Yesterday, Windows honcho Terry Myerson (finally!) posted an official blog about Windows 10, privacy, trust, transparency, and the three levels of data collected by Microsoft when customers use Windows 10. He says:
I assure you that no other company is more committed, more transparent and listening harder to customers on this important topic than we are.
From the very beginning, we designed Windows 10 with two straightforward privacy principles in mind:
- Windows 10 collects information so the product will work better for you.
- You are in control with the ability to determine what information is collected.
With Windows 10, information we collect is encrypted in transit to our servers, and then stored in secure facilities.
With Microsoft's refusal to document its patches, the lack of facility to block forced changes to Windows 10 computers, and the surprise push of Windows 10 nagware to Windows 7 and 8.1 PCs, Microsoft's actions speak far louder than words on the questions of trust and transparency. It remains to be seen if indeed we are "in control with the ability to determine what information is collected."
Susan Bradley -- Microsoft MVP, Microsoft Answers forum moderator, and moderator of the Patch Management mailing list -- devised a straightforward test that involved the following:
- Putting together a clean Windows 10 Pro system (RTM, build 10240) with all updates applied. The computer shouldn't be attached to an update server.
- Going to the Service snap-in and disabling the Diagnostic Tracking Service. That, in theory, turns off Microsoft's telemetry and general data gathering.
- Going through Microsoft's list "Setting your preferences for Windows 10 service," painstakingly turning off every option for Windows 10 privacy: personalization, location, advertising ID, typing and inking data, contacts and calendar details, SmartScreen, page prediction, connectivity, error and diagnostic information, Cortana, Edge, Hello, Windows Update delivery optimization. Off, off, off.
Bradley then rebooted and watched for data traffic.
Not surprisingly, Windows 10 contacted mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl, crl.microsoft.com/pki/mscorp/crl/msitwww2.crl, www.microsoft.com/pki/mscorp/msitwww2.crt, and ocsp.msocsp.com. Those are all sites involved in verifying SSL certificates.
For reasons unknown, Windows 10 also contacted www.bing.com.
Why does Windows 10 communicate with Bing even after DTS is turned off and all of the Services Setting Preferences are turned off? This is with no browser open and nothing running on the PC.
Peter Bright at Ars Technica reported a similar data breach last month. He contacted Microsoft and was told the following:
As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer's chosen privacy settings. This also applies to searching offline for items such as apps, files and settings on the device.
All data sent and received by Microsoft is encrypted, so we have no way of knowing precisely what goes out. But the fact remains that even with all the privacy settings turned off -- every one of them -- Windows 10 still reaches out to Bing.
Does that make you feel "in control with the ability to determine what information is collected"?
If Microsoft wants to earn our trust, we need a lot more transparency and a lot less hand-waving.