EFF takes a deep dive into Windows 10's brutal privacy breaches

Microsoft's deceptive hard-sell to gets users to "upgrade" to Windows 10 (the most control-freaky OS to ever come out of Redmond) is made all the more awful by just how much personal, sensitive, compromising data Microsoft exfiltrates from its users' PCs once they make the switch.

Microsoft's stated target of one billion Windows 10 devices by the end of 2018 has led the company to do some desperate, sneaky, and even fraudulent things to "encourage" users to make the switch: from bundling the OS with auto-downloaded browser- and security-updates to changing how a dialog box worked so that clicking the X in the corner was taken as consent to blow out your old OS and replace it.

But that's nothing compared to the spectacular privacy dumpster-fire that burns at the heart of Win 10. As the Electronic Frontier Foundation's Amul Kalia documents in progressively more-frightening detail, by running Windows 10, you invite Microsoft to collect (and retain) enormous amounts of information about you and what you do with your computer, with no way to turn the worst of it off.

While we understand that many users find features like Cortana useful, and that such features would be difficult (though not necessarily impossible) to implement in a way that doesn’t send data back to the cloud, the fact remains that many users would much prefer not to use these features in exchange for maintaining their privacy.

And while users can disable some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.

Microsoft has tried to explain this lack of choice by saying that Windows Update won’t function properly on copies of the operating system with telemetry reporting turned to its lowest level. In other words, Microsoft is claiming that giving ordinary users more privacy by letting them turn telemetry reporting down to its lowest level would risk their security since they would no longer get security updates1. (Notably, this is not something many articles about Windows 10 have touched on.)

But this is a false choice that is entirely of Microsoft’s own creation. There’s no good reason why the types of data Microsoft collects at each telemetry level couldn’t be adjusted so that even at the lowest level of telemetry collection, users could still benefit from Windows Update and secure their machines from vulnerabilities, without having to send back things like app usage data or unique IDs like an IMEI number.

With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive [Amul Kalia/EFF]