If you regret upgrading your Surface to Windows 10, then I’m about to give you another reason to regret it….. privacy concerns.
Turns out many people are unhappy with Windows 10 because of concerns about privacy. If you look in your settings, you’ll see a whole section with various privacy-related options:
By default, most of these settings are configured to share as much information (or access) as possible. While that’s awesome for functionality, it may mean that personal or sensitive data gets sent to Microsoft or shared with an unexpected application – that could land you in a lot of hot water.
For example, let’s say you work in a doctors office in the U.S. and have a Surface 3 with Windows 10. Let’s say you use Cortana to look for a particular patent’s history on your Surface.
Well, now you might have a problem…
You see, U.S. patient records are covered under HIPAA law and its rules are very restrictive. One of the big things you do not want to do with HIPAA data is share it with anyone without explicit permission from the patient.
Guess what? Cortana sends all of your search data to Microsoft to be analyzed and processed, so she can give you an answer (that’s why Cortana doesn’t work when you don’t have internet). Even though it’s been anonymized, you could end up liable for misusing HIPAA data (depending on certain factors).
Keep in mind, this is an extreme example and it is easy to mitigate with policy (“don’t use Cortana, for patient records”) but it highlights how a seemingly innocent thing can become a serious privacy problem.
Windows 10 Privacy Concerns on Surface: What Can I Do About It?
In this section I had a choice. I could either write up this long and complicated checklist of privacy settings with pictures that would end up being huge and unwieldy or, I could tell you about Do Not Spy and be done in just a few minutes. As I write this it’s 5:54 AM on a Sunday morning and I haven’t had my coffee yet so…. Do Not Spy it is.
Besides I’m sure you would appreciate brevity out of me for once, right?
Do Not Spy is a simple program written by pXc-coding that simply puts all of the Windows privacy options (normally spread across multiple locations) into a single window. It is very simple to use and even offers an explanation of what each privacy setting does.
There are a few things to be aware of however…
- When the program is started, it will ask if you want to make a restore point. DO IT!!! While the program works well, a few settings can’t be turned off by un-checking the box. For example, the Disable and Reset Cortana setting. Letting the program make a restore point will let you back out of your changes, if you need to later.
- There are two download options (ad-supported and donation)
- While the ad-supported version does not show ads in the main Window, it will try to include additional products during the installation process. Fortunately, all you have to do is uncheck the box:
- For a donation (minimum $5 USD) you can get a version that is not ad-supported and does not try to install the additional software. I would recommend you do this if you can spare the $5 because it will help them improve their software offerings.
- Your anti-virus software may see Do Not Spy as a threat (because it will try to access the registry and create a system restore point); so, you may have to add it to your “whitelist” before you can use it.
As far as what privacy settings you should use, it depends on what you use your Surface for and how much you trust Microsoft. For example, the Disable and Reset Cortana setting will prevent her from working – so if you like Cortana, you won’t want to check that box. Another setting disables OneDrive. Hence, turning it off would be a bad idea if you use OneDrive a lot.
Just take your time and read the description of each setting to make sure you want to change it.
Reminder: Don’t forget to let the program create a system restore point before adjusting the settings.
If using this program makes you uncomfortable, you can just go through the Windows 10 Privacy Settings section and turn off each setting you don’t like individually. In addition, you’ll probably also want to look at the Windows Update settings and Cortana and Search settings – there are several privacy-related items in each.
Windows 10 Privacy Concerns on Surface: Am I Safe Now?
You’ve done all you can at this point but your privacy still may not be safe… Ars Technica used a proxy server to look at what Windows 10 sends on the network and their testing showed that even with certain features disabled and privacy settings activated, Windows 10 continues to send information to Microsoft.
The data seems to be sent from multiple sources including OneDrive, Cortana, and Bing. This even occurs when a local account is used! While much of the traffic is fairly harmless, some of it is a bit concerning. Here’s a couple of examples:
- Even with OneDrive completely disabled and no Microsoft Account being used, Windows 10 appears to send information back to a server used by OneDrive. Why would it need to do that?
- When Cortana and searching the Web from the Start menu is disabled, if you open Start and do a search your Surface will send a request to www.bing.com for a file called threshold.appcache which appears to contain some Cortana information (disabled, remember?). The request for this file contains a machine ID that persists across reboots which means that they might be able to see and correlate all search requests for that machine ID.
When asked about this traffic, Microsoft told them:
“As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer’s chosen privacy settings. This also applies to searching offline for items such as apps, files and settings on the device.”
While that is consistent with what they saw (there was no query or search data transmitted), it is counter to a “reasonable person’s” expectations. If Web searching and Cortana are disabled, the inference that most people (including me) would make is that searching from the Start menu wouldn’t use the Internet at all. But it does.
I’ll leave the implications of the persistent machine ID that could be used to track all of your searches up to you.
Windows 10 Privacy Concerns on Surface: Is That Legal?
If you’re starting to wonder how Microsoft can get away with this, it’s because the EULA (which I’ll bet you never read) is so broad it basically gives Microsoft the freedom to do whatever it wants. For example, this excerpt on privacy reads (the highlights are mine):
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary”
All of which means that Windows 10 has the right to install whatever it wants on your system without notice and to read and disclose all your personal information and files when it sees fit – even with files you place in private folders. Hmmm….this sounds like Google….
Windows 10 Privacy Concerns on Surface: Tim’s Conclusions
Does all this mean you should avoid or uninstall Windows 10?
I would say – probably not (unless you don’t like Windows 10 for other reasons as well) but you will want to tweak the default settings. I recommend you either use Do Not Spy or manually adjust your privacy settings to set the privacy options to something you’re more comfortable with because the defaults are pretty much wide open.
At this point, you might be asking yourself; “but Tim, what about the EULA language and mysterious traffic you pointed out?”
Frankly, I really doubt Microsoft has any sort of nefarious plan to invade your privacy with Windows 10. Most of the problems, or suspicious activity, I pointed out above really come down to two things…. lawyers and programming shortcuts.
You can bet that Microsoft’s legal department was tasked to make sure Microsoft was protected from lawsuits in just about any situation; so, they wrote the EULA with such broad rules the NSA would wet themselves like an excited puppy if they could get away with just half of what Microsoft can. It doesn’t mean they had plans to access your data all along, it just means they wanted to be protected from liability no matter what.
That’s bad, don’t get me wrong, but it doesn’t mean getting there was cheesy-spy-movie-type nefarious laughter coming from the boardroom when Windows 10 launched.
As for the mysterious traffic…. well, I’ll bet that’s due to programming shortcuts when Windows 10 was being written, so that the programming teams could meet the requirements while still making whatever deadlines imposed on them. Let’s face it, that’s the reality of the corporate world.