Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Windows Microsoft Privacy

Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns 240

WheezyJoe writes: ghacks and Ars Technica are providing more detail about Windows 10's telemetry and "privacy invasion" features being backported to Windows 7 and 8. The articles list and explain some of the involved updates by number (e.g., KB3068708, KB3022345, KB3075249, and KB3080149). The Ars article says the Windows firewall can block the traffic just fine, and the service sending the telemetry can be disabled. "Additionally, most or all of the traffic appears to be contingent on participating in the CEIP in the first place. If the CEIP is disabled, it appears that little or no traffic gets sent. This may not always have been the case, however; the notes that accompany the 3080149 update say that the amount of network activity when not part of CEIP has been reduced." The ghacks article explains other ways block the unwanted traffic and uninstall the updates.
This discussion has been archived. No new comments can be posted.

Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns

Comments Filter:
  • by smittyoneeach ( 243267 ) * on Tuesday September 01, 2015 @03:37PM (#50439341) Homepage Journal
    Telemetry hack
    Like shearing your back
    The right suds keep it
    From chopping your stack
    Burma Shave
  • by Anonymous Coward

    What the hell is CEIP? Editors, define your acronyms the first time they're used, especially if they're not common.

    Can Editors Inspect Paragraphs?

  • Does anybody have instructions for common hardware firewalls and routers on what needs to be blocked at the network level?

    My google-fu keeps failing me and everybody tries to explain how to do it using the built-in firewall which is probably as secure as guarding the hen house with foxes.

    Thanks,
    IMarv

    • by geminidomino ( 614729 ) on Tuesday September 01, 2015 @05:56PM (#50440221) Journal

      I put this in my tomato "Scripts" section. Basically grabbed all of the dig output for settings-win.data.microsoft.com and vortex-win.data.microsoft.com, cnames, and authorities for them.

      Possibly excessive. I'm ok with that. YMMV.


      iptables -I FORWARD -d 8.26.215.27 -j DROP
      iptables -I FORWARD -d 64.4.54.254 -j DROP
      iptables -I FORWARD -d 8.26.204.25 -j DROP
      iptables -I FORWARD -d 198.78.199.155 -j DROP
      iptables -I FORWARD -d 204.160.105.155 -j DROP
      iptables -I FORWARD -d 4.23.46.155 -j DROP
      iptables -I FORWARD -d 65.55.44.108 -j DROP

    • This isn't perfect, but I was using the batch file from here [hakspek.com] to uninstall/disable most of the telemetry bullshit from Windows 7.

      (It says it's for Windows 10, but it seems works for Windows 7, too. Also note that the hiding/disabling of the KB updates in Windows update didn't work perfectly for me; I had to go back in a hide/disable some of them manually, afterward.)

    • Does anybody have instructions for common hardware firewalls and routers on what needs to be blocked at the network level?

      Note that this is only going to help if you're sitting behind your own firewall, as soon as you take your laptop out of the house all the data is going back to Microsoft again. So a more reliable option is to block it at the source by changing the Windows config.

      (Which, if it's anything like getting rid of the Win10 downgrade nag, is going to be a major chore. I've scraped viruses out of PCs that were easier to remove than the Win10 nag).

      • by rtb61 ( 674572 )

        Makes much more sense to un-install those privacy downgrades. Worth the effort as there is a distinct improvement in boot times as well as general performance. Those M$ anal probes do come with more than one cost, not just your privacy taken but also a system performance cost, obviously they run better in windows 10 built in than added in windows 7 and 8, which is why windows 10 outperforms fully privacy downgraded windows 7 and 8. I wonder how well windows 7 clean install no M$ recommended privacy downgr

        • Makes much more sense to un-install those privacy downgrades.

          An easier option is probably just to disable them [arstechnica.com], it looks like the sole purpose of the Diagnostics Tracking Service is to send data back to Microsoft so if you prevent it from running you should be fine.

          Disclaimer: I haven't run Snort on this yet so I don't know if there isn't something else phoning home with my data, but DTS seems the obvious candidate to kill.

          • by rtb61 ( 674572 )

            Thanks, I did both. In fact it seems to be a never ending tangle, finding more and mores purposeful holes in windows built in on purpose and needing to be uninstalled, disabled, detasked and blocked at the (non-M$) firewall.

      • by ihtoit ( 3393327 )

        There's a method which works (I've done it, and wrote the method as I went): it completely obliterates the Win10 nag and all associated processes and files, registry entries and pretty much guarantees that it won't return.

        Step 1: take ownership of the GWX folder
        Go to /Windows/System32/GWX. Right-click, Properties. Then, go to the Security tab, click Advanced. Under the Owner, click on Edit. Select your account rather than whatever crap Microsoft has preselected. Make sure you tick the box that says subfolde

        • Here's mine, rather more brief than yours since it was written purely as a memo for future reference:

          Create key HKLM\SOFTWARE\Policies\Microsoft\Windows\GWX, then add DisableGwx
          as REG_DWORD, value = 1.

          Win+R -> taskschd.msc, open Task Scheduler Library | Microsoft | Windows |
          Setup, which has two subkeys gwx and GWXTriggers. Delete all entries in
          gwx, the other can't be deleted because of permissions, for this use Win+R
          -> tasks, which opens C:\Windows\System32\Tasks. Go to
          Microsoft\Windows\

  • by WillAffleckUW ( 858324 ) on Tuesday September 01, 2015 @03:55PM (#50439483) Homepage Journal

    There are consequences to every action

    • by Anonymous Coward on Tuesday September 01, 2015 @04:44PM (#50439773)

      The funny part is that there was a man who saw all this coming back in the early 90s who nobody listened to. His name is Richard Stallman.

      Stallman warned everyone that proprietary software turns on the user in the end. People are complaining that Windows now sucks, and they have all these expensive (closed source too) tools they depend on for their livelihood that can't run on any platform besides Windows. Well, I guess they're getting what's coming to them. Stallman tried to warn them, but they didn't listen because they wanted stuff to "just work". Well, Stallman's inconvenient truth can no longer be ignored.

      So have fun Windows users. I hope that your short term gains were worth not solving the problem in an open, portable, way.

      • by chipschap ( 1444407 ) on Tuesday September 01, 2015 @05:23PM (#50440047)

        they didn't listen because they wanted stuff to "just work".

        The further irony is that they didn't even get that much ... what they got was "stuff just works, except when it doesn't."

        Now ... before anyone says, "yeah but stuff doesn't 'just work' on Linux either" ---- I know that. But I also know how much I paid for Linux. And if I'm good enough at it, I'm free to "fix stuff" and "make stuff work" I've done so many times. (Sure there are limits, the kernel is not so easy to fix ... but still ... you at least have full source access.)

        • Now ... before anyone says, "yeah but stuff doesn't 'just work' on Linux either" ---- I know that. But I also know how much I paid for Linux. And if I'm good enough at it, I'm free to "fix stuff" and "make stuff work" I've done so many times. (Sure there are limits, the kernel is not so easy to fix ... but still ... you at least have full source access.)

          Another fallacious "free" concept: "Linux is only free if your time is."

          Personally, I want to work with my computer, not on my computer. I have enough of the former writing Windows Applications during the day for work. So when I come home, the very last thing I want to do is fiddle-fart around with Linux just to achieve a modicum of usability, or suffer the slings and arrows of even more Windows crap, and now New and Improved built-in Spyware! So, check my username and get a clue as to what I enjoy as an

      • Microsoft is just helping you put into practice the (your) data wants to be free thing.
        • by lgw ( 121541 )

          Ubuntu too, of course, part of their program of copying everything MS does.

        • Microsoft is just helping you put into practice the (your) data wants to be free thing.

          So, if that's true, why don't we all just cause crash after crash, filling up their servers and bandwidth until they are forced to rethink their mass data collection strategy?

      • Stallman warned everyone that proprietary software turns on the user in the end.

        I know of some [apple.com] that won't [apple.com].

  • So...did Microsoft take the guy who turned on "Do Not Track" in IE out back and shoot him?

    • by raymorris ( 2726007 ) on Tuesday September 01, 2015 @04:52PM (#50439817) Journal

      No, the guys who wanted more tracking took that guy out for a beer. That's the guy who killed off DoNotTrack. Like Private Browsing in Firefox or Incognito Mode in Chrome, DNT was about the balance between privacy on one hand and convenience/features on the other hand. DNT was supposed to mean that the user valued privacy more than convenience and features at the moment. Here's what was supposed to happen, what DNT was intended for:

      Case 1, no DNT header:
      I go to Slashdot, and have not set a specific DNT header. I therefore get the DEFAULT tracking/personalization behaviors of Slashdot, including:
              I'm not redirected to Beta, because Slashdot tracks that I set "do not showme beta".
              On my mobile device, I'm not redirected to m.slashdot.org, because again Slashdot tracks my preferences based on some identifier/cookie.

      Case2, with DNT header:
      I launch a Private Browsing window in Firefox, or an Incognito tab in Chrome.
      The browser prompts "DNT: Do you want to tell web sites to avoid identifying you or tracking your preferences? Some features and preferences may not work in DNT mode."
      I click "yes, send the DNT header".
      Slashdot sees that I have expressed that I want a higher level of privacy than the default, that I am willing to give up personalization in exchange for privacy.
      Slashdot does not set a cookie, and I get redirected to m.slashdot.org or beta.slashdot.org each time. It does not track me to know my preferences between sessions.

      It's all about the balance between privacy and convenience. Much like Incognito / Private Browsing mode disables the browser history, autocomplete, and other useful features in exchange for better privacy.

      In short, the purpose of DNT was to communicate the user's desire to value privacy over convenience.

      By violating the spec and sending DNT as the DEFAULT, the DNT header in IE suddenly meant "the user probably wants the DEFAULT balance between privacy and convenience". Since IE sent DNT by default, it no longer provided any information about the user's priorities regarding convenience vs privacy. It therefore became completely useless for it's purpose. That guy killed DNT.

      -----

      Here's a concrete example. Quoting from the DNT policy:

      | all user identifiers, such as unique or nearly unique
      | cookies, "supercookies" and fingerprints are discarded

      Do you really think that all sites are going to get rid of cookies, including "don't show me Beta" cookies, for anyone and everyone using IE? Just because Microsoft thought it was a good idea? No friggin way. If the USER chose to actively ticked the box, perhaps so. Because Microsoft's marketing team thought that "Do Not Track" sounded good and that breaking most web sites was an acceptable side effect? I don't think so.

      • Do you really think that all sites are going to get rid of cookies, including "don't show me Beta" cookies, for anyone and everyone using IE? Just because Microsoft thought it was a good idea? No friggin way. If the USER chose to actively ticked the box, perhaps so. Because Microsoft's marketing team thought that "Do Not Track" sounded good and that breaking most web sites was an acceptable side effect? I don't think so.

        So you're saying privacy should be opt-out rather than opt-in.

        • by bondsbw ( 888959 )

          Yet in the same comment, he's saying that making it opt-out is the reason it died.

          • Yet in the same comment, he's saying that making it opt-out is the reason it died.

            So we can't privacy by default. You should have no privacy unless you opt-in to having it.

            • by bondsbw ( 888959 )

              No, I agree with your original statement. I was just pointing out the contradiction in the post by raymorris. (And to be clear, it's not a contradiction in logic but a contradiction between ideal and reality.)

        • I didn't say anything about my opinion of what SHOULD be. I described what the DNT spec does actually say. It says the header means that user actively chose to give up convenience and features , choosing more privacy instead. That's the meaning of the DNT header, per the DNT spec. I didn't write the spec, I just read it.

          As written, DNT is well matched with Private Browsing mode. Sometimes I use Private Browsing. Most of the time I don't use it, because I LIKE auto complete. But I don't like my addres

          • The fact that you have to explicitly say you want privacy makes it a bad spec to begin with, just like having to explicitly say you dont want to participate in Windows' CEIP rather than it being something you opt-in to is bad for privacy (even though in that case it's just telemetry data).
            • I don't entirely disagree with you. However, consider this. You not only got on the web, you also LOGGED IN and posted your private opinions publicly. For whatever reason, you just chose to make your private thoughts public, and chose to have Slashdot track your /. user id. That shows that SOMETIMES, you want Slashdot to identify you. Sometimes, privacy is not the most important thing to you.

              If you're like me, you clicked the "don't redirect me to beta" button. You'

              • I don't entirely disagree with you. However, consider this. You not only got on the web, you also LOGGED IN and posted your private opinions publicly. For whatever reason, you just chose to make your private thoughts public, and chose to have Slashdot track your /. user id. That shows that SOMETIMES, you want Slashdot to identify you. Sometimes, privacy is not the most important thing to you.

                Right, and I prefer to choose when that is, not have that as the default.

                On the other hand, I want my Google maps to be very convenient. I'd rather it remember frequently used addresses rather than make me type em in every time.

                Yes and you should opt in to that.

      • by AmiMoJo ( 196126 )

        There is no reason why in your example Slashdot could not remember your preferences without tracking you. A simple anonymous cookie with no unique ID for beta/no beta and mobile/desktop is all that is required.

        Even logging in is possible without violating DNT. Just discard any tracking data not essential for the provision of logged in services. DNT doesn't mean "do not set cookies", it means "don't track my browsing habits for any reason other than the provision of the services I ask for (e.g. advertising).

        • If you're interested, you can read the actual DNT RFC rather than guessing about what it says.

          There's nothing in the spec about "reason other than the provision of the services". There is one mention of advertising- tracking is ALLOWED under an exemption for advertising fraud detection. So almost the opposite of what you guessed it says.

  • by Tokolosh ( 1256448 ) on Tuesday September 01, 2015 @04:20PM (#50439621)

    I am willing to contribute money for the development of (hopefully) simple software or scripts rid my system of this malware, once installed.

    Also, some ongoing review system which only allows MS updates that are deemed benign.

    Sheesh, it's getting tedious to wade through all the KB verbiage with my evil lawyer hat on.

    • by Tokolosh ( 1256448 ) on Tuesday September 01, 2015 @04:28PM (#50439667)

      https://github.com/WindowsLies... [github.com]

      Someone is on the case!

      • I've also been eyeing this project, but haven't tried it on any of my machines yet. In the reddit /r/sysadmin thread [reddit.com] people seem quite critical of this script. There is credible opinion that these updates will be required for windows to continue updating in the future, so it's dangerous to remove them; and that privacy cannot be achieved anymore while running Microsoft operating systems.
      • by AmiMoJo ( 196126 )

        I wish that guy documented his work a bit more and didn't come off as paranoid. Why does he block hotmail.com, for example? I need login.love.com to use OneDrive for my encrypted backups. Blocking random Akamai servers doesn't sound like a good idea either.

        What we need is a minimal set of blocking rules, with each one well documented with evidence that it actually needs to be blocked. None of this hacky "block a bunch of random web sites because they are associated with Microsoft" crap.

        There is too much spe

    • I found this. Dunno if it's 100% comprehensive, but it's a start.

      http://www.hakspek.com/securit... [hakspek.com]

  • by Okian Warrior ( 537106 ) on Tuesday September 01, 2015 @04:22PM (#50439635) Homepage Journal

    "Raises privacy concerns" is elliptical speech: it's made to be deliberately obscure. (It uses "causes concern" to convey the central point without giving any information about what the point is.)

    It's also passive voice [wikipedia.org], in that there's no person performing the action, the action is simply "caused" by something. (For comparison, consider "we wrote reports" versus "reports were written".) Hence, there's no person or group responsible, it's simply an aspect of situation.

    And finally, the phrase uses framing [wikipedia.org] to soften the effect. Your personal information isn't being harvested, the system simply "raises some concerns".

    Taken as a whole the headline tries to get the reader emotionally involved by stating something we should be concerned about, without saying in concrete terms *that* there is anything to be concerned about, and that it's *other people* who are concerned.

    Meh. This didn't work on me, I'm not actually concerned, I'm going to ignore it.

    (Propaganda success!)

    • I am with you, my friend.

      If they really want to know where my desktop is.... I guess it is no secret anyway... I mean I am using a public IP after all...

  • Windows 10 (Score:5, Insightful)

    by Fire_Wraith ( 1460385 ) on Tuesday September 01, 2015 @04:41PM (#50439749)
    I really want to like Windows 10. It seems to have a lot of nice features, was a smooth upgrade from 7, and probably the single most painless OS upgrade I've had on any MS platform (I had to correct a single driver, for a minor issue, and that was it).

    But I'm really, really sick of just how blatantly Microsoft is trying to jam every single stupid thing into this, and tie it back to their cloud based bit. And I might even be okay with some of that, because I'm well aware that I wind up giving a lot to Google when I'm using stuff on Android. I might even use some of it, if they weren't going far beyond even what Google does.

    The final straw was when they wanted to essentially remove my local account on the machine and replace it with me using a Microsoft account for my local login. No, sorry, but Redmond can go get fucked if they want that. It's one thing to have stuff in a cloud based application that has its own password, but it's another thing for that cloud based password to be my entire system. Perhaps I'm being overly negative, but it's just too much, that they want all this personal data, and they want to tie it all not just to what I do in application land with Outlook/Bing/Edge/Cortana/Skype whatever, but down to the OS level? No. And if it gets worse, I may just have to bite the bullet and do my PC gaming on Linux, and give up on doing anything bleeding edge.
    • by ihtoit ( 3393327 )

      that's Software As A Service for you. Cloud-based login for a local account is just about the stupidest idea I have ever heard of. What if you don't have an internet connection (for example, if you're sitting in a roadside cafe)?

      Windows 7 and no automatic updates for me, and I've just started ripping out the other CEIP crap, there's fuckin' loads of it.

    • by vux984 ( 928602 )

      The final straw was when they wanted to essentially remove my local account on the machine and replace it with me using a Microsoft account for my local login.

      Apple actually it too.

      And in both cases, you can simply say No. It's not as obvious as it should be, but its also pretty trivial to say no, and since saying no, it hasn't bugged me about it again.

      Perhaps I'm being overly negative, but it's just too much

      I tend to think so too. But some people actually seem to like it.

      I may just have to bite the bullet and do my PC gaming on Linux

      Or you could just run a local account on your PC as you've always done. And not use Bing, edge, and outlook, and turn off Cortana.

      Windows 10 is a product of the times, so anticipate stuff with cloud integration shit to be all over the place... everyon

    • Cloud login sync between my 8.1 family PC and 8.1 tablet = kinda cool - the kid's pictures and game saves just pop up between the two.

      Cloud sync between my 8.1 family PC and 8.1 development box = completely pointless - these are two different machines, I don't want family junk on my dev box or makefiles all over my family machine.

    • I really want to like Windows 10. It seems to have a lot of nice features, was a smooth upgrade from 7, and probably the single most painless OS upgrade I've had on any MS platform

      Amen, it really has been painless. They put a lot of effort into making this super easy. So far I've upgraded more than a dozen machines, ranging from a Core2Quad from 2008 to a recent high end Haswell machine, down to an ultraportable that only came with 32GB of SSD storage and didn't have enough space to install, but it used a USB Flash stick and did it anyway.

      No problems. None, zero, ziltch, everything worked perfectly at the first reboot, and that included 5 year old Windows 7 installs that had a mil

    • The final straw was when they wanted to essentially remove my local account on the machine and replace it with me using a Microsoft account for my local login.

      The final straw was providing you something optional which you can change at any time?

      Man you're easy to upset.

    • google does the exact same with their Chromebook login. Windows does let you use a regular username/password untied to the cloud. I did it first thing.
    • Yep, I totally hate what they've done with Win 10 too. It's not that they offer you options for cloud synchronization and such is that they're pushing them hard by making them the default and in many cases, making the "classic" options hard to find (e.g.: creating a local account instead of using a Ms account for login when you install Win 10).
      Also for many apps (mail, media player, browser) the default are the "modern"/metro touch-optimized apps, which I find horrible for desktop use because, among other
  • I've come up with a relatively simple solution. The text at the end of this post is a batch file. You can copy it from here, and paste it into notepad, and save it with any name you want, and the file extension .bat and then click on it to run it. It will look for each of the corrupted updates in order, and either tell you that they aren't installed, or give you the option of removing them. If you do choose to remove one or more of them, it will prompt you to reset your computer after each successful remova
  • by ihtoit ( 3393327 ) on Tuesday September 01, 2015 @04:57PM (#50439855)

    Would the editors consider adding a section for analysis of Windows updates so we can read then decide if we want them instead of having to go on click marathons through the desktop client? Even some sort of Patch Tuesday digest just indicating which of the updates are actual security patches would do it.

  • The funny thing about this is until this I was willing to send telemetry to Microsoft. I understand how them knowing when my system crashes helps them fix bugs. I understand the wealth of good-for-everyone knowledge that comes with reports of which precise system file had a problem performing what kind of information. I would block crash reports sometimes, and I would allow other basic telemetry most of the time.

    But due to their new privacy policy and other privacy rapine I've blocked every form of telemet
    • by yuhong ( 1378501 )

      What is actually wrong with the privacy policy that led you to disable it?

    • In my neighborhood, I am said "local nerd", and my advice to ANYone who asks, is "If you're on XP, we need to see if your system's use case allows you to use this thing called Linux.. If you're on Windows 7 or 8, STAY where you are... If you bought a new machine with 10, may God bless your soul.. We need to see if your machine's use case allows wiping that nightmare and installing Linux..." These words (or ones like them) have been spoken several times lately.. Especially regarding the poor sap who just bou

  • People who opted in to the Customer Experience Improvement Program are getting updates that send customer experience telemetry data.

    What an outrage.

    • A good software developer should add logging of errors, unexpected values, and operations that take longer to complete than expected, and there should be a user option to have these logs sent back to the developer. So ok that seems to be what's happening here. As this is an OS it's probably also sniffing for malware like behaviour.

      Being Slashdot I guess the unspoken worry is that MS are recording videos of slashdotters watching porn and the developers are having a good laugh. However I doubt that is happeni

      • by Octorian ( 14086 )

        Yeah, when anyone else does it, this is the normal way software is maintained and supported in the modern connected world.
        But when Microsoft does it, we scream bloody murder!

        So many things these days seem to have these sorts of double-standards.

  • by Trogre ( 513942 )

    Why, again, do people still use Windows?

    • Re:Sigh (Score:4, Insightful)

      by exomondo ( 1725132 ) on Tuesday September 01, 2015 @06:48PM (#50440499)

      Why, again, do people still use Windows?

      Because it runs the programs they need to run and works with the devices they use. That is the primary purpose of an operating system, nobody turns on their computer just to use the operating system.

  • From what I've read, all of these infected updates are optional, so you have to deliberately install them. Is this true? If not, how do I detect if I've been infected? Someone up the thread posted a link to a github with a batch script you have to run as administrator, that's not really what I'm talking about. I just want to detect.
  • Aw man apk will jizzgazm all over this thread. The time has finally come!

  • by naranek ( 1727936 ) on Wednesday September 02, 2015 @05:40AM (#50442439)

    The thing that worries me it that there are now dozens of articles about which updates to remove to disable telemetry or the Windows 10 update nagbox. We've been saying that installing security updates is fundamental to keeping your computer secure. This goes against that. Do we really want to teach people to uninstall random updates based on shady blog articles?

    Earlier I had all automatic update checkboxes checked, because I trusted that security updates are just that - security updates. From now on I'll be checking all the updates manually before installing, and I really hate to have to do that.

    And before anybody recommends switch to Linux, I already use Linux as my main OS.

  • Unless there's a sinister plan to expand the use of telemetry in the future, why would these updates even be deployed to users who aren't already participating in the Customer Experience Improvement Program?

It's currently a problem of access to gigabits through punybaud. -- J. C. R. Licklider

Working...