Windows 10: Privacy nightmare
July 29 - the big Windows 10 release day. Rather than trying an unreliable workaround that was making the rounds, I followed RiotShielder's advice and downloaded an ISO from Microsoft, installing over a Windows 8.1 virtual machine (because you must upgrade your existing Windows OS to get a valid Windows 10 key before doing a clean install* (recover the key with Nir's ProduKey (actually, it looks like you needn't bother†))).
When installation completes, be sure to click the tiny "Customize" link on the "Get going fast" screen; you may (not) be surprised at how invasive Microsoft has become. Here's a taste (these are all enabled by default):
- "Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft."
- "Send typing and inking data to Microsoft to improve the recognition and suggestion platform."
- "Use page prediction to improve reading, speed up browsing, and make your overall experience better in Windows browsers. Your browsing data will be sent to Microsoft."
- "Automatically connect to suggested open hotspots. Not all networks are secure."
- "Automatically connect to networks shared by your contacts."
- "Send error and diagnostic information to Microsoft." (The toggle switch to enable or disable was hidden below the screen; a near-invisible scroll bar was required to view it.)
The fifth item apparently refers to Wi-Fi (Non)Sense, which Claus covered in some detail.
Much more about the mounting privacy problems in Windows 10 from Heini Järvinen:
By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example "web browser history, favorites, and websites you have open" as well as "saved app, website, mobile hotspot, and Wi-Fi network names and passwords". Users can however deactivate this transfer to the Microsoft servers by changing their settings.
More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device. This advertising ID can be used by third parties, such as app developers and advertising networks for profiling purposes.
Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account.
Microsoft’s updated terms also state that they collect basic information "from you and your devices", including for example "app use data for apps that run on Windows" and "data about the networks you connect to."
Users who chose to enable Microsoft’s personal assistant software "Cortana" have to live with the following invasion of their privacy: "To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more." But this is not all, as this piece of software also analyses undefined "speech data": "we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."
But Microsoft’s updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis as the company warns:
"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to", for example, "protect their customers" or "enforce the terms governing the use of the services".
At the very least, be sure to create a local account and customize the privacy settings after installation. Better yet, migrate to a truly free operating system; Richard Stallman was right all along.
UPDATE: Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped
UPDATE: Not content to spy on just Windows 10 users, Microsoft is retrofitting Windows 7, 8, and 8.1 with Telemetry and more. In response, /u/spexdi has assembled a script which roots out and blocks this newfound spyware: MTRT - Microsoft Telemetry Removal Tool (download).
* /u/justmoa kindly shared an alternative approach:
- Copy \source\gatherosstate.exe from the Windows 10 ISO image to the Desktop (or any writable directory) of an activated Windows 7, 8, or 8.1 system
- Run gatherosstate.exe; it will create GenuineTicket.xml in the same directory
- Copy GenuineTicket.xml to some external storage device
- You can now perform a clean install of Windows 10 (click "Do this later" when prompted to enter a product key)
- When the install is complete, copy GenuineTicket.xml to C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\ and reboot
† As usual, Microsoft's licensing policies are as clear as mud:
- From meatwad75892's comment: "[I]f you get on Win10 via this free upgrade from 7/8.x, a unique machine ID for your system is sent to Microsoft. The upgraded Win10 winds up on a generic product key. That generic key activates your OS depending on if your machine ID is in Microsoft's database or not. So as long as you don't change a motherboard or anything that would effectively change that unique ID MS has on your machine, you could pop in a new drive, clean install Windows 10 while skipping entering keys (thus leaving it with its generic setup key), and you'll wind up on an activated Win10 provided that the machine had gone through the free upgrade process in the past (between July 29 2015 - July 29 2016, that is). I've done this several times over between personal machines, test machines at work, some Hyper-V guests, and family machines. It works quite wonderfully and is no-fuss."
- From coolbho3k's post: "EDIT 5: The popular theory online seems to be that as long as your hardware was legitimately updated to 10240 from an activated version of Windows 7, 8, 8.1, or 10 Preview, you will have an activated Windows 10 RTM. Even if your 10 Preview wasn't an upgrade from 7, 8, or 8.1 and even if you disable Insider builds: this is contrary to what Microsoft said. After you successfully complete an upgrade, Microsoft will have your HWID stored in their activation servers you can just skip product key entry during clean installation later (you'll automatically be activated under the generic key). EDIT 4: It is a generic key. For Pro, it's VK7JG-NPHTM-C97JM-9MPGT-3V66T, thanks /u/plectid. Seems like it will activate any computer that is marked in Microsoft's system as having been upgraded. So if you upgraded from Win 7/8/8.1 Pro to Windows Insider Preview Pro and you want to clean install RTM, it should be safe to use the ISO posted in the other thread and this key to activate. Still don't know the behavior on Insider systems that didn't upgrade from 7/8/8.1."
- See Susan Bradley's Sorting through the changes in Windows licensing for further elucidation.
- UPDATE: Next big Windows 10 release will ease activation hassles: "The latest preview release of Windows 10 includes the first glimpse of a new feature designed to eliminate one specific activation headache. When this change rolls out to the general public next month, you'll be able to use your Windows 7 or 8.1 product key to complete a Windows 10 upgrade."
/windows | Jul 29, 2015