Windows 10 Privacy Changes Appease Watchdogs, But Still No Data 'Off-Switch' (zdnet.com) 211
Earlier this month, Microsoft announced several privacy changes in Windows 10, but it didn't give users an option to completely opt out of the data-collection feature. The announcement came at a time to coincide with a statement by the Swiss data protection and privacy regulator, the FDPIC, which last week said it would drop its threats of a lawsuit after the company "agreed to implement" a string of recommendations it made last year. The news closed the books on an investigation that began in 2015, shortly after Windows 10 was released. Though the Swiss appear satisfied, other critics are waiting for more. The French data protection watchdog, the CNIL, was equally unimpressed by Microsoft's actions, and it served the company with a notice in July to demand that it clean up its privacy settings. In an email, the CNIL said that the changes "seem to comply" with its complaint, but it's "now analyzing more in [sic] details Microsoft answers in order to know whether all the failures underlined in the formal notice do now comply with the law." ZDNet adds: Microsoft still hasn't said exactly what gets collected as part of the basic level of collection, except that the data is used to improve its software and services down the line; a reasonable ask -- but one that nonetheless lacks specifics. Microsoft said it wants users to "trust" it. And while the likelihood that the company is doing anything nefarious with users' information is frankly unlikely, the running risk that the data could somehow be turned over to a government agency or even stolen by hackers is inescapable. That risk alone is enough for many to want to keep what's on their computer in their homes. While changing the privacy controls is a move in the right direction, it's still short of what many have called for.
By ignoring the biggest privacy complaint from its consumer users -- the ability to switch off data collection altogether -- Microsoft has favored the "just enough" approach to appease the regulators. Without a way to truly opt out, Microsoft's repeated pledge (eight times in the blog post, no less) to give its users "control" of their data comes off as a hollow soundbite.
What gets collected (Score:2, Insightful)
Whatever the NSA or their EU equivalent asks for and more just in case they need to ask for more in the future.
Stop using Windows if you want any semblance of privacy.
Trust? (Score:5, Insightful)
Apparently Microsoft uses the word "Trust" in the same way Apple uses the word "Courage". I still haven't figured out what either one means... only that neither corresponds to what's in the dictionary.
Re: (Score:1)
My AirPods are awesome and my enterprise version of Windows has everything turned off. So meh.
Re: (Score:2)
Off isn't off is the point; your enterprise edition is still sending info to Microsoft without your consent.
Re: (Score:1)
Actually, for the Enterprise version (at least it was supposed to be like this), moving the slider to zero is supposed to result in no data being sent. The same setting on the version us commoners get to use still sends data to MS.
Re:Trust? (Score:5, Interesting)
This view is disgusting:
> Microsoft still hasn't said exactly what gets collected as part of the basic level of collection, except that the data is used to improve its software and services down the line; a reasonable ask
Reasonable? Why should I spend my money on electricity and bandwidth to help the commercial product of a multi-billion dollar corporation? Why don't they pay people to do QA any more? Why don't they pay users if the data has business value?
Fuck that. It is NOT a reasonable ask, it's ridiculous.
Re:Trust? (Score:5, Interesting)
The problem is endemic far and beyond Microsoft. While the data on your PC is something people take personally, other companies performing tech support for products less often encountered by end-users are playing it fast and loose with their customers' data in the name of support.
In the networking space, if you call in any request to fix or enhance a product, the front line TAC these days has been told to have you collect a pretty thorough dump of the device configuration database. These databases are not necessarily in any sort of human readable form, but those who know what to look for can easily see that they often include private crypto keys, password hashes or sometimes even cleartext passwords, and more detail about the internal layout of the most sensitive parts of the customer's network than would be needed to solve a technical problem.
This is plausibly just because these companies have not had enough customers complain, and assigned development the task of omitting potentially sensitive data from these "tech dumps"; but it doesn't take horribly much tinfoil to imagine there could be compromised policy-setters at these companies who stand ready to step on any attempt to rectify this situation.
Finally, to top it off there is a trend to either transfer these files over email since huge attachments are no longer a problem on modern email systems, or to outsource file uploads to dropbox-ish cloud service providers.
So, it would not surprise me if there were quite a few spooks... foreign, domestic, and industrial... working at support departments in major corporations, though the more resourced agencies may not need to do even that given the lack of hygiene exercised in transferring these files to and around the corporate TAC.
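The risk described in the comment above (an opaque support dump that still carries private keys, password hashes or cleartext passwords) can be checked for before the file leaves the network. The following is an added example, not part of the original thread: a byte-level scanner with length-preserving redaction, so offsets in the binary file stay intact. The patterns, function names and the sample blob are assumptions constructed for illustration, not any vendor's dump format.

```python
import re

# Byte patterns, so the scan works on opaque binary dumps as well as text.
PATTERNS = {
    # PEM block; if the END marker is missing (truncated dump) only the header matches.
    "pem_private_key": re.compile(
        rb"-----BEGIN (?P<t>[A-Z ]*PRIVATE KEY)-----"
        rb"(?:.*?-----END (?P=t)-----)?", re.S),
    # crypt(3) modular format: $id$salt$hash (1=MD5, 5/6=SHA-2, 2a/2b/2y=bcrypt).
    "crypt_hash": re.compile(rb"\$(?:1|5|6|2[aby])\$[./A-Za-z0-9$=,]{8,}"),
    # key=value style cleartext; values starting with '$' are left to crypt_hash.
    "cleartext_password": re.compile(
        rb"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*"
        rb"(?P<secret>(?!\$)[^\s\x00]{4,})"),
}


def find_secrets(blob: bytes):
    """Return sorted (offset, length, kind) tuples for every match in blob."""
    hits = []
    for kind, rx in PATTERNS.items():
        # Report only the value when the pattern isolates it in a named group.
        group = "secret" if "secret" in rx.groupindex else 0
        for m in rx.finditer(blob):
            hits.append((m.start(group), m.end(group) - m.start(group), kind))
    return sorted(hits)


def redact(blob: bytes, fill: bytes = b"X") -> bytes:
    """Overwrite each hit in place; the output has the same length as the input."""
    out = bytearray(blob)
    for offset, length, _kind in find_secrets(blob):
        out[offset:offset + length] = fill * length
    return bytes(out)


# Constructed sample: a made-up binary config database, not a real device dump.
SAMPLE_DUMP = b"".join([
    b"\x00\x01CFGDB\x00hostname=edge-rtr-01\x00",
    b"admin_password=Winter2017!\x00",
    b"user:ops:$6$Qx9dLk2a$" + b"A" * 86 + b"\x00",
    b"-----BEGIN RSA PRIVATE KEY-----\nTUlJQ29uc3RydWN0ZWQ=\n"
    b"-----END RSA PRIVATE KEY-----\n",
    b"\xff\xfe snmp_location=rack 12\x00",
])

if __name__ == "__main__":
    for offset, length, kind in find_secrets(SAMPLE_DUMP):
        print(f"{kind:20s} offset={offset:4d} length={length}")
    print("size unchanged:", len(redact(SAMPLE_DUMP)) == len(SAMPLE_DUMP))
```

A clean scan only means none of these patterns matched; keys stored in binary (DER) or vendor-obfuscated form would need format-specific checks.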
Re: (Score:2)
A difference of degree only, with the trend going in the wrong direction in both cases. Neither is acceptable.
Re: (Score:2)
The point being, that dump is not human readable, and almost nobody at the company can really tell you "it has no keys in it" because they don't know, never mind how to redact the keys. Basically you are left with two options: redact every bit of binary data that could possibly contain a key, possibly breaking the dump in a way that prevents TAC/engineering from using it (say, if they have a visualization tool that needs to load it, or they want to replicate by loading it onto test equipment.) Or, second opt
Re: (Score:2)
>> Basically you are left with two options ...
Nope
You have 4 options
1) & 2) as you mentioned
3) reproduce the issue on a pristine PC without any sensitive data, send this dump.
4) Use Linux.
Re: (Score:2)
3) is sometimes an option... license keys or hardware inventory can get in the way here. It's also pretty labor intensive.
4) generally isn't as there are not enterprise-grade open-source alternatives (and often custom hardware, many times already running a custom linux.)
Re:Trust? (Score:5, Funny)
> Apparently Microsoft uses the word "Trust" in the same way Apple uses the word "Courage". I still haven't figured out what either one means..
MS Trust: "I'm altering the deal. Trust I don't alter it any further." DUN DUN DE DUN.
Apple Courage: "It is easy to confuse Courage with Stupidity -- we did. If you're stupid enough to spend yet more money on over-priced wireless crap to replace the gear you already have, we have the courage to sell it to you."
Re: (Score:1)
Microsoft wants you to trust its product despite the fact that the product betrays you. That isn't hard to understand.
They have no intention of making it trustworthy. They just want to do spin doctoring and social engineering to get people to accept it the way Microsoft wants it to be, rather than the way the users want it to be.
Makes perfect sense that they would do this, given their position and incentives.
Re:Trust? (Score:4, Insightful)
/puts on tinfoil hat
I wonder how long it will be before those of us who refuse to use corporate/closed-source operating systems on our computers will be put on a watch list by the government, and subjected to things that terrorists are subjected to...
As far as I'm concerned, you don't need a tin-foil hat to think that this may not be *too* far down the line...
Re: (Score:2)
>> I wonder how long it will be before those of us who refuse to use corporate/closed-source operating systems on our computers will be put on a watch list by the government ...
In most governments the watchlist is no more. It's been replaced by an opt-out list containing a few names of top politicians.
Every now and then, these top politicians find out that the opt-out list is ignored, and it's funny that they are furious about it.
In other words : WE ARE ALL CONSIDERED TERRORISTS ALREADY.
Re: (Score:2)
The word "courage" when applied to Apple means much the same as describing people in our community as "gifted" or "special".
For example, the decision to not release a Mac Mini or MacBook Pro that could take more than 16 GB RAM in 2016 was a very courageous move. As is sticking a fork in a power socket and licking it.
Re: (Score:2)
I wish I could mod on the same article I post to. This so deserves a +1.
Of course (Score:1)
Re: (Score:2)
I actually think they want the 30% of all software you install even more than the data.
Windows "telemetry" = Only use Linux Mint (Score:2, Flamebait)
Seriously. Why bother with Windows 10 if it's going to spy on your activity?
Why bother with Windows 10?
Why bother with Windows X?
Re: (Score:2, Informative)
Why bother with any OS? Oh yeah, that's where my software lives
So much software is Windows only or works on Windows "best" (emulation is spotty and under-performing on avg)
It's a platform some of us have to live with
Re: (Score:1)
So I've switched to Linux Mint from Windows, a few months ago, because of advice similar to this.
Just recently, I've tried to upgrade the Linux kernel from 4.4 to 4.8 in Linux Mint 18.1
The upgrade process failed, because of problems recompiling some VirtualBox thing or other,
but it was not protected by some sort of transaction to only allow activation on success.
End result: major borkage and a broken boot - I now have to boot using a USB drive with a separate copy of Linux
And since the Linux Mint guys haven
Re: (Score:1)
I don't have anything against Linux Mint (I've even contributed some bits) but the most important thing in an operating system is support, and expecting 100% perfect update and/or other support on Linux Mint is kinda naive, since it's maintained by a small group of people, most of the work being done by one guy. People with no desktop Linux experience should use something better backed by more people like Ubuntu, Debian or Fedora.
Re: (Score:2)
Ever phoned Microsoft for "support"? How'd that go for you? If you're lucky they told you to re-install. More likely you couldn't even find a human to talk to.
People talk about commercial software having support, but it doesn't (Unless you're an enterprise license with thousands of seats, and even then you pay dearly for very little in the way of support). The forum posts you can find for any linux distro offer far more support than anything any commercial software company produces.
Re: (Score:2)
>> End result: major borkage and a broken boot
Yeah. For mint, the recommended and fully supported upgrade path is a fresh install.
If you upgrade it the other way, it's risky, and you knew it, you checked the box with the red warnings before.
Anyway, the fresh install on Mint is two times quicker than the update, so why bother with the update ??????
My recommendation (through GUI):
On first install, create 4 partitions
sda1 : root, 40 GB
sda2 : empty, 40GB
sda3 : swap, 4GB
sda4 : /home
When upgrading, install
Re: (Score:2, Insightful)
> "But that tracking can be easily disabled!" or "But that tracking is off by default!"
These are perfectly reasonable mitigations.
Also, it is not reasonable to pretend that a thing that Ubuntu did is somehow "Linux", even if they were still doing it. You know what spies on you? Red Star Linux. But that's not a very reasonable thing. If you don't like the Ubuntu/Amazon thing, then leave it off or turn it off, or just simply don't use Ubuntu. Arch doesn't have that problem. Or Fedora, or Debian, or o
Re: (Score:1)
> It's dangerous to think that somehow Ubuntu is somehow better in this regard.
FTFY. Canonical doesn't represent the whole of Linux or open source software. Also being open source means you can remove or add anything you want. Can you point me to the source code for Windows 10?
> Then there's Firefox's telemetry, too.
> There's also the Homebrew open source project, which supports data collection, and stores it in Google Analytics
Firefox and Homebrew's spyware is 100% optional. You also have access to the source code, so you can yank it completely out if you want to. In addition, neither of them are operating systems with full access to everything.
If you can't see the difference between always-on spyware in an operating system from a mul
Re: (Score:1)
> You also have access to the source code, so you can yank it completely out if you want to.
Another misconception.
0.000023425% of the userbase actually has the ability to do something more than point and click to start the application. Since you evidently missed this, please post your repository where you've already done the work, so the majority of the userbase can download it. thanks.
Until Data Collection is 100% Removed... (Score:3, Interesting)
Re: (Score:3, Funny)
Thank you for your sage advice, Career Captain CapsLock!
Re: (Score:2)
What will you replace with? :(
Re: (Score:3, Insightful)
The parent actually makes a good point, and I don't doubt your rebuttal. However!
Microsoft promised that there would not only be "one" Windows and that everyone would receive forced updates.
But that's not actually the case. What they are doing is rolling out updates across different users at different rates. So actually, the parent poster could be 100% correct, and so can you, and it's all down to Microsoft using everyone who isn't an "Enterprise" customer as their QA department.
They're being complete fucks
Re: (Score:2)
I see a lot of comments like this all over the net. People claiming things that are easy to prove false, or are false on the surface. I wonder if someone is astroturfing, or if MS hate is STILL that strong?
Also, I guess this person uses no smartphone as well, as ALL of those collect data, even with a custom ROM and rooting and other protections, the black box known as the cell radio has you tracked anyway, so that is certainly not 100% removed. I guess no social media at all, and no gmail, dropbox etc. iOS,
Re: (Score:2)
You're just pissed because the hardcoded callback IPs make your host file software redundant, at least so far as Win10 goes (and, so far as I understand it, Win7 and 8/8.1 as well).
I'll sit back now and wait for you to stalk me for a few hours. Watching you get unhinged and demonstrate your manic phase with grandiose claims and threats.
I called this already (Score:5, Interesting)
I will simply refer you to my comment in last week's discussion on "Microsoft To Enhance User Privacy Controls In Upcoming Windows 10 Update": here [slashdot.org]
Bottom line: Microsoft's only objective was "get people to quit trashing us openly". Of course, the current state very well could have been their desired end goal and they went extreme from the outset to give them room to appear to compromise. Either way, whether or not it was planned, they make themselves look (comparatively) like the good guys.
Re: (Score:2)
Heh, funny world we live in.
"From now on, I'll only beat my wife on the weekend"
Partnership with US government (Score:1)
This is clearly a partnership with the US government in expanding its surveillance practices. Free access to all emails on their servers and now it's free access to everyone's computers, key logs, data and documents. Microsoft knew exactly what they were doing, just as well as the US government.
Re: (Score:2)
This much is dead obvious.
Makes me want to... (Score:2)
Trust me. (Score:5, Funny)
> Microsoft said it wants users to "trust" it.
I hear that a lot from companies and people -- like some newly elected officials -- and it always makes my ass twitch.
Re: (Score:2)
... it always makes my ass twitch.
In a good way?
Unfortunately, generally no.
"frankly unlikely"? (Score:4, Insightful)
> ZDNet adds: ... And while the likelihood that the company is doing anything nefarious with users' information is frankly unlikely ...
This quote is a case of somebody writing something to just fit a grammatical template, rather than thinking about what they're writing. Substantiate that wild speculation, ZDNet, or turn in your beard-stroking license asap.
Re: (Score:2)
ZDNet and especially Ed Bott are Microsoft puppets. It's not surprising that they would try to handwave this sketchy behaviour.
It's not "trust" in the Merriam-Webster sense ... (Score:3)
Users: How? You haven't asked us about anything.
Microsoft: Oh, we know--trust us
-------
All Power to the NT Overlords!
Do they really know what users want? (Score:1)
Camera pans over boardroom:
Data Guy: "Did you know user data shows that consumers spend less than 0.1% of their computer time in the control panel?"
Executive: "It must not be important and takes up a lot of developer time. Remove it!"
Programmer: "Um... can we, maybe, not do that?"
Executive: "Just KILL it! Also, you're fired!"
Re: (Score:2)
This is the least objectionable use for the data. If it was truly and irreversibly anonymized, I wouldn't have a problem with MS datamining trends to give users what they want.
I just have doubts about the truly or irreversible part, even if they claimed anonymity.
Trust (Score:2)
The opposite of trust? Anti-Trust. Ya'know, that thing Microsoft already violated?
I only want an operating system (Score:5, Insightful)
Is that too much to ask? I'd like to pay some money in exchange for software to abstract my hardware into a platform and allow applications to run. That is of course the kernel and drivers as well as the libraries and services necessary for applications.
I don't want advertisements, data mining, or even a bundled web browser. I do want security updates and timezone updates, please don't stop updating timezones with the excuse that an older operating system version is "unsupported".
If this were a free market, we could pay money in exchange for the goods and services we want. Assuming we can agree on a price, but I doubt even a million dollars could get Microsoft's attention.
Re: (Score:3)
> If this were a free market, we could pay money in exchange for the goods and services we want. Assuming we can agree on a price, but I doubt even a million dollars could get Microsoft's attention.
It is a free market. What you describe actually exists. In fact, something better than what you describe exists: Linux. It may seem tired, but there are literally dozens of distributions out there. Some have corporate backing (e.g., RedHat, SuSE), others are developed by a community (e.g., Debian), and others are the result of heroics by primarily one individual (e.g., Slackware). The point is that there are so many options, some which will take your money, others of which will not.
Many of those Linux
Re: (Score:2)
Yes, I've been using Linux as my primary OS for over 20 years (really!). But Linux is not equivalent to Microsoft Windows.
I can get chicken sandwiches from Wendy's, McDonalds, etc. and I tend to frequent those establishments instead of Chick-Fil-A. But of course there is a huge amount of choice for fast food, and they are generally equivalent to each other ignoring basic taste preferences.
If I want to run a Windows application should I use anything except Microsoft Windows to run it? Could I use Wine? Perha
Re: (Score:3)
If 99% of software was cross platform they'd have to give people what they want instead of giving us what Microsoft wants
Re: (Score:2)
My dream is that when most software is available on iOS and Android that Microsoft will lose their hold over us.
Of course then we'll be locked into Apple, Amazon and Google app store ecosystem and will not be able to develop and sell software without Apple and Google's say so.
And it will never happen (Score:2)
Win10 was designed *from the ground up* with telemetry and spyware/malware/whathaveyou in mind.
You will never get them to "turn it off", at best you'll get "minimal" and it will require 3rd parties to fix (if they can, closed source and all that)
Why use it to begin with, if you have the option, use anything else, but not Win10.
Trust them (Score:2)
It will make it a lot easier for them if you just trust them. Not better for you, but certainly better for them.
i call bs (Score:1)
> Microsoft still hasn't said exactly what gets collected as part of the basic level of collection, except that the data is used to improve its software and services down the line; a reasonable ask...
Unless the OS is free, it's not a reasonable ask. Period.
So how *does* one turn off telemetry completely (Score:2)
As the title says, how do /.ers turn off W10 telemetry completely? I've seen many solutions, but none seem to be successful in both allowing updates to come through and blocking *all* telemetry.
Re: (Score:3)
And that's the trick. It's easy to block all the telemetry by simply blacklisting all the MS servers at the firewall. The issue is that also blocks updates.
Pick your poison....
Of course you ask what /.ers do. They don't run Windows in the first place!
Re: (Score:3)
Simple: Do not use Win10 or never connect it to a network. Anybody else that thinks they can reliably "turn off telemetry completely" in the face of missing documentation and forced updates is just kidding themselves. There is a good reason no well-known security researchers have come up with reliable recipes to do it, they know and understand this. It is also extremely telling that there are no good analyses of what actually gets sent out there: It is both difficult to do and the data could change completel
SSL Decrypt? (Score:2)
Just curious, but is anyone running SSL decryption on their networks where they could see this traffic leaving the network? Would they be able to see the traffic in plain text to see what is being reported to Microsoft?
Re: (Score:2)
Recall the PRISM slides and the years for each US brand?
https://en.wikipedia.org/wiki/... [wikipedia.org]
"Microsoft handed the NSA access to encrypted messages"
https://www.theguardian.com/wo... [theguardian.com]
If you want a secure OS find one. Use Microsoft for games and DirectX 12 support.
Let Microsoft enjoy the computer game feedback on Windows 10.
Do any real computing with a more secure OS.
Go ahead, Microsoft (Score:2)
Read my data.
Enjoy your PTSD [slashdot.org].
First (Score:1)
First, Microsoft has to treat us like users: People who have sensitive data, want to know what their tools (computers) are doing with the rest of the internet, don't have to use your products (although the ubiquity of MS Office and vertical market software make that difficult) and yes, pay for the products you make.
Trust requires trustworthiness (Score:2)
MS has none. They have engaged in criminal acts to screw over customers and competitors. Lying to their customers is something they routinely do. They have shown time and again that they feel zero obligations to their customers.
Anybody trusting MS is stupid. They do not deserve trust. They must make legally binding accurate and complete statements about the data they collect, what it is being used for, and how it is secured against unauthorized access. And if they violate any of these assurances, it must be
Re:oh yes I DID! (Score:4, Informative)
Where have you been for the last two years? MS uses hard-coded IPs to avoid any messing around with DNS.
Re: (Score:2)
What does that have to do with a HOSTS file? Very good job on regurgitating that knowledge, but maybe make sure it's relevant next time.
Re: (Score:2)
So you don't black hole those IPs and hosts at the router/firewall level?
How will you ever know if you got them all? Malware authors have evolved techniques like rotating their C&C to different IPs based upon the current UTC time. Microsoft has 20+ million IPs [he.net] to pick from, and those are just the ones with their name on them. You can't block them all without taking out all of Azure, which hosts lots of legit non-MS services.
Re: (Score:2)
That only works if you carry your router with you everywhere you take your computer. That would be a totally feasible thing if someone produced a micro router/firewall that was the size of a bluetooth dongle, but I haven't been able to find anything like that yet.
Why are you running Windows 10 anyway? If you really need to run it for some specific applications then just dual boot, yes it's slightly inconvenient but that is the price of privacy.
Re: (Score:2)
Well given we're talking about blacklisting IPs that Windows sends information to and that you are looking for (haven't been able to find) a micro router/firewall I'd say it's pretty reasonable assumption that you do or that you would like to run Windows 10. If not then why bother? Just use the hosts file on Linux.
Anyway ok, you're not running Windows 10, no big deal. The suggestion still stands for anybody who does need to run it for whatever reason.
Re:oh yes I DID! (Score:4, Informative)
I don't think there's anything illegitimate about it. It's just that he's mentally ill, and that the software in question really doesn't work where an OS or software manufacturer hard codes callback IP addresses. I went to his page about six months ago, and was fascinated to see screenshots from what was either XP or Server 2003, which said a lot not only about the software, but about APK's state of mind. He's also made a number of posts over the years that suggest he's a good old fashioned netkook, maybe the last of that ancient breed. So, like all good netkooks, he has a fixation, which in his case is his obsession with the hosts file.
Re: (Score:2)
Lots of software developers are somewhere on the autism spectrum, and are classified as high-functioning ASD. Personally, I also have dysthymic disorder (essentially chronic low-grade depression that's gone through two name changes since my diagnosis), and people seem to trust what I write.
Re: (Score:2)
You probably wouldn't notice me as being ASD or depressive. Lots of us are quite adept at looking normal. I'm being open with it because it's unlikely to hurt me (not any worse than it has already; I've already been denied insurance).
People depend on stuff I've written for safety purposes. They haven't regretted it.
Re: (Score:2)
I've got the diagnoses. Therefore, I'm mentally ill, although it usually doesn't show. I also have some physical illnesses you won't notice by looking at me. I'm reasonably healthy for my age, and I know a lot of contemporaries who are worse off, but I'm not in perfect health.
I'm emphasizing this because I really hate "mentally ill" being used as an insult, and it often is. APK does not necessarily have a mental illness; APK might just be an asshole, which is not a category in DSM-V. There are menta