Microsoft Finally Reveals What Data Windows 10 Really Collects

Starting today, Microsoft is updating its privacy statement and publishing information about the data it collects as part of Windows 10. From a report: "For the first time, we have published a complete list of the diagnostic data collected at the Basic level," explains Windows chief Terry Myerson in a company blog post. "We are also providing a detailed summary of the data we collect from users at both Basic and Full levels of diagnostics." Microsoft is introducing better controls around its Windows 10 data collection levels in the latest Creators Update, which will start rolling out broadly next week. The controls allow users to switch between basic and full levels of data collection. "Our teams have also worked diligently since the Anniversary Update to re-assess what data is strictly necessary at the Basic level to keep Windows 10 devices up to date and secure," says Myerson. "As a result, we have reduced the number of events collected and reduced, by about half, the volume of data we collect at the Basic level."

The real problem...

... of course, is that we have to wait for Microsoft to "inform" us about that in the first place.

Re:The real problem...

[ytene]

And the only reason Microsoft are doing this is [likely to be] because the EU were basically telling them that their latest privacy-slurping OS was going to run foul of EU legislation if they didn't come clean. Having Windows 10 banned in the EU because of privacy concerns was likely a suitable incentive. What a shame it has come to the point where companies need this sort of inducement to come clean.

Re:The real problem...

[gweihir]

My guess is that they only do it because they got some pretty severe threats from the EU behind the scenes. The first round (Swiss Data Protection Commissioner) they already lost and that guy very likely talked this over with his EU colleagues before and they decided that his situation was best for a test-balloon (as Switzerland is not in the EU, hence not setting legal precedent for the EU).

Without that, my guess would be that MS would never have informed anybody. And they could still be lying. Unless there is an independent verification by somebody competent, I am not going to trust this at all.

Re:The real problem...

[Kjella]

What a shame it has come to the point where companies need this sort of inducement to come clean.

Companies will run slave plantations unless somebody forces them not to. Capitalism is useful but it'll throw you under the bus if it means higher profit, it's nobody's friend just raw application of economic power. Once you're past the size where anyone feels personally responsible and they only answer to shareholders who want return on interest it has no conscience, ethics or morality. So I'm not sure what you think is new or different here, the only time they don't act like total psychos is exactly when there's consequences. Otherwise they'd make Soylent Green out of you.

Re:The real problem...

[cayenne8]

Ok..so where is the option to switch it to NO DATA COLLECTED AND REPORTED....?

Basic and full are dandy for those that want to "opt in" for such data collection, but how about those of us who liked the old fashioned OS days when NO data was sent or required to be sent?

Re:The real problem...

Exactly this.

This announcement is akin to:

We've listened to our customers who are upset about the ass rape, so to address your concerns, we've added an exciting new option!

-Lubed ass rape
-Unlubed ass rape (for our TRUE believers)

Re:The real problem...

You imply that this behavior only applies to larger companies, but any perusal of popular sites online clearly demonstrates that people are only decent in person because they fear immediate physical retribution.

Re:The real problem...

[Jason+Levine]

Companies will run slave plantations unless somebody forces them not to. Capitalism is useful but it'll throw you under the bus if it means higher profit, it's nobody's friend just raw application of economic power. Once you're past the size where anyone feels personally responsible and they only answer to shareholders who want return on interest it has no conscience, ethics or morality. So I'm not sure what you think is new or different here, the only time they don't act like total psychos is exactly when there's consequences. Otherwise they'd make Soylent Green out of you.

I think a lot of people forget this when they cry out that all government regulations are bad and should be done away with. That was nearly the case in relatively-recent history. Children were forced to work 19 hour days in locked factories with only one way out. Employers treated them like little more than slaves and there was no protection for the worker. Got injured on the job due to your employer providing a dangerous work environment? Too bad, you're unemployed now since you can't do the job they hired you to do. Fire raging in the one spot where you can exit the factory? Jump from the tenth story window to your death. (See the Triangle Shirtwaist Factory fire.)

Over time, outrage over these abuses led to the government making rules against them. You can't work kids 19 hours a day. You need to provide a safe working environment. Employees injured on the job deserve compensation. Products should be safe for people to use.

Are all regulations good? Of course not, but acting like they're all bad and companies would be job-creating angels if that big, bad government would just get off their back is far from the truth as well.

Re:The real problem...

[uncqual]

Then don't use your work devices for personal business. Your employer selected Microsoft for their business so they must be okay with this collection - it's your employer's data, not yours.

Personally, I will probably never again install Windows 10 (or successors) on any personal iron for a variety of reasons -- Linux works fine for my personal use for almost everything. If my employer chooses to use Windows 10, it doesn't bother me because it's not my machine/data.

January

[campuscodi]

Finally, since January. They revealed this in January when they pushed the update to Insiders Build. They introduced the disclosure as part of compliance with EU regulations.

Real link

[AmiMoJo]

Link to the actual list, not an article about the list: https://technet.microsoft.com/...

Re:Real link

[AmiMoJo]

Okay, let's have a quick look at some interesting items from the list:

- userId The userID as known by the application.
This is what you type when Windows asks "what is your name?" during account creation, so it's quite likely to be the user's real name.

- did XBOX device ID
- xid A list of base10-encoded XBOX User IDs.

- localId Represents a locally defined unique ID for the device

- friendlyName Represents the name of the file requesting elevation from low IL.
- cmdLine Represents the full command line arguments being used to elevate.
Don't enter passwords on the command line!

- PCFP An ID for the system that is calculated by hashing hardware identifiers.

- BiosDate The release date of the BIOS in UTC format.
- BiosName The name field from Win32_BIOS.
- Manufacturer The manufacturer field from Win32_ComputerSystem.
- Model The model field from Win32_ComputerSystem.

The list is very long, I'm about 1/3rd the way in...

Re:Real link

[lq_x_pl]

Keep in mind, this is the list for now.

Re:Real link

[jez9999]

"The Basic level gathers a limited set of information that is critical for understanding the device and its configuration"

LOL, that's the bare minimum critical info is it? A metric fuckton of data.

How about, oh i dunno, NOTHING?

Re:Real link

[zifn4b]

Also, you could find out what URL's Windows 10 is phoning home to and put the hostnames in your %WINDIR%\System32\drivers\etc\hosts file

Any evidence...

[CrimsonAvenger]

that this list is really complete and conclusive? Or is this just what MS is saying is the complete list?

Re:Any evidence...

[Volanin]

It doesn't matter if this is the complete list. This list by itself is already bonkers.
At the very least, they admit that they:

- Uniquely identify you, your device, and your location/network.
- Record what you navigate and search on the internet.
- Record what you watch, listen to, and read.
- Record your purchase history.

Not that it matters though. I believe almost everyone does this nowadays.
At least they are being transparent.

Re:Any evidence...

[freeze128]

Wait a minute...

- Uniquely identify you, your device, and your location/network. - Record what you navigate and search on the internet.

Through Edge, Internet Explorer, or Cortana, of course, but what about a 3rd party browser?

- Record what you watch, listen to, and read.

Maybe from Windows Media Player, but what about VLC or KODI?

- Record your purchase history.

From the Microsoft Windows Store, but how about a 3rd party web browser?

This list just raises more questions than it answers.

Thanks, but

Why can't we turn it off entirely? I can troubleshoot my own PC and don't need it "phoning home" - EVER.

Re:Thanks, but

[Mashiki]

You don't need it. I don't need it. We're also the extreme minority who don't need it. We're getting this because everyone else can't troubleshoot their own PC/device.

Re:Thanks, but

[denis-The-menace]

It's been tried.

They try to upload to 100s of different DNS names and IPs...just like spyware.

Re:Thanks, but

[ilsaloving]

Not even that. We're getting it because Microsoft believes that they can get away with it. If it was just for troubleshooting, they wouldn't need half the information they're collecting.

Re:Thanks, but

[ausekilis]

Or maybe, instead of a constant firehose of crap going to Windows servers, we can have a dialog and elect to send stuff to MS when a problem happens. You know, how things used to be. They can create as detailed a dump file as they need, but I should have control over if/when it gets sent somewhere.

Re:Thanks, but

[CanadianMacFan]

What in the world makes you think that this has anything to do with troubleshooting your PC/device? It may sound like a nice excuse for them to say that it allows your computer to be kept up to do date easier but a good package manager does that. This is all about them using your data to make money and they can't make that money if people turn off the flow of data.

Option missing

[lapm]

So still no choise of Dont spy my shit...

Calling Stallman

[jawtheshark]

We all know that without the source, it is impossible to verify their claims.

Removed half of stats before disclosing

"Our teams have also worked diligently since the Anniversary Update to re-assess what data is strictly necessary at the Basic level to keep Windows 10 devices up to date and secure," says Myerson. "As a result, we have reduced the number of events collected and reduced, by about half, the volume of data we collect at the Basic level."

I wonder what they felt they needed to remove before they were willing to publish the disclosure.

How about 'NO' data collection?

[Rick+Schumann]

How about you don't 'collect' anything on anyone for any reason, you bastards?

What non-diagnostic data is collected?

[QuietLagoon]

The Tech Net article lists the diagnostic data. Is any non-diagnostic data collected?

Re:What non-diagnostic data is collected?

[iCEBaLM]

Any data is diagnostic if you say it will help you fix issues.

But yes, full commands of apps that request elevation, personally identifiable IDs like username, xbox IDs, etc. The list is bloody massive.

A Missing Detail

[surfdaddy]

They are transparent about the Creator's Update. But they have reduced the telemetry by about half, saying that they realized they didn't find all telemetry useful. So you don't really know what they *have been* collecting prior to the Creator's Update. For all we know they've removed a bunch of more onerous details that could have *upset* us.

Perhaps scale it back a bit.

[fahrbot-bot]

"Sperm Count" (listed on page two) seems unnecessary.

Re:Perhaps scale it back a bit.

[brianerst]

They need this information to see whether to offer you the family plan.

Re:Don't forget about open source projects.

[Raenex]

Some open source supporters will make claims like "But they're being transparent!" or "But you can opt out!" or some other nonsense like that.

But guess what? None of that matters!

It does matter. It's relatively trivial to opt out of Mozilla's data collection and to know what's being collected, whereas that's absolutely not the case with Microsoft. So when you say shit like this:

"we cannot consider them to be any better than Windows, or conversely, we can't consider Windows to be any worse than projects like Firefox"

I know you're either shilling for Microsoft or being idealistically stupid about practical differences.

Too little too late...

[XSportSeeker]

Look at the f*cking thing and see how reasonable it is:
https://technet.microsoft.com/...

It's completely ridiculous. Windows 10 is basically spyware disguised as an OS at this point.

Reduced by Half

[tsqr]

Is "reduced by half" anything like "increased by a factor of 2"?

I miss the critical information

[Opportunist]

"Why should I believe you?"

Time and again we have been lied and misled by Microsoft. Give me one good reason I should believe this.

And it has to be using

[kilodelta]

Bing to upload the stuff. I block bing at my firewalls and the logs constantly show my Win10 laptop trying to connect to Bing.

Edited MSDN Article about Full Levels...

You should look into the msdn historical edit article where they showed that microsoft removed verbiage on it's MSDN page about collecting even worse information such as your documents and allowing microsoft employees investigating any crash reports sent by your machine to actually remotely access your machine and view your documents and run your programs.

Not trolling either. It was a link passed around here awhile ago and microsoft even sent a takedown to the wayback machine which previously had the edit but now does not. Yet on a different microsoft site that lists wiki-style diff's of it's pages, it's still there.

Someone find it please. They are backpedaling so hard on this it's sad.

Re:Don't forget about open source projects.

That AC's position is much more consistent and sensible than yours is. That AC is saying, ``Data harvesting is wrong.'', while you're saying,``Data harvesting is wrong, except if you can opt out, or except if you know what's being harvested, or except if moz://a is doing it, or except if it's called telemetry, or except if Google Analytics is used to store it, or except if ...''. Face it, data harvesting is wrong. It doesn't matter who is doing it, or how they're doing it, or why they're doing it, or what they're doing with the harvested data. It's wrong. There aren't degrees of wrongness here. All incidents of data harvesting are equally wrong.

Re:Don't forget about open source projects.

[Raenex]

All incidents of data harvesting are equally wrong.

No, the world is not black and white. Otherwise Richard Stallman would be a practical person instead of out on an idealistic island. People like Stallman are useful as standard bearers, but in the real world we deal with practical choices that require us to distinguish between varying degrees of "wrong".

Solution: Find a way to get an Enterprise build

[ErichTheRed]

We're rolling out Windows 10 in a very low-bandwidth environment, and in some cases a no-bandwidth environment. (Yes, they still exist today!) Turning off telemetry was one of the reasons we upgraded the OEM licenses from Pro to Enterprise -- there's just no need to use precious connection time sending usage data to Microsoft. And yes, that means "paying twice" for the OS, once to the OEM and once for the Enterprise subscription.

In my opinion, Microsoft did a very poor job of communicating what the difference between Home, Pro and Enterprise was. Basically, anyone with Home and Pro is getting the OS for "free" in exchange for telemetry data and information they can sell to marketers, period. Pro is Home with the ability to join a classic AD domain. This is very different from the days of Windows 7, where Pro had enough features to make it the default OS for business deployment. What Microsoft is doing is pulling more and more features under Enterprise, including the ability to opt out of constant feature changes. The result is that most large companies are buying Enterprise upgrades and getting on the subscription treadmill.

I think the best thing they could do right now is to let anybody buy the Enterprise version as a one-off, or make a complete shut-off of the telemetry available but slightly difficult to find in every edition of the OS. Even if they made the telemetry controllable by a few hard to find registry keys, the vast majority of consumers wouldn't touch any of the default settings and they'd still be getting data from them. Microsoft just got done "giving away" Windows 10 to millions of Windows 7 and 8 users in the form of the free upgrade, and the indication is that they will be on the same major release forever from now on, just releasing big update packages once or twice a year. Enterprise customers are subsidizing this development by still paying license fees in the form of subscriptions -- those millions of PCs that were upgraded for free only have the revenue stream of the marketing data coming in until they're replaced. And if Microsoft sticks to their promises, there will be no more revenue for traditional boxed software upgrades either -- no Windows 11 release they can ship out on DVDs to stores is coming.

Do I like being a product for marketing companies to mine data on? Not really -- and I do think Microsoft should be transparent about why they're doing what they're doing. I think all the companies doing this (Microsoft, Apple, Google, etc.) are going to have to find a new way to operate once the social media and advertising bubbles pop too...right now all of them are subsidizing their phone OS development with the fact that they have access to very personal data on a device you carry with you 24 hours a day.

Re:He's lying

[fisted]

Why is this at -1? The data is encrypted, and Windows users presumably don't get to look at the keys.
So literally people have to take MS's word for it. Oh well.

"to help keep Windows up to date"

[WaffleMonster]

The justifications offered by MS are as ridiculous as they are hilarious.

"Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates"

Seriously so you have to know how many local accounts, when I add, change and remove them. When they first login and their sids I keep on my own machine because there is some insanely comical correlation between local accounts and available disk space?

It's not like you are not already explicitly stealing volume information via Census.Storage and SetupPlatformTel.SetupPlatformTelActivityEvent. And who the fuck installs software without check for available disk space first? Is the success rate of an action really undeterminable prior to taking it because disk space? I don't think even Microsoft is stupid enough to believe their own BS.

Also love the generic key/value data access schemes where the full list of available keys that can be transmitted are not specified anywhere.. Only the top level interface to transfer the data.

FieldName - Retrieves the event name/data point.
Value - Retrieves the value associated with the corresponding event name

If your going to be transparent don't be transparently slimy. You may impress end users with better things to do with reams of context deprived technobabble but there are plenty of people in the world as smart or smarter than the people who compiled this crap.

Comment removed

[account_deleted]

Comment removed based on user account deletion

blackbird

[spongman]

one solution is to use blackbird to turn off all telemetry and uninstall builtin spy/adware. be warned, though, i had some basic things break (like start menu search) after running it.

Re:Don't forget about open source projects.

[Just+Some+Guy]

I disagree. RMS is supremely practical over long periods of time. His core message is "if you tie your fate to something you don't control, you will get burned." I've never seen this not be correct. Vendors come and go. Sometimes they change their pricing model from reasonable to extortionate. Maybe they discontinue features that were critical to you. Perhaps they throw away the whole thing and start over. But whatever form it takes, the end result is the same: if you can't control it, it will control you.

Apple and Microsoft have probably been the best major companies for keeping their changes small and manageable. Eventually you had to migrate off VB6. Eventually you had to click the "also compile this for Intel" checkbox in Xcode. But that doesn't change the fact that if you use their platforms, you are subject to their business decisions, even when they conflict with yours.

Perhaps hypocritically, I'm typing this on a Mac. I've decided that given Apple's track record, they're probably not going to yank the rug out from under me overnight. But you can bet that all the code I write is in FOSS languages and deployed to FOSS operating systems. I can change my desktop OS - with some pain and gnashing of teeth to be sure - without compromising the things I design. That's because RMS is correct: he's convinced many of us that it's practical to choose open platforms instead of closed shininess where it really matters.

Microsoft Compatibility Telemetry

[neoRUR]

I have:
Set the settings to Basic.

Disabled it in the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection
added the keyword AllowTelemetry and set it to 0.

Changed the Group Policy level to Disabled:
Computer Configuration\Administrative Templates\Windows Components\Data Collection And Preview Builds\Allow Telemetry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Disabled the services, and killed the processes:
- Connected User Experiences and Telemetry Service.
Connected User Experiences and Telemetry process
dmwappushsvc process

Rebooted the machines

And the Microsoft Compatibility Telemetry still shows up once and awhile.

And this has happened on several machines.
So its still there and still comes back and its still collecting data.

Re:Don't forget about open source projects.

[Altrag]

From what I've seen, yes you are. They're making it fairly trivial to reduce the data collection (from Full to Basic) but I don't see anything about disabling it all together.

Citations?

[Optic7]

At the very least, they admit that they:

- Uniquely identify you, your device, and your location/network.
- Record what you navigate and search on the internet.
- Record what you watch, listen to, and read.
- Record your purchase history.

Any citations for these (like field names in that huge list) that you could provide? I searched for some keywords to find anything related what you mentioned (ex: web, browse, history, internet, purchase, etc) and could not find anything as nefarious sounding as your summary. Perhaps I'm not looking closely enough and it's a huge list, so citations would be appreciated. I really would like to know if they are collecting the info you listed. Thanks.

Re:Don't forget about open source projects.

[Just+Some+Guy]

I don't think that's a good analogy. Most things in life are fungible: while we might prefer Safeway's canned corn to Costco's, for all intents and purposes one can substitute for the other. Marketing aside, Shell and ExxonMobil gasoline are mostly identical. I like Levis jeans, but there are other brands on the market and my Kohl's shirt and Target socks are 100% compatible (well, my wife might make fun of my pairings, but I don't go into anaphylaxis if the brands don't match).

The same is true for Debian and Red Hat - while I have my preferences, software I write on one will run on the other with minimal tweaking. Linux is the product I need and there are many, many vendors who will provide it to me. If Red Hat closes tomorrow, I'm a couple of Dockerfile lines away from not noticing or caring. That's absolutely not true of macOS or Windows. Again, I don't think Apple or Microsoft is likely to pull the plug on them tomorrow, but they could (and have) so substantially modify them that stuff no longer runs unchanged on them. If/when they do, there's literally not a thing you or I could do about it but ride the unsupported legacy tail as long as we can while we rushedly port to new platforms.