Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns
WheezyJoe writes: ghacks and Ars Technica are providing more detail about Windows 10's telemetry and "privacy invasion" features being backported to Windows 7 and 8. The articles list and explain some of the involved updates by number (e.g., KB3068708, KB3022345, KB3075249, and KB3080149). The Ars article says the Windows firewall can block the traffic just fine, and the service sending the telemetry can be disabled. "Additionally, most or all of the traffic appears to be contingent on participating in the CEIP in the first place. If the CEIP is disabled, it appears that little or no traffic gets sent. This may not always have been the case, however; the notes that accompany the 3080149 update say that the amount of network activity when not part of CEIP has been reduced." The ghacks article explains other ways to block the unwanted traffic and uninstall the updates.
Customer Experience Improvement Program... for those of us used to wading through the pile of sewage that is Windows in a corporate environment, it is well known and enjoyed about as much as annual performance appraisals.
There are consequences to every action
-- Tigger warning: This post may contain tiggers! --
"Raises privacy concerns" is elliptical speech: it's made to be deliberately obscure. (It uses "causes concern" to convey the central point without giving any information about what the point is.)
It's also passive voice, in that there's no person performing the action, the action is simply "caused" by something. (For comparison, consider "we wrote reports" versus "reports were written".) Hence, there's no person or group responsible, it's simply an aspect of the situation.
And finally, the phrase uses framing to soften the effect. Your personal information isn't being harvested, the system simply "raises some concerns".
Taken as a whole the headline tries to get the reader emotionally involved by stating something we should be concerned about, without saying in concrete terms *that* there is anything to be concerned about, and that it's *other people* who are concerned.
Meh. This didn't work on me, I'm not actually concerned, I'm going to ignore it.
(Propaganda success!)
https://github.com/WindowsLies...
Someone is on the case!
Prove anything by multiplying Huge Number times Tiny Number
And it's a failure b/c they ignore what people really wanted: the Start Menu.
Instead we got the Start List: 100+ icons to scroll through.
Only Santa's list is longer.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
I really want to like Windows 10. It seems to have a lot of nice features, was a smooth upgrade from 7, and probably the single most painless OS upgrade I've had on any MS platform (I had to correct a single driver, for a minor issue, and that was it).
But I'm really, really sick of just how blatantly Microsoft is trying to jam every single stupid thing into this, and tie it back to their cloud based bit. And I might even be okay with some of that, because I'm well aware that I wind up giving a lot to Google when I'm using stuff on Android. I might even use some of it, if they weren't going far beyond even what Google does.
The final straw was when they wanted to essentially remove my local account on the machine and replace it with me using a Microsoft account for my local login. No, sorry, but Redmond can go get fucked if they want that. It's one thing to have stuff in a cloud based application that has its own password, but it's another thing for that cloud based password to be my entire system. Perhaps I'm being overly negative, but it's just too much, that they want all this personal data, and they want to tie it all not just to what I do in application land with Outlook/Bing/Edge/Cortana/Skype whatever, but down to the OS level? No. And if it gets worse, I may just have to bite the bullet and do my PC gaming on Linux, and give up on doing anything bleeding edge.
No, the guys who wanted more tracking took that guy out for a beer. That's the guy who killed off DoNotTrack. Like Private Browsing in Firefox or Incognito Mode in Chrome, DNT was about the balance between privacy on one hand and convenience/features on the other hand. DNT was supposed to mean that the user valued privacy more than convenience and features at the moment. Here's what was supposed to happen, what DNT was intended for:
Case 1, no DNT header:
I go to Slashdot, and have not set a specific DNT header. I therefore get the DEFAULT tracking/personalization behaviors of Slashdot, including:
I'm not redirected to Beta, because Slashdot tracks that I set "do not show me beta".
On my mobile device, I'm not redirected to m.slashdot.org, because again Slashdot tracks my preferences based on some identifier/cookie.
Case 2, with DNT header:
I launch a Private Browsing window in Firefox, or an Incognito tab in Chrome.
The browser prompts "DNT: Do you want to tell web sites to avoid identifying you or tracking your preferences? Some features and preferences may not work in DNT mode."
I click "yes, send the DNT header".
Slashdot sees that I have expressed that I want a higher level of privacy than the default, that I am willing to give up personalization in exchange for privacy.
Slashdot does not set a cookie, and I get redirected to m.slashdot.org or beta.slashdot.org each time. It does not track me to know my preferences between sessions.
It's all about the balance between privacy and convenience. Much like Incognito / Private Browsing mode disables the browser history, autocomplete, and other useful features in exchange for better privacy.
In short, the purpose of DNT was to communicate the user's desire to value privacy over convenience.
By violating the spec and sending DNT as the DEFAULT, the DNT header in IE suddenly meant "the user probably wants the DEFAULT balance between privacy and convenience". Since IE sent DNT by default, it no longer provided any information about the user's priorities regarding convenience vs privacy. It therefore became completely useless for its purpose. That guy killed DNT.
-----
Here's a concrete example. Quoting from the DNT policy:
| all user identifiers, such as unique or nearly unique
| cookies, "supercookies" and fingerprints are discarded
Do you really think that all sites are going to get rid of cookies, including "don't show me Beta" cookies, for anyone and everyone using IE? Just because Microsoft thought it was a good idea? No friggin way. If the USER chose to actively tick the box, perhaps so. Because Microsoft's marketing team thought that "Do Not Track" sounded good and that breaking most web sites was an acceptable side effect? I don't think so.
Would the editors consider adding a section for analysis of Windows updates so we can read then decide if we want them instead of having to go on click marathons through the desktop client? Even some sort of Patch Tuesday digest just indicating which of the updates are actual security patches would do it.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
I put this in my tomato "Scripts" section. Basically grabbed all of the dig output for settings-win.data.microsoft.com and vortex-win.data.microsoft.com, cnames, and authorities for them.
Possibly excessive. I'm ok with that. YMMV.
iptables -I FORWARD -d 8.26.215.27 -j DROP
iptables -I FORWARD -d 64.4.54.254 -j DROP
iptables -I FORWARD -d 8.26.204.25 -j DROP
iptables -I FORWARD -d 198.78.199.155 -j DROP
iptables -I FORWARD -d 204.160.105.155 -j DROP
iptables -I FORWARD -d 4.23.46.155 -j DROP
iptables -I FORWARD -d 65.55.44.108 -j DROP
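
Added example, not part of the post above: a hard-coded address list like this goes stale when the hostnames resolve elsewhere, so the sketch below regenerates the DROP rules from `dig +short` output, keeping only valid, de-duplicated IPv4 addresses. The function names and the sample resolver output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Live use, with the two hostnames named in the post:
#   for h in settings-win.data.microsoft.com vortex-win.data.microsoft.com; do
#       dig +short "$h"; done | rules_from_dig

# Constructed sample of `dig +short` output. CNAME targets end in a dot,
# A records are bare IPv4. Addresses are RFC 5737 documentation ranges.
sample_dig_output() {
    cat <<'EOF'
settings.example-cdn.net.
192.0.2.10
198.51.100.7
192.0.2.10
;; connection timed out
203.0.113.999
EOF
}

# is_ipv4 ADDR: succeed only for four dot-separated octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# rules_from_dig: read resolver output on stdin and print one guarded DROP
# rule per unique valid address. `iptables -C` (needs a build that supports
# --check) makes re-running safe: insert only if the rule is not present.
rules_from_dig() {
    sort -u | while IFS= read -r line; do
        if is_ipv4 "$line"; then
            printf 'iptables -C FORWARD -d %s -j DROP 2>/dev/null || ' "$line"
            printf 'iptables -I FORWARD -d %s -j DROP\n' "$line"
        fi
    done
}

# Demo on the constructed sample: prints two rules, skipping the CNAME,
# the resolver error line, the duplicate and the out-of-range address.
sample_dig_output | rules_from_dig
```

The script only prints the rules, so the output can be reviewed before it is pasted into the router's script section.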