Slashdot Mirror


Test Version Windows 10 Includes Keylogger

wabrandsma writes From WinBeta: "One of the more interesting bits of data the company is collecting is text entered. Some are calling this a keylogger within the Windows 10 Technical Preview, which isn't good news. Taking a closer look at the Privacy Policy for the Windows Insider Program, it looks like Microsoft may be collecting a lot more feedback from you behind the scenes. Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage." This isn't the only thing Microsoft is collecting from Insider Program participants. According to the Privacy Policy, the company is collecting things like text inputted into the operating system, the details of any/all files on your system, voice input and program information.

5 of 367 comments

  1. "This isn't a permanent feature" by Constantin · · Score: 4, Interesting

    The article mentions that this 'feature' will be turned off once Windows 10 reaches broad distribution. Makes perfect sense, actually.

    First you prove that the back door you've installed in the OS operates as expected. Then you sell key logger access to your user base on a case-by-case basis to the FBI, CIA, NSA or any other agency that is shaking big wads of cash in front of your nose while holding a 'keep it all secret' and 'get out of jail free' card for good measure (see various sections of the Patriot Act and other anti-terrorism, save-the-children, etc. legislation that have been aggressively 'interpreted').

    Thus, encryption and other defensive measures are easily rendered useless as no AV system will detect a key logger 'feature' that is part of the operating system.

    More profit for MS, less security for its users. Brilliant.

  2. Re:What do you expect? by TheRaven64 · · Score: 1, Interesting

    True, but that tends to be the best you can do in HCI testing. Users won't do the same things with a camera pointed at them as they'll do in private, but you hope that they'll do enough that's the same that you get useful results.

    --
    I am TheRaven on Soylent News

  3. Re: Friends by Anonymous Coward · · Score: 5, Interesting

    I don't know about you, but I don't think I could properly evaluate it if I had to avoid browsing to any website where I might need to enter a password, or unzip password-protected zip files, or, well, do anything that would involve me entering a password.

  4. Re:What do you expect? by Anonymous Coward · · Score: 4, Interesting

    This. What would even be the point of releasing a test version of Windows if they were not tracking what you do?

    Like all previous software test versions. So that users could test their actual applications, especially with the private data that they can't hand over to Microsoft, and report back if there are problems.

    The joy with which people defend the jackboot of their oppressor as it pounds down upon their faces is a bit scary sometimes. Does nobody think "how did everybody live and produce software for the last 40 years before there was total surveillance" before they post this kind of explanation?

  5. Re: So no company is going to install it? by WaffleMonster · · Score: 3, Interesting

    I could get in big trouble for this, they made me sign an NDA but here's the pseudo-code:

    function gatherTextData(field) {
        // Password-typed fields are skipped: nothing is collected from them.
        if (field.type == "password") {
            return ""
        }
    }

    I think they've got a patent pending, it's pretty complicated stuff.

    Then I would say we all have quite a lot to worry about. One small example: many of us SSH into systems all day long, and our passwords are not protected by your pseudo-code; there is no UI element explicitly marked password.

    Anyway, since you're an insider with Microsoft, you might want to have your team communicate algorithms and limits associated with collection activity clearly.

    As it stands, the only information publicly available described in the privacy policy states:

    "enter text, we may collect typed characters". It does not provide any qualifying limits of any kind on the *collection* activity, although it does provide some qualification on *use*: "and use them for purposes such as improving autocomplete and spellcheck features".
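
The limitation raised in the last comment, as an added example (not code from the thread or from Microsoft): a collector that only skips fields typed `password` still keeps a password typed at a terminal prompt, while a default-deny policy does not. The event shape, the `optIn` flag and the sample strings are constructed assumptions, as is the fall-through branch of `gatherTextData`, since the pseudo-code on the page is cut off.

```javascript
// Added illustration; event shape, field names and the optIn flag are assumptions.
// Constructed sample input: what a text-collection hook might see in one session.
const SESSION = [
  { app: "browser",  type: "text",     optIn: true,  text: "weather tomorrow" },
  { app: "browser",  type: "password", optIn: false, text: "web-pass-123" },
  { app: "terminal", type: "console",  optIn: false, text: "ssh admin@build01" },
  // Typed at ssh's password prompt: the terminal is one text surface with no
  // element marked "password", so nothing distinguishes it from a command.
  { app: "terminal", type: "console",  optIn: false, text: "ssh-pass-456" },
];
const SECRETS = ["web-pass-123", "ssh-pass-456"];

// Denylist, as in the thread's pseudo-code. The fall-through branch is assumed,
// because the pseudo-code on the page is cut off after the password case.
function gatherTextData(field) {
  if (field.type === "password") {
    return "";
  }
  return field.text;
}

// Default-deny alternative: collect only from surfaces that explicitly opted in.
function gatherOptInOnly(field) {
  return field.optIn === true ? field.text : "";
}

// Run a collection policy over a session and return the non-empty strings kept.
function collect(session, policy) {
  return session.map(policy).filter((s) => s.length > 0);
}

// Which known secrets ended up in the collected data?
function leakedSecrets(collected, secrets) {
  return secrets.filter((s) => collected.includes(s));
}

const byDenylist = collect(SESSION, gatherTextData);
const byOptIn = collect(SESSION, gatherOptInOnly);
console.log("denylist leaks:", leakedSecrets(byDenylist, SECRETS));
console.log("opt-in leaks:  ", leakedSecrets(byOptIn, SECRETS));
```

The same comparison works as a regression check for any collection policy: seed a session with known secrets and assert that none of them survive `collect`.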