
Interesting that my main reason for wanting a local account was not mentioned. Privacy. I simply don't want my files saved on Microsoft's servers. Some files, sure, I can put those in the cloud to make life easier. Other files, no, not unless I can ensure they are encrypted and I'm the only one with the key.

It's not like I'm doing illegal things. I just don't trust corporations and I feel that they shouldn't expect to see everything I do.




It's not even "just" about privacy. I find the idea that "preferences, password, and files are stored in the cloud and carry over to new devices" a bit unsettling in terms of security and trust.

I am reasonably convinced that Microsoft isn't snooping on me, not at a level of detail that would bother me anyway. I'm sure they have the tools to do so if they want, but I'm not a US citizen, not doing anything illegal, not involved in anything shady or uncomfortable for the US government or its allies (which includes my country, for that matter) -- I think it's unlikely enough that I'll ever be a target.

But.

Microsoft, and its cloud servers, are a really big target. It's the holy grail of ID theft. Do I trust Microsoft to safeguard my passwords, preferences and files against attacks, not just today, but over the next ten or twenty years, at a time when Windows isn't really the focus of their business anymore? I'm gonna say a pretty big no to that.

Even if I were convinced they had only good intentions (let's say they do) about this stuff, so did Yahoo, and LinkedIn, and Adobe and countless other vendors who eventually ended up with huge data breaches.

Do I have any guarantees that, twenty years from now, Microsoft's personal data storage systems won't give way, between budget cuts, incompetent management (twenty years is a long time, maybe Satya Nadella's successor is going to be worse than Steve Ballmer...), technical debt and increasing capabilities from malicious actors? Can I be sure that Microsoft is never going to lower their security standards? That they won't make any compromises that they aren't willing to do today, even, say, if they were on the verge of bankruptcy?

Granted, I have neither the budget, nor the security know-how that Microsoft does, but I'm not that big a target, either, nor do I store my data on systems that are accessible 24/7 from anywhere in the world. My passwords aren't too valuable -- for all the reasons that make me unimportant to Microsoft + a bunch of other ones (I'm not that rich, I'm not friends with any celebrity etc. etc.). The costs involved in getting access to my data remotely far outweigh any benefits -- which can't be said for Microsoft's treasure trove of personal data.


The hubris from these companies is insane.

"Just trust us, we're the Cloud™ -- what could possibly go wrong?!"

It's unfortunate the vast majority of people don't know any better and easily fall for tech companies' UX dark patterns.

Also, using a local account on Windows protects you from about 19 out of 20 critical vulnerabilities:

https://www.computerworld.com/article/3173246/94-of-microsof...


I appreciate your point, I really do, but I think that ship has sailed a long time ago. Your password to that website? If the website is popular and has some financial value, it's on the shortlist too. They're not only going after Microsoft cloud servers. Yes, a central location makes it easier to get a large dataset, but then again, penetrating some random e-commerce website is way easier than hacking Microsoft's cloud servers. Your personal data and billing info is already in tons of places, and all those places are not using the best security engineers to secure it. Your documents? Well, unless you're not sending those documents out, they're already on the cloud in some form, every time you email them to someone, or hand them on a USB drive. The network effects of this are so strong that it's simply impossible to escape any of this. Without regulation, there is little chance of reversing these worldwide trends.

>Do I trust Microsoft to safeguard my passwords, preferences and files against attacks, not just today, but over the next ten or twenty years, at a time when Windows isn't really the focus of their business anymore? I'm gonna say a pretty big no to that.

>Do I have any guarantees that, twenty years from now, Microsoft's personal data storage systems won't give way, between budget cuts, incompetent management (twenty years is a long time, maybe Satya Nadella's successor is going to be worse than Steve Ballmer...), technical debt and increasing capabilities from malicious actors? Can I be sure that Microsoft is never going to lower their security standards? That they won't make any compromises that they aren't willing to do today, even, say, if they were on the verge of bankruptcy?

Do any businesses exist that you can apply this guarantee to?


"It's too late not to want your life to be spied on, so you need to accept it whenever you see it happening to you. Otherwise you are being naive."

Is that a fair summary of your point?


Well, that's a fair criticism. But I'm saying it's like trying to avoid being kidnapped when you're already in the trunk of someone's car. Sometimes the trunk is nice and large and roomy... :)


The fact that the state of security or privacy is already bad is no reason to make it worse. Sure, "that ship" might have sailed a long time ago but that's no reason to send the rest of the fleet after it.

At one point, "the ship" of every tide that humanity has turned "had sailed". For example, there was a time when virtually every potent means of human transportation ran on heavily-polluting fuel -- and while we're by no means back to stone-age levels of environmental friendliness, we're still better off than in the 1960s.

> Do any businesses exist that you can apply this guarantee to?

No, but that's also why there is no company that I trust with a significant portion of my data over an indefinite period of time, nor with any data that I'm not comfortable sharing. (In fact, I don't trust any company that doesn't have a good retention policy -- thankfully, the GDPR makes it a little easier to filter those out now).

The value of data increases exponentially with its amount. For example, mounting a convincing ID theft based on passwords to my LinkedIn account and the local computer shop is difficult, but doable, with the right skills and the right motivation, and for reasonably simple things (e.g. impersonating me to get interesting, but not particularly sensitive data from a former colleague who still works at a former workplace). Mounting an ID theft based on all the data that Google or Microsoft store about a person is a whole different story.


Well, I'm saying that you're already trapped in the thing you're trying to avoid. I am too, everyone is. I'm not saying things will always stay the same or that we shouldn't do anything - I mentioned that we need more regulation. I'm just acknowledging that we have only a notional amount of control over our data. The data is distributed over such a large surface area and each node on that graph has a weakness to it. A large node like Google or MS will be a tough nut to crack, but a few small nodes (e.g. 150 million SSNs and other personal info from Transunion) will be far easier.

>The value of data increases exponentially with its amount. For example, mounting a convincing ID theft based on passwords to my LinkedIn account and the local computer shop is difficult, but doable, with the right skills and the right motivation, and for reasonably simple things (e.g. impersonating me to get interesting, but not particularly sensitive data from a former colleague who still works at a former workplace). Mounting an ID theft based on all the data that Google or Microsoft store about a person is a whole different story.

Right, so they would just hack Transunion and directly get SSNs and other personal info on 150 million people. Of course practically speaking, there are no 150 million "new" people who are just waiting to assume the identity of someone else.

Also as an aside if you were given the documents folders of 150 million people, you'd need a massive amount of storage space and compute power to run indexing, de-duplication and other automated tasks on all the various document formats before you can even begin mining any data from it. Though I'm sure the cost of that will come down over the next decade...


20 years ago, software that included advertisements was called adware, and it was widely considered to be a form of malware. And software that sent out telemetry without the informed opt-in consent of the user was considered spyware, another form of malware.

Windows 10 is doing both of these today, but mainstream expectations for how software should behave have severely degraded. I fear the situation will not improve unless the public can be 're-educated', but a company with the brand recognition and legacy of Microsoft participating in these practices goes a long way towards further normalizing it.


I use Windows with a Microsoft account. But none of my files are saved in their cloud.

What are you talking about? OneDrive? You don't have to use it if you don't want.

Setting? You can disable their syncing too.


So what’s the point of logging in with a Microsoft account?


Because I want to sync my settings across a few computers. And I want to install Store apps. But I am not forced to.



