Slashdot Mirror


Security Analyst Concludes Windows 10 Enterprise 'Tracks Too Much' (xato.net)

A viral Twitter rant about Windows 10 Enterprise supposedly ignoring users' privacy settings has since been clarified. "I made mistakes on my original testing and therefore saw more connections than I should have," writes IT security analyst Mark Burnett, "including some to Google ads." But his qualified results -- quoted below -- are still critical of Microsoft:
  • You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
  • Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be confusing to beginners.
  • You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.
  • Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff... I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

37 of 284 comments

  1. Defective by design? by El+Cubano · · Score: 5, Insightful

    You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.

    Correct me if I'm wrong, but isn't this essentially the definition of "defective by design?"

    The increasingly hostile and draconian moves by Microsoft simply serve to prove that the majority of Microsoft customers are in a co-dependent relationship with Microsoft: afraid that no matter how bad things are with Microsoft, they will be worse without Microsoft. It must suck to live like that.

    I know, I know. Some people cannot ditch Microsoft, but most people can and it would cost them only marginally more effort (and probably less in many cases) than they expend dealing with all the crap Microsoft is throwing at their customers these days.

    1. Re: Defective by design? by teg · · Score: 4, Insightful

      Most people don't give a crap about user privacy.

      Proof: just a small uprising (mostly online by the same people who complain) when net neutrality and privacy rules were obliterated

      More proof:

      All of which have a business idea of knowing as much as possible about you, so they can monetize you effectively.

    2. Re:Defective by design? by thegarbz · · Score: 5, Informative

      Correct me if I'm wrong, but isn't this essentially the definition of "defective by design?"

      Defective by design is about intentionally not performing the intended function. For all its flaws, Windows 10 still runs Windows software just as well as it ever did.

      "Deceptive by design" now that's a definition I can get behind.

    3. Re:Defective by design? by Elledan · · Score: 5, Informative

      There is a way to fix Windows and remove all control from Microsoft. This way also doesn't involve Linux and kin.

      If the ReactOS project got even 10% of the commits and money that Linux receives, it might soon become the Open Source alternative to even Windows 10, allowing everyone to ditch Windows without having to change the software they use.

      Everyone would be better off, except for Microsoft, of course, but that's their own problem.

      --
      Site & blog: http://www.mayaposch.com
    4. Re: Defective by design? by Anonymous Coward · · Score: 2, Insightful

      What's worse? The company that gives you something free and takes your personal info in return or the company that charges you and still takes your personal information?

      Hint: Windows ain't free and you don't have to use Android to use Google products.

    5. Re: Defective by design? by AmiMoJo · · Score: 3, Interesting

      This "you are the product" meme is stupid. When you watch TV, you are not the product even though they sell advertising on it. The relationship is clearly more complex than that.

      In Google's case, there is relatively little lock-in to their products. Farm animals can't leave, they belong to the farmer. It's trivial to switch to another search engine, to another mapping site, to another email provider. Google doesn't even mind if you install uBlock and Privacy Badger from their official Chrome extension repo. If Google annoys users too much, or doesn't offer them something compelling to stay, their advertising business becomes worthless.

      Yes, they are selling advertising targeted ads. But they don't allow individual users to be targeted or for advertisers to access user data directly, only in aggregate via the tools that Google provides. That's not a simple "you are the product" relationship.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Defective by design? by Highdude702 · · Score: 5, Funny

      You can crash it just by booting it.

      I see they got that part of Windows to work correctly... O.o

    7. Re:Defective by design? by Kjella · · Score: 4, Interesting

      If the ReactOS project got even 10% of the commits and money that Linux receives, it might soon become the Open Source alternative to even Windows 10, allowing everyone to ditch Windows without having to change the software they use.

      Said no person with experience reverse engineering ever, at no point has trying to chase your proprietary competitor's blobs ever worked. WINE does an okay job running some Windows software, LibreOffice does an okay job opening some MS Office documents but you'll never repeat every quirk, bug and obscure functionality. You'll never get a fully working replacement for DirectX that isn't DirectX, not without 10x the resources Microsoft used to write it to reverse engineer it. That's not 10% of the Linux resources, probably more like 1000%. The only workable solution long term is to get people over to new, open standards like web apps written for W3C compliant browsers instead of IE6, games using Vulkan instead of DirectX, cross platform tools like qBitTorrent instead of uTorrent and so on.

      Look at git, the version control software to develop Windows is now created by Linus Torvalds, what better endorsement can you get than the competition eating your dogfood? Look at all the cloud solutions booming because you can just spin up another Linux instance on demand without licensing worries. You don't win by mimicking the old, you win by delivering something new and better. And even if someone builds proprietary stuff on top of it (OS X, Android, Tivo etc.) you keep gaining ground. Even if the pace is somewhat glacial I never had the feeling open source went backwards, even if you look at stuff like Firefox then Chrome is mostly open source through Chromium. It would be a helluva lot less work to fork that than to start over. Tools like ASP.NET Core are being open sourced, Apple has open sourced Swift, for more and more of low-level infrastructure closed source just isn't kosher anymore.

      --
      Live today, because you never know what tomorrow brings
    8. Re: Defective by design? by Kjella · · Score: 2

      No, the meme is just fine. Ad-supported companies sell eyeballs, that is the product whether you like it or not. If the grain level is coarse that's no problem, like if you're a radio channel and play country music you know you have a certain audience and your advertisers know that too. The problem is that via electronic registration the grain level is extremely fine, via tracking cookies, accounts and loyalty cards they build up massive individual profiles. You can of course hand-wave and say the data will never be used in a way that's problematic: "But they don't allow individual users to be targeted or for advertisers to access user data directly, only in aggregate via the tools that Google provides."

      Until it's leaked, hacked, sabotaged, there's an inside man, the police/courts/three letter agencies demands to see it, they hand out too much information, they give an unreliable subcontractor access today or at any point in the future. I work with a similar but different set of data, where we produce aggregate or de-identified data for external use but the grain data can be quite easily tied to an individual. First and foremost we're constrained by law, if someone passed the "Stop terrorism, fuck privacy act" it wouldn't be all that anonymous anymore. Secondly, we're guarding it like gold because there's really no un-sharing the information should it ever get out, but who knows when a hacker could find an Achilles heel. Third, it's hard to avoid every corner case where your profile stands out in a way that could be tied to an individual.

      I'm not going to be completely paranoid about it but the safest kind of data is the type you never generate. Everything else can be collected, cross-linked, used and abused. Certainly for good, that's often why we're doing it in the first place but the road to hell is also paved with good intentions. If you live in an authoritarian regime the future is pretty grim because they're constantly improving their surveillance, often going hand in hand with convenience which is why Facebook etc. is so popular. As long as you're not doing anything they don't like...

      --
      Live today, because you never know what tomorrow brings
    9. Re: Defective by design? by Brockmire · · Score: 3, Informative

      You don't understand why Google became Google. They don't sell YOUR data, they tell advertisers THEY know a guy who might want their widget. They'll take a cut for showing their ad for their widget. This is different than selling a list of names and contacts where some small percentage is actually interested, this gets higher results because the targets generally are interested in the widget and have higher buy through rates.

  2. You can't fix this. by Anonymous Coward · · Score: 5, Insightful

    The problem isn't Windows. The problem isn't even Microsoft.

    The problem is that we don't have strict laws governing the protection of user data. There needs to be serious and utter consequences for pulling this sort of shit. The sort of consequences that would make any shareholder board go "holy shit, let's not fucking do that". Until that happens, absolutely nothing is going to change. You might be able to pressure Microsoft into releasing a patch or two that appears to offer some sort of reprieve, but then they'll get back to doing exactly what they've been doing before, and probably torque down the screws just a little bit tighter while they're at it.

    Unfortunately, with the USA now gunning for net neutrality, I doubt anything like this would ever happen. Corporations have too much money and nobody gives a shit about the user. As long as the users keep paying for stuff (because they "have no choice" or don't want to slightly inconvenience themselves), nothing will ever change.

    So you better get used to it, because Windows 10 is just the start.

    1. Re:You can't fix this. by Anonymous Coward · · Score: 2, Insightful

      >What the security analyst forgets to mention is that the telemetry data sent to MS is anonymized.

      Yeah I work at a place where I sometimes get "anonymized" data. Let me tell you I can still easily find out who it was about.

      >I don't know how you would "protect" user data any better than that.

      Don't send it in the first place. There's no law in the universe that says that you have to send it. Just stop sending it.

      >A lot of new vehicles today upload data to the manufacturer and this data does include enough information to identify the owner.

      And that has to stop.

      >If Windows was really as bad as the OS political activists say MS would never have turned into one of the most successful companies on the planet. There has never been anything stopping someone from creating a platform to compete with MS.

      What? Halloween documents etc. Microsoft has been colluding with OEMs to stop exactly that. Also, they break stuff on purpose. What are you talking about? Some parallel universe where Microsoft is not an asshole?

      >All the early potential competition willingly sold their technologies to MS and took the money and ran.

      Who?

      >The applications that try to compete with MS Office suite are buggy clones that the Linux faithful promote as "good enough".

      True. But that's in part because the specifications by Microsoft are incomplete. At least by now they were forced to release them - earlier it was *all* reverse engineering.

      >And users do not run OS's they run applications. In the business world a competent IT can configure a stable and safe OS platform. Linux is not magically safe or stable by default and requires someone knowledgeable to configure the OS.

      I agree.

    2. Re: You can't fix this. by orbit500 · · Score: 3, Informative

      EU GDPR is set to stick a giant spanner in Windows 10 as it is doing with Facebook and Google data slurping. Check out the current cock blocking Redmond is getting on this and we're still a year out. Fines range up to 4% of global trade turnover, more than enough to brown trouser the board. Either they comply or quit the EU market. And that means any inbound EU data handling, not just EU based licence holders.

    3. Re:You can't fix this. by swb · · Score: 2

      In a lot of ways, this almost begs for a kind of public health type of response.

      In years past, most people would have willfully chosen poisonous product X for its low cost and rejected more expensive non-poisonous product Y. Or they would have rejected tax increases for improved sanitation or water filtration for the same reasons. Or they chose the patent medicine with an opioid versus the one with just sugar.

      I don't know that we ever really made the masses more intelligent than they are now about these issues, on the whole. Everybody "knows" that some common medicine with opioids in it is risky, but I'd bet that even with this knowledge if you put tincture of laudanum in a cough and cold remedy it would become a best seller because it made people feel better.*

      The best you could do was try to sway the more intelligent members about the risks and hope that would be enough to influence law makers to change the rules in ways that prohibited the bad ingredients, fixed the sewage system or removed the addictive drugs.

      The larger problem here is constructing a public health type of argument that intelligent, non-technical people will understand and accept, in the hopes that these key influencers will be able to pass laws that force uniform standards for privacy or data collection. You'll never change the masses' individual preference for free/cheap, you have to change the law to eliminate Microsoft, Apple or Google's ability to use this preference to exploit people for their own gain.

      (* There's a whole other side argument to be made as to whether this really would lead to widespread addiction among the population as a whole, or whether we're really just preventing an acute crisis among a small subset of the population. One of the risks of public health is over reach and excess risk aversion, imposing restrictions and costs to eliminate increasingly smaller threats.)

  3. Optimal Experience by Darinbob · · Score: 4, Informative

    The problem with optimal experience is that Microsoft means their own experience not that of the users. Optimal for them means that the customers are eyeballs for advertisers and with easy access to data for analytics. Optimal experience for the actual users means that they can turn off Microsoft's control, nothing ever defaults to opt-in, and they don't get tracked or advertised to.

  4. Better Solution by Murdoch5 · · Score: 5, Insightful

    It's called Linux and it's vastly superior in almost every way to Windows. Don't worry about Windows 10, just switch to the world's best Desktop Operating system.

    1. Re: Better Solution by thundercattt · · Score: 4, Informative

      Been a Linux user since XP, never looked back.

  5. Stockholm syndrome by whoever57 · · Score: 2

    I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

    We already know it's unfixable. What's the delay in ditching Windows?

    I think that, for many people, if running Windows required the user to endure an electric shock, they would still not ditch it. They have such little imagination that an alternative is possible.

    --
    The real "Libtards" are the Libertarians!
  6. We? by PinkyGigglebrain · · Score: 4, Insightful

    " If we can't fix it, then we ditch Windows."

    "We" can't fix MS Windows, only Microsoft can.

    Anyone think they will?

  7. Re: Let's ditch Windows, huh? by thundercattt · · Score: 3, Informative

    Or keep Windows nicely tucked away in a VM.

  8. Re: Will you finally get to work already? by DavidPetersonHarvey · · Score: 4, Interesting

    My business runs entirely on Linux. So does NASA. Those cute little Rovers that we have on Mars right now, Linux. Oil companies use special security hardened versions of Linux to run the oil wells. If all these organizations are running Linux just fine, the problem must be with you. :-)

  9. Re:Will you finally get to work already? by David_Hart · · Score: 2, Informative

    WTF are you talking about? Linux works perfectly fine. Seriously. It really does.

    The problem with Linux isn't that it doesn't work, it does, and usually quite reliably. The problem is, and I think that this is what the OP meant, that it just isn't user friendly.

    Installing drivers is not automatic, like it is for most devices under Windows today. Finding applications to take the place of existing Windows applications, including financial apps, is much more difficult. Granted, as more companies provide web based apps this becomes less of a concern. Finally, Linux still doesn't have major gaming support. If you want to play the latest high end games then you need a PC running Windows (Yes you can buy console systems, that's a different discussion).

  10. Re: I'm not your home IT staff... by __aaclcg7560 · · Score: 2

    Hahaha I had to do the same thing.

    A coworker went a step further by requiring his customers to order and pay for their replacement parts through Best Buy so he can pick them up. No money comes out of his pocket for the replacement parts and he doesn't get stuck with a $300 video card because someone cancelled the job.

  11. PlayOnLinux is the killer app by xeno · · Score: 4, Interesting

    Yep, linux linux linux... all us geeks can rant about the virtues and advantages, but at the end of the day, the rank and file want to run office and a web browser. MS Office is the lock-in that sells Windows... and while Wine promised to solve that it's way too complex for most people. Enter PlayOnLinux, which makes common Windows software installation just as simple as on Windows. Point, click, install. Holy $#%@ it just works, and ALL that Windows telemetry is gone, because Windows is gone. And I don't miss it.

    To keep it short: I set up Linux Mint and ran updates (about 10 min total install time, from bare metal), installed PlayOnLinux (about three clicks into the Software Manager app), then used that to install MS Office (including Visio), registered and all. The Cisco VPN works (of course), the browsers are faster (of course) and work well with corp apps, and MS Office just works. Tons of other stuff Just Works(tm). Corp IT never hears from me, all the tools just work, everything's much faster, and I didn't have to do ANYTHING at the CLI -- in fact, it was easier and much faster than typical interminable Windows setup processes. It's beyond me why people still put up with the stress of Windows, or insist that it's easier (it's not) or more secure (*snort*).

    --
    I think not...(*poof*)
  12. Re: one file disable by Anonymous Coward · · Score: 5, Informative

    Unfortunately it is well documented that Windows 10 ignores the hosts file for "telemetry"

  13. Ditch proprietary software. Not just Windows. by jbn-o · · Score: 3, Insightful

    I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

    You should be saying ditch proprietary software precisely because nobody but the proprietor (the very party you can't trust) is legally allowed to fix this (where the word "fix" is a fix from the user's perspective, of course, since the software already works as the proprietor has programmed it to work). That's what proprietary software means and that power over the user is why proprietors distribute their software without respecting a user's freedoms to run, share, and modify the software at any time for any reason. The system's behavior can change at any time, so even if someone monitors what a particular variant of a non-free, user-subjugating OS does now that can change later. Perhaps the software only does something bad under conditions one doesn't typically reach, or maybe an update changes how the software behaves. Furthermore, said software updates don't have to come through an updating program which seeks a user's approval before installation (such as Windows Updates).

    The GNU Project has no shortage of proprietary Microsoft malware and that includes universal backdoors, snooping on user's activities, ignoring user's settings on so-called 'privacy' settings, and sending identifiable data to Microsoft and third parties ("even if a user turns off its Bing search and Cortana features, and activates the privacy-protection settings").

  14. Re:BS by davester666 · · Score: 5, Insightful

    While the guy might not be a world-class IT specialist, he does report the truth. Windows 10 does track too much, and you can't even opt out of it.

    Unfortunately, the last sentence of the summary is delusional. There is only one company that can "fix" it, and they refuse to.

    --
    Sleep your way to a whiter smile...date a dentist!
  15. Re: Will you finally get to work already? by Anonymous Coward · · Score: 2, Insightful

    I've found the opposite to be true. Linux ships with 99% of the drivers you'll ever need, on Windows part of the install is traditionally using another machine to search vendor sites for drivers. Also many things that are trivially simple on Linux, like channel bonding, are hard or impossible on Windows depending on vendor and hardware support.

  16. Re: one file disable by Anonymous Coward · · Score: 2, Interesting

    Unfortunately it is well documented that Windows 10 ignores the hosts file for "telemetry"

    Source?

    It is well documented that Windows 10 ignores the hosts file for a list of "vital" MS services like Update. I have been unable to find any evidence that the telemetry URLs get ignored too.

    In fact they seem to be perfectly blockable by the hosts file.

  17. Spybot anti-beacon by nospam007 · · Score: 3, Interesting

    Spybot Anti-Beacon fixes most of it, even if it can't kill Cortana.

    https://www.safer-networking.o...

  18. Re:BS by iampiti · · Score: 5, Informative

    Yes, only Microsoft can fix Windows, but they won't do it unless they feel threatened.
    When the PS4 and Xbox One were about to be released Microsoft revealed that the Xbox would require constant connection to the Internet to play. The players revolted and Sony said they wouldn't do it. Microsoft (correctly, IMO) sensed that could be a fatal blow to their console and backtracked really fast.
    Something of that caliber would have to happen for them to remove all the spying in Windows. What could that be? I can only think of mass migration of governments and big companies. Alas, that is very unlikely to happen.
    In the end this is just another thing that shows how bad monopolies can be (In this case is a monopoly in the sense of "OS that can run Windows software and drivers", ReactOS could theoretically be an alternative but realistically they'd need billions of dollars to get close to Windows).

  19. Re:BS by zifn4b · · Score: 5, Informative

    Windows 10 does track too much, and you can't even opt out of it.

    True, you can't opt out of it within Windows which is pretty much unethical in my book. There are third party tools available (like Spybot Antibeacon) where you really can turn it off.

    Know what the problem is? Remember all that talk about big data being the next big thing? It's here and all this "telemetry" data is being sold because it is considered very valuable.

    --
    We'll make great pets
  20. Re: BS by Anonymous Coward · · Score: 2, Informative

    Spybot Antibeacon is decent, but best paired with W10Privacy.

    Here's the thing about Win10 though: changing general settings, registry keys, and group policy settings isn't enough. You also have to block many domains and IPs of various Microsoft telemetry servers! The thing still spits out data even with every conceivable setting and tweak utilized!

    W10Privacy includes adding firewall rules and hosts file entries to achieve this. I suggest copying those entries and blocking them at the gateway as well. Even then, every time a new MS patch comes out, I discover yet another process sending out undocumented data to yet another telemetry server. It's fucking ridiculous.
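
The layered blocking described in the comment above (hosts entries on the machine, the same entries at the gateway, then watching for new destinations after each patch) can be checked from the gateway's resolver log. This is an added example, not part of the original comment or of W10Privacy; the log format, the client address and the `.example` names are constructed assumptions.

```python
"""Audit a gateway DNS log against a hosts-style blocklist (added example)."""
from collections import Counter

SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # addresses that block a name

# Constructed hosts-file blocklist. The .example names are placeholders,
# not real telemetry endpoints.
SAMPLE_HOSTS = """\
# telemetry blocklist (constructed)
0.0.0.0 telemetry.vendor.example
0.0.0.0 watson.vendor.example settings.vendor.example  # two names, one line
127.0.0.1 localhost
"""

# Constructed gateway resolver log: timestamp, client IP, queried name, answer.
SAMPLE_DNS_LOG = """\
2020-01-01T10:00:01 192.0.2.10 telemetry.vendor.example 0.0.0.0
2020-01-01T10:00:05 192.0.2.10 update.vendor.example 198.51.100.7
2020-01-01T10:02:11 192.0.2.10 diag-new.vendor.example 198.51.100.9
2020-01-01T10:02:40 192.0.2.10 DIAG-NEW.vendor.example. 198.51.100.9
2020-01-01T10:03:00 192.0.2.22 diag-new.vendor.example 198.51.100.9
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text):
    """Return the names a hosts file maps to a sink address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2 or fields[0] not in SINKS:
            continue
        for name in fields[1:]:  # a hosts line may carry several names
            name = normalize(name)
            if name != "localhost":
                blocked.add(name)
    return blocked


def parse_dns_log(text, client):
    """Yield (name, answer) for each query sent by the given client."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != client:
            continue  # malformed line or a different machine
        yield normalize(fields[2]), fields[3]


def audit(hosts_text, log_text, client, allowed=()):
    """Return (bypassed, new) query counts for one client.

    bypassed: names on the client's hosts blocklist that still reached the
              gateway resolver. A honoured hosts entry is answered locally,
              so any such query means the entry is missing or not in effect.
    new:      names that are neither blocked nor allowed and resolved to a
              real address. Hosts entries match exact names only, so a new
              subdomain is not covered by existing entries.
    """
    blocked = parse_hosts_blocklist(hosts_text)
    allowed = {normalize(n) for n in allowed}
    bypassed, new = Counter(), Counter()
    for name, answer in parse_dns_log(log_text, client):
        if name in blocked:
            bypassed[name] += 1
        elif name not in allowed and answer not in SINKS:
            new[name] += 1
    return dict(bypassed), dict(new)


if __name__ == "__main__":
    bypassed, new = audit(SAMPLE_HOSTS, SAMPLE_DNS_LOG, "192.0.2.10",
                          allowed=["update.vendor.example"])
    print("hosts entries not in effect:", bypassed)
    print("destinations to review:", new)
```

Running the audit after each update and comparing the two results with the previous run shows both reset host-level entries and destinations that the existing list does not cover.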

  21. Re: BS by TheNarrator · · Score: 2

    The one advantage of closed source over open source is it lets the IP owner keep things broken that would otherwise be fixed by the community.

  22. Re:BS by LVSlushdat · · Score: 5, Interesting

    The *REAL* problem is you can use the Antibeacon tool to turn off the spyware aspects of Windows, but every time you get another "update" or new version from MS, they default those spyware aspects back on, so you're playing an endless game of "whack-a-mole" trying to keep MS's nose out of your bidness.. I used/supported Windows for 20 years as a sysadmin, and never really trusted MS, but since Windows 10 came out, ANY trust I may have had for MS has evaporated. When I retired in 2010, I moved all of my computers over to Linux and that's where they'll stay..

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  23. Re: Let's ditch Windows, huh? by caseih · · Score: 2

    Wrong. Windows 10 is quite usable in a VM for business and even programming tasks. Sure gaming probably isn't a go. But everything else works fine. I use Windows 10 in a virtual machine quite often, running Visual Studio.

  24. fix it! by sad_ · · Score: 2

    easy, just fork the code and remove all those tracking bits...
    what is that? you can't do that?
    well then there is nothing you can do to fix it, so ditch windows.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.