August 27, 2015

No, Microsoft is not spying on you with Windows 10

No, Microsoft is not spying on you with Windows 10

Buy tinfoil futures.

I’m dead serious. There is apparently a growing and very vocal population of people who believe that Windows 10 is basically a 1984 telescreen come to
life. They are convinced that with Windows 10 Microsoft has built a spying apparatus not seen since the height of the Cold War, scraping up every detail
of your life and feeding it back to Redmond for who knows what nefarious purposes.

They’re going to need lots of tinfoil.

They’re also either wildly misinformed or deliberately agitating. Unless, of course, they’re just crazy, which is entirely possible based on some of what
I’ve read.

But most importantly, they are wrong, terribly wrong. And they’re being whipped into a frenzy, or at least passively aided by the tech press. That group
unfortunately includes ZDNet, which earlier this week
unquestioningly repeated
this incendiary allegation, posted on Reddit by someone who claims to be affiliated with an obscure torrent tracker, iTS:
Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one
of the largest anti-piracy company [sic] called MarkMonitor. Amongst other things Windows 10 sends the contents of your local disks directly to one of
their servers.
That’s not true. It’s wildly at odds with the facts, even. I keep tabs on a handful of well-established torrent sites, orders of magnitude larger than
the ones complaining here, and none of them seem to have a problem with Windows 10.

There’s literally no basis for that statement in fact. And yet you read it here. And on dozens of other sites, unfortunately, where a single lie gets repeated
often enough to seep into the collective unconscious.

The bizarre belief that Windows 10 is a spying tool keeps popping up among conspiracy theorists. Via email, a reader sent me a link to
this rant
by an alternative medical practitioner who apparently is also an expert on the law and IT:
Windows 10′s new license agreement … gives Microsoft permission to Hoover up every particle of data on a doctor’s hard drive. This will include any confidential
patient-doctor emails that are stored there, any reports, any bills, and any short notes to staff through intra-network messaging (for example: Spoke
to Tom Mypatient today re gender dysphoria and desire to transition to female. Pls follow up with referral.“)
No, it doesn’t, doc. Here, take a sip of this calming tea and let’s talk, OK? And let’s get that torrent dude in here, too, because he needs someone to
explain what’s really going on.

Both of these poor benighted souls and a bunch of other people just like them base their belief on a paragraph from
Microsoft’s new, unified privacy policy.
The clause lists the conditions under which Microsoft will access, disclose and preserve personal data, including your content (such as the content of
your emails, other private communications or files in private folders)…”

That narrow list of conditions includes legal demands, like search warrants and subpoenas and (presumably) National Security Letters, as well as actions
necessary to help prevent the loss of life or serious injury of anyone” or to stop attacks on Microsoft’s services.

And those terms only apply to content stored online using Microsoft’s services. Here’s the earlier part of that agreement, the one that defines the content
covered by that clause. This section of the agreement is apparently blocked by tinfoil and invisible to the Microsoft-is-spying brigade:
We collect content of your files and communications when necessary to provide you with the services you use. This includes: the content of your documents,
photos, music or video you upload to a Microsoft service such as OneDrive. It also includes the content of your communications sent or received using Microsoft
services…
So yes, if you send and receive email using Microsoft’s consumer services or store files in OneDrive, there’s a risk that a court could issue Microsoft
a subpoena compelling them to hand over that information. (Pro tip: Microsoft offers
Office 365 for Health,
which provides cloud services and HIPAA compliance for medical professionals who care about that sort of thing.)

But there’s no risk that Microsoft is gathering the contents of your local hard disk and sending it to anyone. Zero.

Microsoft is under a microscope, constantly, with its every move examined by security experts and privacy advocates. Windows 10 has been available in preview
versions for nearly 10 months and in a final version for roughly six weeks, since build 10240 was released in mid-July.

You’d think if those 75 million hard drives were being scoured someone might have noticed. But so far, no word from anyone who actually knows how to use
a network analyzer. Because it’s not happening.

In fact, the specific terms that the good doctor was complaining about are completely unremarkable. Any company that offers modern computing services has
nearly identical language in its privacy agreement.
It is certainly true that Windows 10 relies on online services to a much greater degree than previous Windows releases. That’s the way of the world, especially
one in which a billion people carry around devices that literally track their every movement around the world and report them to global telecommunication
companies.

We expect personalized services. We expect relevant search results. We expect the devices we use daily to get smarter and more useful over time. We expect
them to understand us despite our accents when we use speech-enabled features. We expect bugs in software and services to be fixed yesterday.

All of those goals require that customers willingly share information with the companies providing those services, with a corresponding commitment from
the recipient of that data to guard it carefully and use it only for its intended purposes.

After carefully reading the
Microsoft Services Agreement,
the
Windows license agreement (English, retail),
and the
<a href=“http://www.microsoft.com/en-us/privacystatement/default.aspxMicrosoft Privacy Statement
carefully, I don’t see anything that looks remotely like Big Brother.

I’m also not hearing a single peep of complaints from people who actually set up and run business networks, because they understand how utterly normal
those privacy terms are in 2015.

If you’re running a small doctor’s office and are subject to HIPAA governance, I hope you’re not buying consumer PCs from Walmart and plugging them into
your office network and just hoping for the best. I also hope you’re not relying on some angry chiropractor to tell you how to set up your network. Any
business that cares about security, either because they’re run by good people or because they’re mandated to do so by law, should have an IT pro setting
up their communication systems and their infrastructure.

If you don’t understand that, I’m not sure even tinfoil can help.


articles Link privacy security Surveillance


Previous post
THURSDAY LISTER: FINAL PREPARATIONS! This is a list I made on my personal blog. It’s just a few things I need to do tomorrow, so Saturday will run
Next post
Introducing Pure Blogging, Where It’s All About the Content AAny regular reader or subscriber of this blog will know I’ve been talking a lot about