.
If anyone reading this has ever received this sort of Microsoft communication about your software, could you share your experiences?
Being an American company, you also have to worry about Microsoft being compelled to disclose per-user details with law enforcement or the intelligence community. They have no choice when it comes to this, so allowing them to have this data at all is dangerous.
Then let me disable this telemetry completely, I'm fed-up with people that know better than me what's good for me.
While (like many here) I'm very privacy oriented, this is a situation where Occam's Razor applies.
https://en.wikipedia.org/wiki/Occam%27s_razor
Not that's ideal, but it seems a lot better than Windows 10 seemingly indefatigible ways and means of sneaking data out. Ignoring hosts file and DNS responses is just rude.
[0] baseband attacks are still a problem, but at that level of threat then the BIOS or management subsystem on your PC isn't trustworthy either.
Not that I think Android is on a good trajectory in terms of user control, but hopefully alternatives such as Sailfish gain traction.
[0] https://tehnoetic.com/tehnoetic-s3-phone-replicant
On the other hand, most mobile devices have locked bootloaders, actively work to prevent giving the owner root access, and speak directly out to the Internet using proprietary networking modules.
If you have a clean android phone I suspect there no monitoring going on. For example if you use a community built mod or build AOSP yourself.
Guess what mine is saying...
Hey, LANGUAGE!
So, if you don't enable at least enhanced telemetry, Microsoft does not want to hear from you, does not care about your feedback, and no Microsoft employee will respond to your query on the matter.
I've tried to engage the Windows Insider folks over a couple different mediums, as far as I can tell they're barred from talking to anyone who even mentions telemetry.
I know Windows is a large piece of SW, but this seems "quite" big for the "Basic" level... :/
> Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.
This should definitely work for hard disks, which have a serial number in their SMART data but do standard USB flash drives have any kind of unique identifier? There's the vendor ID but that covers every single instance of that model of device. Or is there some kind of identifier at the filesystem level?
Incorrect. Please stop spreading this misinformation.
http://winaero.com/blog/how-to-disable-telemetry-and-data-co...
Fairly certain USB drives don't have serial numbers, just vendor numbers that are far from unique.
[1] http://www.usb.org/developers/docs/devclass_docs/usbmassbulk...
Note that they don't tell you which of the other levels enables Windows Update telemetry, which is apparently helpful.
Disclaimer: These concerns of course extend to other companies actions, but in the context of this article MS is the most relevant company.
But to be fair one should point out that Apple is also collecting telemetry data (search system logs for com.apple.telemetry) without any toggles in the system preferences.
Search results don't bring much info on what is collected and how it is being used. Does anyone here have insight into Apple telemetry granularity?
- will do it well enough so that you can't find out
- control PR well enough so that it won't leak out
- have enough fan boys that if by any miracle people learn about it they'd be cool with it anyway
Microsoft is trying to double dip: Windows wants to be a premium product like Apple, and the cloud division wants to be Google. The CEO is from the cloud division.
To get more user data, many teams in Microsoft backported data collection to existing Windows devices without an opt-in (or even opt-out) at the same time they made telemetry mandatory, effectively compromising millions of devices.
This completely destroyed any trust privacy-minded users had in them. Now the telmetry team (which is probably actually acting in good faith, and just trying to make stuff better) is the lightning rod for all the other inappropriate data collection being done in Redmond.
This is why there is such a disconnect between Apple's response to privacy issues (usually: "oops, crap. We'll fix it in the next release") and Microsoft's responses, like this article, where the spokesperson doesn't have the knowledge or authority to provide honest answers.
I did find this which is interesting and helpful:
https://github.com/drduh/macOS-Security-and-Privacy-Guide
[1] https://technet.microsoft.com/en-us/sysinternals/tcpview.asp...
[2] https://technet.microsoft.com/en-us/sysinternals/processexpl...
A monitoring device connected along the network path would be more trustworthy.
Now, for example, it feels great to happen to notice my harddrive spin up when I'm sitting idle at my desk, and relax knowing my OS is just doing what it's supposed to, not covertely spying on me or installing some crud I didn't ask for.
Nadella has a lot to learn from Newell and his crew. The "fuck consumers" attitude MS had during the Gates years, unfortunately, continues with Nadella's management. He never become the reformer we thought he would and the depressing part is that it would be very easy to implement these consumer friendly features and as I wrote, have already proven to be a success.
Respect your customers and we'll respect you. Treat us like children and we'll push back or just switch to OSX/Linux/Mobile.
There is still no "stop sending my personal information to Microsoft" switch, but Microsoft has published a list of examples of what data the "telemetry" subsystems collect.
There are other Windows 10 subsystems (cortana, start menu, etc) that silently collect data, and they are not covered by the list the article links to.
It might not be listed in name/order of the "subsystems" you expect to see, but that does not mean those "subsystems" aren't covered in the list.
[1] https://privacy.microsoft.com/en-US/windows-10-cortana-and-p...
Sure there is. Don't use Windows.
I think that is necessary but not sufficient at this point, sadly.
I don't use outlook, but they announced some feature where it looks up the senders of your emails on linked in. So, if anyone you know uses outlook, then linkedin knows you know them.
I'm not sure if it looks at email bodies (yet), or if they rolled it out yet.
Either way, Microsoft should soon be able to sell employers a reasonably complete list of employees that are looking for a new job (including employees that are not active on linkedin or that do not even have linkedin accounts).
This is one example of many, I'm sure.
Answer: Probably all of us.
Would it be a call for the next phase of technology economy to begin (whatever that would be) and ending the current 'data' economy rise?
Speak for yourself.
(and I'll take this opportunity to thank everyone who works on FOSS software, paid or otherwise)
Really, what I want is Windows 7 that isn't locked to last-generation hardware and that isn't coming up on EOL. It wasn't FOSS, but it worked very well for what I needed.
The other distro I have heard great reviews on that still has a sane interface is Linux Mint - again, try it before you "buy" it.
Virtually every distro except for a few niche ones have Live boot versions, that will allow you to try them out on your system, get a feel for what works, what doesn't (hardware and software-wise), and how the overall system "feels" - before committing to an install.
Your other option (to handle your use cases) might be to keep a windows partition (or on a separate drive) around and use that. Another option would be to use Microsoft's online Office360 suite (I think that's what it is called?). Or run VirtualBox on the Linux system, and run a version of Windows inside that. Any or all of these could be done together, in addition to using Crossover and/or Wine. You have a ton of choices here.
Also - for your documents - you say you are worried about formatting when they go to the client - does the client need to be able to edit them? If not, then dumping them out as a PDF might be able to work for you, if they'll accept PDF copies vs Word docs. The other thing to do would be to take a few of your old copies of docs you have sent to clients, and run them thru LibreOffice or something - see what they look like when you import them, then export them back out to a new file in the various Office formats, and load them back up in Word and see what it looks like. You might be surprised at what you find (you might be disappointed as well). This is all something you can try with the Live boot versions of Linux distros.
Oh - and games - besides using Crossover/Wine - there are a ton of native games available, plus plenty of "old-school" conversions and ports (some quite fun and amazing - some of the Doom/Doom 2 ports are pretty amazing). Also, there are a ton of Steam games on Linux available, too. If all you do is casual gaming, and don't care about always running the latest AAA shooter/fps/mmorpg or such - you'll usually be able to find something worthwhile and fun to play.
"These improvements are unlikely to appease that minority of users that regard the mandatory telemetry as an unacceptable intrusion..."
by "minority", I assume the author means those pesky, conscientous types who prefer not to have every action disseminated for exploitation. Analytics make the world a better place, and they can be abused as spyware... it all comes down to trust. MS's history speaks for itself.
If only THAT were true.
So massive levels of enforced data collection are justified by them fixing the Windows Alarm App.
This whole thread is somewhat disheartening, actually. Devs - especially ones developing against a broad hardware ecosystem - need feedback from the field to surface problems. That need must be balanced against privacy.
A golden hope would be an open standard for collection and anonymized storage of telemetry data. It's likely difficult to say exactly what is needed from one os to the next though, once you get into the technical details of what needs to be monitored for useful debugging of major subsystems... So seems far fetched.
They are not publishing exactly what they are collecting for the "Full" telemetry setting, which is opt-in. I'm guessing they don't want to commit to that because they want to be free to add and remove metrics they're interested in.
This is not a list of "telemetry data collected by Windows 10".
I am beginning to suspect that they do not have adequate internal safeguards to control the collection of personally identifiable information across the entire company (including office, bing, skype, linkedin, etc, etc).
That would mean they are actually incapable of enumerating all the information a clean Windows 10 install and office 365 will phone home. It would also explain discrepancies between todays's list and third party audits of Windows 10.
The impression I get is that this information took so long to produce because they did have to sit down with all of the various teams involved.
They also don't seem to be attempting any Orwellian use of the word "telemetry", though it is technically explicit. They start the document by establishing the definition, if you care to question it more directly: https://technet.microsoft.com/itpro/windows/configure/config...
It's just evasive on Microsoft's part.
To their minimal credit, I suppose, you can no longer avoid the toggle when installing or upgrading to the Creators Update, which you could do in previous Windows with telemetry. I doubt that many will still bother even reading the labels of the toggles though, let alone consider whether they'd be better served with an option other than the default.
They may not have even considered that "telemetry" might hurt their image (or profits). Even on HN we regularly see people complaining that they cannot switch to a different OS. Technical solutions sometimes help but MS probably assumes that most people will submit to the lockin. Image doesn't matter when most people are tied to the platform. When games are enough to tie people to Windows, MS can do whatever they want.
Hell, everybody's getting rich doing it!
http://adage.com/article/datadriven-marketing/24-billion-dat...
Maybe I should not have used Windows Insider after all which forces you to have it on full...
I wonder how this affects something like Keepass. If I had it unlocked open while Windows crashed, does Microsoft now have all my passwords?
If you attempt to use legal recourse you will likely fail and your passwords could become publicly viewable evidence.
Change your passwords and don't store them on a close sourced system, this is the only mitigation I see you having that is sure to work.
>While KeePass is running, sensitive data (like the hash of the master key and entry passwords) is stored encryptedly in process memory. This means that even if you would dump the KeePass process memory to disk, you could not find any sensitive data.
Either way, it is bad that Microsoft does not really warn people about this.
[1] http://keepass.info/help/base/security.html#secmemprot
There needs to be an off switch for this, though.
https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVM...
[1]: http://www.play-asia.com/microsoft-windows-10-pro-3264-bit-o...
Microsoft tends to get singled out while being the better option, sometimes
It's pretty astounding, HN reads like early 2000s Slashdot sometimes in regards to its complete hatred of Windows. This entire thread is almost verbatim early 2000s Slashdot, "I just switched to Linux and I love it" along with all the OSS evangelists piling on. It's more annoying than insightful.
This is a subjective opinion (i.e., subject to debate), and also a harmful one. "The other guy is worse" is never a good defense.
So for example if you are a lawyer, a doctor, or a stock broker, and are typing a sensitive document for a client, even if you are diligent and checked that telemetry was set to Basic, before and after you typed the document, there still exists the possibility that for a few minutes the setting was changed to Full telemetry due to a background windows update, and minutes later reset again to Basic telemetry due to another update, thus leaking the sensitive document without you even knowing about it. That is what being non-deterministic means and is obviously unacceptable for certain professional software usage scenarios.
But the greatest flaw in Windows 10 is not the keylogger. The greatest flaw is the Delivery Optimization module, its new peer-to-peer software delivery system. Basically, with Windows 10, the DLLs that compose your kernel do not come from Microsoft servers directly, but come from Joe down the street, or worse from Boris the hacker from some other country, due to peering. What could possibly go wrong with that? In effect, your attack surface is the entire internet, and all that it would take for someone to compromise your system is some buffer overflow to nullify the hash thar Delivery Optimization uses to validate the peered DLLs.
Windows 10 has many great features, and one can see truly the significant positive progress Microsoft is making every month. But Microsoft really needs to purge the telemetry DLL and the delivery optimization DLL from the base windows install. They introduce unacceptable risks in several professional usage scenarios.
https://github.com/crazy-max/WindowsSpyBlocker
And no this won't fix the core problem so the best solution is to avoid windows completely.
I boot mine up sometimes when I want to play a game not on linux or playstation, however that is becoming increasingly rare.
Enterprise still doesn't let you disable telemetry though - just lets you set it to basic.
If you want to disable it fully you need the LTSB version.
you can set it to security through gpedit
I don't understand what the Pro license even is at this point, since they refuse to treat it like one.
We need a less trendy suffix to signify what "pro" used to, something like "modular" or "developer edition" or something, and have that also applicable to laptop/computers with no soldered RAM or SSDs etc. etc.
Make it cost more, fine, but make it available. Because in the long run every developer saying "the touch bar and low travel keyboard are not for me" or "I am not touching something with telemetry with a 10 foot pole" means less software for your platform later on.
Why engage in their game and try to whack-a-mole their software, if you have a choice.
I admit, for some, there is no alternative. And that's why there's the outrage.
I think I'll just dump its traffic with no network apps open and see which addresses it calls home on.
I suppose you'd have to take them on their word, but do they have that much trust from their users?
Doesn't stop them from sending down targeted updates to turn on deep telemetry, say, under a legal order.
This is similar to the WhatsApp situation. They claim all this crypto. If they were lying, someone could figure it out and FB would get slammed.
There should be a project to fund some research into this, verifying some popular closed source clients.
(Maybe I'm being naive.)
I feel like what we really need might be a legislation mandating easy opt-out (or even better, requiring opt-in).
https://support.apple.com/kb/PH25654
On OSX this document seems to say no data is sent without explicit instruction, but then it says "data can be sent automatically if one of these events occurs".
E.g., is my web browsing traffic collected by Microsoft?
http://www.catb.org/esr/halloween/
Why anyone would choose to trust them is beyond me.
Are you arguing that I am to just assume that they've changed due to the passage of time?
