
Windows 10: Microsoft forces you to choose between privacy and security, say campaigners

The civil liberties campaign group the Electronic Frontier Foundation says Windows 10 needs to offer "real, meaningful opt-outs" to users when it comes to data collection.


Microsoft is facing renewed calls to change the way Windows 10 collects data about users, amid fresh accusations that the OS violates privacy.

Civil liberties group the Electronic Frontier Foundation (EFF) said Microsoft makes users "choose between having privacy and security" in how the OS handles data collection.

The campaign group is referring to Microsoft's advice not to use Windows Update to patch machines that have been switched to the lowest level of data collection, known as the Security level.

"There's no good reason why the types of data Microsoft collects at each telemetry level couldn't be adjusted so that even at the lowest level of telemetry collection, users could still benefit from Windows Update and secure their machines from vulnerabilities, without having to send back things like app usage data or unique IDs like an IMEI number," writes Amul Kalia, intake co-ordinator at the EFF.

Kalia suggests the argument that Windows Update relies on a certain level of telemetry in order to work is being used to impose data collection on home users.

"In other words, Microsoft is claiming that giving ordinary users more privacy by letting them turn telemetry reporting down to its lowest level would risk their security since they would no longer get security updates," he said.

Only users of Enterprise, Education, and IoT core editions are able to set Windows 10's data collection to the Security level. Users of the Home and Pro versions are only able to reduce telemetry settings to the more data-hungry Basic level. On this setting, Windows 10 collects information about security settings, quality-related info (such as crashes and hangs), and application compatibility.

Last month the French data protection watchdog, the Chair of the National Data Protection Commission (CNIL), said Microsoft should make it possible for all editions to reduce data collection to this lower Security level. The CNIL has given Microsoft three months to change how Windows 10 collects data about users or face a possible fine of up to €150,000 for breach of the French data protection act.

By default, Windows 10 sends what the EFF describes as "an unprecedented amount of usage data back to Microsoft", much of which is used to personalize content and the help provided by Windows 10's built-in personal assistant Cortana.

"Here's a non-exhaustive list of data sent back: location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long," said Kalia.

Microsoft says it is possible to opt out of much of the data collection it uses for personalization. However, in the latest update to Windows 10, Microsoft has removed the off switch for Cortana, although it is still possible to disable the assistant by editing the Windows Registry.

The EFF also criticizes Microsoft for not being clear about what it does with the data it collects from Windows 10 users.

"While Microsoft insists that it aggregates and anonymizes this data, it hasn't explained just how it does so. Microsoft also won't say how long this data is retained, instead providing only general timeframes," said Kalia.

Aside from its privacy concerns, the EFF also questions the tactics that Microsoft used to get people to upgrade to Windows 10 from Windows 7 and 8. After Microsoft launched the offer of a free upgrade last year, the firm adopted an increasingly aggressive approach in its attempts to persuade people to switch, first making the upgrade process begin automatically on most home machines and then temporarily making it easier to inadvertently accept the upgrade. By the end of the free upgrade period, there were more than 350 million devices running Windows 10.

"Time after time, with each update, Microsoft chose to employ questionable tactics to cause users to download a piece of software that many didn't want. What users actually wanted didn't seem to matter," said Kalia.

The EFF ends with a warning to Microsoft that the firm needs to start addressing concerns about Windows 10's data collection.

"The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations," said Kalia.

Fail to do so, he cautions, and Microsoft will face more government investigations and see more users abandon Windows.

For its part, Microsoft insists that Windows 10 respects its users' privacy. In response to the accusations by the French CNIL, Microsoft VP and deputy general counsel David Heiner said: "We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections." The company stresses that it takes steps to avoid collecting user content, such as files, emails and chat logs, and will never use content to target individuals.

In response to the EFF allegations, a Microsoft spokeswoman said: "Microsoft is committed to customer privacy and ensuring that customers have the information and tools they need to make informed decisions," adding that Microsoft adjusted the approach it took to Windows 10 upgrades in response to feedback.


About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
