Microsoft responds to Windows 10 privacy concerns

[LAwLz]

So things like the advertising ID is off, and other stuff in the privacy settings are off then, correct? If correct, then you can turn things off.

Did you read my post? I said that even if you turn all the settings to off, it still sends out a bunch of information. A lot of the things you don't even have the option to turn off (like telemetry).

If I can't change options to stop it from sending out all that data then clearly I can't turn it off.

 

We don't know what is up with the Onedrive thing. Would be nice to know to understand what is going on.

It sure would be, but Microsoft refuses to explain it to us what info they are sending (some info we have dug up ourselves).

 

Does connecting to Bing's servers from the start menu really a problem though? We go to our web browser all the time, probably the #1 thing we do on a PC, and connect to search engine servers all the time. Now that your start menu does, is it a problem? It's not a privacy issue. The only problem is that you try to turn it off and it still connects to the servers.

I actually find it very useful. Instead of loading a browser first and clicking on the URL or search box and typing you just click the start button, type, and press enter.

1) It is a privacy issue. What I search for is some of the most personal data someone can take from me, and Microsoft are essentially hijacking my computer by pretending to do one thing and then doing something else behind my back.

2) It is a huge problem that it continues to do it even when I have explicitly told it not to do it.

3) Great that you enjoy it. For me it doesn't matter because I don't want it and I couldn't even get it to work properly because Microsoft doesn't support it in Sweden.

 

"the fact is that because of the unique ID a lot of things can be traced back to you" Don't you mean your machine really? Also, because it's an anonymous ID it isn't tied to you (or I think your location). Is it possibly to figure it out? Maybe, but you can't say for sure because you haven't seen the data.

No, I mean back to me because I own the machine. If you can track my machine, which I use, then you can also track me.

It is an "anonymous ID" which is only used by my machine and it keeps reporting back to Microsoft, and the same machine is also reporting back to Microsoft with actual personal data. Think of it this way. Imagine if I sent you 10 letters a day. One of the letters contained my name, and the 9 other letters did not but all of them came from the same address (an address where only 1 person lives). All the letters also had my finger print on them. Are you really going to claim that you could only track 1 of the letters back to me and the other 9 were just anonymous mail that you could not for the life of you finger out who sent? Come on...

 

/Edit

If you want to know how easy it is to track someone simply by looking at things like your browser fingerprint then I recommend this report by the EFF. 94.2% of browsers with Flash or Java were unique and could therefore be tracked by simply looking at your browser's fingerprint. Now imagine how easy it would be to track if you had the entire OS as the fingerprint. I would be very surprised if Microsoft couldn't get a 99.9% accuracy using just a fraction of the data they collect.

/End edit

 

Even if the anonymous id can be tied to you, what information can be taken from that ID that would make you worried?

Are you really going to pull the "if you got nothing to hide you got nothing to fear" argument? I don't need to justify why I don't want to be spied on. It's the ones that spy on me that should justify doing it.

Let me turn the question around. If it does not contain anything I need to worry about anyone seeing, why does Microsoft even bother encrypting it?

[Fetzie]

yeah... because microsoft really NEED TO KNOW whenever i search for midget fairy cosplay porn or how many times ive watched justin bieber music vids

If they know you enjoy Justin Bieber and midget fairy cosplay porn, then they can display advertisements for Justin Bieber albums and concert tickets, or DVDs of midget fairy cosplay porn on websites.

[Sharp_3yE]

Did you read my post? I said that even if you turn all the settings to off, it still sends out a bunch of information. A lot of the things you don't even have the option to turn off (like telemetry).

If I can't change options to stop it from sending out all that data then clearly I can't turn it off.

 

It sure would be, but Microsoft refuses to explain it to us what info they are sending (some info we have dug up ourselves).

 

1) It is a privacy issue. What I search for is some of the most personal data someone can take from me, and Microsoft are essentially hijacking my computer by pretending to do one thing and then doing something else behind my back.

2) It is a huge problem that it continues to do it even when I have explicitly told it not to do it.

3) Great that you enjoy it. For me it doesn't matter because I don't want it and I couldn't even get it to work properly because Microsoft doesn't support it in Sweden.

 

No, I mean back to me because I own the machine. If you can track my machine, which I use, then you can also track me.

It is an "anonymous ID" which is only used by my machine and it keeps reporting back to Microsoft, and the same machine is also reporting back to Microsoft with actual personal data. Think of it this way. Imagine if I sent you 10 letters a day. One of the letters contained my name, and the 9 other letters did not but all of them came from the same address (an address where only 1 person lives). All the letters also had my finger print on them. Are you really going to claim that you could only track 1 of the letters back to me and the other 9 were just anonymous mail that you could not for the life of you finger out who sent? Come on...

 

/Edit

If you want to know how easy it is to track someone simply by looking at things like your browser fingerprint then I recommend this report by the EFF. 94.2% of browsers with Flash or Java were unique and could therefore be tracked by simply looking at your browser's fingerprint. Now imagine how easy it would be to track if you had the entire OS as the fingerprint. I would be very surprised if Microsoft couldn't get a 99.9% accuracy using just a fraction of the data they collect.

/End edit

 

Are you really going to pull the "if you got nothing to hide you got nothing to fear" argument? I don't need to justify why I don't want to be spied on. It's the ones that spy on me that should justify doing it.

Let me turn the question around. If it does not contain anything I need to worry about anyone seeing, why does Microsoft even bother encrypting it?

 

Yes I read it. You mentioned 3 things that keep getting sent. 1. Something related with OneDrive, possibly some sort of telemetry. 2. Search still sends data to Bing servers. 3. Some telemetry data such as when an app crashes the data is sent to Microsoft.

 

Which means, all the other stuff is turned off. So yes, when you turn off privacy settings it turns off for at least the most part. My guess, you turn off Advertising ID, smartscreen filter, writing data, language list, location, camera, microphone, speech, inking, typing, apps being able to access account, contact, calander, messaging, and radio info all turn off when you turn them off in the settings.

But things like apps crashing, errors, and some other things will still send to microsoft.

 

1) It is a privacy issue. What I search for is some of the most personal data someone can take from me, and Microsoft are essentially hijacking my computer by pretending to do one thing and then doing something else behind my back.

2) It is a huge problem that it continues to do it even when I have explicitly told it not to do it.

3) Great that you enjoy it. For me it doesn't matter because I don't want it and I couldn't even get it to work properly because Microsoft doesn't support it in Sweden.

"What I search for is some of the most personal data someone can take from me"

That is absolutely NOT TRUE!!!!!

 

They could be taking your pictures, or your financial data. Searching for a file, what ever the name is even if the title of the file is your social security number, all they have is a bunch of numbers that they don't care about. Searching for "my daughter" for her photos, all the bing servers get is the words "my daughter" and what are they going to do with that?

 

Yea, I agree if you turn something off it should turn off. There isn't a privacy issue but as a functionally it is an issue. You tell it/want it to do something and it doesn't.

 

 

No, I mean back to me because I own the machine. If you can track my machine, which I use, then you can also track me.

It is an "anonymous ID" which is only used by my machine and it keeps reporting back to Microsoft, and the same machine is also reporting back to Microsoft with actual personal data. Think of it this way. Imagine if I sent you 10 letters a day. One of the letters contained my name, and the 9 other letters did not but all of them came from the same address (an address where only 1 person lives). All the letters also had my finger print on them. Are you really going to claim that you could only track 1 of the letters back to me and the other 9 were just anonymous mail that you could not for the life of you finger out who sent? Come on...

 

/Edit

If you want to know how easy it is to track someone simply by looking at things like your browser fingerprint then I recommend this report by the EFF. 94.2% of browsers with Flash or Java were unique and could therefore be tracked by simply looking at your browser's fingerprint. Now imagine how easy it would be to track if you had the entire OS as the fingerprint. I would be very surprised if Microsoft couldn't get a 99.9% accuracy using just a fraction of the data they collect.

/End edit

 

I'm not going to get into this topic to much cuz I don't know enough about it. I don't know what exactly they collect or how they do the anonymous ID BUT what I would assume is it's not collecting your address, name of pc, or any identification of you. So, what personal information do they have of you? So, if your anonymous ID only has technical information about your pc, how do we use that to find you? This is just my thought process.

 

Here is an example of what I am thinking. Lets say Dr. Microsoft is doing an anonymous human body study. So, they get a bunch of volunteers from around the world and a machine documents their body such as their weight, height, skin color, eye color, blood type and a couple others things but Dr. Microsoft NEVER sees your face, takes your picture, gets any name, location or any direct identifier.

So, Dr. Microsoft only has this information that could be from a lot of people. Besides, what can someone do with that information? They can come up with theories/conclusions about a random mass amount of people. You wouldn't even use that info to try to identify me cuz whats the point? A random information about a person.

 

Another example I can think of is taking a test on a computer, no one puts any identification on it and everyone is using the same font. Sure you can identify that a test is theirs if you compare the answers to other questions by that person but then again, what is the point. You aren't finding the person you already found the persona and are comparing the persons way of answering questions with the anonymous test. You would only find out that the test is theirs. WHO CARES!

 

The anonymous ID of your computer isn't going to identify you, if my thought is correct. If your Microsoft account was hacked, yea you could be found and certain info about you would be found out but a Microsoft account is something you sign up for. 

 

So, the telemetry data, which is really just technical information from your PC isn't going to give anyone any personal data about you or identify you. Other info that Microsoft has about you that you give then can identify you.

 

 

Are you really going to pull the "if you got nothing to hide you got nothing to fear" argument? I don't need to justify why I don't want to be spied on. It's the ones that spy on me that should justify doing it.

Let me turn the question around. If it does not contain anything I need to worry about anyone seeing, why does Microsoft even bother encrypting it?

 

No, not what I was saying at all. I was saying, why would it matter if they someone knew technical information that came from your PC? It's not personal information like your bank account info. It's "this app crashed on this type of PC." It's "on this pc the start button gets clicked this many times when in use." THAT DOESN'T MATTER! It's not personal info.

[Newton10]

This is how a free upgrade becomes profitable..

[LAwLz]

Yes I read it. You mentioned 3 things that keep getting sent. 1. Something related with OneDrive, possibly some sort of telemetry. 2. Search still sends data to Bing servers. 3. Some telemetry data such as when an app crashes the data is sent to Microsoft.

 

Which means, all the other stuff is turned off. So yes, when you turn off privacy settings it turns off for at least the most part. My guess, you turn off Advertising ID, smartscreen filter, writing data, language list, location, camera, microphone, speech, inking, typing, apps being able to access account, contact, calander, messaging, and radio info all turn off when you turn them off in the settings.

But things like apps crashing, errors, and some other things will still send to microsoft.

Well those 3 things were the big ones I could think of off the top of my head. There are plenty of other claims regarding what things Microsoft collect but I have disproved some of them myself and some have not been tested yet as far as I know, so I don't trust them.

But yes you are correct. Turning some things off seem to actually turn them off, while turning some other things off don't.

 

 

 

"What I search for is some of the most personal data someone can take from me"

That is absolutely NOT TRUE!!!!!

 

They could be taking your pictures, or your financial data. Searching for a file, what ever the name is even if the title of the file is your social security number, all they have is a bunch of numbers that they don't care about. Searching for "my daughter" for her photos, all the bing servers get is the words "my daughter" and what are they going to do with that?

 

Yea, I agree if you turn something off it should turn off. There isn't a privacy issue but as a functionally it is an issue. You tell it/want it to do something and it doesn't.

I am going to have to agree to disagree with you on that then.

 

On a side note, one of the claims I haven't tried yet is that PhotoDNA, Microsoft's service for finding child porn, is integrated into Windows 10. Someone claimed that every time you use the photo app it sends the hash of that image back to Microsoft. The person making the claim did show that every time he opened an image in the app it did connect to Microsoft, but I haven't had time to replicate it and I haven't seen anyone replicate and decrypt the connection so take it with a shovel of salt.

 

 

 

I'm not going to get into this topic to much cuz I don't know enough about it. I don't know what exactly they collect or how they do the anonymous ID BUT what I would assume is it's not collecting your address, name of pc, or any identification of you. So, what personal information do they have of you? So, if your anonymous ID only has technical information about your pc, how do we use that to find you? This is just my thought process.

 

Here is an example of what I am thinking. Lets say Dr. Microsoft is doing an anonymous human body study. So, they get a bunch of volunteers from around the world and a machine documents their body such as their weight, height, skin color, eye color, blood type and a couple others things but Dr. Microsoft NEVER sees your face, takes your picture, gets any name, location or any direct identifier.

So, Dr. Microsoft only has this information that could be from a lot of people. Besides, what can someone do with that information? They can come up with theories/conclusions about a random mass amount of people. You wouldn't even use that info to try to identify me cuz whats the point? A random information about a person.

 

Another example I can think of is taking a test on a computer, no one puts any identification on it and everyone is using the same font. Sure you can identify that a test is theirs if you compare the answers to other questions by that person but then again, what is the point. You aren't finding the person you already found the persona and are comparing the persons way of answering questions with the anonymous test. You would only find out that the test is theirs. WHO CARES!

 

The anonymous ID of your computer isn't going to identify you, if my thought is correct. If your Microsoft account was hacked, yea you could be found and certain info about you would be found out but a Microsoft account is something you sign up for. 

 

So, the telemetry data, which is really just technical information from your PC isn't going to give anyone any personal data about you or identify you. Other info that Microsoft has about you that you give then can identify you.

Read my mail analogy again. It's far easier and accurate since it explains how even without explicitly putting in my name in a letter, it can still very easily be tracked back.

Here is a blog post I found where someone captured what a search request to Microsoft looks like. Please bear in mind that this person had Cortana enabled. When I search I just see a HTTPS connection and once I have decrypted that I just see that my computer fetches a bunch of javaScripts, but I can't tell what they do. So maybe it behaves differently when Cortana is enabled or not, but it should give you a pretty good indication of just how much "anonymous" data is being sent.

 

GET /AS/API/WindowsCortanaPane/V2/Suggestions?qry=about&cp=5&cvid=ce8c2c3ad6704645bb207c0401d709aa&ig=7fdd08f6d6474ead86e3c71404e36dd6&cc=US&setlang=en-US HTTP/1.1

Accept: */*

X-BM-ClientFeatures: FontV4, OemEnabled

X-Search-SafeSearch: Moderate

X-Device-MachineId: {73737373-9999-4444-9999-A8A8A8A8A8A8}

X-BM-Market: US

X-BM-DateFormat: M/d/yyyy

X-Device-OSSKU: 48

X-Device-NetworkType: ethernet

X-BM-DTZ: -420

X-BM-UserDisplayName: Tester

X-DeviceID: 0100D33317836214

X-BM-DeviceScale: 100

X-Device-Manufacturer: innotek GmbH

X-BM-Theme: ffffff;005a9e

X-BM-DeviceDimensionsLogical: 320x622

X-BM-DeviceDimensions: 320x622

X-Device-Product: VirtualBox

X-BM-CBT: 1439740000

X-Device-isOptin: false

X-Device-Touch: false

X-AIS-AuthToken: AISToken ApplicationId=25555555-ffff-4444-cccc-a7a7a7a7a7a7&ExpiresOn=1440301800&HMACSHA256=CS

y7XaNyyCE8oAZPeN%2b6IJ4ZrpqDDRZUIJyKvrIKnTA%3d

X-Device-ClientSession: 95290000000000000000000000000000

X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI

X-MSEdge-ExternalExpType: JointCoord

X-MSEdge-ExternalExp: sup001,pleasenosrm40ct,d-thshld42,d-thshld77,d-thshld78

Referer: https://www.bing.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0; Cortana 1.4.8.152;

10.0.0.0.10240.21) like Gecko

Host: www.bing.com

Connection: Keep-Alive

Cookie: SA_SUPERFRESH_SUPPRESS=SUPPRESS=0&LAST=1439745358300; SRCHD=AF=NOFORM; ...

All of this could be classified as anonymous data, but by having a unique machine ID; your user name, a DeviceID, a few identifiers, cookies, the device name and some other meta data it is very easy to link that "anonymous" information back to you.

You might say that they are only collecting information about a persona, but the fact is that that persona will be you. We are back to this whole "it's data so it's not you the person" crap that doesn't make any sense. You might as well say the person in videos is not Linus because it is merely data that makes an exact copy of him.

Your identity is not a physical thing.

 

 

 

No, not what I was saying at all. I was saying, why would it matter if they someone knew technical information that came from your PC? It's not personal information like your bank account info. It's "this app crashed on this type of PC." It's "on this pc the start button gets clicked this many times when in use." THAT DOESN'T MATTER! It's not personal info.

But it is personal information. What I search for is very much personal information because it shows a very detailed picture of who I am as a person. The crash reports can contain a huge amount of personal information as well since on the default setting (haven't tested the more restrictive reports) it sends info about what I was doing in the program that crashed (such as what I typed, what I was looking at and so on). Even if Microsoft only has good intentions (be able to trace what action made the program fail) it is still extremely personal information which I do not want them to have.

[suicidalfranco]

This is how a free upgrade becomes profitable..

what about those who paid for it?

[dfsdfgfkjsefoiqzemnd]

what about those who paid for it?

 

They are doubly screwed.  They paid money for something that others got for free AND they are having their data harvested on top of that.

[Newton10]

They are doubly screwed.  They paid money for something that others got for free AND they having their data harvested on top of that.

Pretty much