The truth about Windows 7 and 8.1 'spy patches' KB 3068708, 3022345, 3075249, 3080149

The patches are opt-in, easily turned off, and part of a long-established campaign of gathering data under the CEIP


Conspiracy theories are gaining steam as accusations about Microsoft "spy patches" heat up. But a much larger part of the story may sound familiar to any experienced Windows or Office user.

The tinfoil ball started rolling on Aug. 24, when Sergey Tkachenko at Winaero.com published an incendiary discovery: Four recent Windows 7 and 8.1 patches -- KB 3022345, 3068708, 3075249, and 3080149 -- were sending a potful of data to Microsoft's servers. In at least one case, the spying patches transmit data through hard-coded servers, bypassing the Hosts file and making it even harder to block their activity. On Aug. 28, Martin Brinkmann at ghacks.net posted a follow-up that confirmed several details.

What Tkachenko and Brinkmann revealed is, quite literally, true -- though many on the Windows beat have dismissed their claims as overblown or bordering on irrational. Others, including several widely read mainstream publications, have pointed to their statements and claimed or implied that the Windows 10 privacy-busting "disease" has been thrust onto Win7 and Win8.1 customers.

It's so bad that I'm deluged with emails and phone calls from readers, friends, neighbors, and family members, all asking if they should apply updates to Windows 7 and 8.1 because of the "spy programs." They're genuinely concerned -- and they should be.

Has Microsoft started running spy sorties on Windows 7 and 8.1 systems? Judging from the headlines, it seems a foregone conclusion, but the facts are a little less clickbait-worthy.

Bogdan Popa at Softpedia received an official statement from Microsoft last week. He quotes it as saying:

This KB (3080149) was posted in May related to updates to the diagnostics service for Windows 7 & 8.1 systems that participate in the Customer Experience Improvement Program (CEIP), which is an opt-in, optional program… Our use of CEIP data to help improve and diagnose Windows 7 and 8.1 products has not changed from what is described in the privacy statements for those versions of the operating system. For Windows 8.1, CEIP is described in the Feature Supplement in the 'Windows Customer Experience Improvement Program' section.

Popa goes on to say that "according to Microsoft, [the four patches are] part of the Customer Experience Improvement Program and are only offered as optional downloads to users participating in this initiative."

Those statements confused me because they don't quite jibe with the way Microsoft usually works -- before or after Windows 10. So I went back to Microsoft and got official confirmation.

To understand where all of this is coming from, you have to know about the CEIP. Long ago, Microsoft started two separate CEIP programs, one for Windows XP and one for Office XP. Since then there have been CEIP programs instituted for several other products, including Windows Media Player, Live Messenger, Defender, and others. They are, and always have been, focused on collecting data about what you do and how you do it. Does this consist of spying or keylogging? Not really -- depending on how you define those terms -- but telemetry, yes.

The WMP snooper was sending Media Player usage data -- lists of songs and videos -- to Mother Microsoft a decade before Groove Music was a gleam in any WinRT developer's eye. Heaven only knows what data the Windows Live Messenger snooper sent.

CEIP is definitely not designed to dish up personalized ads. It isn't there to swipe your passwords or reconstruct Ed Snowden's files. It's there to help Microsoft decide what's working and what isn't so that it can design improvements people can use and maybe help determine how to fix the stuff that's broken.

Every version of Windows since XP (and I believe, but can't immediately confirm, every version of Office since XP) has enabled CEIP by default. When you install Windows and/or Office, if you take the installation defaults, CEIP is turned on. If you've read any of my Windows books, going back to Windows XP, you know I've warned people for years that they should turn off CEIP. As far as I'm concerned, Microsoft gets enough telemetry without adding your information to the mix.

What does CEIP have to do with the four "spying patches"? Good question.

  • KB 3022345, since replaced by KB 3068708, says, "By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded." That looks like a lightning bolt to any tinfoil hat. Read further, though, and Microsoft says the patch "collects diagnostics about functional issues on Windows systems that participate in the Customer Experience Improvement Program," which is a horse of a very different color.
  • KB 3075249, however, doesn't mention anything about CEIP. It's billed as an update that "adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels."
  • The final patch of the bunch, KB 3080149, also mentions CEIP in much the same terms as KB 3022345.

Which brings us back to Popa's comment about how the patches are offered. At this point, all four patches are optional -- which means they're unchecked in Windows Update. You can install them if you specifically seek them out, check the install box, then run Windows Update -- an activity I recommend only to those who love to watch their foot being shot.

The CEIP status on a machine doesn't make any difference in how the patches are offered. Here's what a Microsoft spokesperson told me:

Windows updates KB3068708, KB3022345, KB3075249, and KB3080149 are all either optional or suggested updates regardless of if the customer is opted in to the Windows CEIP or not. If you are not opted into the Windows CEIP, the functionality of diagnostic services within each update is regulated accordingly.

That confirms what I would expect: These four patches change the kind of data collected by CEIP, but you have to manually install them. Believe me, if you've installed all optional Windows patches, you have much worse problems than CEIP.

What about turning them off? In response to my question, "If a customer receives KB3068708, KB3022345, KB3075249, and/or KB3080149, and turns CEIP off, will that prevent all of the associated programs in the KBs from sending info to Microsoft?" the Microsoft spokesperson responded:

Yes, if the customer receives updates KB3068708, KB3022345, KB3075249, and/or KB3080149, but chooses not to participate in the Windows CEIP, the related Windows telemetry will not be sent to Microsoft.

That, too, is exactly what I would expect, having worked with/around CEIP for a decade or so.

Can I prove, definitively, that what the Microsoft spokesperson avers is in fact true? No, I can't. But I see no reason to doubt the statements. They're certainly in keeping with all I've learned about CEIP, and they mesh with both the Microsoft corporate structure surrounding CEIP and Microsoft's long history with telemetry.

So the next time somebody sends you an article that says "The Windows 10 spying stuff is going to Windows 7 and 8.1," you can counter with a few facts, instead of a lot of hand-wringing. There are two old-timer lessons to take away from all this, which I've repeated indefatigably since the arrival of XP:

  1. Don't click to install optional updates
  2. Turn off CEIP

Turning off CEIP in Windows XP, Vista, 7, and 8.1 is not easy.

In XP and Vista, click Start > Control Panel > System and Maintenance > Problem Reports and Solutions. On the left at the bottom, click Customer Experience Improvement Program Settings. In the resulting dialog box, check "I don't want to join the program at this time" and click OK.

In Win7, type "Experience" in the Start menu search bar; in Windows 8.1, type "Experience" on the Metro Start screen. In either case, click on Change Customer Experience Improvement Program Settings. In the resulting dialog box, check "No, I don't want to participate in the program," then click Save Changes.
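The two lessons above (don't install the optional patches, turn off CEIP) can be checked from the command line rather than by clicking through dialogs. The script below is an added example, not code from the article or from Microsoft: it reports which of the four KBs discussed above are installed, reads the machine-wide CEIP opt-in value, and, with `-Enforce`, pins the opt-out through the policy key that the "Turn off Windows Customer Experience Improvement Program" Group Policy writes. The KB numbers come from the article; the two SQMClient registry paths are the standard locations, but the meaning of an absent `CEIPEnable` value is an assumption (the script reports it as "absent" and only treats an explicit 0 as opted out), so confirm against the Control Panel dialog described above.

```powershell
# Added example (not from the InfoWorld article): audit a Windows 7/8.1 machine
# for the four optional KBs and the machine-wide CEIP state, and optionally
# enforce the opt-out by policy. Run from an elevated PowerShell prompt.
param([switch]$Enforce)   # -Enforce writes the policy opt-out; default is read-only

# KB numbers are the four patches named in the article.
$Kbs = 'KB3022345', 'KB3068708', 'KB3075249', 'KB3080149'

# 1. Which of the four optional patches are actually installed?
$installed = Get-HotFix -Id $Kbs -ErrorAction SilentlyContinue |
             Select-Object HotFixID, InstalledOn
foreach ($kb in $Kbs) {
    $hit = $installed | Where-Object { $_.HotFixID -eq $kb }
    if ($hit) { "{0,-10} INSTALLED on {1}" -f $kb, $hit.InstalledOn }
    else      { "{0,-10} not installed"    -f $kb }
}

# 2. CEIP opt-in state. CEIPEnable = 1 means the machine participates, 0 means
#    it does not. A value under the Policies key overrides the plain setting.
#    Paths are the standard SQMClient locations (assumed to match your build).
$settingKey = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'

function Get-CeipValue($path) {
    $item = Get-ItemProperty -Path $path -Name CEIPEnable -ErrorAction SilentlyContinue
    if ($item) { $item.CEIPEnable } else { $null }   # $null = value not present
}

$settingVal = Get-CeipValue $settingKey
$policyVal  = Get-CeipValue $policyKey
"CEIPEnable (setting): {0}" -f $(if ($settingVal -eq $null) { 'absent' } else { $settingVal })
"CEIPEnable (policy):  {0}" -f $(if ($policyVal  -eq $null) { 'absent' } else { $policyVal })

# Only an explicit 0 counts as opted out here; an absent value is reported above
# and should be cross-checked in the Control Panel dialog (assumption).
$optedOut = ($policyVal -eq 0) -or (($policyVal -eq $null) -and ($settingVal -eq 0))
"Machine opted out of CEIP: {0}" -f $optedOut

# 3. Optional enforcement: same effect as choosing 'No, I don't want to
#    participate' in the dialog, but set by policy so it is not flipped back.
if ($Enforce -and -not $optedOut) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name CEIPEnable -PropertyType DWord -Value 0 -Force | Out-Null
    "CEIP opt-out written to the policy key."
}
```

Save it as, say, `Check-Ceip.ps1`; run it with no arguments to audit, and with `-Enforce` to write the opt-out. Per Microsoft's statement quoted above, a machine that is not opted into CEIP does not send the telemetry these four updates collect, so the policy value is the single switch worth watching in a fleet. If you would rather not have a patch on the box at all, `wusa.exe /uninstall /kb:3068708` (substituting the KB number) is the standard Windows Update Standalone Installer syntax for removing it.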

Turn off CEIP in Office 2010 (desktop) and later by starting an Office program, clicking File > Options > Trust Center, clicking the button marked Trust Center Settings, choosing Privacy Options, and unchecking the box marked "Sign up for the Customer Experience Improvement Program" or (depending on version) "Send us information about your use and performance of Office software to help improve your Microsoft experience."

If you're using Microsoft Security Essentials, bring up MSE (icon in the system tray), click Help > Customer Experience Improvement Program and check "I don't want to join the Customer Experience Improvement Program."

If you're using Windows Media Player, switch to VLC Media Player, fer heaven's sake -- it doesn't collect any information. If you have to stick with WMP, start it up and click Tools > Options > Privacy tab and uncheck the box marked "I want to help make Microsoft software and services even better by sending Player usage data to Microsoft."

I don't know anybody who's still using Windows Live Messenger, but if you are, start WLM and click the button with your name on it, choose More Options, then Privacy, and uncheck the box marked "Allowing Microsoft to collect data about your computer and how you use Windows Live helps us improve our products and services. It may also be used to personalize content for you, but it won't be used to contact you."

If you know of any other Microsoft programs with CEIP settings, please contribute in the comments!

Other patches have been implicated in "spying" activities -- including KB 2505438, 2670838, 2952664, 2976978, 3021917, and 3035583, among others -- with little or no justification that I can find.

I don't mean to tell you that the new reach of the CEIP in Windows 7 and 8.1 is innocuous. Clearly, Microsoft is gathering more data. But it's more of the same-old, same-old: The "new" CEIP in Windows 8.1 or Windows 7 isn't much different from the "old" CEIP. It's hardly the stuff of mainstream newspaper headlines or threats to boycott older versions of Windows.

Windows 10's a different story. As I've explained repeatedly, Win10 is starting to collect data for the purpose of targeting ads -- not unlike Windows Live Messenger, years ago, and Google and Facebook and many others, for as long as they've been around. You should understand the privacy implications before you decide to upgrade (or not) to Windows 10. The fact that Windows 10 continues to leak information even after all the CEIP/Cortana/Bing settings have been shut off does not instill confidence.

But the Windows 10 data-scraping approach is not moving down to Windows 7 or 8.1, no matter what those headlines and experts may say.
