Hacker News
Does Windows 10's telemetry include sending *.doc files if Word crashed? (stackexchange.com)
157 points by chupa-chups 54 days ago | 102 comments

NASA is finding exoplanets every day, and the LHC is probing quarks at high energies, yet nobody seems to know what is and isn't sent to Microsoft on Windows 10, despite the relative simplicity of doing so (and arguably equal importance as this could be giving Microsoft access to billions of dollars of trade secrets for example). Are any security researchers actively researching this topic? Even if crash documents are encrypted over the network, couldn't these questions be answered by patching root certificates, setting up fake diagnostic servers, tracing the stack with a debugger, etc? Even a reproducible test of making Word crash 10 times, measuring the bandwidth, changing the document size slightly, and remeasuring could give some insight into this question.

Ultimately this will have to be dealt with by one of the Information Commissioners of the EU. I don't think anyone could argue either consent or business necessity for a process this opaque.

The better comparison is that we have volunteer crackers bypassing DRM with obfuscated code (Denuvo) within days of release. To my knowledge Windows doesn’t have obfuscated code (except maybe for activation related stuff) and they even provide symbols in some cases.

What would you gain from actual analysis of a debug version of one OS build that will be completely different in 6 months, perhaps even before that?

Additionally, getting that debug version does actually require signing a restrictive license...

What you will find is mostly reasonable debug data, feature click and run traces and OS memory and driver state dumps. Obviously some of this might be critical data nobody should ever get.

>What would you gain from actual analysis of a debug version of one OS build that will be completely different in 6 months, perhaps even before that?

Microsoft provides symbols for both release and “checked” (debug) builds

I wonder how much confidential health information Microsoft pulls from computers in hospitals and doctor's offices?

I have spoken with several lawyers' offices, both the secretaries and the attorneys - and most have no idea what I'm talking about in regards to telemetry and default settings upon machine setup or during updates.

Same with accountants and some dental offices.

Luckily I did find one that does encrypted off site backups three times a week, and fired his last secretary for clicking okay on a windows warning overlay that installed malware once.

Not a lot of data points, but so far 1 out of 20 or so sensitive professions I have polled are using windows completely ignorantly of the privacy ramifications.

Interesting question.

I would speculate (read: hope) that at least in a hospital, they’ll be running the Enterprise version and have it properly configured not to leak data by IT staff who know about HIPAA compliance.

The average small physician’s practice may be a very different story, however.

I hate that there are special rules for "enterprises." Every person and every business is an enterprise.

Quarks and Exoplanets are deliberately trying to hide.

Are you missing a 'not' ?

And btw Quarks and Exoplanets usually don't employ armies of lawyers to protect against poor scientists attempting to reverse engineer their behaviour.

Any source that Microsoft's suing people for this?

It isn't, but it is not exactly legal in light of the license for the debug build.

And handling a multi million dollar suit is nobody's idea of a good time when there is no payoff.

>Are any security researchers actively researching this topic?

What's the point? If you're using Windows you already lost. Use a FOSS OS if you care about your data, it's really the only answer.

This is not true actually, in some enterprise network your host won't be able to talk to MS directly so there is no way for your machine to send any data to MS.

"some enterprise network" != total market running windows 10.

The extremetech link[0] given in the answer is probably more generally interesting. That article also explains how to access the MS Diagnostic Dataviewer which allows you to explore the collected data after you switch it on (from the Settings app go to Privacy -> Diagnostic & feedback). It also links to Microsoft's explicit listing of everything that they might collect for basic diagnostics[1].

Of course Microsoft could be lying but in that case you shouldn't be using their OS. To borrow a phrase: They have root. If you don't trust them then you don't trust your PC.

[0] https://www.extremetech.com/computing/247311-microsoft-final...

[1] https://docs.microsoft.com/en-gb/windows/privacy/basic-level...

That isn’t a list of everything. “Basic” telemetry sends up everything in the “Security” list, plus the things on this page. They don’t publish what’s in the “Security” level or why they send it.

> If you don't trust them then you don't trust your PC.

This is absolutely the core of the problem with windows and Microsoft. Of course I don't trust Microsoft or any other third party. In addition, I don't trust any government, including our own. Even if I trust Microsoft, once the info is on their servers, any government agency can easily access it. Same thing with third party companies that Microsoft might sell the data to.

So to clarify, if you don't trust Microsoft, or you don't trust any of their partners, or you don't trust your government or any government in the world that Microsoft is subject to the jurisdiction thereof, then you don't trust your windows pc. That's a lot of trust that no logical person would ever have. Incredible how Microsoft managed to pull this off and convince millions to just open up their computers to so many untrustworthy organizations in the world. It goes without saying that a company like this is untrustworthy, hiding behind legalese and lies.

> but in that case you shouldn't be using their OS. To borrow a phrase: They have root. If you don't trust them then you don't trust your PC.

Is this really an option? I'd posit that even many hardcore Linux folk keep a Windows partition, VM, or secondary PC around.

Nope. I don't use Windows at all. If it can't be done on Linux, I simply don't do it. I don't even bother with wine.

There's a whole planet out there. Your computer doesn't need to be the only thing that occupies your time, it doesn't need to be perfect, it doesn't need to do everything.

My customers often use Windows so my options are:

1) Don't bother testing what I write

2) Quit

Occasional Windows use seems like a great compromise.

3) Find new customers

You mean in the 2% or less that do not use iOS, Mac OS, Windows or Android, right?

I find these two sentiments very strange in conjunction (complete abstinence from Windows, and the call to get away from your computer.) Did you mean for the second to be the opposite of the first?

I don't use Windows; if something can only be done on a Windows PC, I simply don't do it. I find literally anything else to do with my time.

Everyone would love to switch to linux, except "I can't do X on linux, and I must have X". People are literally addicted to PCs, I think it's unhealthy.

> Everyone would love to switch to linux, except "I can't do X on linux, and I must have X". People are literally addicted to PCs, I think it's unhealthy.

It's not just about spending all your time using computers or addiction.

I would like to switch to Linux but there's no screencast video editing tools that are comparable to Camtasia that run on Linux.

I wouldn't call that an unhealthy addiction for sticking with Windows. It's a necessity for my line of business.

Did you try OBS Studio?


I'm not sure what you're trying to do, but OBS is pretty OK, while it takes a bit of a learning curve, Lightworks is pretty rad for video editing. If you haven't played with them, they're worth checking out.

OBS is amazing for streaming and recording but it's not equipped for editing previously recorded content.

I have hundreds of screencasts I recorded where I record my desktop and sometimes a webcam in the corner. These screencasts are put together to create a video course, so they need to be super polished.

With Camtasia it takes seconds to add really really nice looking tooltip pop ups, various text styles and arrows, smooth zoom / pans and even really neat animations that can be applied to anything.

For example check out the intro video on https://diveintodocker.com/. That entire animation (and video) was made in Camtasia in a few minutes without needing to do anything other than drag a few sliders around until the speed was right and it looked reasonable. Camtasia is an all purpose screencast editing tool but they have no Linux port.

I tried everything. Kdenlive, Lightworks, Shotcut, Open Shot, DaVinci Resolve and even Blender. They are all much much worse than Camtasia for editing screencast style videos (which are mostly around adding context related popups, dimming areas of the screen, adding text overlays, zooms, etc.). Worse as in, after 8 hours of trying to reproduce that Docker intro in Kdenlive I still didn't have anything that looked good with nothing in sight that would hint that I could do the things I could do in Camtasia. That was as of 2 months ago too.

That's a really nice video and your quippy narration is quite pleasant.

I'll admit, my experience with video editing is quite minimal. I understand your reasoning for choosing the software you choose. My position is still don't use Windows.

There are screencast and video editing tools available for linux and they cost $0.

"Existing" and "being worth the aggravation to use" are significantly different things.

'nickjj has eloquently described the problems with pretty much everything available on Linux and I agree with him. I use Resolve, which does run on Linux, for video editing--but that's not the same thing he's talking about and I too use Camtasia on that dreaded, dreaded Windows for recording and editing down those sorts of presentations. Because to not do that would probably take half again as long, make for a worse end result, and have a direct impact on the likelihood of those clients buying from me or hiring me again.

Sneering zealots are weird, man. Don't be That Guy.

Yes but none of them are close to being comparable to Camtasia.

Check my other reply at https://news.ycombinator.com/item?id=19282459.

"I don't use Windows; if something can only be done on a Windows PC, I simply don't do it."

As a 99% Linux user (do very rarely used Wine and some VMs count as Windows installs?) I find this wrong when applied to real life scenarios. "Normal" users, the ones who would neither dare nor enjoy recompiling their kernel to squeeze out a few megabytes of free RAM, treat a PC just like a tool to get some work done (think a pair of scissors or a screwdriver, could anyone imagine someone wearing a black t-shirt showing their favorite screwdriver brand?). Those people are forced to use a PC because not doing so would mean being slower than other people, which in this society equals losing a job or not meeting the requisites to get one. I'm pretty sure very few of them would waste their time at the PC if they could get the same results by themselves.

The right approach to help people abandon the Windows world is making their Linux experience as painless as possible, which requires compromises on our part. I've converted some people in recent years (thanks also to the UI nightmare MS themselves created from Windows 8 and beyond). And never ever abandon them when they're initially lost because they're used to doing something "the windows way": all my Linux installs for previous Windows users have a Windows (XP/7) like UI [1] and all Libreoffice installs save documents in Office 97-2003 format by default. I always offer them to evaluate Linux for a while, then if they find it unsuitable I'll install Windows back for free, no questions asked. So far I had only one person asking to go back to Windows, but he needed to use a proprietary software that didn't even work under Wine (more likely it was its copy protection). We need to adapt our approach to them, and not the other way around, for we know both worlds while they have been exposed to a digital monoculturalism during their entire professional life.

[1] please, XFCE developers, consider changing the horrendous default look: it makes no sense having two panels eating space on a light DM that often is being chosen for laptops with limited vertical pixels. I know it takes a minute to correct that, but we want to help new users. Willing to help on that if anyone tells me how to turn a customized setup into a .deb package that might also pull a few dependencies (mostly themes). Having a nicer look as a third option when starting it for the 1st time would be even greater IMO.

"Normal" users aren't what you think they are. They basically just use facebook at this point. You can give the bulk of society a modern linux distro with Chrome installed and they would never know the difference.

I no longer install or support Windows in any way for friends and family. If all the 'computer people' in everyone's lives quit helping them, Windows would finally die off because it's a crap product.

I love this comment so much I might print it out and frame it. I've always had the same feeling but you put it into words so much better than I could. I'm perfectly ok with "missing out" on software that's Windows only. I really don't think I'll be on my deathbed wishing I had used my computer more.

Thanks. I totally agree about that deathbed wish thing!

I can't remember when I last had windows installed on equipment that I owned. At some point I did, e.g. in college in the 90s, but it ceased to be the case a long time ago. Of course I occasionally help others who have windows, but I don't find that I need it.

I'm the same. I was heavy into Linux when it first came out, but I've been pretty much 100% Windows for about 20 years. I still help my kid out when he has to use Linux for a project or whatever, but I could never see myself using it as my "daily driver".

For values of "same" approaching "not the same at all".


I like a hilarious put-down as much as the next person, but your contributions here could be better motivated. Everyone here understands how somebody could be linux-only, but how on earth can you live your entire life on windows? It's just very difficult to understand...

The "hardcore Linux folk" run any windows apps they need in wine. It works pretty well. Also if you're running a VM, Microsoft obviously doesn't have root access to the host, which is what's in question.

The only sizeable groups of Linux users I know of to keep a windows partition are newcomers who want to be able to retreat to it, and previously gamers, though the latter is not really the case anymore since proton appeared.

> The only sizeable groups of Linux users I know of to keep a windows partition are newcomers who want to be able to retreat to it, and previously gamers, though the latter is not really the case anymore since proton appeared.

Over half my Steam games do not work properly with Proton.

Only 2 of my 80-ish games don't work either natively or with Proton. One requires Uplay and the other requires something like Games for Windows Live, neither of which I can get to work in Wine.

Otherwise, I've had pretty good luck. A couple have required some tweaks, but otherwise it's been pretty easy.

Anyway, yay to no more VFIO/passthrough.

But the average steam user only plays 5% of the games he owns, so this may not be so bad!

I’ve been windows-free for 10 years. It’s really not so hard if you use a common distro like Ubuntu. Yes there are occasional glitches but, I’ve had to install windows 8 for my mom recently, and windows update was broken out of the box...

> It’s really not so hard if you use a common distro like Ubuntu.

I hate this "argument". I am running Ubuntu myself for half a year now but there is no chance to get Adobe Creative Suite/Cloud to run smoothly on Ubuntu. You will absolutely need macOS or Windows for that.

And lots of people need professional applications like those to earn money. Not everybody can be happy and good to go with $texteditor and a bash.

This is a bit like saying "there is no chance to get iMessage running on Windows". The application developer hasn't given you that option; if it works at all, it's usually thanks to volunteers reverse-engineering things to get them to work.

If you absolutely need an application that isn't available on Linux, maybe Linux isn't right for you, at least not all the time. But there are tons of applications that are available on Linux. If you're not dead-set on Photoshop for example, GIMP is there. If you don't specifically need Acid, Ardour exists.

And plenty of people aren't musicians or artists and can get by pretty well with just a web browser, hence the popularity of Chromebooks. Browsers work just as well on Linux as on Windows or MacOS.

Well, no. OP took a broad stand and said that being Windows-free is not hard. That's just not reality for some professions.

Glad if it works for you, because you might not need some specialized software, but it is not a universal rule and people tend to forget that and treat non Windows-free users like they are too stupid to see the alternatives.

There are just no good alternatives for media professionals when it comes to things like Photoshop, Illustrator, Indesign. Other solutions lack compatibility or generate quirky output. Sometimes you need the real deal and it's no question of "liking" Windows.

As someone who has no idea what media professionals require or why Photoshop/etc are so good, what makes programs like that so much better? I have occasionally watched videos of people using Blender or Krita or Gimp or ... Ink(spot?scape?), and they seem to be fine. Though, again, I don't use them professionally in the least bit.

And if your profession depends on access to iMessage, you're going to have to use macOS or iOS, regardless of whether or not you trust Apple.

This was my initial point. It's not so easy as "if you don't trust Microsoft you shouldn't use Windows." If that's an option, great. But it often isn't an option.

In that case allow me to amend my original statement: If you don't trust Microsoft you shouldn't use Windows for your personal data.

Any data is personal, and business data is often even more valuable. And also liable.

Sure but if the company forces you to use a particular OS then they're the ones who are liable for the results of that decision.

It's funny, Adobe's Suite is so bad for your computer. Every time I build a computer for my wife, it runs amazing until I install that shit on there. Then, nothing ever works quite right on it again.

Sounds like you don't know how to do it. Lots of systems run perfectly well with Adobe CS/CC.

Compartment your work. I have a different machine and OS for what I need to do. At work, I can’t get away from MSWin. For other things, photo editing, video processing, it’s my MBPro. And for other things, my Debian box. Not one machine fits my workflow.

That's what I'm doing, too. Got two SSDs and choose whether to boot into Windows for Adobe CS, and nothing else, or boot my Ubuntu disk. Nevertheless I would prefer if I could just skip the windows disk.

Note I said "many", I know there are exceptions! It also largely depends on what you use your computer for. If you need even occasional access to Photoshop, for example, you're going to need Windows or macOS (or maybe iOS, I guess). GIMP might work sometimes, but not always.

Anecdata point: I managed to make a commercial 2D platform game with GIMP. It's pretty powerful, even if the usability is not as good.

I have one old Windows 7 machine for playing World of Warcraft. I would (and have) run it on Linux, but the frame rate and object loading is a bit worse due to the CPU instruction latency from wine. GPU model doesn't even matter. I have begged Blizzard to make an unsupported linux elf binary, but they just won't.

I came across this when I attempted to run wow in linux after upgrading my gpu and ram. This was this month, and last time I logged in was in Legion. Exactly as you describe but you can fix it with Vulkan.

I've never tried Vulkan. I will look into it. Thank you. :)

Sure, but my XP and 98 boxes are not on a WAN connected network.

This is actually a really good, practical solution. Use the platforms you don't trust, just don't give them internet access. It won't work for every case, but probably a lot of them.

I think I'd get overly frustrated transferring files, but if you have a good solution for that...

Yeah, I occasionally connect a linux laptop on both networks (ipforwarding OFF) with an http port open that exposes my fileserver mounted on the laptop via NFS. If that's too hard, I just pull the hard drives out and connect to my workstation with USB, also good for imaging the machines since they crash so dang often.

Mac/Ubuntu covers all my bases. For personal or development use, what can Windows do that these others can’t?

Most AAA games?

That _long_ list is limited to the "basic level" telemetry data and does not include e.g. automatic sample documents that Defender sends by default (those include your actual documents).

Microsoft proves over and over again that they are not trustworthy. I agree you shouldn't be using their OS, but sadly many people don't consider this a choice since it comes pre-installed on most PCs.

As far as I'm aware Defender will not send documents without prompting you first.

I remember the NSA refusing to send a core file for us to debug a FrameMaker crash they ran into, since they knew that their document could be extracted from it. Perhaps this is the sense in which the .doc files are being sent; in the trivial case, they may simply be mapped into memory, which is then part of the dump that gets sent.

Are Windows 10 and Microsoft Office compatible with HIPAA given they may send off protected health information without protecting it themselves?

Would be very costly if actually pursued

I use the free tool O&O ShutUp 10 to disable this


Make sure you reboot after running it, disable telemetry again and do another reboot. Only then all three telemetry features will remain off.

It's a shame that you have to work against your OS to protect your privacy. Use Linux unless you need Windows for a good reason.

Using 1 proprietary application to 'lock down' another proprietary application seems like an exercise in futility.

The same people running these freeware tools/scripts, are the same people for whom "Windows Update constantly breaks my install." It isn't a coincidence, most of these scripts intentionally break Windows' components in unsupported ways.

Use at your own risk.

Make sure your Linux distro doesn’t have telemetry!

As a user I don't mind sending diagnostic information for debugging, but that should be transparent to me and controllable. Why not just show a dialog saying "a crash happened, here is what is going to be sent to us, uncheck items that you don't want to share with us"?

Quietly retrieving documents without user permission is not acceptable.

Probably because they're just grabbing a core dump of the crash and sending it off. The dump of your memory may or may not include various items that you'd like "checkboxed", but it's not easy to clean out unchecked ones from that kind of dump.

Answer: you can't know for sure.

Absolutely ridiculous.

Diagnostic Data Viewer shows you the unencrypted data. The only way to get to "you can't know for sure" is by this logical leap:

> But that does NOT guarantee or prove that there is documents privacy in any way.

Using that specious logic you could say the same about any software on your machine.

You are missing the point:

If we don't trust the OS, why would we trust it to be honest and display what it's actually reporting. You can't be sure until you wiretapped the communication and looked for yourself.

I'm not sure if it's going to impact your trust in Windows either way, but regulators do 'wiretap' the communication sent off Windows boxes in an effort to keep Microsoft compliant with law, and Microsoft is financially incentivized to be honest (at risk of hefty fines).

Tech journalism is quick to print stories of malfeasance in the privacy/security area, but they've done very little to inform readers of accountability or legal obligations that are enforced by government entities. This leads to general distrust and unproductive online conversations.

If you're interested in privacy/security, you should be paranoid about this stuff, but don't mistake yourself into thinking that Microsoft operates in a vacuum of unaccountability.

(Disclaimer, MS employee, and I have to state that this is my opinion)

Seems I didn't miss the point at all. This is a conspiracy theory and not based on any fact, the theorists point to lack of proof as proof and ask us to disprove their ideas.

The actual information we have indicates that isn't the case. If you disagree, then I'd suggest you dig up something supporting that viewpoint.

> If we don't trust the OS

Then pack it in and go home.

Any headline asking a question is generally no, but in this case yes.

In theory you want the file causing the crash as it makes figuring out the fault many times easier. The problem comes in when this is your financial records being sent off to Microsoft

When I was using Windows years ago you got a popup with the option to send a crash report, are the crash reports sent without you knowing? Is this feature on by default?

That was during the same period you were allowed to choose when you installed updates, right?

>but in this case yes

not really, the answer even says it's his guess.

The only other question where the answer is almost always yes is “is this a scam?”.

Or a document covered by attorney-client privilege.

At least in Europe using Win10 as an attorney (or physician for that matter) may bring you into hot water.

I worked for Defence for a year. I'd be shocked if they allow this

Or HIPAA in the US

Does this also happen with Office on MacOS?

But Scott Hanselman thinks it's all about MS killin' our pappies.

I appreciate Hanselman and his work a lot, but that answer riled me as well. He seems to not understand that Microsoft's underhanded behavior in the past actually did kill a lot of promising, pioneering companies -- Netscape, Stac (https://en.wikipedia.org/wiki/Stac_Electronics) and Digital Research (https://en.wikipedia.org/wiki/Digital_Research), to name just a few off the top of my head.

It's one thing to argue that they don't do that sort of thing anymore, but quite another to pretend they never did it in the first place.

> It's one thing to argue that they don't do that sort of thing anymore

Even if you argued that, you'd be dead wrong - they won't reveal which Android patents they use for extortion, till very recently pushed for adoption of the FAT32 filesystem so they could extract patent fees from that. Now that those patents have expired, they're doing the same with ExFAT, all while lobbying against open document formats, and deliberately making their own as difficult to work with as possible.

That's all just from the top of my head, without even going into Windows 10.

Where did he comment on this issue?

This is the article I am referencing. https://www.hanselman.com/blog/MicrosoftKilledMyPappy.aspx
