Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Windows Privacy

A Breakdown of the Windows 10 Privacy Policy 318

WheezyJoe writes: The Verge has a piece on Windows 10 privacy that presents actual passages from the EULA and privacy policy that suggest what the OS is capturing and sending back to Microsoft. The piece takes a Microsoft-friendly point of view, arguing that all Microsoft is doing is either helpful or already being done either by Google or older releases of Windows, and also touches on how to shut things off (which is also explained here). But the quoted passages from the EULA and the privacy policy are interesting to review, particularly if you look out for legal weasel words that are open to Microsoft's interpretation, such as "various types (of data)", diagnostic data "vital" to the operation of Windows (cannot be turned off), sharing personal data "as necessary" and "to protect the rights or property of Microsoft". And while their explanations following the quotes may attempt an overly friendly spin, the article may be right about one thing: "In all, only a handful of these new features, and the privacy concerns they bring, are actually in fact new... Most people have just been either unaware or just did not care of their existence in past operating systems and software." Even pirates are having privacy concerns and blocking Windows 10 users.
This discussion has been archived. No new comments can be posted.

A Breakdown of the Windows 10 Privacy Policy

Comments Filter:
  • by Karmashock ( 2415832 ) on Monday August 24, 2015 @03:14PM (#50383075)

    ... you just don't "know" you like it? They did this promotion where they sat old people in front of vista machines asked them to derp around on it and then asked them if they liked it... they all said they did... and MS basically said "everyone saying they don't like vista is wrong/a troll/ignorant/etc"... remember that?

    Well... same thing seems to be happening again. Consumers are saying "we have problems with these features and we'd like them fixed"... and MS is again saying "I hear you saying you don't want it but I think you're just saying you want me to tell you about how great they are again until you change your mind.

    No.
    https://youtu.be/dROwEc4VyJA?t... [youtu.be]

    • I did like Vista, when you have drivers for it, it ran great.
    • I would call this more similar to what Microsoft went through with the latest Xbox. Initially there were significant privacy concerns, some people got very upset, and they backpedaled (as they did on so many things with that system.) I'm hoping we see that with Windows 10. I'm not holding my breath, especially since they added spying to Windows 7 instead so far.

      • The xbox one never actually recovered from that either. If you compare the sales figures with the PS4... the xbox one lost something like half its potential install base because of that fuck up.

        I think sales of the xbox one are something like 25 to 33 percent of the PS4 which is a big reversal from the Xbox 360.

        There were so many fuck ups with that release. The kinnect or whatever it was called was better evidence for MS having their heads up their asses than I've seen in awhile. And the stupidity just kept

    • MS basically said "everyone saying they don't like vista is wrong/a troll/ignorant/etc"... remember that?

      I am looking at an Insider build of Windows which, for all practical purposes, has restored the Aero desktop.

      • define what you're talking about? You mean as opposed to metro?

        Because that's not a giant vote of confidence.

  • by Anonymous Coward on Monday August 24, 2015 @03:18PM (#50383111)

    Posting anon for obvious reasons.

    In a former life, there was some question about what and how far an org could go into customer data that was collected through remote telemetry or use of cloud services. A couple years ago, legal counsel informed us that we could capture, examine, and retain essentially any customer data, because any security-related review fell under the clauses about use of customer data for "enhancement of customer experience", to which the customer consented in the EULA. This is why some entities feel very free to capture any data they want from endpoint computers and effectively lie about it in marketing documents: because end-users consented to a free-for-all in the prior/overriding legal license.

    • It's worth pointing out that laws in this sort of area vary widely. I don't know where you're based, but I don't know a lot of lawyers who'd be comfortable defending that position in much of Europe, for example. On the other hand, it wouldn't surprise me at all to find the law allowed that kind of behaviour in the US.

  • Simple (Score:2, Insightful)

    by Anonymous Coward
    Windows 10 Privacy = Oxymoron
  • by Anonymous Coward on Monday August 24, 2015 @03:24PM (#50383181)

    Exactly how vital can they be if the fucking computer still works with no Internet connection?

    • Clearly they're not vital to enterprise customers.
    • by Dunbal ( 464142 ) * on Monday August 24, 2015 @04:06PM (#50383499)
      Vital to Microsoft. So they can mine/sell the data. Get it now?
    • Exactly how vital can they be if the fucking computer still works with no Internet connection?

      How many computers outside a secured corporate or governmental network are currently operating without at least part-time access to the Internet?

      How many computers on the corporate intranet aren't collecting similar data for internal use --- and sharing some of that data with Microsoft to improve the performance of both clients and servers?

  • 7 and 8 too (Score:5, Informative)

    by Anonymous Coward on Monday August 24, 2015 @03:26PM (#50383191)

    If you're running automatic updates on 7 or 8 you already have the same "telemetry" components as well. Check for installation of 3035583, 2952664, 2976978, 3021917, 3044374, 2990214, 3022345, 3068708, all of which are windows 10 related components. It seems that the last two are the diagnostics/telemetry ones with the others having more questionable intent.

    Microsoft describes these updates (https://support.microsoft.com/en-us/kb/3068708) as honoring the CEIP choice and only doing the spying if the user has opted in. At least at this time however the server that microsoft identifies (vortex-win.data.microsoft.com) will have active connections even on machines where the CEIP choice was set to opt-out.

    I'm sure once this gets some more media attention Microsoft will claim that they're storing the data just in case you change your mind, and that they wouldn't think of abusing it until then.

    • Or not (Score:4, Insightful)

      by Anonymous Brave Guy ( 457657 ) on Monday August 24, 2015 @04:01PM (#50383473)

      If you're running automatic updates on 7 or 8 you already have the same "telemetry" components as well.

      No, I don't. You see, the great thing about still being on Windows 7 is that I'm not forced to install whatever user-hostile updates Microsoft deems necessary. So I didn't.

      By the way, neither did a lot of other people. Many of the professionals I know have been "security updates only" for quite a long time, even on personal use machines rather than work ones. Plenty more joined the fold recently after the Win10 nag message update.

      It frustrates me that the casual press keep repeating the dogma that the forced updates in Windows 10 are a good thing because security experts recommend applying all patches immediately or similar, as if Microsoft hasn't been pushing non-security updates for years.

      • the great thing about still being on Windows 7 is that I'm not forced to install whatever user-hostile updates Microsoft deems necessary.

        congratulations on being forced to stick with windows 7, you've installed exactly the user hostile software that Microsoft deemed necessary for you.

    • Do which one of those is needed to read SD cards? One of them is.

  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Monday August 24, 2015 @03:31PM (#50383217) Homepage Journal

    Over twenty years ago there was a FreeBSD-hacker with the following signature: "Do not trust an operating system you don't have sources for".

    Though I was then a fresh FreeBSD convert myself, the maxim seemed a little too radical to me... Not any more.

    If you absolutely must use Windows, get a stripped-down variant via a Russian or Chinese torrent (there are reputable ones, which will not infect you). If you don't want to rob Microsoft, send them a check... But best is to just get an OS, for which sources are also available.

  • In June, MS shipped a bunch of now-infamous "Telemetry Services" updates to Windows 7 and Windows 8/8.1. I forget what the exact Knowledge Base numbers are, but you can find them pretty easily. These updates were marked as "Important" in Windows Update, and actually have the same general description of "This update fixes some bugs and improves security" that they use for all updates if viewed in the Add/Remove Programs window.

    The "Telemetry Update" has been proven to send information to MS, and cannot be controlled short of uninstalling the update and force-stopping the associated services. I was told that the "update" collects all of your keyboard input and ships it to MS for use in "improving" their Auto-Correct and Word Suggestion features, and I have no reason to believe otherwise.

    I had to turn off Windows Update entirely on both of my machines in order to stop MS trying to ship this update after I uninstalled it, because it kept trying to push the update even when I specifically said not to install it.

    • so, it is keylogging feature. Great ...

      File this under "what could possibly go wrong"

    • by Anonymous Coward on Monday August 24, 2015 @04:42PM (#50383761)

      Remove the following updates (if installed already)

      KB971033 Description of the update for Windows Activation Technologies
      KB2952664 Compatibility update for upgrading Windows 7
      KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
      KB3021917 Update for Windows Customer Experience Improvement Program
      KB3022345 Update for customer experience and diagnostic telemetry
      KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
      KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows
      KB3068708 Update for customer experience and diagnostic telemetry
      KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
      KB3080149 (update for CEIP and telemetry)

      ---

      run cmd as administrator

      sc stop Diagtrack
      sc delete Diagtrack

      *Task Scheduler Library:

      Everything under "Application Experience"
      Everything under "Autochk"
      Everything under "Customer Experience Improvement Program"
      Under "Disk Diagnostic" only the "Microsoft-Windows-DiskDiagnosticDataCollector"
      Under "Maintenance" "WinSAT"
      "Media Center" and click the "status" column, then select all non-disabled entries and disable them.

      *services.msc:

      "Remote Registry" to "Disabled" instead of "Manual".

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Way to jeopardize the Net as a whole by teaching people to turn off and never trust updates again.

      Go fuck yourself, Microsoft. Fucking idiots.

  • by Anonymous Coward on Monday August 24, 2015 @03:39PM (#50383281)

    "This water is only one degree hotter now than a few minutes ago," said the frog to his companions.

  • by david.emery ( 127135 ) on Monday August 24, 2015 @03:43PM (#50383325)

    Microsoft, since its only product is software, has to go to great lengths to protect and extend that property base. "Extend" here is Googly data mining.

    Apple, on the other hand, makes money by selling you the hardware. The protection is the physical ownership of the device. You might not believe Apple when it says "we don't want your personal information", but you have to respect that they're not depending on either data or software to make the great majority of their revenue.

    This may not be a popular opinion, but I trust Microsoft more than Google, Apple -way more- than Microsoft, and the NSA more than any commercial company.

    • The flip side of that is that Apple's long-term support can be awful to non-existent.

      Don't feel bad if that recommended and conveniently non-reversible update to iOS renders your three-year-old tablet or phone unusable. Here, try an iPad 7, that runs the new version just fine!

      Oh, and that similarly ancient business laptop? You would have been secure against the malware you just got hit by if you'd only installed OS X Jungle Gryphon. Well, maybe. Or maybe you wouldn't. You see, we're not going to give you an

      • You see, we're not going to give you any sort of clear indication of how long we will support our hardware

        no doubt you are able to supply us with a list of vendors who will do otherwise

        • Given that just about every PC, monitor, storage device, networking device, and other major peripheral around me as I type this has a formal warranty that indicates the minimum support period and the OS I'm running (Win7) has a published lifecycle that tells me exactly how long as a minimum I can expect security patches for, yes, I could. Short of the relevant businesses literally going under, in which case obviously no guarantee is worth much, I can count on support for these systems for several more years

      • Well, I've been running Macs as my primary office automation/desktop (vice development) machine for 29 of the last 30 years, and haven't had these problems. And I routinely get 5 years out of my home Macs (and between 3 and 4 years from the corporate machines.)

        Your mileage may vary.

        • I expect my 2011 mac mini to be viable until at least 2020. People forget we are in a massive transition period so of course some things are going to be obsoleted out quickly. The non fully 64 bit macs and pre iphone 5 designs are really where this bit hard. I don't expect that kind of attrition again.
          • Just to be clear, I'm not talking about hardware issues here. I'm talking about not issuing security patches for serious vulnerabilities [appleinsider.com] in versions of OS X that would have been shipping on brand new devices at little as a year ago.

            There's really no excuse for not providing proper security fixes for the original OS supplied with a device for the useful lifetime of the device. Any security patch is by definition fixing a serious defect in the original product and clearly Apple's responsibility. I don't neces

    • Microsoft, since its only product is software, has to go to great lengths to protect and extend that property base. "Extend" here is Googly data mining.

      Nobody is making money on hardware as a commodity. Software is a much sweeter deal.

      Apple, on the other hand, makes money by selling you the hardware. The protection is the physical ownership of the device.

      Apple operating system can be installed on hardware purchased from not Apple. There are a number of howto's floating around including for install as VM guests.

      This may not be a popular opinion, but I trust Microsoft more than Google, Apple -way more- than Microsoft, and the NSA more than any commercial company.

      I trust humans to abuse power they are given like they always have throughout the entirety of recorded history. I trust the continued aggregation of power into the hands of a few mega corporations who are increasingly able to know everything about everyone and have

    • by m00sh ( 2538182 )

      Microsoft, since its only product is software, has to go to great lengths to protect and extend that property base. "Extend" here is Googly data mining.

      Apple, on the other hand, makes money by selling you the hardware. The protection is the physical ownership of the device. You might not believe Apple when it says "we don't want your personal information", but you have to respect that they're not depending on either data or software to make the great majority of their revenue.

      This may not be a popular opinion, but I trust Microsoft more than Google, Apple -way more- than Microsoft, and the NSA more than any commercial company.

      Microsoft sells software, not advertising like Google. Apple's hardware and Microsoft's software are comparable. Both say similar things about privacy when Android talk comes up.

      Both Apple and Microsoft want to get the advertising and data mining dollars like Google.

      In the modern era, large corporations are always looking to expand and expand and expand. Both Apple and Microsoft are looking to leverage what they have to muscle into the online advertising industry. So, I think your trust is misplaced.

      • "Microsoft sells software,"

        For now, mostly. Microsoft has a problem here: Selling software worked in the past because there was a constant upgrade cycle to drive sales. All those new computers getting replaced after two years kept a constant stream of OEM licenses shifting, and every couple of years they could bring out a new version of Windows or Office that promised and delivered revolutionary improvements* so people would be climbing over other in the rush to upgrade.

        Now? Their software reached 'good eno

      • "Microsoft sells hardware, not advertising......"

        O really, than what the fuck is Bing for?
    • by AmiMoJo ( 196126 )

      Apple does this kind of data collection too. When you talk to Siri, your voice recording goes direct to Apple. They use it both to provide the service and to improve the service. Their app store gathers data on what you install and use, they gather stats on the OS. How else do they know that 94% of users are on the latest version? They clearly know which devices are in active use and what OS they have.

      iTunes and Apple Music sends detailed stats on your listening habits to Apple, in order to provide you with

      • The Siri remote processing is for practical reasons, not business: The Siri engine is subject to constant revisions and optimisations by Apple, including even the voice recognition. It wouldn't be practical to update a very large application on a phone every two days, so they host almost all of it on their own servers. The phone part is just a minimal client.

        You're right, though: Everyone spies. Customer data is very valuable as a means to come to business decisions and as a means of optimally flogging peop

  • Half the story (Score:4, Insightful)

    by HideyoshiJP ( 1392619 ) on Monday August 24, 2015 @03:44PM (#50383341)
    The article seems to only be telling half the story about previous versions of Windows and about sending data "critical" to the operation of Windows.
    A. The Customer Experience Program could be opted out of.
    B. Windows 10 only sends data "critical" to the operation of the system in the "basic" telemetry setting. It's funny how you can disable it in enterprise. I guess it must not be so critical, huh? I don't care what they do with home versions, but I take issue with not being able to do this in Pro. An individual cannot buy Enterprise.
    C. It's not fair to compare this to Google. Google provides their products free of charge. Despite Microsoft giving out a free update, Windows is not free. You can purchase a retail copy. I'm sorry to criticize your apologist article, Verge, but these are issues that affect the company I work for. I don't care what you do with your personal computer; the government doesn't regulate that.
    • Re:Half the story (Score:4, Insightful)

      by Anonymous Brave Guy ( 457657 ) on Monday August 24, 2015 @04:21PM (#50383601)

      I don't care what they do with home versions, but I take issue with not being able to do this in Pro. An individual cannot buy Enterprise.

      I've been wondering about that. If it's still going to be true once they've got their act together, then presumably that also affects most small businesses? That could be a very expensive strategic mistake. The hoi polloi will put up with a lot, and big businesses will do their own thing and probably not update for a long time anyway, but alienating the smaller and more agile businesses that might have updated sooner seems unwise, and alienating the geek community -- who run IT in those businesses and advise their less geeky friends -- seems downright commercially suicidal.

      • This is a very good point, though I'm willing to bet that many of them will not be able to afford the security expertise to have the concern anyway. I'm just waiting to see how firms that perform security audits treat it.
  • by shaitand ( 626655 ) on Monday August 24, 2015 @03:48PM (#50383371) Journal
    My computer is not a phone. We need to lock down phones not open up desktops. Otherwise there is no point to encryption at all.
  • by kav2k ( 1545689 ) on Monday August 24, 2015 @03:48PM (#50383373)

    Swiss Pirate Party initiated an inquiry into Windows 10 privacy policy [cubiclane.com].

    The end result of which (if it does not pass Swiss scrutiny) would be an official recommendation to prohibit purchase.

  • by Anonymous Coward on Monday August 24, 2015 @03:48PM (#50383375)

    Two articles I found since yesterday that contradict statements in the summary:

    * previous versions of Windows now spy on you becuase of recent MS updates: http://www.hakspek.com/securit... [hakspek.com]

    * They still spy on you after you turn the "features" off: http://arstechnica.com/informa... [arstechnica.com]

  • Yikes (Score:4, Insightful)

    by Chris Johnson ( 580 ) on Monday August 24, 2015 @04:05PM (#50383495) Homepage Journal

    'It's okay, it's already being done by Google' is NOT reassuring! D:

    • Any time you use the internet without the type of firewall and filtering that comes with a free roll of aluminium foil it is safe to assume you are being monitored by at least a few companies, and likely everything you do is also logged by one or two government agencies for analysis.

    • by shione ( 666388 )

      Agreed. People need to stop using the logical fallacy that if somebody else is doing it its somehow alright for somebody else to. Wrong is wrong and the reason why people talk about microsoft doing the wrong is because that's what the article is about. Also google is leaps and bounds different from microsoft. There is not one google product that you have to use because there are many viable alternatives to every google product. Even android doesnt have a killer app that you can't find on another os. windows

  • Linux Mint (Score:5, Insightful)

    by dmt0 ( 1295725 ) on Monday August 24, 2015 @04:13PM (#50383541)
    All this talk about Windows made me rediscover Linux. Tried out latest Mint and was really pleasantly surprised by how well polished the thing is overall. Everything worked right from Live CD. Things that I could never get to work on Ubuntu even a year ago. Bluetooth speaker just connected, Android phone didn't make any components die a quiet death. Skype. All menus are reasonably laid out. Configurations work. Started being productive on it just after two hours of installation/configuration. Breath of fresh air.
  • by rMortyH ( 40227 ) on Monday August 24, 2015 @04:19PM (#50383581)

    Look under Settings/Privacy
    There is a switch, which reads 'Send Microsoft info about how I write to help us improve typing and writing in the future'

    This the collection of keystroke data. They can do anything they want with this. Definitely makes it even more creepy to log in to someplace else on a Windows 10 box.

    Another thing which is standard practice is to list all kinds of serious and unlikely reasons they'll use your data, followed by 'or any other legal purpose' which does not mean for some 'legal' matter, which it's meant to sound like, but for ANY purpose which is not SPECIFICALLY ILLEGAL. Which means anything.

    You can turn off the keystroke thing, but Microsoft routinely resets preferences, including privacy preferences, when you run an update. So you have to keep checking it and make sure it's off. However, I doubt very much if it matters. You're sending EVERYTHING to Microsoft and they can use it for any purpose.

  • ... I've been swamped with questions from the Gentle User, and articles like this help to explain stuff without placing me in a position of having an axe to grind.

    I have shared it out and people are eating it up.

    Much appreciated.

  • by Anonymous Coward

    The Swiss data protection agency is now investigating windows 10's data sharing.
    (Link in French) http://www.lematin.ch/economie/berne-lance-procedure-concernant-windows-10/story/29192122

  • ...is the requirement of PERSONAL INFORMATION vital to the functionality of ANY user system nor is it pertinent to the intellectual property rights or protections otherwise under the Law of ANY company offering product and/or services for public consumption.

  • It's pretty bad. (Score:5, Interesting)

    by SuricouRaven ( 1897204 ) on Monday August 24, 2015 @05:07PM (#50383939)

    Get a packet sniffer on Windows ten. You can't run calculator without MS knowing.

    Seriously. Try it. Every time you run any of the new-style apps, including calculator or the image preview, it opens up a brief encrypted TCP connection to a MS licensing server. I have a video: https://www.youtube.com/watch?... [youtube.com]

    Just ignore the bit about photoDNA at the end - that was a theory on my part that I've now determined is unlikely. It's not actually reporting on images, it's reporting on every time the image previewer is loaded. Or calculator, or sound recorder, or quite a few other things. I'm not sure that's much better.

    I had quite a bit of fun at the weekend with wireshark seeing just what a freshly-upgraded no-software-installed Windows 10 reports, after setting every privacy option I could find to private. The answer is pretty much everything. Even if you disable searching from the start menu, it still executes the search - it just doesn't display the results. It fetches updates for the default tiles on the start menu (weather and news) even after you remove the tiles. It establishes mysterious TLS connections frequently that I can't identify the purpose of - some of them might be checking for updates, but I doubt it check for upgrades every few minutes.

    Don't trust in my paranoia. Install wireshark and look for yourself.

    The good news is that Windows 10 firewall can be made to block almost everything with a deny rule and a list of IP ranges. The bad news is that it's quite tricky to do so without also blocking windows update, Bing, the Windows store (No great loss) and I suspect a few Azure hosts.

  • by WaffleMonster ( 969671 ) on Monday August 24, 2015 @05:34PM (#50384113)

    Excuse #1 - Google, Apple..etc are doing it too. This is what 5 year old children say when they get caught doing something they know they shouldn't while their brother (Google) or sister (Apple) does not (this time). If you don't understand why this is a completely nonsensical position try following defense in court.. "yes your honor ... I was drinking and driving but everyone else I was with did it too so its ok."... Go ahead...see what happens.

    Excuse #2 - ALL of your data is necessary to provide a feature. Examples like Siri, Cortana, Google voice are often paraded around. They need to rummage through your address book to know who "Frankenstein" is before they can call ... Need to know what's in your calendar and where you are at...right? Well no... your "Intelligent Agent" needs to know. There isn't any reason said agent can't execute locally and provide the same services if user prefers not to upload a list of all of their acquaintances and agendas to Microsoft. These systems are architected the way they are because spying is profitable not because they maximize value to end users. Your phone can know your at the florist without sending your location to Microsoft. Your phone can remind you to pick up flowers when you call someone. It isn't impractical or unrealistic to implement. It just isn't profitable.

    Excuse #3 - Browser information leaks... Chrome, Firefox, IE keep thinking up new excuses with mostly negative to users to get a piece of everything you are doing with every revision. Some of this shit is offensive blatant one finger salute ...Sending your searches to bing even when you don't use bing.... Uploading your browsing history to Microsoft...there is no rational excuse for this and I can't believe anything approaching a majority of people want this to happen by "default" for any reason.

    Excuse #4 - You can turn it off - Coupled with intentional UX design blurring demarcation between local and internet promoting accidental leakage and turns the leakage spigot to 11 by default knowing most users won't know, care or understand enough to change settings which increasingly are ultimatums or don't actually stop data leakage they purport to stop. Now the pot is really starting to heat up... Now Microsoft is retroactively saying fuck you people we will collect shit and there is nothing you can do about it. That they have the gall to say this to their *customers* I personally find amazing.

    --
    "Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary."

  • Microsoft,

    You failed at the one job you had to do. You need to have people to trust your OS. That is all. But you couldn't resist and loaded it with spyware and possible government back-doors. There is not a corporate account who will even consider this OS now.

    I guess the even-number-windows-versions-are-crap rule continues.

  • by ILongForDarkness ( 1134931 ) on Monday August 24, 2015 @07:42PM (#50384797)

    Point 6: a whole bunch of semi-colon separated statements with no joining words. Does it mean they'll share the data when required by law, to protect themselves, security of the systems etc. Or do they connect them with ors: required by law, or "we want to" or ... ?

    I'm fairly pro-MS and yeah I found this over the top biased towards MS "It's pretty clearly laid out this time. Reiterating it would only serve to be redundant." an ~10 line sentence connected with semi-colons is pretty far from "clearly laid out" to me.

  • by Chris Mattern ( 191822 ) on Monday August 24, 2015 @08:18PM (#50384919)

    ...somebody admitting that Window 10's privacy policy is having a breakdown.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...