Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Windows Microsoft Privacy

Is Windows 11 Spyware? Microsoft Defends Sending User Data to Third Parties (tomshardware.com) 195

An anonymous reader shares a report from Tom's Hardware: According to the PC Security Channel (via TechSpot), Microsoft's Windows 11 sends data not only to the Redmond, Washington-based software giant, but also to multiple third parties. To analyze DNS traffic generated by a freshly installed copy of Windows 11 on a brand-new notebook, the PC Security Channel used the Wireshark network protocol analyzer that reveals precisely what is happening on a network. The results were astounding enough for the YouTube channel to call Microsoft's Windows 11 "spyware."

As it turned out, an all-new Windows 11 PC that was never used to browse the Internet contacted not only Windows Update, MSN and Bing servers, but also Steam, McAfee, geo.prod.do, and Comscore ScorecardResearch.com. Apparently, the latest operating system from Microsoft collected and sent telemetry data to various market research companies, advertising services, and the like.

When Tom's Hardware contacted Microsoft, their spokesperson argued that flowing data is common in modern operating systems "to help them remain secure, up to date, and keep the system working as anticipated."

"We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy."
This discussion has been archived. No new comments can be posted.

Is Windows 11 Spyware? Microsoft Defends Sending User Data to Third Parties

Comments Filter:
  • What? (Score:5, Insightful)

    by quonset ( 4839537 ) on Sunday February 12, 2023 @06:42AM (#63286585)

    flowing data is common in modern operating systems "to help them remain secure, up to date, and keep the system working as anticipated."

    1) Though I am a basic Linux user, last I checked, no version of Linux is sending data to any outside source

    2) Is anyone surprised at this "revelation"? Anyone with at least one brain cell knows Windows is spyware.

    "We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy."

    Then you wouldn't mind if people opt out completely from having their data sent to outside third parties, right? For privacy.

    • Re: (Score:3, Interesting)

      by AmiMoJo ( 196126 )

      Didn't Ubuntu send some data to third parties by default, at least for a while? Something to do with their app store I seem to recall.

      Anyway, this is one of those rare occasions when Betteridge's Law doesn't apply.

      • Re: What? (Score:5, Informative)

        by doragasu ( 2717547 ) on Sunday February 12, 2023 @08:50AM (#63286777)

        Yes, they integrated Amazon search in the dash. That's when I stopped used Ubuntu.

        • by jmccue ( 834797 )

          And that is the thing, it is very easy to move from Ubuntu to another distro or to a *BSD. Windows, SOL.

          No lock-in with Linux or BSD, but sadly to me, one commercial distro seems to be slowly following Microsoft down the same path.

          • by Luckyo ( 1726890 )

            There are ways to gut windows sufficiently so most spyware features stop working.

            It does shut down quite a lot of functionality though.

            • It's also a PITA to do, or you have to trust a sketchy tool to do it, and you can not only never really prevent all of the data collection but since none of the system is OSS, but it's difficult to be sure that Microsoft isn't exfiltrating data through Windows Update.

              Paranoid? Maybe. But given the abject state of computer security, maybe more paranoia is warranted.

      • Re:What? (Score:5, Informative)

        by Brain-Fu ( 1274756 ) on Sunday February 12, 2023 @10:36AM (#63286975) Homepage Journal

        You are probably thinking of this [arstechnica.com].

        Summary: a very long time ago Ubuntu shipped with Unity as the default desktop. Unity included integration with Amazon in its "dash" which you used to find your apps. It would include Amazon results and track your click through to get credit if you bought the thing from Amazon.

        People screamed, Canonical corrected itself. For a long time now the default desktop environment has been Gnome instead. No Unity, no Amazon integration, no tracking. And, even back when Unity was the default, the tracking could be completely disabled by un-checking one easy-to-find setting. Or you also could have ditched unity and switched out to a different desktop environment.

        I would like to point out that this tracking was minuscule compared to what Windows tracks (and doesn't let you disable). We really are comparing a molehill to a mountain here. People keep bringing this up as if to say "HAH! Even Linux is rife with evil tracking and is just as bad as Microsoft!" It's simply not true. Here's the side-by-side:

        MS: A whole lot of stuff sent to many third parties and itself. Ubuntu: A shopping ad from Amazon
        MS: Hard to reduce, impossible to disable. Ubuntu: Easily completely disabled
        MS: Even more there now despite customer complaints. Ubuntu: Completely removed in response to customer complaints
        MS: Still there today and growing. Ubuntu: Removed many years ago

        • by ufgrat ( 6245202 )

          People keep bringing this up as if to say "HAH! Even Linux is rife with evil tracking and is just as bad as Microsoft!" It's simply not true.

          Speaking of false equivalencies... No, this is just another indication that even a supposedly well-meaning corporation can skewer your privacy in the name of "features".

          A better equivalence would be comparing Canonical to Microsoft, Google and Apple. Canonical still comes out ahead, but I'm not a fan of fatpaks.

        • Re:What? (Score:4, Informative)

          by ctilsie242 ( 4841247 ) on Sunday February 12, 2023 @08:18PM (#63288123)

          At the minimum, Ubuntu doesn't have in its T&C where it sends "sus" files to a mother ship by default. Most AV programs, IIRC even Windows Defender, this is the default, and we all know what havoc [seattletimes.com] that can wreak.

          Most Linux distributions (excepting Android... which though can be considered "Linux", has a different userland and sub-implementations of AOSP are partially designed to ensure the user is locked out as much as possible to ensure maximum metadata slurpage) is inherently private, just because there is no real core distro maintainer who wants to get caught slurping metadata/telemetry, as there is no effective way to hide it. For most things, stuffing your Web browser in FireJail and redirecting its writes to a subdirectory is "good enough", and there are no known processes which are designed to "tattle" or constantly report on the user.

      • I was looking for that negative Betteridge Law reference... But maybe a Slashdot headline is like a tree falling in an empty forest these years?

        The general topic is something I often wonder about. For example, right now this machine says it has sent about 15 million bytes and received 67 million (probably since the last re-connection to the WiFi). Both numbers are increasing fairly rapidly, even though I am not doing much of anything with the machine. Seems pretty unreasonable, but even stranger when I noti

        • This x1000.

          A more user -friendly WireShark could make all the difference, if only someone would build such a thing.

          It would make it impossible for Joe Sixpack and Jane Boxwine to ignore what Microsoft is doing with their computer.

        • Comment removed based on user account deletion
    • Canned answers (Score:5, Insightful)

      by Lonewolf666 ( 259450 ) on Sunday February 12, 2023 @07:03AM (#63286609)

      Both of the quotes show that Microsoft's spokesperson does either not understand the subject matter or is just giving a standard, generic answer to this kind of question. Probably both.

      Keeping the system up to date does not require contacting third parties.

      Transparency would be better served if Microsoft would publish what exactly they transfer.

      • by edis ( 266347 )

        This intellect can be well artificial.

      • Re:Canned answers (Score:5, Insightful)

        by Anonymous Coward on Sunday February 12, 2023 @07:46AM (#63286667)

        Transparency would be better served if Microsoft would publish what exactly they transfer.

        Transparency is meaningless if you have no ability to opt-out. Simply telling someone "I'm going to fuck you, whether you like it or not", is not a meaningful form of transparency.

        • If I had mod points I'd mod you up. Seems like some pussies who can't take adult language modded you down.

        • by HiThere ( 15173 )

          Sorry, but that actually *is* transparency. It lets you know you want to avoid them.
          Transparency doesn't mean that they're good, in and of itself. It's what the transparency reveals that determines that.

          • Came here to say exactly that.
            "Transparency" refers to how clearly intent and the message are communicated. It says nothing about the merits of the message.

            "I'm going to fuck you, whether you like it or not" is actually fairly good transparency. I wish other governments / corporations were that up front.

      • by jmccue ( 834797 )

        Transparency would be better served if Microsoft would publish what exactly they transfer.

        True, but I think this will do nothing. I assume the data sent is encrypted (I would hope). So even if they do publish what is being sent and how used, would anyone believe them ?

        The only way to fix is to generate an email with the data, you review it and select a button that states "Yes I will send this to MS now" or "Do not send". Even if done, I doubt people will trust MS.

    • Re:What? (Score:5, Interesting)

      by Brain-Fu ( 1274756 ) on Sunday February 12, 2023 @09:34AM (#63286849) Homepage Journal

      Well, no, MS said "empower customers to be more informed about their privacy."

      Not "empower customers to take control of their privacy."

      They have tremendous financial incentive to walk all over their customers as much as they can. They only things that hold them back are law (privacy protection law in this domain is a joke at present) and fear that they might actually drive customers away (which is barely there because they have learned that customers will put up with tremendous violations of privacy in return for an OS that basically works with little technical knowledge needed).

      The bottom line is: privacy is only granted to those who stand up and fight for it (specifically by going through the pain and sacrifice of using Linux instead). And dumbphones instead of smartphones (yes, dumbphones spy on you too but not nearly as much).

    • Re:What? (Score:4, Funny)

      by Joce640k ( 829181 ) on Sunday February 12, 2023 @10:28AM (#63286961) Homepage

      "We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy."

      They just 'publish' it in a disused basement lavatory with a sign on the door saying "beware of the leopard"...

      PS: If your customers were 'empowered' they'd be able to turn it off. Just sayin'.

    • by rnturn ( 11092 )

      So "keeping the system working as anticipated" means Win11 is intended, in part at least, to be means of collecting data on users in order to direct advertising to them. No thanks.

      I had my belly full of Windows when WinXP keep crapping on itself and rendering itself unbootable. Nowadays, I'll only use an Microsoft operating system when an employer shoves it at me---but I'll looking for a means of running Linux in a VM.

    • They expect us to believe that sending our data to Steam makes our system "more secure"?
  • And I don't get local admin because tHat'S a SeCUriTy iSsUe...

    Wonder whether they properly disaed telemetry via GPO...

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Sunday February 12, 2023 @07:00AM (#63286605) Homepage

    It seems to me that this is illegal under the GDPR in many ways, for instance the principle of transparency [ico.org.uk]. Microsoft might try to claim that it mentions this in the Windows T&Cs but it most people are not aware then it is clear that the T&Cs are not transparent enough.

    Microsoft has faced some GDPR pushback [theregister.com] but, IMHO, not enough.

    Time for the regulators to get some teeth ... if this does not happen then we need to wonder why, who else is MS sharing this data with ?

    • by uffe_nordholm ( 1187961 ) on Sunday February 12, 2023 @07:09AM (#63286619)

      ... who else is MS sharing this data with ?

      My guess is "anybody who pays enough"... And for every year that goes on, I am more and more happy that I have been using Linux since the early naughties.

    • by budgenator ( 254554 ) on Sunday February 12, 2023 @09:04AM (#63286799) Journal

      I'm wondering what kind of implications there are under HIPPA in the US as well, it seems like the data is a lot more than just is needed for strictly OS telemetry.

      • While I feel that MS may have breached some consumer laws, I cannot see how this has to do with any health related data privacy. Unless you happen to be storing private medical records on a Windows that MS is somehow transmitting to 3rd parties.
        • I cannot see how this has to do with any health related data privacy. Unless you happen to be storing private medical records on a Windows

          Windows Telemetry can collect your data from files, keystrokes, or the screen, and it doesn't matter if you're intentionally copying someone's HIPAA-protected information or not. As such, those who care about complying with the law actually go out of their way to avoid collecting health information, just as reputable websites do to avoid collecting CC information (which can leak from your browser back to the site you're doing business with if they're doing enough data collection.)

          • This story is about how a Windows 11 machine reports back to 3rd parties. Key logging was not part of it. Do you have evidence that Windows 11 records all your keystrokes, mouse clicks, and screen grabs? Such capture violates basic privacy much more than HIPAA.
            • Do you have evidence that Windows 11 records all your keystrokes, mouse clicks, and screen grabs?

              That's not the claim. The claim is that it can, which we know to be true. When you see me say that they're doing that, then you can ask me that question. Don't move the goalposts.

              • That's not the claim. The claim is that it can, which we know to be true. When you see me say that they're doing that, then you can ask me that question. Don't move the goalposts.

                Can you scroll up and read the original claim:"I'm wondering what kind of implications there are under HIPPA in the US as well, it seems like the data is a lot more than just is needed for strictly OS telemetry."

                NOWHERE in his claim is there any mention of keylogging, screen grabbing, or such. There is only speculation that it must be more because there is a lot of data. You moved the goalposts by inserting all of those.

            • Not "All" your keystrokes, but fragments of them. This could be enough to violate laws.

              "Inking, typing, and speech utterance data This type of Optional diagnostic data includes details about the voice, inking, and typing input features on the device.

              Samples of the content you type, write, or dictate on the device.
              Details about status of transcribing input into text."

              https://privacy.microsoft.com/... [microsoft.com]

              This is optional, but remember that, in Microsoft

      • HIPPA has been regularly violated on hospital systems. And they don't want to answer questions about it [microsoft.com].
      • by jmccue ( 834797 )

        I'm wondering what kind of implications there are under HIPPA in the US

        Enforcement of laws in the US correlates to the size of the offenders bank account. The lower the account, the greater the penalty.

      • Is the telemetry data personally identifiable health data of patients? That's what you're really looking for with HIPPA.
    • Doesn't matter if Microsoft mentions it in their T&C or not - illegal is still illegal.

      Everything needs to be opt-in. We had problems with companies auto-signing up people for stuff, and auto-renewing stuff they never even signed up for, without user consent. They mostly don't do that now because they got smacked down for it. Time to do the same with all these stupid tech bros.

      BTW, your Win10 install will continue to work after it goes out of support. Same as other software. If Microsoft tries to remotely disable it, they are in for a world of hurt, because that is definitely illegal tampering with your device, and they cannot show you knowingly consented to it, since the T&C don't even apply once it's out of support.

      • MS has done this before with zero real repercussions. Forced updates even when updates permission answered "no" and even when updates disabled. This even made some machines 100% unusable with no ability to roll back or revert. There answer was that operating system is 'too old' and 'not secure enough for you' - isn't that supposed to be the users decision?

        "If Microsoft tries to remotely disable it, they are in for a world of hurt, because that is definitely illegal tampering with your device,"

        • And if people actually follow the complaint process, they get money. Just search for the woman who got $10,000 when an update she never accepted hosed her machine. Problem is, most people are big talkers and tiny doers. They get mad, then they go away grumbling.
    • People's lack of care is not covered under the GDPR. The transparency is based on information available, not information commuted to memory by users.

  • by thesjaakspoiler ( 4782965 ) on Sunday February 12, 2023 @07:16AM (#63286631)

    Who said that you could own your computer with Windows11?

    • Technically, you don't own your computer if you run proprietary blobs in the firmware either. Remember MINIX being used as a secret management tool.
    • The store salesman said your new PC, the word new implies ownership [dictionary.com]. George Orwell was wrong, newspeak [wikipedia.org] is created by corporations not totalitarian governments.

      • "New" does not imply ownership - never has. You bought a new house - but until the mortgage is paid off, you don't really own it, the bank does. You bought a new car, until you pay off the loan, you don't own it, the loan company does.

        You bought a new phone on a pay-so-much-a-month plan. You don't own it. Lose it, you have to pay off the balance owing. If you owned it outright, you wouldn't have any obligation to pay shit to anyone.

        You have a new kid. You don't "own" the kid. Don't believe me? Try abusi

        • The bank owns the house, but the bank cannot put spy cameras into the house unless you default on the loan. You have 100% control over your own house even with a large mortgage. The same with an automobile that you owe money on (and is not leased). You OWN the house and auto, the loan is a separate thing. If you stop paying the loan then the loan owner can repossess.

          If you buy a computer, it is YOURS. If Intel has spyware management in their CPU they need to ask your permission to use it.

          Software is iffy

      • created by corporations not totalitarian governments

        They seem to be becoming one and the same.

  • by Anonymous Coward on Sunday February 12, 2023 @07:16AM (#63286633)
    Windows 11 doesn't ship with Steam or McAfee. Was this a Dell/Alienware system with additional bloatware preloaded?
    • Re: (Score:2, Flamebait)

      by rudy_wayne ( 414635 )

      Windows 11 doesn't ship with Steam or McAfee. Was this a Dell/Alienware system with additional bloatware preloaded?

      I'm betting that they used a computer from one of the big OEMs that ships with a metric fuckton of crapware pre-installed.

      Gotta have a new click-bait headline for your shitty website.

      • Windows 11 doesn't ship with Steam or McAfee. Was this a Dell/Alienware system with additional bloatware preloaded?

        I'm betting that they used a computer from one of the big OEMs that ships with a metric fuckton of crapware pre-installed.

        Right. Which has nothing to do with MS itself.

        Its partnerships, perhaps.

      • Its a laptop, so definitely an OEM.

        The only OEM that I know of that is devoid of crapware is Microsoft themselves, and even then Surfaces have some bloatware regarding the warranty and health checks, as well three installs of Office 365 for English, Spanish and French.

        Even back in the day when Microsoft was touting the Signature Edition PC's which were supposed to be 3rd party OEM's devoid of crapware, the OEM's would sneak it in as part of a device manager package that was necessary for basic operation. Le

        • by Luckyo ( 1726890 )

          The office part is genuinely annoying too, because you must uninstall each language that is put on it. Which depends on a region. I recently had to prep two new win11 laptops, and it included uninstalling Finnish, Swedish and Danish versions of office trial. Which even on a decently fast modern gaming laptop took a minute or so for each version.

    • by Barny ( 103770 )

      It was a laptop, if you RTFA. So, yes, it had bloatware. That's the activity they were seeing.

    • Exactly this. I looked through the article and a quick skim of the video, and at no point does it mention anything about who made the computer, is it running a genuine Windows 11 version or is this some knockoff that has a bunch of pre-installed "value" software.

      It makes great click bait though, and who needs accountability when you can get that sweet sweet ad revenue.
  • by Big Hairy Gorilla ( 9839972 ) on Sunday February 12, 2023 @08:35AM (#63286737)
    There is only 1 business model now. Data Rape.

    Everyone is doing it.
    But you don't mind being raped.
  • Spyware = modern (Score:5, Insightful)

    by peppepz ( 1311345 ) on Sunday February 12, 2023 @08:36AM (#63286741)
    It's the second time in two days that I hear, from different spyware companies, that trafficking user data is "modern". It's their strategy: if all of them abuse the customer in the same way, then when caught they can say "eh, it's just what everyone does these days". I only wish there were more people in the tech press calling bullshit on claims such as "we need to sell your data to Steam in order to keep your PC secure".
    • You know what else is modern? Covid-19, drones carrying bombs, and putting classified docs in your sock drawer. Being modern is not necessarily a good thing.

  • by RegistrationIsDumb83 ( 6517138 ) on Sunday February 12, 2023 @08:37AM (#63286743)
    Given how much data they collect and share, it's no wonder they push so hard for an account. The data will be even more valuable if they tie it to a real identity. This is the real reason all their crap from visual studio classic to Minecraft to sea of thieves to win 11 pushes accounts so hard and why they ban throwaway accounts when you try to reg them.

    Same company complicit with PRISM, never trust them.
    • Given how much data they collect and share, it's no wonder they push so hard for an account.

      Don't be silly. Nothing about what they collect requires an account. Everything they collect can easily and directly be tied back to you regardless of how you log in.

      They are pushing their accounts as a way to prevent jumping to other products. No need to find a cloud provider if you get OneDrive "for free with an account", no need to use Chrome if all the wonderful synchronisation settings are available in Edge "for free with an account".
      They are pushing accounts to try and push their "value added features

  • by Kevin108 ( 760520 ) on Sunday February 12, 2023 @08:38AM (#63286747) Homepage

    Yes, Windows has been spyware since at least Windows 8.

    • Windows 8 didn't include telemetry out of the box, it was retconned into 7 and 8 after Windows 10 was released.

      This does mean if you're doing updates you have to take additional measures to remove spyware from Windows 8 (Windows 8.1 Embedded is still getting updates) which usually means remove_crw.cmd [github.com].

      Telemetry is baked into Windows 10 and later, so no amount of not updating (or removing updates after the fact) will avoid its installation.

  • by petes_PoV ( 912422 ) on Sunday February 12, 2023 @09:16AM (#63286813)

    to empower customers to be more informed about their privacy."

    Knowing your data is being appropriated is not the same as being empowered to control it.

  • by PhantomHarlock ( 189617 ) on Sunday February 12, 2023 @09:26AM (#63286825)

    So is the best way to stop it at this point at the router level? Of course they doesn't help when you're taking a laptop on the road. I try to disinfect and de-bloat new windows installs as much as possible but it's getting very hard to do.

    • by Bert64 ( 520050 )

      Nothing stopping you taking a small linux based computer (eg a raspberry pi) powered from USB and hanging it off your laptop... Route all of your connectivity through that.

    • If you want to avoid the possibility of Microsoft exfiltrating your data, then you are going to have to use egress filtering with default deny.

      Nobody has ever caught them sending your data out through Windows Update itself AFAIK, so that is ostensibly "safe" to permit. But it's physically possible to send data out through it, so it also arguably isn't.

      While it represents a high level of paranoia, this threat could be avoided by using scripted, unattended installs for your applications, and storing your data

  • flowing data is common in modern operating systems "to help them remain secure, up to date, and keep the system working as anticipated."

    So a system that is air gapped would eventually just stop working if it wasn't able to phone home or call "friends"? I'm calling BS. I mean, anyone with half a brain knows that Windows has been spyware since Windows 8 and most likely earlier.

  • Any of those 3rd parties gets hacked in?

    What if any of those 1-way data channel can become a 2-way command and control?

    Are you still using proprietary OSes?

  • Break up Microsoft (Score:5, Insightful)

    by Schoenlepel ( 1751646 ) on Sunday February 12, 2023 @10:47AM (#63287001)

    This is one of the reasons Microsoft should not be trusted and split up.

    It should be split up in:
    - A part which produces the OS, Visual Studio, and various other small bits and pieces. Visual studio and those small bits and pieces would be required to become cross-platform in x amount of time.
    - A part which produces business software (which would be required by court to supply software to other OSs than Windows).
    - A games publisher (which would be required by court to provide its games to other OSs than Windows).
    - The online services part (bing, MSN, github, azure, for example). Perhaps these need to be split up further.

    Then, these parts would need to convince a judge every time they want their software/services to interact with one another somehow. They would be disbarred from buying one another.

  • ...where Plankton kidnaps people to force them to eat chum. "Come on, it's a standard marketing technique!"
  • Microsoft are trying to be just like Google! Yeah, haven't used Windows for years but it's pretty close to impossible to avoid being spied on by Google.
  • > flowing data is common in modern operating systems

    Way to normalize theft, Microsoft. That may be one of the most evil things Microsoft has ever said.

  • What about conscious, intentional consent?

  • by Espectr0 ( 577637 ) on Sunday February 12, 2023 @11:54AM (#63287149) Journal

    is there a public hosts file that we can use (or any other tool) to effectively block this traffic?

    • by GBH ( 142968 )

      Didn't I read somewhere a while ago that MS were "retiring" the hosts file in a future OS?

      It is SUCH a useful tool to have when you're troubleshooting I'd hate to lose the simplicity of hosts to fix problems.

  • Windows since version 8 has been spyware. Windows 7 updates also introduced telemetry which can easily be removed with something like Tronscript. I'm never using another Windows version beyond 7. Migrating to Linux or pencil and paper after 7.
  • Thatâ(TM)s fine and may be true, but:
    A. As we were taught as kids, if everyone else were jumping off a building would you?
    B. Doesnâ(TM)t magically make it not spyware

I put up my thumb... and it blotted out the planet Earth. -- Neil Armstrong

Working...