What You Need to Know about Windows 10 Privacy

By Woody Leonhard

Privacy has become such a huge issue with Windows 10 that many folks won’t install it, just because they figure Windows 10 is sending all their private information to Microsoft. What do you need to know about Windows 10 privacy issues? In one sense, it’s true that Windows 10 is prying into your privacy – Windows 10 snoops in ways no previous version of Windows ever dared. In another sense, though, increased snooping in Windows 10 is a sign of changing times. And it’s fairly obvious that Microsoft is no worse than most of the alternatives.

The important point is that you, the Windows 10 user, need to understand what’s going on — and you need to make decisions accordingly.

Like it or not, times have changed, and attitudes toward snooping have changed along with them.

The past: Watson to WER in Windows

Back in the distant past, the Windows 3.0 beta (in 1989-1990) included a program called Dr. Watson, which responded to Windows crashes by gathering all the data it could find and packaging it as a text file (drwtsn32.log). Dr. Watson was also smart enough to generate a core dump, which could be fed into a debugger on a diagnostic machine.

Dr. Watson worked offline. If you wanted to send your text log file or core dump to somebody, that was up to you. Dr. Watson was highly successful, leading to the identification and eradication of thousands of bugs (most, it must be said, in non-Microsoft drivers).

Around the time of Windows XP, Dr. Watson turned into the Problem Reports and Solutions program, which became part of the larger Windows Error Reporting (WER) system built into XP and then enhanced for Vista, Win7, and Win8. WER differs from Dr. Watson in many respects, not the least of which is an optional automated upload to Microsoft’s servers.

The folks who wrote WER, and those who poured through the dumps, knew full well that sensitive information might be transmitted as part of the WER collection. That’s why the good doctor asked for permission before sending the info on to Microsoft’s servers.

WER was a resounding success. Steve Ballmer says that WER let the Windows team fix 29 percent of all WinXP errors in WinXP Service Pack 1. More than half of all Office XP bugs were squashed in Office XP SP1, thanks to WER. WER became the envy of the operating system software class, propelling many doctoral theses.

Frighteningly, WER data wasn’t encrypted prior to transmission until March 2014. If you had a crash before then and WER kicked in and delivered it to Microsoft, anybody snooping on your Internet connection could see the contents of the report. There have also been allegations that the NSA hooked into WER reports.

Customer Experience Improvement Program for Windows

While Watson and WER concentrated on crash reports, an independent force arose in the Windows camp. Borrowing on the Business School buzz phrase “customer experience,” Microsoft’s Customer Experience Improvement Program (CEIP) gathers a wide array of information about your computer and how you use it, and then shuttles it all off to Microsoft. Historically, when Microsofties used the term telemetry, they were referring specifically to CEIP data. That’s changing as more telemetry becomes accessible.

CEIP (known internally in Microsoft as SQM, or Software Quality Management) started with MSN Messenger, moving rapidly to Office 2003, and then to Windows Vista and Windows Media Player. It’s been part of Windows and Office ever since. When you install any of those programs, Microsoft activates CEIP by default, although you can opt out.

Feedback & Diagnostics tab and DiagTrack in Windows 10

One part WER, one part CEIP, Windows 10 brings all the snooping together under the Feedback & Diagnostics tab. Telemetry in Win10 includes data uploaded by the Connected User Experience and Telemetry component, also known as Universal Telemetry Client, with a service application name of DiagTrack.

Microsoft has a detailed description of its telemetry collection policy in a TechNet post by Brian Lich. Lich includes an informative diagram that explains Microsoft’s conceptual levels of telemetry.

stock telemetry levels
Microsoft’s explanation of stock telemetry levels.

It’s far from a definitive list of what data gets sent to Microsoft, but at least the diagram should give you a basic understanding.

To see what you’re up against, click the Start icon, the Settings icon, and then Privacy. On the left, choose Diagnostics & Feedback. You see the Diagnostic Data dialog below.

diagnostic data Windows 10
The old crash reporting and CEIP settings have a new guise.

 

The Diagnostic and Usage Data setting is one of the key methods you have to reduce — but not eliminate — the Win10 telemetry sent from your PC to Microsoft. If you’re concerned about sending Microsoft your usage information, click Basic in the dialog you see above.

Although the Settings app only offers two telemetry settings — Basic and Full — Win10 supports four settings. You can get to the other two (called Security [Enterprise Only] and Enhanced) only if you run the Group Policy Editor. If you don’t know about the Group Policy Editor, you’re best off sticking with Basic.

What is basic telemetry and how does Windows 10 use it?

It probably won’t surprise you to find out that Microsoft collects, as part of its Basic telemetry, roughly 2,000 data points, updated every day. In April 2017, after a series of disclosures about privacy pursuits in the EU, Microsoft released a detailed list of its telemetry. You can see the list for Basic level telemetry in Win10 version 1709. Check out Microsoft’s site for a similar list for the Full telemetry setting is at this page.

The lists are mind-numbing, as you might imagine, and exhaustive. It appears as if they’re sufficient to defuse a rising tide of privacy protectionism in the EU. Whether privacy partisans will remain satisfied with this raw data remains to be seen.

Data privacy issues to come

Here’s what you need to know:

Microsoft collects telemetry — data about your use of Windows — no matter what. You can minimize the amount of data collected (the Basic setting, described in the nearby sidebar, but you can’t stop the flow unless you’re connected to a corporate domain.

The data being sent to Microsoft is encrypted. That means anyone who’s snooping on your connection won’t be able to pull out any useful information. It also means that people trying to figure out exactly what’s going out don’t have any chance of deciphering the stream.

There’s a larger picture. Windows, like the rest of the industry, is evolving. There has been no indication that Microsoft is any worse than, say, Google — and it’s likely that Apple undertakes similar data stockpiling. So do Facebook and dozens, if not thousands, of lesser snoopers.

If you want to minimize the identifiable data harvested from you and don’t feel comfortable with the fact that Microsoft collects data about you, best to switch to Linux, avoid Chrome (use Firefox), don’t use Google Search (use DuckDuckGo), and/or always run a VPN.

‘Course, you’d also have to avoid using a mobile phone — or even a landline for that matter — and pay with cash or Bitcoin only. You’d also need to avoid walking in public, given the current state of facial recognition, and hope you never end up in a hospital!

The question is how comfortable you feel entrusting all these companies — not just Microsoft — with your data. And heaven help ya if you live in a house that has a smart electric meter.

Data privacy will likely be one of the foremost legal questions of the next decade. There is already some data protection regulations in place for health records and credit records, but they don’t apply in this case. Unless people give up — which may be a reasonable reaction — there’s likely to be large-scale problems.