Windows 10 privacy changes announced
Privacy is one of the hot topics when it comes to Microsoft's latest operating system, Windows 10. The company has been criticized for making it difficult for users to block or minimize telemetry data collection, and for not being very forthcoming about the data that it collects and how that data is being analyzed and used.
Terry Myerson, Microsoft's Executive Vice President, Windows and Devices Group, announced privacy changes coming to Windows 10 yesterday in a new blog post on the official Windows Experience blog.
In a nutshell: Microsoft will improve the privacy setup experience and privacy settings in the upcoming Windows 10 Creators Update, and it has launched a new online privacy dashboard that Microsoft customers can check out to control collected data.
Microsoft: Your Privacy
You can load https://account.microsoft.com/privacy#/ in your browser of choice to open the new "Your Privacy" page on the Microsoft Account website.
The data provided is not as extensive as that of Google's My Activity dashboard or Google's Account management page, but it is a start.
The privacy dashboard on Microsoft's website lists data from four sources currently:
- Microsoft Edge browsing data. This is only sent to Microsoft if you are logged in to Windows with a Microsoft account, and have turned on browsing history in Cortana.
- Bing search data. When you search on Bing while being logged in to the Microsoft account.
- Location information taken from Bing and Microsoft Health GPS-based activities.
- Cortana's Notebook reveals your interests.
You can clear the data directly from the privacy website. Each page lists frequently asked questions on top of that.
Myerson notes that this is only the first step, and that Microsoft will add more functionality and categories of data to the "Your Privacy" site over time.
Creators Update Privacy Changes
Microsoft plans to simplify privacy settings and improve how privacy settings are presented to Windows users in the Windows 10 Creators Update.
One of the core changes is that Microsoft will reduce the number of diagnostic data collection levels from three to two. The Enhanced level will be removed, so that only Basic and Full are available (and Security in some versions).
Windows customers who have selected Enhanced will be asked to pick Basic or Full after the upgrade to the Creators Update.
Microsoft furthermore announced that it will reduce the data collection of the Basic level. Myerson did not reveal what Microsoft intends to change in this regard, though.
The company plans to improve the "privacy settings" experience for users as well. One part of this is a new privacy setup dialog that provides you with information on privacy settings.
Information includes the impact of turning off a privacy setting.
It remains to be seen how effective those privacy changes are in convincing Windows users that they are in control of their privacy.
While some will certainly welcome these changes, it is clear that they are not as far reaching as privacy advocates would like them to be. There is still no clear option to block all data collection and sending of data to Microsoft, and the information provided in some areas is not as complete as users may want it to be.
Now You: What is your take on the announced changes?
It’s a matter of trust and personally I don’t trust any company with my personal data, I take steps to minimise my “digital footprint” and one of those steps is to not use software that has extensive data gathering capabilities irregardless of whether that can be turned off, if I don’t trust a company with my personal data I’m not going to trust them to honor a setting, much simpler to just not use software with data gathering built into it.
You can sniff or block traffic with tools not pertaining to the company you don’t trust, so you can actually check yourself that the opt-outs provided are honoured.
It’s not about trust in that case. Trust comes in when you *have to* let traffic pass, but can’t examine it because it’s scrambled, encrypted, too obscure, or the IP is from a CDN that could belong to anyone.
E.g. I use Firefox, which by default sends some data to Mozilla, because I know for sure that their opt-outs are 100% functional. Not because I trust Mozilla. (Which as a result, I do, but only on a psychological level, materially I won’t stop checking that opt-outs work update after update, especially since I can do so with just one click and a glance, takes 3 seconds tops.)
I call that lucidity. Very good. I entirely agree. Facts don’t lie. Ignorance triggers initial reactions which can blind for the best as for the worse. Don’t take idealism nor cynicism as a guide but check, verify, compare.
The traffic you intend to sniff will be encrypted for your own security, possibly with pinned certificates, so how do you know what information is transmitted?
@Sashimi, Blocking or sniffing packets will do nothing to ensure opt-outs are honored, that’s unless you plan on doing that 24×7 365, what with any traffic presumably being encrypted there’s no way for you to distinguish between legitimate data and erroneous data, basically there’s no way to know what a packet contains.
So ultimately it does come down to trust as we, in the collective sense, have to take companies on their word when they say an opt-out does what it says, and to that end I’d prefer not to use software that contains extensive data gathering capabilities.
Case mentioned in second paragraph above. That’s under the circumstances where trust is involved.
Blocking of course works regardless of whether or not opt outs are honoured. Sniffing is the attempt to check whether that program you allow does what you allow it to. In Firefox’s case, it’s loading websites. If it does something else, I sure as hell will know. You can log Firefox’s traffic whenever internet access is on, and see that it never phones home if you opted out according to Mozilla’s guide. That’s what I do. With Windows it’s even easier, you don’t have to filter traffic, you just block everything, no trust involved.
Some programs like Unity require phoning home to do what you want them to do. Those are more annoying to deal with. I avoid them unless I really need something and it can’t be obtained through downloading a resource with the browser and using it offline. (You can do that with Windows updates)
So as I said, only programs like Unity require trust. Windows itself does not, use it and block it, because it is known that opting out completely is tricky if at all possible. Firefox doesn’t require trust either but that’s because it can be proven that opt outs work 100%.
@Sashimi, Also I forgot to say that blocking is only going to work if done via an external device as Microsoft have hard coded some DNS lookups into the DLLs of Windows for many years.
It doesn’t matter if you change DNS lookups because you don’t allow programs access to the web in the first place. Windows would have to hijack Firefox, which has been allowed network access, or defeat your firewall app. Something that will be spotted by the community for sure.
@Sashimi, I had submitted another reply but it seems to have vanished in the ether, never mind.
We’re not talking about a single program like FF though are we, we’re talking about software with extensive data gathering capabilities.
Which OS would be left to use? Recently I installed a Linux distro and was asked to provide my social media credentials during first login….arghh
Just stay away from technology. Seems you can’t handle it.
So… what happens with Local accounts? It’s quite the oxymoron if these settings require a Microsoft account to actually work on Windows 10.
Also, the fact that they say they are going to give you the option of disabling data collection doesn’t mean they will actually do so. I wonder if it makes any difference to have a Microsoft account to disable this, ’cause who knows what they will still secretly collect?
True. It’s very easy for Microsoft to implement “settings and buttons” that do absolutely nothing more than trick the user to believe he/she is in control. Windows 10 completely destroyed my trust in Redmond, so I don’t believe anything they say anymore. In fact, I think most of the settings a user can tweak, regarding telemetry and privacy, are fake buttons that do nothing.
What Bobo said. You pretty much have to look at 3rd party hacks and not rely on anything M$ says and presents with their pretty sliders GUI and all.
Even if those sliders were to do what M$ says they’ll do, who’s to say they won’t be turned back on in a later update and you not knowing it.
Still no independent third-party audit of exactly what data is stolen, where it stored and who has access to it, for how long.
too little, too late
What is my take on Microsoft’s announced changes concerning Windows10 privacy? I’d have to be a Windows10 user, I’d have to experience myself what so many who actually run Windows10 are complaining about to consider my state of mind as legitimate. How to explain that it is because I don’t trust Windows10 that I don’t use it? Should I mention that Windows10 led me to ask myself what Windows7 itself could possibly include in terms of privacy violations and that many issues appeared (which I fixed) when, without Windows10, I’d never have suspected them? Am I entitled from there on to wonder if intrusion and tracking is not in the very core of Microsoft’s policy, whatever OS and that the planetary preoccupations are now so considerable only because Microsoft crossed a border-line?
I do not trust Microsoft anymore and in my belief announced changes are to be put on the account of commercial communication only. I don’t consider a relationship with a person or an entity in whom I have no confidence as finished, as over; but I act accordingly, sleeping with an open eye, always, with such oddities.
Some people will see that as a step in a good direction but to me it’s a smokescreen, an overused technique in “politics”: You have opponents who have valid arguments and are strong enough to make their case. To shut them up, there’s nothing more efficient than giving them the appearance of what they want, the most minimalistic concession presented in such a way that it looks the most agreeable to your opponents’ interests. They end up weakened even if they see through it, and are much less able to make a case for further concessions because you now have the upper hand and took the wind out of their sails for a while.
Facebook and Google have had that for a while too. Who’s going to say these companies are privacy friendly ?
Microsoft will only regain trust if they provide the ability to COMPLETELY disable all home phoning period, should users decide to do so. Then people can sniff out traffic and see for themselves that it’s true.
Acting, pretending sounds like a warrior’s tactic. I’m not sure the war scheme is the correct analogy and guide, at least not on the long-term. On the immediate and short-term I’ll have to defend myself but, ultimately, societies as well as relationships don’t really progress, IMO, with cheating and hiding. We strive for truth, we may have different vision of it, no one holds it and therefore dialog is imperative. Even with those, especially with those, companies included, who may be deeply convinced that their truth is universal and invariable, not to consider it might very well be, in coherence with above mentioned. I don’t believe intrusion, tracking, spying is correct but if I use these words my opponent might refer to security. We need dialog, always. No other way.
Two points you made:
“On the immediate and short-term I’ll have to defend myself but, ultimately, societies as well as relationships don’t really progress, IMO, with cheating and hiding.”
Nonsense. That only works if there’s a level playing field here and there is no level playing field here. We are no longer the end user, we are the end product.
“I don’t believe intrusion, tracking, spying is correct but if I use these words my opponent might refer to security.”
Of course. That patronizing excuse M$ uses all the time to justify the spying going on. Of course with the ads being added to the OS, we know that’s a load of nonsense. That there’s a bigger picture other than “security” going on here. And it doesn’t take wearing a tin foil hat to see it, either.
@WWW, describing my comment as nonsense perhaps reveals that even on a playing field with rules such as a blog intransigence would apply. Does this mean that the argument of the absence of rules is more a pretext than a reason?
Conflict, war starts with my neighbor. I’ve never had the “Peace, brother” mentality but I do believe that objectivity has to prevail and that there is no objectivity with revolutionary references, with a binary view of others, of the world, of the Good and the Bad. We only lose time. I believe there is no other way than to try to understand — understand doesn’t mean to agree — all parties, as well as to never block a relationship. We can forget the ethics, even if it’ll take more time, but intelligence itself will get or be brought to the point of understanding that an open mind is the only alternative.
Understanding, trying to understand an opponent is essential, should I say even from your perspective which I understand as a non-negotiable vision of relationships in a given situation (remains to know its exact perimeter: when does “clash” apply?). Yasser Arafat has lived several years in Cairo and many years later, when he would be asked “But why, when you lived in Cairo, did you attend regularly the synagogue’s services?”, Yasser answered “To better understand ‘them'” — You see, whether your aim is to find a ground of dialog or simply to beat your opponent, the first step of trying to understand him is inevitable.
I’ll be frank : my very first reactions when facing what I consider as injustice is comparable to yours, I’ve often in the past shown signs of exasperation but, with time, I believe that I have to make the effort of bypassing this first reaction in order to participate to the long odyssey of intelligence (together with ethics, IMO) which is fundamentally destined to peace and not war. Also, if I wish and expect that from others I could not avoid it for myself. It’s not always easy.
Sorry Tom, but this really isn’t the place for philosophical discussions. It doesn’t take a rocket scientist to see what M$ is up to. I understand it perfectly.
The rest of what you’re trying to say has no bearing on what’s being said here by others, beyond those two earlier nonsensical points I responded to. Unless this is your way of being an apologist for them.
The way things are going with Microsoft slowly, very very very slowly and ever so slightly, start listening to the users wants and needs, Windows 10 will PERHAPS be a somewhat usable OS in five years or so. Right now it’s a potato.
They will probably reset all of our privacy tweaks when they release this update (back to default, full on), under the justification that they had to do so to offer this “improved” version.
Online controls for edge? WTF lol, bring back the proper offline controls:
You still can’t shut it all off, completely. This is not a change, at least not a meaningful one.
PS, for anyone who is forced to use Windows 10, but who does not want to, e.g. in a corporate environment, I made a nice G-rated wallpaper that you can use, in the style of the “Scroogled mug” which was a product that Microsoft was actually formerly selling, back when they were bashing Google for engaging in these business practices. Not wanting to let Microsoft bury the past, I decided to create this!
BTW, for a demonstration of Microsoft’s former campaign: https://www.youtube.com/watch?v=iI1ominSL_c
I have W10 in a VM and I use this wallpaper for it (:
I think it suits it better than the default one.
You THINK it’s improved, but actually that’s a smokescreen. Currently Win10 has 4 privacy settings.
– Security sends basically nothing, but is only available in Win10 Enterprise and Education versions. They won’t let you use it on Pro or Home.
– Basic sends MS a bunch of stuff including every app you run, and is the minimum telemetry you can set on Win10 Home and Pro. Basic is slightly less intrusive in the Creator’s Update, but still unacceptable to me personally.
– Enhanced is the default today, and sends more than basic, including memory dumps, networking, and file activity on your computer but not the files themselves.
– Full sends full crash dumps that may include files from your computer, and can send your registry settings as well, which often contain private information.
OK. The change Microsoft is hiding here is this– in the Creator’s Update, the default telemetry level will be FULL. Unless you change it, MS gets _everything_.
So if you’re concerned about your privacy, you’ll set it to Basic, same as today. Or if you’re computer-savvy like many people reading this website you’ll run Shutup10 and turn telemetry off entirely.
But the vast majority of people will stick to the default and expose vastly more of their private information to MS than today.
@Jolle K, “So if you’re concerned about your privacy” :- you wouldn’t be using Windows 10.
It’s a bit like someone saying they’re concerned about catching an STI so they wear a rubber when in fact if they were that worried they wouldn’t sleep around. ;)
Beware of imitations, always choose French rubbers, the only, the authentic protection, pleasure dome guaranteed.
This is off-topic, I beg your pardon. As a Frenchman I just couldn’t miss that one, even if in France we call ’em English (rubbers) :)
Please carry on.
You sure you’re not from Canada and holding your world map the wrong way ? The French should call those préservatifs or capotes, not rubbers…
I would have switched to OSX over this myself, actually, if I wasn’t a gamer. That’s the only reason I still use Windows.
” ‘So if you’re concerned about your privacy’ :- you wouldn’t be using Windows 10. ”
Or you would block it. I definitely wouldn’t trust Microsoft opt outs at this point, even with all the system changes gathered in comprehensive tools like Shutup10 I wouldn’t be comfortable. Things are too easily missed, and updates can change stuff unexpectedly.
Learn to use firewalls guys. Firewalls. No way around that if you want to consider your device to be a safe harbour for your data. [Malware and hacking aside]
You’ve got the point checked, Charly :) Indeed in French the word is “capote anglaise” or “English rubber” once translated. But as a United Nations interpreter once told me, the correct translation is “French rubbers”. In other words you’d buy them as French in UK (for instance) and use them as English in France. Life is sometimes so complicated!
Looks like nobody wants to take responsibility for this invention.
Condoms should become IoT.
“You failed getting HIV 3 times this month, congratulations. Your partners weren’t very much in the mood 45% of the time according to moisture analysis. Your fertility is 10% below average and your offspring would have a 30% chance to be retards. Thank you for using Durex.”
Addiction is a terrible thing, but there are means for liberation. Tobacco, alcohol, sex … best way is to stop progressively…
— What’s for your service, sir?
— ‘condom, please …
— Box of 20, 30?
— Just one ..
— I’m trying to stop.
Well, it’s supposed to be funny.
And I would add: use an external firewall appliance of some sorts, not a software fw (and certainly not the built-in MS firewall) on the machine(s) to be firewalled. Some routers have good built-in firewalls. An old PC with a P4 or Celeron processor, with 2 network cards and a Linux fw app, can also do good firewall duty. Another good reason to do this: all your networked machines are protected.
But of course, for Joe and Jane at home, they won’t, or can’t, do this sort of setup.
@John in Mtl, maybe you could point “Joe and Jane at home” to a good guide that you would recommend in order to do this. Yes?
Yes, if you can’t trust Windows not to phone home, then you definitely can’t trust it not to bypass inbuilt or software firewalls. An external firewall box is the only way to be truly safe, but the quality and ease of use of the interface to those (all running variants of Unix/Linux) may vary.
Ars Technica did an excellent comparison of options recently, from off-the-shelf to self-build (“homebrew”) units: http://arstechnica.com/gadgets/2016/09/the-router-rumble-ars-diy-build-faces-better-tests-tougher-competition/ – from that and the excellent comments on the article, the name Mikrotik stands out as a clear brand winner for cheap dedicated units for most of us (their hEX or hAP series) if you’re prepared to learn how to configure their RouterOS.
@Win7forlife, that takes care of the hardware. Now how to configure?
Well it might be a step in the good direction, at the very least it shows that they’ve heard the complaints. But this should have been in there from the very first alpha version.
but on the other hand if you don’t allow telemetry MS gives reports that 100% of their users are using the ribbon and like it.
coz only those who adore MS had all telemetry open. those who disliked it have telemetry shut down.
Statisticians have ways to clean up such skews in data. It’s not a problem that a portion of such a huge user base disables “telemetry”. (Let’s just call it computer usage tracking, we’re making them quite a favour using the term that some tech companies coined to minimise customer backlash.)
@ Tom Hawack ( good joke ) & picky picky ( IoT condom !? ).
I suppose that an IoT condom is a sign of things to come ?
Best off topic posts I’ve read for a long time :))
Once condoms become part of the IoT and they start sending back telemetry on my whereabouts and who I’m with then I’ll know we’re in really big trouble.
Somehow, many people only get that mass surveillance is a threat when you make up sex scenarii.
Did you know that over at the NSA offices, it is a common distraction for some employees to share nude pictures or videos of innocent people that have been caught in the spyweb ? Then they make comments, laugh blissfully, and live happily ever after. Edward Snowden anecdote.
@Picky picky, they laugh until one of them recognizes his wife/her husband, especially in the arms of a Russian spy. lol.
This really is amazing. I use Win10Privacy to hack/obstruct what I can of Microsoft’s knack for info obtains.
I realised, after an MS update in September 16, that I had problems with connecting to my VPN provider AND my Microsoft Wireless Display Adapter.
Subsequently I found out that some of the firewall blockings in Win10Privacy was the cause.
I then wrote to Win10Privacy; This is the answer:
“W10Privacy blocks nearly 11.000 ip addresses.
I don’t have the time to determine which ip address blocks which microsoft service.
Microsoft does not communicate such information, so there is no other way than either using the blocking rules and taking the disadvantages or trial and error.”
I doubt Apple or Google are any better
You can fix all of this. It takes some time setting up everything, let’s say a day when you’re clueless about such things.
1/ Install a proper firewall software that can block absolutely all types of network requests, regardless of protocol, originating process or low level system shit.
2/ Block everything
3/ Allow only what you want.
Typically the system only needs 3 rules, all for svchost.exe: DNS requests to DNS servers, and to use WiFi a couple rules for Bootstrap Protocol through the local network. You can also add one rule for Network Time Protocol if you want to get time synchronisation.
From then on you only need to allow outbound traffic to the apps you actually want to let through. If you don’t want Microsoft apps to phone home, don’t allow their processes. Since everything is blocked, only what you allow can go through.
Then you can disable Win10Privacy IP blocklist, since I assume it is targeted at preventing Microsoft apps from phoning home. A blocklist is useful if you want to let some Microsoft apps go through, but minimize leakage.
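
The block-everything-then-allow setup described in the comment above, sketched as an added example that is not part of the original comment or of any tool named in the thread. It assumes the built-in Windows firewall cmdlets stand in for the unnamed firewall software; the resolver and time-server addresses, the rule group name and the Firefox path are placeholders to replace.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell.
# Assumption: the built-in firewall stands in for the unnamed firewall product.
$Group      = 'Default-deny baseline (example)'   # hypothetical rule group name
$Svchost    = "$env:SystemRoot\System32\svchost.exe"
$DnsServers = @('192.0.2.53')                      # placeholder: your resolver(s)
$NtpServers = @('192.0.2.123')                     # placeholder: your time server(s)
$Backup     = "$env:USERPROFILE\fw-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"

# Save the current policy first; "netsh advfirewall import <file>" restores it.
netsh advfirewall export $Backup | Out-Null

# Step 2: block everything. Outbound traffic without a matching allow rule is
# dropped, and drops are logged so the result can be reviewed afterwards.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block -LogBlocked True

# The stock rule set already lets many Windows components out. Disable those
# rules so that only the allow rules created below remain in effect.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Group -ne $Group } |
    Disable-NetFirewallRule

# Step 3: allow only what you want. These are the three svchost.exe rules the
# comment lists; -Service narrows each one to a single hosted service.
$common = @{
    Direction = 'Outbound'
    Action    = 'Allow'
    Program   = $Svchost
    Protocol  = 'UDP'
    Group     = $Group
}
New-NetFirewallRule @common -DisplayName 'DNS to chosen resolvers' `
    -Service Dnscache -RemotePort 53 -RemoteAddress $DnsServers | Out-Null
New-NetFirewallRule @common -DisplayName 'DHCP (Bootstrap Protocol)' `
    -Service Dhcp -LocalPort 68 -RemotePort 67 | Out-Null
New-NetFirewallRule @common -DisplayName 'NTP time sync (optional)' `
    -Service W32Time -RemotePort 123 -RemoteAddress $NtpServers | Out-Null

# Per-application allow rule. The Firefox install path is an assumption.
New-NetFirewallRule -DisplayName 'Firefox web traffic' -Group $Group `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 `
    -Program "$env:ProgramFiles\Mozilla Firefox\firefox.exe" | Out-Null

# Review the outcome: default action per profile and the active allow rules.
Get-NetFirewallProfile | Format-Table Name, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Format-Table DisplayName, Group
```

Blocked connections are written to the firewall log (by default `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`), which shows what the system tried to reach after the policy was applied.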