[Njtechdiv] suspicious Windows 10 Privacy

[Mario]

again, don't panic, just be informed:

Even when told not to, Windows 10 just can’t stop talking to Microsoft,
It's no wonder that privacy activists are up in arms.
http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/

by Peter Bright, "Peter is Technology Editor at Ars. He covers 
Microsoft, programming and software development, Web technology and 
browsers, and security."

Aug 12, 2015 11:34pm EDT

Windows 10 uses the Internet a lot to support many of its features. The 
operating system also sports numerous knobs to twiddle
that are supposed to disable most of these features and the potentially 
privacy-compromising connections that go with them.

Unfortunately for privacy advocates, these controls don't appear to be 
sufficient to completely prevent the operating system from going online 
and communicating
with Microsoft's servers.

For example, even with Cortana and searching the Web from the Start menu 
disabled, opening Start and typing will send a request to www.bing.com 
to request
a file called threshold.appcache which appears to contain some Cortana 
information, even though Cortana is disabled. The request for this file 
appears
to contain a random machine ID that persists across reboots.



  Shown in the Fiddler debugging Web proxy, the request that the Start 
menu makes every time you start typing into it or boot your machine.

Some of the traffic is obviously harmless. On connecting to a new 
network, Windows machines try to request two URLs 
(www.msftncsi.com/ncsi.txt and ipv6.msftncsi.com/ncsi.txt,
the former over IPv4, the latter over IPv6) to ascertain whether a given 
network is routed to the Internet and if there is a captive portal in 
the way
(NCSI stands for "Network Connection Status Indicator"). These requests 
are very bare, with no machine IDs or other data sent. If you want to 
turn even
these off, there is a way to do so, but the privacy impact is minimal.

Some of the traffic looks harmless but feels like it shouldn't be 
happening. For example, even with no Live tiles pinned to Start (and 
hence no obvious
need to poll for new tile data), Windows 10 seems to download new tile 
info from MSN's network from time to time, using unencrypted HTTP to do 
so. While
again the requests contain no identifying information, it's not clear 
why they're occurring at all, given that they have no corresponding tile.

Other traffic looks a little more troublesome. Windows 10 will 
periodically send data to a Microsoft server named ssw.live.com. This 
server seems to be
used for OneDrive and some other Microsoft services. Windows 10 seems to 
transmit information to the server even when OneDrive is disabled and 
logins are
using a local account that isn't connected to a Microsoft Account. The 
exact nature of the information being sent isn't clear—it appears to be 
referencing
telemetry settings—and again, it's not clear why any data is being sent 
at all. We disabled telemetry on our test machine using group policies.

  We have no idea what's going on here.

And finally, some traffic seems quite impenetrable. We configured our 
test virtual machine to use an HTTP and HTTPS proxy (both as a 
user-level proxy and
a system-wide proxy) so that we could more easily monitor its traffic, 
but Windows 10 seems to make requests to a content delivery network that 
bypass
the proxy.

We've asked Microsoft if there is any way to disable this additional 
communication or information about what its purpose is. We were told "As 
part of delivering
Windows 10 as a service, updates may be delivered to provide ongoing new 
features to Bing search, such as new visual layouts, styles and search 
code. No
query or search usage data is sent to Microsoft, in accordance with the 
customer's chosen privacy settings. This also applies to searching 
offline for
items such as apps, files and settings on the device." This is 
consistent with what we saw (there is no query or search data 
transmitted), but also likely
to run counter to most people's expectations; if Web searching and 
Cortana are disabled, we suspect that the inference that most people 
would make is that
searching the Start menu wouldn't hit the Internet at all. But it does. 
The traffic could be innocuous, but the inclusion of a machine ID gives 
it a suspicious
appearance.

We've argued recently that operating systems will continue to make 
privacy-functionality trade-offs.
For many users, perhaps even the majority, these trade-offs will be 
worthwhile; services such as Cortana (Siri, Google Now), cloud syncing 
of files, passwords,
and settings, and many other modern operating system features are all 
valuable, and many will feel that the loss of privacy is an acceptable 
price to pay.
But the flip side of this is that disabling these services for those who 
don't want to use them should really disable them. And it's not at all 
clear that
Windows 10 is doing that right now.



On 8/5/2015 7:59 PM, Mario wrote:
> again, not to alarm anyone, just be aware:
>
> Windows 10 privacy problems: Here’s how bad they are, and how to plug them.
> http://www.slate.com/articles/technology/bitwise/2015/08/windows_10_privacy_problems_here_s_how_bad_they_are_and_how_to_plug_them.single.html
>
>
> Aug. 3 2015 12:24 PM
>
> Apple and Google may have ignited the trend of collecting increasing
> amounts of their customers’ information, but with Windows 10, Microsoft
> has officially
> joined that race. By default, Windows 10 gives itself the right to pass
> loads of your data to Microsoft’s servers, use your bandwidth for
> Microsoft’s own
> purposes, and profile your Windows usage. Despite the accolades
> Microsoft has earned for finally doing its job, Windows 10 is currently
> a privacy morass
> in dire need of reform.
>
> The problems start with
> Microsoft’s ominous privacy policy,
> which is now included in the Windows 10 end-user license agreement so
> that it applies to everything you do on a Windows PC, not just online.
> (Disclosure:
> I worked for Microsoft in the days of Windows XP.) It uses some scary
> broad strokes:
>
> block quote
> Finally, we will access, disclose and preserve personal data, including
> your content (such as the content of your emails, other private
> communications
> or files in private folders), when we have a good faith belief that
> doing so is necessary.
> block quote end
>
> Some have spun conspiracy theories out of that language. I’m more
> inclined to blame vagueness and sloppiness, not ill intent. With some
> public pressure,
> Microsoft is likely to specify how and why it will share your data. But
> even that won’t excuse Microsoft’s ham-fisted incursion into users’
> data, nor how
> difficult it is restore the level of privacy back to what it was in
> Windows 7 and 8.
> Apple
> ’s and
> Google
> ’s privacy policies both have their own issues of collection and
> sharing, but Microsoft’s is far vaguer when it comes to what the company
> collects, how
> it will use it, and who it will share it with—partly because Microsoft’s
> one-size-fits-all privacy policy currently applies to all your data,
> whether it’s
> on your own machine or in the cloud.
> As Microsoft puts it:
>
> block quote
> Rather than residing as a static software program on your device, key
> components of Windows are cloud-based. … In order to provide this
> computing experience,
> we collect data about you, your device, and the way you use Windows.
> block quote end
>
> In other words, Microsoft won’t treat your local data with any more
> privacy than it treats your data on its servers and may upload your
> local data to its
> servers arbitrarily—unless you stop Microsoft from doing so. Microsoft’s
> security story has been far from perfect; this move could make it far
> worse. For
> now, it’s not easy to restrict what Windows collects, but here’s how.
>
> Don’t Use Express Settings During Setup
>
> During installation, Microsoft will encourage you to accept its “express
> install” defaults. Without exceptions, these defaults will result in the
> maximum
> sharing of your information with Microsoft. Instead, select the “custom
> install” option, which will bring up a bunch of toggles. The first set
> of toggles,
> concerning personalization and location, looks like this:
>
> These settings all send your personal data to Microsoft with little
> upside for you (unless you like customized advertising). I recommend
> turning them all
> off.
>
> The second set of toggles is more cryptic but more important:
>
> While the first two settings here, for SmartScreen and page prediction,
> simply send more of your activity to Microsoft, the next two are
> subtler. Automatic
> connection to open hotspots and to your contact’s networks means that
> your computer will connect to certain networks without your explicit
> consent. Unless
> you trust Microsoft’s judgment and all of your contacts, it’s best to
> disable those. Last, sending error and diagnostic information may seem
> harmless,
> but when something goes wrong, that “information” might include tons of
> sensitive stuff—if you were editing a spreadsheet of your romantic
> dalliances when
> your computer crashed, it’ll get uploaded. If you feel like helping out
> Microsoft, you can leave this enabled, but I turned it off.
>
> Turn Off the Secret Settings
>
> The install settings are only a subset of Windows 10’s privacy settings,
> which occupy more than a dozen different pages and dialogue boxes across
> the user
> interface, none of them in plain sight. Moreover, one of them reveals
> that Microsoft wasn’t being quite honest during setup. When you turned
> off “Send
> error and diagnostic information,” you really only turned it down from
> “Full” to “Enhanced.” To really reduce the amount of information sent to
> Microsoft,
> you need to go to the Start menu, select Settings, choose Privacy from
> the list of settings, and then go to the Feedback and Diagnostics section:
>
> Choosing “Basic” will keep the amount of random data sent to Microsoft
> to a minimum.
>
> That leaves, however, the other 12 Privacy sections. I recommend going
> through all of them, painful as that may be, and carefully assessing
> what you’re
> willing to share. In a pinch, however, there’s only one really important
> one that wasn’t already changed during install, which is under Account
> info:
>
> This gives any app you install permission to see an arbitrary amount of
> your account info. Until Microsoft makes this considerably more
> fine-grained and
> transparent, as Apple and Google have done with their app stores, it’s a
> bad idea to leave it on.
>
> Use a Local Account
>
> Microsoft will encourage you to create a “Microsoft account” (formerly
> known as a Live ID) so that signing on to Windows is akin to signing
> into Microsoft’s
> online services. In this Microsoft is following Apple’s lead of
> associating your OS with a single account. This is the single biggest
> privacy compromise
> you can make. As long as you’re signed in, Microsoft could conceivably
> upload whatever data it wants to your server-side profile without you
> knowing. Without
> a Microsoft account, it’s harder (though hardly impossible) for
> Microsoft to lump your data together, and it disables other potentially
> problematic features
> like
> Wi-Fi Sense.
> Not using a Microsoft account will single-handedly protect you from many
> of Microsoft’s attempts to collapse the local-remote distinction in its
> privacy
> policies. Instead, use a local account, and use Gmail or Yahoo Mail or
> anything other than Microsoft.
>
> Don’t Let Microsoft Steal Your Bandwidth
>
> By default, Microsoft turns your computer into a peer-to-peer node to
> help it distribute Windows 10 updates, in order to save Microsoft server
> bandwidth
> costs. “Microsoft calls it Windows Update Delivery Optimization,” or
> WUDO. WUDO really should have been turned off by default, because it may
> slow you
> down and may even cost you additional money if you have a metered
> connection. Instead, it is also one of the hardest settings to turn off,
> requiring clicking
> through four obscure screens. I’ll walk you through it.
>
> First, start up Settings and click on Update & security.
>
> In the Windows Update screen of Update & security, select Advanced options.
>
> In Advanced options, select Choose how updates are delivered. (You may
> also want to change the drop down to “Notify to schedule restart” so
> that Windows
> won’t spontaneously reboot your machine after installing updates.)
>
> Finally, turn off peer-to-peer distribution of updates:
>
> It’s almost as though Microsoft didn’t want you changing that setting.
> (Microsoft really wants your bandwidth.)
>
> Don’t Use Edge or Cortana
>
> Microsoft’s Siri-imitating Cortana personal assistant and its new Edge
> browser are designed to take advantage of as much personal information
> as possible
> to customize user experience, take annotations, and learn all about you.
> Until Microsoft clarifies its privacy policies, I recommend against
> using them.
> Stick with Firefox or Chrome as a browser, or even good old Internet
> Explorer.
>
> This is not a complete list, but it hits the most important spots where
> Microsoft has made the defaults uncomfortably intrusive, nosy, or simply
> greedy. Microsoft needs to centralize these and other settings in a far
> more transparent and easy-to-understand box, clarify their implications,
> and pledge to users that it won’t upend their privacy settings in so
> egregious a way again. Until then, protect yourself.