
Dutch DPA's use of Microsoft's Data Viewer Tool reveals that no Windows 10 telemetry is anonymous

The topic title also applies to telemetry which Microsoft collects from various other Microsoft programs and services.

 

 

"It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself. What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves." - Wilbert Tomesen, vice-chairman of the Dutch DPA

 

"In our full report (only available in Dutch unfortunately), we deal extensively with the points of forced install. We also explain why all the telemetry data collected by Microsoft are indeed personal data, and certainly not anonymous, regardless of the view of MS that they would only relate to the system/be 'mere' technical data." - The Dutch DPA in an email to me

 

 

In the larger technical summary for the Dutch DPA's year+ long investigation into Microsoft's data collecting and privacy measures (which concluded with the Dutch DPA declaring that Windows 10 breaks EU privacy laws), the Dutch DPA investigators say that they were able to obtain a copy of Microsoft's in-house Data Viewer Tool, which allows Microsoft engineers to monitor in real-time which telemetry and data are being collected by the Windows 10 OS, and sent to Microsoft servers.

 

Starting on page 4 of the technical summary, and continuing on till page 9, the Dutch DPA technical summary reveals that Microsoft is tagging all telemetry Windows 10 collects with various system, location, and user identifiers, and that Microsoft is not only collecting data on people's activities, but is also collecting user-generated content that is input into Microsoft apps, such as writings.

 

Here is an overview of the system / person identifying tags that are applied to collected telemetry, and also of some of the content collected, according to Microsoft's data-collection monitoring Data Viewer Tool.

 

[Screenshots 1 to 5: Microsoft's telemetry tags]

 

 

Fully confirming that none of the data collected by Microsoft is anonymous and that all of it is personally-identifying, the Dutch DPA investigators also say that after they spent a week using a test machine running Windows 10 in a virtual machine, when they asked Microsoft to present all information collected from that specific Windows 10 user, Microsoft was indeed able to identify, collect, compile, and present all the data that was sent from that specific Windows 10 user:

 

Quote

Between 4 and 8 July 2016, the Dutch DPA used Windows 10 as a regular user, and performed some activities on a research pc. This was a virtual machine, tests were conducted both on Windows 10 Home and Pro. A week later, the Dutch DPA asked Microsoft for a full overview of all telemetry data collected in that period. Microsoft was able to retrieve and combine all data from that user.

 

Previously, there have sometimes been assertions made that the data which Microsoft collects through Windows and other Microsoft services is anonymous. What the Dutch DPA report now makes clear, is that none of the data collected by Microsoft at any level of telemetry is anonymous, and instead all of it is personally-identifying, attaching device, network, and user account identifiers to the gathered data.

 

The Dutch DPA's full report on their investigation is available only in the Dutch language.

 

 

Related post showing that the number of data fields Microsoft is attaching these personal identifiers to exceeds 3,500:

 

 


Woo tinfoil hat rules once again!

Good work dutchies.

@Delicieuxz If there's anything that needs translation from Dutch to English, let me know :P

 


I've been saying this since Windows 10 was released, and constantly been accused of being a Microsoft hater who just wants to shit on Windows 10.

I probably don't need to mention names, but a few users on this forum have called me a liar for it. Glad to see it confirmed by the Dutch.

 

I seriously hope Microsoft gets sued so fucking hard for this.


I was right

You were wrong

Suck my scrotum MS Defence Force!


Of course it's not anonymous, how the bloody hell can they make money from anonymous data? They can't.

And before some poor sap replies and says that telemetry is done to improve the user experience. Yeah right keep dreaming mate. They don't care about improving their product for the user, they care about improving their product for themselves to better sell your data.


1 hour ago, Delicieuxz said:

Fully confirming that none of the data collected by Microsoft is anonymous and that all of it is personally-identifying, the Dutch DPA investigators also say that after they spent a week using a test machine running Windows 10 in a virtual machine, when they asked Microsoft to present all information collected from that specific Windows 10 user, Microsoft was indeed able to identify, collect, compile, and present all the data that was sent from that specific Windows 10 user:

Image result for picard facepalm


1 minute ago, M.Yurizaki said:

Was this data gathered with a local account or a Microsoft account?

According to the overview in the first post a lot of it is collected even on a local account and the basic level. 

 


33 minutes ago, LAwLz said:

I've been saying this since Windows 10 was released, and constantly been accused of being a Microsoft hater who just wants to shit on Windows 10.

I probably don't need to mention names, but a few users on this forum have called me a liar for it. Glad to see it confirmed by the Dutch.

 

I seriously hope Microsoft gets sued so fucking hard for this.

Seriously, I've been attacked on reddit for shitting on 10's ads and the shit like it turning those settings back on after updates.

"Bro, it's not MS's fault you don't know what you're doing, all you gotta do is

Some registry edits and some powershell stuff

and then make sure you redo that every update and keep informed on new changes every month or so."

I was also told it was my fault or was lying that a laptop without a legal key got pushed to 10.

I get sick of people defending this. It seems to me the majority of people do because the anti 10 circlejerk was so big that it became the cool thing to shit on people that shit on 10.

This thread is not so bad, but here's an example 

The top comment on that thread is actually helpful, but sadly that edit was applied and removed by an update. I'd need to make files apply this stuff and make it happen on login with a batch script.

And now I get multiple notifications daily on my gaming and HTPC that 'there's a problem with my Microsoft account' because I have a local account. The only way to turn that off is to link your account or to find some kind of registry edit.
I get sick of this shit. 


8 minutes ago, M.Yurizaki said:

I'm trying to figure out how a bunch of randomly generated numbers can be tied to me personally then.

I made my first facebook account today for my new job, because I was forced to. Still salty. Didn't use anything but my first name and DOB. New email. No phone number, Never been on that connection before. New computer. 

Immediately got friend suggestions for family, classmates in college, and even people I hadn't seen in years.

They bought advertising data for that. 

An advertising ID is just to tie all the data from source, and when you have multiple sources you can very easily figure out which two users from different data sets are the same. You need VERY little info to uniquely identify someone. First name and DOB are enough to uniquely identify a large portion of the US population, and my location in the same town was icing on the cake. 


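Added example, not part of any post in this thread: a k-anonymity audit of the point made above, that a random ID does not make a record anonymous when quasi-identifiers such as first name, date of birth and town travel with it. All records, field names and the `generalize` helper are constructed for illustration; the second half shows the mitigation (coarsening the fields until nobody is unique).

```python
from collections import Counter

# Constructed sample records. "ad_id" is a random pseudonym; the other fields
# are quasi-identifiers of the kind the post mentions (first name, DOB, town).
RECORDS = [
    {"ad_id": "a91f", "first_name": "Anna", "dob": "1990-03-14", "town": "Springfield"},
    {"ad_id": "0c27", "first_name": "Anna", "dob": "1990-07-02", "town": "Springfield"},
    {"ad_id": "77be", "first_name": "Ben",  "dob": "1990-03-14", "town": "Springfield"},
    {"ad_id": "d410", "first_name": "Ben",  "dob": "1985-11-30", "town": "Shelbyville"},
    {"ad_id": "5e08", "first_name": "Anna", "dob": "1985-12-25", "town": "Shelbyville"},
    {"ad_id": "b3c9", "first_name": "Ben",  "dob": "1985-01-09", "town": "Shelbyville"},
]


def class_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one person is unique on those fields, so the random
    ID adds no protection for them. An empty dataset returns 0.
    """
    sizes = class_sizes(records, quasi_ids)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records, quasi_ids):
    """Share of records that are the only one with their quasi-identifier values."""
    if not records:
        return 0.0
    sizes = class_sizes(records, quasi_ids)
    unique = sum(1 for r in records if sizes[tuple(r[q] for q in quasi_ids)] == 1)
    return unique / len(records)


def generalize(record):
    """Mitigation (hypothetical policy): keep birth year only, drop the first name."""
    return {
        "ad_id": record["ad_id"],
        "birth_year": record["dob"][:4],
        "town": record["town"],
    }


if __name__ == "__main__":
    raw_fields = ["first_name", "dob", "town"]
    print("raw k:", k_anonymity(RECORDS, raw_fields))
    print("raw unique fraction:", unique_fraction(RECORDS, raw_fields))

    coarse = [generalize(r) for r in RECORDS]
    coarse_fields = ["birth_year", "town"]
    print("generalized k:", k_anonymity(coarse, coarse_fields))
    print("generalized unique fraction:", unique_fraction(coarse, coarse_fields))
```
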
5 minutes ago, Syntaxvgm said:

First name and DOB are enough to uniquely identify a large portion of the US population, and my location in the same town was icing on the cake. 

Hence why I use my alias instead of real info for everything online, though I suppose I should have gone by "John Smith" as the alias itself is tracked.


1 minute ago, AresKrieger said:

Hence why I use my alias instead of real info for everything online, though I suppose I should have gone by "John Smith" as the alias itself is tracked.

Company made me change it to my real name even. I'm searchable on facebook. I almost cried. 


12 minutes ago, Syntaxvgm said:

I made my first facebook account today for my new job. Didn't use anything but my first name and DOB. New email. No phone number, Never been on that connection before. New computer. 

Immediately got friend suggestions for family, classmates in college, and even people I hadn't seen in years.

They bought advertising data for that. 

An advertising ID is just to tie all the data from source, and when you have multiple sources you can very easily figure out which two users from different data sets are the same. You need VERY little info to uniquely identify someone. First name and DOB are enough to uniquely identify a large portion of the US population, and my location in the same town was icing on the cake. 

 

5 minutes ago, Syntaxvgm said:

Company made me change it to my real name even. I'm searchable on facebook. I almost cried. 

In that case, they tied personally identifying information that you've inputted to some ID that has the same information and ran their algorithms from that. I'm more concerned about when I make a local account that populates those ID values with random numbers if that can be traced back to me even if I don't enter anything personally identifying (which I avoid doing like the plague)

 

However I'm not naive enough to think that I'm safe. Humans aren't really random enough and it's easy for someone to figure out it's you based on simple usage patterns.


17 minutes ago, Syntaxvgm said:

I made my first facebook account today for my new job, because I was forced to.

 

10 minutes ago, Syntaxvgm said:

Company made me change it to my real name even. I'm searchable on facebook. I almost cried. 

 

That's fucked up.


Just now, SpaceGhostC2C said:

 

 

That's fucked up.

To be fair, I was literally hired to manage a team who manages this stuff.


I hope other EU countries follow and demand Microsoft to depersonalize telemetry data just like their competitors and add the option to completely turn off telemetry. 


I feel like we all already knew this... Deep down.... We all knew.

 

But seriously, a shitty way to do business by lying to your customer base. They'll get away with it too as there isn't really any competition, so consumers can't just move into a new platform.

 

I know Linux exists but most people wouldn't want to learn to use it.


4 hours ago, lots of unexplainable lag said:

As a Dutchman, I can only say one thing.

 

[Image: Disgonbegud.gif]

*glances back and forth at image*

I'm guessing most of that is in Dutch, because only one word that I can see is in English. :P 

4 hours ago, Syntaxvgm said:

Didn't use anything but my first name and DOB.

Never give out your real DOB online unless it's absolutely necessary.  When I sign up on any service, I always use the same month/year I was born, but change the day (typically I go with the 1st, because it's easy to remember).  If their service gets hacked - and it's virtually inevitable it will - then that information is now in the hands of thieves.  Better for them to have false data to operate with.
