The title of this article is “Windows 10, Privacy 0: ESET deep dives into the privacy of Microsoft's new OS” and in it I will be providing analysis of Microsoft's privacy plans for Windows 10, some of the reasoning behind those changes, and also theorize about who else besides Microsoft might be interested. But as my first blog post on We Live Security since Windows 10 was released, there are two topics I would first like to address before we dive in. The first of these is a short discussion of what Windows 10 needs to accomplish, both for Microsoft and for its customers.

Note: This article is excerpted from a forthcoming white paper on Windows 10.

Windows 10 and Microsoft’s 10 Year Plan for it

July 29th, 2015 has come, and with it Microsoft has released Windows 10, which incorporates the most ambitious changes seen between two versions of Windows since Windows XP and Vista. Microsoft has found itself in an interesting position: Windows 8 (which I will use as an umbrella term to cover Windows 8, Windows 8.1 and Windows 8.1 Update) has met with lukewarm adoption, only finally surpassing Windows XP earlier this year. Windows 7 continues to reign on the desktop. With Windows 10, Microsoft has to deliver a version of Windows that is not seen merely as a capable upgrade to Windows 7, but also to please those who have not just adopted but embraced Windows 8.

Windows 10 is also the first release of desktop Windows to introduce consumers to Windows as a Service (WaaS). Such arrangements have been common in the corporate world where licensing allows enterprises access to the latest versions of Windows automatically, but it’s a new arrangement to consumers who are used to purchasing a license for one version of Windows and using it through its lifecycle of tiered support. With Windows 10, Microsoft plans to release new features and functionality during the ten-year lifecycle of the operating system, as opposed to releasing new versions. While this perhaps may not sound as ambitious as Windows 8’s Start Screen, it is actually a far greater change in how Windows is maintained by Microsoft. Microsoft has a goal of having one billion devices running Windows 10 by 2018, and that requires a different strategy than they have used in the past to reach that ten digit number.

Windows 10 and Your Privacy

Microsoft talks a great deal about the Windows experience, wanting the operating system to feel seamless and to be responsive to users. For Windows 10, frictionless is a word which has been bandied about. From any other company, this could (and should) be safely ignored as marketing drivel; however, in Microsoft's case, they are dead serious about providing users with a positive Windows experience. Of course, the interesting part of all of this is figuring what Microsoft considers a positive Windows experience.

"It always makes sense to review the privacy settings and the policies of whatever software or services you are using, and Windows 10 is no exception."

For Windows 10, this means allowing the user to move between different devices such as smartphones, tablets and PCs, not just while having all of their information at their fingertips, but in a way that is appropriate to the way in which we interact with different devices, and even those devices' locations in time and space. While none of this may be new to those of us using smartphones in the past few years, Windows 10 marks the first time this level of personalization and integration has been offered via a desktop operating system in what had previously been the realm of smartphones, and that has some interesting ramifications for privacy in a world where your computers are always on, always listening, and always watching you.

Or does it?

Microsoft’s privacy policies have traditionally been rather dry, but have basically been customer-centric. Measurements and other data (aka telemetry) that are collected are used for the sole purpose of improving Microsoft’s products and services, and the company goes to great lengths to avoid intentionally collecting any personally-identifiable information, always anonymizing or scrubbing it to ensure the origin of any private data they collect cannot be used to identify individuals.

setup-windows-10

Windows 10 installation: "If you do not choose the Express Setup option during installation, Windows 10 offers the ability to tweak its privacy-related settings."

Microsoft's collecting of anonymized telemetry for the purpose of improving its offerings is not even particular new. The Customer Experience Improvement Program (CEIP), was launched in February 2009, back when Microsoft Windows Vista was the latest version of Windows. Even then Microsoft was thinking about the privacy implications; hence it had its own set of Frequently-Asked Questions and Privacy Policy to provide additional information about how the company safeguards for its customers’ data. And in case you are wondering, the CEIP continued in the Windows 7, Windows 8 and in Windows 8.1 desktop versions of Windows, as well as their Windows Server counterparts. So, your computers may have been sharing anonymized data with Microsoft for the past six years.

Micosoft privacy principles

Microsoft Privacy Principles

With Windows 10, Microsoft believes one of key reason for users to upgrade is having access to Cortana, its search agent with voice recognition capabilities that can mine data such as your emails and contacts in order to give you information that is relevant to your interests.

While I have yet to see (or hear) Cortana offer me any information on my desktop, but on a smartphone running Windows Phone 8.1, it did offer to put a flight into my schedule after the airline sent me a confirmation email. And that's not particularly unique to Windows, either: on a smartphone running Android, Google offered to give me status updates on packages I'm receiving when it saw the waybills come through via email. These two examples show how companies such as Microsoft and Google scan your emails.

Is this a violation of my privacy? No, I don't think so, since I was prompted to enable these services when setting up the devices and I did give my consent.

Is it convenient? Yes, in both instances I found it useful. Especially in the case of not having to go and copy and paste a copy of my flight itinerary into my calendar. Convenience trumps security, though, which I'll get to in a moment.

It is invasive, or merely borderline creepy? Those are bigger questions to answer, and those answers are going to vary based on the privacy needs of the individual or the business.

I can definitely see situations where an individual might not want to have information about appointments with doctors, lawyers, family planning clinics and so forth parsed by an outside party, even if that outside party is a machine intelligence. Likewise, a business in a regulated industry – or one merely involved in a merger, acquisition or having an upcoming rounds of layoffs – may not want the particulars of those emails, calendar appointments and meeting requests to be examined at all, even if in aggregated form where the identifying data is anonymized.

"I can definitely see situations where an individual might not want to have information about appointments with doctors, lawyers, family planning clinics and so forth parsed by an outside party, even if that outside party is a machine intelligence."

It always makes sense to review the privacy settings and the policies of whatever software or services you are using, and Windows 10 is no exception. Before making the decision to migrate from Windows 7 or 8, you should carefully review these and think about what the implications might be to your home or business.

I'm from the government, and I'm here to help

Windows 10 potentially gives Microsoft access to the same information about your lifestyle that has previously only been accessible to popular smartphone operating systems such as Apple iOS and Google Android. And, for all of the numerous legal issues Microsoft has had over the past decades—and there have been many—the one issue Microsoft has generally not had much of are any data breaches involving the disclosure of its customers' personally-identifiable information (PII).

The same, though, may not be said of governments around the world, which may engage in activities such as requiring bloggers to register with the government, requiring a government-issued ID when purchasing Internet access (or devices capable of accessing the Internet), installing monitoring devices or state-operated firewalls and, of course, the wholesale monitoring of their citizens' communications. Even if it is only looking at the captured metadata and not the actual communications themselves, those metadata may be considered enough to justify extreme actions: Gen. Michael Hayden, former head of the NSA, stated last year "We kill people based on metadata."

This makes it easier to understand why Microsoft has been challenging the government's search warrant case for access to overseas data, and other governments are trying to help them do so (which is quite a change considering some of the same agencies were investigating Microsoft a decade ago).

There is still quite a bit of work to be done to secure the Internet, not just from criminals and rogue nation-states, but from governments that mean well but are clueless about how technologies such as encryption work.

Microsoft has been at the lead of fighting for users' privacy, not just because they understand that people will not use their products and services if they don't have any privacy, but because it is the correct thing to do. As long as Microsoft is able to fight that battle it should be safe for customers to use its products.

In closing

Microsoft has discussed privacy rights in their Microsoft on the Issues blog, to which I linked extensively in the preceding paragraphs. However, that's not all they have to say on privacy. Microsoft is a gigantic company, and they have many privacy policies for their operating systems and services. Here are a few to read if you're so inclined:

If you are concerned about ESET's own privacy policies you may find the privacy policy for We Live Security here, the privacy policy for our main ESET web site here, the privacy policy for ESET's support forum here and a copy of our EULA agreement here. ESET is headquartered in Europe and abides by EU laws when it comes to customer privacy, which are some of the strongest in the world.

“…and now for a brief word from our sponsor”

The other item I wanted to address was to answer any questions ESET’s own customers might have about Windows 10 support:

The short answer is yes, Windows 10 Build 10240 is currently supported.

For further information about ESET and Windows 10, see the following:

As always, updates to the latest versions of programs are free for licensed users.

I would like to thank my colleagues Bruce P. Burrell, Stephen Cobb and David Harley for their comments and feedback.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher


Have you upgraded to Windows 10 or are you planning to do so? Have concerns about your privacy in Windows 10 had an impact on that decision in any way? Do you have any additional questions for Aryeh Goretsky about Windows 10? If so, let us know, below!