tinyapps.org / blog


Windows 10: Privacy nightmare #

July 29 - the big Windows 10 release day. Rather than trying an unreliable workaround that was making the rounds, I followed RiotShielder's advice and downloaded an ISO from Microsoft, installing over a Windows 8.1 virtual machine (because you must upgrade your existing Windows OS to get a valid Windows 10 key before doing a clean install* (recover the key with Nir's ProduKey (actually, it looks like you needn't bother))).

When installation completes, be sure to click the tiny "Customize" link on the "Get going fast" screen; you may (not) be surprised at how invasive Microsoft has become. Here's a taste (these are all enabled by default):

  1. "Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft."
  2. "Send typing and inking data to Microsoft to improve the recognition and suggestion platform."
  3. "Use page prediction to improve reading, speed up browsing, and make your overall experience better in Windows browsers. Your browsing data will be sent to Microsoft."
  4. "Automatically connect to suggested open hotspots. Not all networks are secure."
  5. "Automatically connect to networks shared by your contacts."
  6. "Send error and diagnostic information to Microsoft." (The toggle switch to enable or disable was hidden below the screen; a near-invisible scroll bar was required to view it.)

Number five apparently refers to Wi-Fi (Non)Sense, which Claus covered in some detail.

Much more about the mounting privacy problems in Windows 10 from Heini Järvinen:

By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example "web browser history, favorites, and websites you have open" as well as "saved app, website, mobile hotspot, and Wi-Fi network names and passwords". Users can however deactivate this transfer to the Microsoft servers by changing their settings.

More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device. This advertising ID can be used by third parties, such as app developers and advertising networks for profiling purposes.

Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account.

Microsoft’s updated terms also state that they collect basic information "from you and your devices, including for example "app use data for apps that run on Windows" and "data about the networks you connect to."

Users who chose to enable Microsoft’s personal assistant software "Cortana" have to live with the following invasion to their privacy: "To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more." But this is not all, as this piece of software also analyses undefined "speech data": "we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."

But Microsoft’s updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis as the company warns:

"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to", for example, "protect their customers" or "enforce the terms governing the use of the services".

At the very least, be sure to create a local account and customize the privacy settings after installation. Better yet, migrate to a truly free operating system; Richard Stallman was right all along. UPDATE: Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped

UPDATE: Not content to spy on just Windows 10 users, Microsoft is retrofitting Windows 7, 8, and 8.1 with Telemetry and more. In response, /u/spexdi has assembled a script which roots out and blocks this newfound spyware: MTRT - Microsoft Telemetry Removal Tool (download).


* /u/justmoa kindly shared an alternative approach:

  1. Copy \source\gatherosstate.exe from the Windows 10 ISO image to the Desktop (or any writable directory) of an activated Windows 7, 8, or 8.1 system
  2. Run gatherosstate.exe; it will create GenuineTicket.xml in the same directory
  3. Copy GenuineTicket.xml to some external storage device
  4. You can now perform a clean install of Windows 10 (click "Do this later" when prompted to enter a product key)
  5. When the install is complete, copy GenuineTicket.xml to C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\ and reboot

As usual, Microsoft's licensing policies are as clear as mud:

/windows | Jul 29, 2015


Subscribe or visit the archives