Security

Windows 10: Privacy and data sharing specifics you need to know

Windows 10 users, learn what information is shared with Microsoft by default, and how to configure your installation.

Image: Nate Ralph/CNET

The release of Windows 10 is an important transition for Microsoft, as the service model of Windows is changing from a finished product to a rapidly evolving software-as-a-service (SaaS) model. These changes include tighter integration with previously separate Microsoft services, and the inclusion of the Cortana virtual assistant. This integration also brings monetization opportunities for Microsoft, including monthly subscriptions for additional storage on OneDrive, advertising delivered with Bing searches from the desktop, a 30% cut from app sales on the Windows Store, and advertisements inserted in preinstalled apps, such as the MSN and Xbox content apps, and in the Solitare app.

Many of these features depend on transmitting personal information to Microsoft. Windows 10 does not presently have a unified "do not share" switch — many of the options are scattered around various menus. Additionally, the sharing of some information about your computer, and previously configurable options regarding some system behaviors are now compulsory.

Important considerations and comparing ecosystems

A substantial number of the features added to Windows 10 are intended to compete with the available analogues from the Apple and Google ecosystems. OneDrive, like Dropbox, iCloud, and Google Drive, offers additional storage for a fee. Cortana is Microsoft's answer to Siri and Google Now. Apple and Google also take a cut from app sales; that, in itself, is not controversial — the difference is implementation.

The user could uninstall these features (rather, these features' predecessors, Windows Live SkyDrive and the Bing Bar) in previous Windows versions; now, Microsoft embeds the features into the OS.

It is also important to note that a substantive amount of the data sharing can be configured during the installation, as long as the user does not select Express Install.

Cortana and Bing integration

Cortana requires a great deal of data to be useful, and in the privacy statement, Microsoft indicates that it "collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device." While this isn't substantively different from the way in which competing services operate, this monitoring was previously limited to mobile devices.

When asked about this data collection, a Microsoft spokesperson stated, "Microsoft honors the controls and the customer's choice — if you turn off Cortana, information will no longer flow for Cortana. However, some of the same or similar information may still flow if needed for other functionality that a customer has opted into (e.g. if a customer uses Bing Maps, we may still collect their location)."

The Bing integration is now added to the taskbar, much to the frustration of people attempting to remove the Bing Desktop software delivered via Windows Update. Unlike Firefox and Internet Explorer, there is no way to change the default search provider, but Bing can be disabled. According to a Microsoft spokesperson, "If users do not want to receive Bing search results from the Windows search box, go to Settings, and turn off 'Online Search.' This prevents Bing from receiving your search queries and/or returning web results."

Of note, Microsoft has partnered with the analytics startup Interana for mining Bing search usage and user behavior data. According to a press agent for Interana, "Microsoft Bing recently purchased behavioral analytics solution Interana for the massive volumes of clickstream data generated daily." (Update on Aug. 5, 2015: Microsoft did not acquire Interana; it is a client of its services.)

Concerns with OneDrive security and the Microsoft account

Compared to the services from other cloud storage vendors, OneDrive does not offer at-rest encryption for home users. OneDrive support can't be uninstalled from Windows, though it can be disabled using the Group Policy editor.

Microsoft does not permit users to store any images that contain nudity, and violation of this policy is grounds for potentially having your Microsoft account revoked, which Microsoft has allegedly done in the past, even when the data was not publicly shared. According to Microsoft's services agreement, they "do not monitor the Services and make no attempt to do so." However, the contents of OneDrive accounts are subject to scanning via PhotoDNA.

The revocation of the Microsoft account would result in the inability of users to access their stored OneDrive data, Outlook mail, and subscriptions to or updates of software purchased in the Windows store, such as Office 365.

When asked about losing access to updates and prior purchases of content in the event of the closure of a Microsoft account, a Microsoft spokesperson stated, "You don't have to have a Microsoft account connected to use Windows 10. The closure of a Microsoft account would not prevent a customer from receiving updates to Windows 10. Updates come through the Windows Update that is unconnected to the Microsoft account."

Security updates and bandwidth sharing

For Windows 10, Microsoft has removed the ability for users to disable Windows Update, a decision covered in greater depth at ZDNet. Issues with Windows Update breaking display drivers have been reported in the RTM version, and Microsoft has used the utility in the past to push browser toolbars and other commonly unwanted add-ons. Microsoft does not allow users to permanently disable Windows Defender — it notes on the Settings page that "if it's off for a while, we'll turn it back on automatically." These decisions remove control of the computer from the user, though for the vast majority of home users, it's not a particularly big loss.

Windows 10 forces diagnostic and usage data to be transmitted to Microsoft, a behavior that cannot be prevented except for Enterprise and Server SKUs. This data "may unintentionally include parts of a document you were working on when a problem occurred," though Microsoft states that "we won't use that information to identify, contact, or target advertising to you."

By default, Windows 10 is configured to use Windows Update Delivery Optimization, which can transmit update data to any other computer on the internet. (For Enterprise and Education, this is limited to only PCs on the local LAN.) This setting can be disabled, and if you indicate to Windows that you are using a metered connection, this will automatically be disabled.

What's your view?

Do you have concerns about the information sharing behavior in Windows 10? Have these changes prompted you to stick with Windows 7, or move to an alternative? Let us know in the comments.

Also see

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox