How does Windows 10 allow Microsoft to spy on you?
Windows 10 is perhaps the most Internet-connected and cloud-centric operating system released by Microsoft to date. This, of course, has caused many users to be concerned about how the OS respects their privacy (or doesn't).
Multiple sources are now claiming that this OS reports user data to Microsoft which could be violating the users' assumptions of privacy. (A couple of examples are linked below.)
How legitimate are these concerns and claims? Is Microsoft actually collecting data about Windows 10 users' location and activity? Are they actually authorized to do so, simply by a user's acceptance of the EULA?
I'm aware that Windows 10 sends malware files to Microsoft for analysis. This is a common and generally-accepted practice for most antivirus products, and antivirus is known to be integrated into this OS. What about the other information?
Comments are not for extended discussion; this conversation has been moved to chat.
This is a highly relevant question but a key component seems to me forgotten. `↵` What is the risk that these reports to Microsoft will cause **data leaks** to **companies** and **governments**? How could it be seen as acceptable that this risk is **accepted** by an **EULA**?
Please note that it's not just Microsoft that's "spying" on you. Every other company that you do business with does their own market analysis in some way. Even supermarkets analyse your purchasing habits and can even figure out if your daughter is pregnant before you do. It's when this data is shared with people that might abuse that information, like governments or criminals, that you should start worrying. As stated in some answers, Microsoft will only disclose this data if it's needed to comply with law enforcement.
The Privacy statement that's included by mention as part of the EULA says "we will access, disclose and preserve personal data ... when we have a good faith belief that doing so is necessary to ... protect our customers, for example to prevent spam ...". Comments are not for extended conversation, so I will not add another comment here, but a careful read of the EULA and its inclusions, especially the Privacy statement, does not remotely support the claim that "MS will only disclose this data if it's needed to comply with law enforcement".
@raiph Agreed, Microsoft will ultimately use the data for whatever purpose Microsoft deems will provide the greatest benefit to Microsoft, just like any other company will. Tandy Corporation is a good, recent, "for instance," putting all their customer PII up for sale after promising (cross our heart, honest) that they would never do that. The thing about Windows 10 is that the tracking is built-in to the operating system itself and unless you disable it, every search you make for anything *on your own computer* is also stored at Bing.
After reading through this post, i thought i should change some privacy settings to opt-out, this tutorial was very helpful How to Turn off Windows 10 'Spy - Keylogger' Privacy Settings
Coming back to your interesting question, if you are still interested, you may read **this question** and see the nature of data Windows 10 *steals* from its users (including personal files). Unlike the answer above that states you can survey Windows 10 traffic, I mentioned a serious study that says it is impossible to do that (they see Windows leaking out data but they can not read it).
I thought we should only do "Next..Next..Next..finished"? who reads terms and conditions/Agreements/privacy statement? >:) jk
It's worth noting that, according to the snowden leaks, Microsoft was apparently among the very first to agree to the NSA's PRISM collection program. I think that should tell you all you need to know about their trustworthiness with personal information. https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
I can't turn this into a full response because I don't have enough reputation ... I recently had to reinstall Windows. The installation wizard contains a lot of screens in which you have to basically press "Next" repeatedly (like what is your keyboard layout, what is the language, etc.). Then when you are on the verge to press "Next" again, the serious questions pop up. One of it specifically asks you if you want to send Microsoft "enhanced" personal information, specifying that these informations would include **all the websites you visit** (again, it's clearly written explicitly) cont.
... and other personal data (location, GPS, names, etc.) which I don't remember the full list (it would be easy to me to install it in VM and take a screenshot, but don't have enough rep to make a reply). The second option would to send them more "basic" info (I am sure that didn't include the lists of all websites you visit). After you installed Windows, the OS insists on you using Edge. If you search for "Google Chrome" using Microsoft Edge (and Bing), a pop-up will show us, where Microsoft strongly recommends you to stay with Edge, it being faster, nicer, etc. cont.
I guess that their insistence on using Edge is related to the question about sending them all the websites you visit? Point is: (i) pay very strong attention to the questions it makes during installation, don't press "Next" repeatedly because after the more obvious questions come the questions about privacy (ii) I guess it would be technically possible for them to send the personal websites also if you use Google Chrome, but that would mean intercepting Google Chrome traffic somehow and would seems to far
When you acquire, install and use the Program software and services, Microsoft collects information about your use of the software and services as well as about the devices and networks on which they operate. Examples of data we may collect include your name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data; device configuration and sensor data; voice, text and writing input; and application usage. For example, when you:
install or use Program software and services, we may collect information about your device and applications and use it for purposes such as determining or improving compatibility (e.g., to help devices and apps work together),
when you use voice input features like speech-to-text, we may collect voice information and use it for purposes such as improving speech processing (e.g., to help the service better translate speech into text),
when you open a file, we may collect information about the file, the application used to open the file, and how long it takes to use it for purposes such as improving performance (e.g., to help retrieve documents more quickly), or
when you input text, handwrite notes, or ink comments, we may collect samples of your input to improve these input features, (e.g., to help improve the accuracy of autocomplete and spellcheck).
This is so serious that even some political parties here in France that have nothing to do with technologies denounced Microsoft Windows 10 practices.
A member claimed that the statement above does not concern the shipped version of Windows 10.
- We have not been provided any proof that Microsoft removed all those monitoring modules of its Windows 10 beta version in the final release. And, since Windows is closed-source, there's no way for us to check ourselves.
- The media has reported a history of Microsoft spying as its practice (e.g. Microsoft, China clash over Windows 8, backdoor-spying charges, also NSA Built Back Door In All Windows Software by 1999).
- For the shipped version of Windows 10, we can see the same information with smoother words: Privacy Statement
We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services,
From Windows 10 feedback, diagnostics, and privacy: FAQ (shipped version of Windows 10, NOT Pre-Release Preview), we can also read regarding Diagnostics Tracking Service:
As you use Windows, we collect performance and usage information that helps us identify and troubleshoot problems as well as improve our products and services. We recommend that you select Full for this setting.
Basic information is data that is vital to the operation of Windows. This data helps keep Windows and apps running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. If you select this option, we’ll be able to provide updates to Windows (through Windows Update, including malicious software protection by the Malicious Software Removal Tool), but some apps and features may not work correctly or at all.
Enhanced data includes all Basic data plus data about how you use Windows, such as how frequently or how long you use certain features or apps and which apps you use most often. This option also lets us collect enhanced diagnostic information, such as the memory state of your device when a system or app crash occurs, as well as measure reliability of devices, the operating system, and apps. If you select this option, we’ll be able to provide you with an enhanced and personalized Windows experience.
Full data includes all Basic and Enhanced data, and also turns on advanced diagnostic features that collect additional data from your device, such as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred. This information helps us further troubleshoot and fix problems. If an error report contains personal data, we won’t use that information to identify, contact, or target advertising to you. This is the recommended option for the best Windows experience and the most effective troubleshooting.
Note that only on Enterprise Edition one can turn Diagnostics Tracking Service off totally.
Diagnostics Tracking Service available in Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1 and Windows 10. The quoted paragraphs concern the Diagnostics Tracking Service mechanism in which other modules, apart from Telemetry, are included.
Diagnostics Tracking Service consists in these files:
Note that the answer below claiming that nothing private is collected by Windows 10 as a qualified user may listen to the traffic of his Windows operating system is wrong. It is impossible to know what Windows collects and sends permanently. Windows does not stop sending information on his/her behalf as this study shows: Even when told not to, Windows 10 just can’t stop talking to Microsoft. But still what the official documentation describes is not very good for the user such as when Windows takes system files or MEMORY SNAPSHOTS, which may unintentionally include PARTS OF A DOCUMENT YOU WERE WORKING ON on when a problem occurred (From: What are the privacy and security implications of Windows Telemetry)
Isn't this the privacy statement for the _pre-release_ Windows 10? It makes sense collecting this kind of data from participants in a beta evaluation program.
If you sign up for a limited and free Windows beta evaluation program, you are likely to be a power user knowing that it will be subject to special conditions like this. What really matters is the Privacy statement of the product shipped to consumers.
Note that Android has the same kind of data collection policy: http://www.google.com/intl/en/policies/privacy/. Mac OS X Yosemite has the same clauses, albeit all more specific under each program's point.
@Gruber is right but look at the key words "*for example*". That should have been enough to make the beta testers run a mile; the text allows them to collect anything they want.
This answer quotes an out-of-date MS Privacy statement. The new Privacy statement, which currently applies to use of many MS products and services (not just Windows 10) includes stuff like ""we will access, disclose and preserve personal data ... when we have a good faith belief that doing so is necessary to ... prevent spam ..." Remarkably, the situation is far worse than that abstract suggests but I wanted to stick to a simple example. Go the page, click 'Expand All' (at top right) and search for 'Reasons We Share'.
I have an idea. How about we programmers just do a really good job of developing a product that does things right the first time around so we dont have to spy on people to see if our software works well. Test things, sure, in the lab, on test subjects. If I need my product to self improve (for example next-word guessing, for language mannerisms), I'll go out of my way to develop a system that encrypts and decrypts that data on the client side before being stored on my servers. Private key for the client, shared between his devices securely.