EFF takes a deep dive into Windows 10's brutal privacy breaches

Originally published at: http://boingboing.net/2016/08/22/eff-takes-a-deep-dive-into-win.html
…

However, the company’s strategy for user adoption has trampled on essential aspects of modern computing: user choice and privacy.

I agree with the sentiment and it’s my opinion that user choice and privacy should be essentials. But I fear in the age of IoT and cloud computing those aspects are not regarded as desirable. Software providers see them more as hurdles that needs to be broken down.

my solution to the telemetry problem was to google up lists of microsoft’s telemetry servers, since people started crowdsourcing that data from day one, and plug them into my router’s list of blocked websites. I’m not actually sure that it accomplished anything, it may just be a case of “something must be done! there, I’ve done something.”, but I can hope, right?

…right?

The thing about this is they have been gathering telemetry since XP and it has always been easy enough to turn off.
Also is the EFF gonna deep dive into Ubuntu and OSX for collecting the same kind of telemetry data? Why is Cory not worried about them?

Yes Microsoft was awful about pushing Win10 too hard but all the ‘privacy issues’ are either from oh you are using our free cloud services by linking to the msft cloud account instead of using a local only account (and pretty much the same stuff everyone collects if you use that kind of thing) and well the telemetry data which hey Cory’s beloved Ubuntu does it too.

it has always been easy enough to turn off

Note the past tense. I think all Doctorow and EFF wants is for users to have more control over privacy. If that means no Microsoft cloud, then so be it.

There are no technical reasons why they can’t do this, it’s just policy.

The enterprise edition does have these controls, but they won’t sell it to consumers.

Ubuntu does indeed collect some private information, but there are controls to turn that off.

It still is easy to turn off and you don’t have to link to the cloud account. So even if you let them have telemetry data from that all they get is local user account not myname@msft.cloud.com

What they don’t turn off that is ‘turned off’ in enterprise edition is security patches. And after having seen too many systems never updated I understand why they are doing this. Do I like it 100%, well no but I totally understand why. The reason you can ‘turn it off’ in enterprise edition is you are supposed to have your own patching infrastructure in place and still push out updates just from your own servers on a more controlled schedule.

And again it is the same stuff APPLE and UBUNTU collect… Why are Cory and the EFF so upset about Microsoft and not the other two?

Do you think Windows 10 Professional can be used in a doctor’s office where HIPAA rules are in effect? The professional designation would suggest to me that it’s an appropriate product for use in a commercial setting, but with the lack of privacy controls I don’t think it can be used in a medical setting.

What lack of privacy controls? It is still there it is still easy to turn it off and again YOU DON’T HAVE TO LINK TO A MICROSOFT CLOUD ACCOUNT. How fucking hard is it for people to grok this? Seriously. All the ‘snooping/gathering’ is for your free (why do you think it is free?) cloud account and linking your login to that. So like don’t fucking do that.

I doubt the doctors office would be using anything other than their local domain accounts to login and also if they are subscribing (PAID SERVICES NOT FREE) to an Azure instance then they will get HIPAA (if they signed up correctly anyway) and whatever else protections so still not a big deal.

And professional lets you delay patches so you can if it is necessary you can let some test machines get updated first and make sure everything works before letting the rest of the office get updates.

ETA : Do you use gmail and google docs and other things in the Google cloud? For free? Guess what they collect the same shit microsoft does? Why are we all shocked about Microsoft doing it all of a sudden?

And again it is the same stuff APPLE and UBUNTU collect… Why are Cory and the EFF so upset about Microsoft and not the other two?

I suspect this is more an issue of resources than anything else. The EFF is a non-profit, and their pockets are limited. They have to choose which battles to fight, to where they might do the most good. Microsoft is the obvious choice right now: they currently loom large in the arena of public awareness, and they hold the largest market share.

Because they hold the largest market share, they presumably collect the most data. Because (we presume) they collect the most data, there is more concern over what happens to that data. It’s not that nobody cares about Apple and Ubuntu collecting data, it’s that Microsoft does it on a larger scale, so it is proportionally more alarming.

Microsoft claims it is HIPAA-complaint as far as it needs to be. They specifically disclaim being a HIPAA covered entity but recognize they may be peripherally covered under Business Associate Agreements. Do you really think this hasn’t occurred to them before? Here’s some more information about their HealthVault product which is the closest thing they have to a HIPAA-covered product, and it explains why it isn’t.

Since I use Ubuntu, I checked this. Looks like the EFF did a deep dive most recently in 2012:

More recently there’s been discussions on askubuntu.com. Canonical also has some verbiage on their policies on their Web site.

The difference between this and Microsoft (and Google, which I think I use too much) is basically attitude. Love 'em or hate 'em, Google will let you export your data and delete it, and is reasonably up-front about what they’re collecting. Yeah, they might be lying about the deletion part, but the option has always been there. Google also sends users regular self-serve security audits.

Ditto Ubuntu for most of that.

Microsoft, on the other hand, has been caught either fumbling, not caring, or both, again and again and again and again… and their pockets are deeper than Canonical’s. I’m not sure how they compare to Google anymore, but even now they can afford not to screw it up so badly. In a marketing survey, my first descriptors for them would be “bloated” and “hard to use” – neither of which I would apply to either Google or Ubuntu.

Worst of all, Microsoft still has, by far, the lion’s share of the clueless/helpless users: those who either can barely use a computer (grandparents, the undereducated) , or else have to because they need Windows for school or whatever.

I chose to go Linux and chose my distro, chose this particular set of pros and cons. For most users that’s too big a task. While I wish computer literacy was better in general, I empathise that many people feel they’re stuck with Windows – Apple is too expensive or too much of a change, and probably they don’t even know Linux exists.

And that’s why Microsoft gets the scrutiny.

Oh I have no problems with microsoft getting some scrutiny. They need it and are still fumbling their way into the services/cloud game and I am not ready to trust that part of their offerings for “free” anyway. It’s just the whole ‘the sky is falling’ from Cory and others that bothers me and hey maybe he could link to that and what they found for Google and Apple and say where they are doing a better job.

It’s the ‘you can’t turn it off’ whining that always gets stated when you obviously can if you bother to take 2 minutes of searching the web. Heck I knew what to turn off/leave on just by actually reading the dialog boxes when I ran the upgrade from 7 to 10. So if you stick with a local account and turn off telemetry (which all the vendors like because it gives them actual data on what the users do and with a local account they just know local userX) they are not getting any info from you.

ETA And he doesn’t post about the EFF deep dives into ubuntu/google/apple/etc. (not that I have noticed)

Well, I was really thinking more about stuff like if they were to search BIng for “weeping genital sores” then immediately say “Cortana, send an email to RatMan”, Microsoft gets the search and the fact that Cortana was asked to initiate an email to you. I don’t know if that would be a HIPAA violation, but it seems a bit leaky to me.

Cortana is the part of Windows 10 that seems most HIPAA incompatible to me. It has a microphone and would probably catch all kinds of things it really shouldn’t.

maybe he could link to that and what they found for Google and Apple and say where they are doing a better job.

Did he say Google and Apple are going a better job? Even if if they are worse than Microsoft, why would that make criticism of recent changes by Microsoft invalid?

How about the telemetry from Cortana’s always-on mic, eh? And that’s just one example.

Sorry, I just can’t agree with you, it’s excessive to an extreme, AND most other OSes let you turn this type of shit off. If I want my computer to not talk to someone/something, that’s my business, not MicroSquish’s.

And yes, Apple is no better.

You mean the one you can turn OFF? Which I did during the setup?

etc.

See my reply to @Bozobub it can very easily be turned off and in a proper company environment it will be disabled 20 ways to sunday by group policy.

Microsoft’s own documentation states that you need to shut down/turn off a number of different things, including switching telemetry to the “security” setting that isn’t available to non-enterprise releases, in order to “prevent Windows from sending any data to Microsoft”. That doesn’t really seem very easy.

It’s not a HIPAA issue. Microsoft is not acting as covered entity (“covered entity” means something specific in HIPAA language; Google it if you’re interested) and HIPAA/Hitech would not apply. This is a common problem. People expect HIPAA to generally cover their medical privacy (it’s in the name, after all) but it doesn’t do that at all. Depending where you are, your state may have some kind of medical privacy laws that might apply, but there are usually so many loopholes that it doesn’t matter.

The email to me might be covered, on my end, if it were to me in my corporate or professional capacity and you are a patient of mine, or of my employer. But again, Microsoft bears no burden there either.

and in a proper company environment it will be disabled 20 ways to sunday by group policy.

You realize that there are lots of very small medical offices that consist of a doctor and an administrator, right? There’s no group policy management.