Microsoft’s enterprise products covertly gather personal data on users (thenextweb.com)
247 points by Quanttek on Nov 16, 2018 | 131 comments



The base version of Windows 10, their flagship product (if not in terms of revenue, then mindshare) is stuffed full of adverts and defaults on about 6+ options related to telemetry the last time I installed a VM.

I think it would benefit large companies like Microsoft to realise that this sort of behaviour has knock-on effects. Every MS product is tainted by this because it ultimately has effects on trust.

If it's not making them, or can't be linked to, significant amounts of revenue, it would surely be beneficial in terms of customer numbers to stop doing this. Why?

I don't understand, or believe, that they're making significant amounts from this. It feels like bean-counter style decision making that doesn't take into account the wider picture.

Anyone from MS willing to chime in?


I'm not supporting the Windows-10 style telemetry (I have it turned off) but I don't think this is about money.

Let's take a hypothetical example of where you assign a given user a random ID, based on something (machine ID). You then track what this user is doing, in general, in the operating system.

You can find data points such as what % of users discover/use X feature, how many pin applications to the taskbar, use X app with Y app, have night mode enabled, etc.

This allows you to expend resources where they are actually needed, to improve the features that the majority of people would find benefit in.

And at the end of the day, none of the above features require knowing anything about WHO that person is. Sure, they can be classified into groups based on how they use the software, such as "business user", "power user", or "gamer" ... but not "John Doe at 123 Main Street, Hollywood, California".

This is likely all for product improvement and not for $$$. Why do they subject end-users and not opt-in testers for this? To get real world data at scale.


This is a common theory of telemetry but ultimately I don't think it makes sense.

It's a relatively new addition to the landscape and Windows isn't any better or easier to use than the 2000/XP days - at least in ways which telemetry would influence - the genuine improvements are all obvious wins like display compositing, kernel stability, etc.

It also dismisses the point that by including telemetry you've excluded some users, and your automated collection won't be aware of it at all in many cases.

Some won't ever use Windows 10 as a main desktop OS because it attempts to spy on them. They won't recommend it to others or develop for it either.

Other power users will use it, but will opt out. So your telemetry is now completely biased towards non-power-users.

This isn't sour grapes - I wouldn't be using Windows anyway because I'm a free software advocate - I just wonder if they've realised that the incentives line up to effectively ignore some of their "best" users.


> This is a common theory of telemetry but ultimately I don't think it makes sense.

It makes loads of sense, to me. It started with the Customer Experience Improvement Program, WAY back in the Windows 2000 era, if I recall, which you would see an option to enable or disable when you installed a Microsoft SDK. They clearly saw benefit from this information, so they expanded it to include the whole OS.

This collects lots of data for them, which helps them understand the usage of their products better, and a nice side benefit is that they can use the knowledge gained by organizing and inspecting this data in their "big data" offerings on Azure and in other places internally.

The greatest benefit of Microsoft's telemetry to others is that everyone focuses on MICROSOFT's telemetry, argues about MICROSOFT's telemetry, debates MICROSOFT's telemetry, endlessly, while literally 90% of the rest of the software you use (99.9% if you count software you use that isn't on your computer, like servers, routers, web sites, and so on) collects telemetry, also, even when you think you've turned it off. Nearly every game you have installed on your phone collects FAR more about you than Microsoft has ever dared try to collect, and no one knows or gives a damn because "OMFG MICROSOFT I HATE MICROSOFT".

I don't care if they collect usage information from me. I truly don't. The entire Internet is trying to make me feel like I should care about usage data that originates from my computer, but I don't. I don't feel like it's my data if it truly is telemetric data about software usage.

I would use more free software if more of it were good enough to use. Of course, a lot of free software is GREAT, and I use a lot of that stuff, rather than paid alternatives.


>but not "John Doe at 123 Main Street, Hollywood, California".

How can you be so sure? Between IP addresses and what wireless networks are available you can get a decently precise location for the majority of users. And this is assuming you don't just capture the address and name when they type it in.

Okay, so maybe they aren't using it for evil yet. How many times has a large corporation been able to indefinitely resist the pull of an alternative revenue stream where the majority of the cost has already been paid?


> How many times has a large corporation been able to indefinitely resist the pull of an alternative revenue stream where the majority of the cost has already been paid?

Agreed. They are mining and storing a mineral (our data) that they may enrich and sell (or lose via theft) one day in the future. This is the worrying part. This is a direct violation of GDPR which states that if you don't need the private data for an explicit purpose for the user (not your company) then you are not allowed to keep it.


But it’s not your data they are collecting.

They are collecting usage-stats, aggregated data, in a way which deliberately has been decoupled from your identity so they won’t have to face the kind of liability issues you just mentioned.

If anything, MS seems like one of the few big actors in IT which “gets” GDPR, and they are using it to their advantage in the enterprise market.

Of course unwanted telemetry (no matter how anonymized) is going to taint that image somewhat.


If my actions generate the data then it's my data, decoupled from my identity or not. Without my actions there's no data for them, ergo it's my data.

If they'd like to give me some consideration for my data I'd be happy to entertain their offer. (Being granted the right to use the software, in cases where I'm paying for the license, doesn't constitute consideration to me.)


If there is transparency with regards to the algorithm used, name one good reason why anonymized data is verboten.

Not alleging there is such transparency here, just raising the question. It always seems like even anonymous telemetry is considered harmful, and I don't understand why that is from a conceptual standpoint.


It's conceptually difficult for me to understand how anonymised data can be useful in any way.

There's probably, like, a particular way I move the mouse from the bottom left to the top right corner of my screen. A 'mouse cursor gait', if you will.

To be frank though, there doesn't need to be a reason. You're treating this as a Stockholm-syndrome esque situation - I don't need to use Windows, I definitely don't need to justify why I don't like certain aspects of it.


Mine was more a general question, not specifically regarding Windows itself.

Some people do need to use Windows for various reasons. Consider yourself lucky if you don’t.


Your comment (action) just caused my aggregated cell-phone data-usage to increment by 200 bytes.

Do you own that data? Where do you draw the line?


Actually you don't. By that logic your order history on Amazon is your data but it is expressly not.


To expand on that last bit -

The reason they might want to just collect all data without asking is that there's a chance that making it opt-in could cause bigger bias problems in the data you collect. For example, what if "power users" are significantly more or less likely to opt-in? You could end up with a very distorted view of what features are most popular, or are giving people the most trouble.

Not saying that this concern is well-founded (I really don't know), or that this choice makes sense from a business perspective (I'm skeptical). Definitely not saying that this is the ethical choice to make (it isn't). Just trying to shed light on a possible thought process.


It's also worth mentioning that Microsoft is, to the best of my knowledge, relatively scrupulous about keeping their telemetry data anonymous. Meaning that they're still being way less sketchy about this stuff than your average e-tailer, or mass market retailers like Wal-Mart and Target.


Except they are taking things like file names, e-mail headers, recipients, and even in some cases they are taking documents. The recent recommendation from them was as follows:

From - https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/

"...[Microsoft] also recommends simply not using the web-only version of Office 365, or SharePoint Online. And it recommends periodically deleting the Active Directory accounts of VIP users and creating new accounts for them so that the diagnostic data associated with those accounts is eventually deleted."

Seriously, we should be deleting and recreating accounts in our own fucking domain to keep the data anonymous? Why is that on us?

They have your AD account info, and diagnostic data directly tied to it. There's no anonymization going on here at all. They're gathering it recklessly.

Also from that link:

"Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on US servers."


Do you have a cite for how well they anonymize? Is it as strong a position as Apple (e.g. differential privacy)?


The problem is that a lot of their telemetry and data comes from the Windows Insider program. These are the users who get the releases early to test. I don't know an average person who would want to test new features early, and deal with buggy releases and more frequent updates. And I don't know any power users who would even try to use an insider build for daily production use, since it's going to interfere with day to day work. If I had to guess, the insider builds are put mostly on people's secondary computers, where they will log in and fiddle around, then go back to doing what they really need to on a stable build. Seems like their data is biased from the beginning to me.


Power users are already the only ones opting out. Maybe that's why it has become what it is.


Good point, I spent a few hours tweaking win10 exactly to my taste and telemetry was one of the first things to go.


How much time have you spent making sure what you set hasn't been overridden after an update? Once I realized it was going to be a life-long battle, I swore off all MS products for personal computing.


I don't mind the telemetry, I object to advertisements for Windows Store apps on the lock screen.

That is clearly about money.


> but I don't think this is about money.

> to improve the features that the majority of people would find benefit in.

> This is likely all for product improvement and not for $$$.

Read those sentences again. They are doing it so they can make $$$, whether that means nefariously using your data for advertising/tracking OR improving the product, it 100% translates into making money for them. Improving the product means they continue to sell the product you continually pay for.

I think you're missing the overall point - any for-profit entity that tells you it won't infringe your rights, will eventually infringe on your rights. Especially one that takes $110B/yr in revenue. I'd be happy to share countless stories of for-profit entities, especially in tech, that do this.


I think there's a big difference between these two things:

> 1: Using customer data to improve your product, to make them happier paying for it, which makes $$$

> 2: Using customer data to sell to someone else or to sell the user's attention, which makes $$$

The extra level of indirection through a product that you deliver to the user that provides value to them makes a huge difference between these two ethically.

That said, I will admit that a company can move from 1 to 2 completely seamlessly, without the knowledge of the user. A bean counter, unscrupulous wallstreet exec, or changing priorities may take something that was intended to only ever be 1 and turn it into 2. This risk may be too high for you and that's your call to judge, but I find it hard to fault a company just for trying to improve their product.

I do wish more companies took Apple's "differential privacy" approach which allows the data collection technology itself to draw a hard line between 1 and 2 that can't be crossed invisibly.


> but I find it hard to fault a company just for trying to improve their product

Nor do I. So the argument thusly is -> why make the opt-in/out so difficult to manage (e.g. dark patterns)?


> You can find data points such as what % of users discover/use X feature, how many pin applications to the taskbar, use X app with Y app, have night mode enabled, etc.

> This allows you to expend resources where they are actually needed, to improve the features that the majority of people would find benefit in.

Let me give you a different idea. Instead of allowing you to expend resources where they are actually needed, it allows you to (often incorrectly) guess what users are trying to do.

Product improvement? You're not improving the product at all if you're not directly engaging the user.


This kind of argument is what companies always say is the reason for telemetry, yet somehow it finds its way into being sold and abused for spam with distressing frequency. At this point it behooves us to not take information that has repeatedly been proven to be false at face value.


Windows XP did not have this kind of telemetry, yet everyone loved it and things were improved with service packs. I don't agree with this spying.

It's the same excuse always. Nowadays everyone suddenly needs tracking for everything, from softwares to TVs and cars.


Everybody did not love it, it looked like a toy compared to the ‘rock solid’ Windows 2000. Only when Windows 7 came out everybody suddenly loved Windows XP.


Windows 7? I thought Windows Vista was the highly successful recruiting tool for the Windows XP Fan Club.


You are right, I must have blocked that subconsciously.


Keep in mind that your IP address is part of your PD under the definition of GDPR.


[flagged]


This is not simply my interpretation. Here is the GDPR definition itself: https://gdpr-info.eu/art-4-gdpr/

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


And where do you see IP address in that big list of things to consider?

And how does the IP address (unless coupled with other data) identify you personally (as opposed to your PC or company network)? Hint: it doesn’t.

Also: if the IP you send to everyone on the internet is “your” personal, private data, who owns that data when your DHCP lease expires and someone else gets it? See how that doesn’t work? At all? Good good.

Yeah that IP address, unless coupled with other data, says nothing about you personally. I thought this much would be blatantly obvious to anyone even remotely competent on a techie site like HN.

In short: it doesn’t work that way which you hysterical anti-GDPR fanatics are mindlessly repeating.

If so, we’d have to shut down the entire internet and ban all server logs.


>I think it would benefit large companies like Microsoft to realise that this sort of behaviour has knock-on effects. Every MS product is tainted by this because it ultimately has effects on trust.

Those kinds of effects are hard to measure and quantify even if they are critically important to the long term success of a company, whereas the revenue from whatever they're doing with this data is directly reflected in their quarterly earnings report.


I run Pi-Hole DNS and Windows 10 is extremely noisy. I'd say half of my top 'blocked domains' are Microsoft owned, and there's only one part-time Windows machine on my network.


I guess it depends on what's on your network. Here's my top blocked devices (https://i.imgur.com/TQxvnmi.png)

Roku devices are far and away the noisiest devices on my network.

Android seems pretty awful too, the higher the version number the more noisy it gets.

All of my Windows machines are running with the lowest level of telemetry that Microsoft permits you to set, I don't use any of those reg hacks hosted on github. Interestingly a Windows 7 laptop is much noisier than a Windows 10 laptop. Surprisingly Windows Server 2012r2 makes the shit list too. What's strange though is an always on Windows 10 desktop isn't even on the list.

Interestingly Amazon Echo and Google Nest DNS traffic is rarely blocked despite them being the top clients (behind Roku) by a fair margin.


I mean, yeah, everything is kind of crappy.

The DNS logs for my home network are full of proprietary stuff.

All of my actual work systems do queries when I use them and that's it. Extremely rarely there'll be a hit out to NTP.

It's quite amusing, because by percentage, the systems I use 8 hours a day are barely even represented in the logs (contrast with my Android phone attempting to hit Google DNS and being prevented by the firewall, over and over, _forever_.)


I used to have an S8 with a firewall. Every 2 minutes it blocked a connection attempt to Google 24/7...


>Anyone from MS willing to chime in?...

If MS is making money from this, the last thing anyone involved in it will do is tell you how much.


The entire tech sector is being funded with advertising money. Monetization of personal data is the elephant in the room that nobody in the industry wants to talk about ever.


And since there seems to be a GDPR violation in here, the only thing a Microsoft employee would be authorised to do is refer you to the official press release.


The Enterprise version was full of adverts. After running through latest updates, I had to uninstall store apps again. I'm getting a new PC in a week, I fully expect to spend time tracking down a PowerShell script to uninstall a bunch of crap (thinking about it: that script was for Visual Studio to uninstall crap add-ons).



https://github.com/madbomb122/BlackViperScript

I was made aware of this from blackviper.com, a great place for Windows service configuration information and recommendations.


Maybe they want to be more like Google, ad-driven - when you compare revenues and overall state of the companies, I can understand why some top managers decided for this. Also testing how much users will allow, which is a threshold constantly moving towards more apathy.

It's dumb, dangerous to users and I hope they will get a massive slap on the wrists. But Win10 is out for a long time and nothing is happening.


This. If they’re convinced that it’s a good path for home users, it needs to be an automatic off for Enterprise editions not an ever changing list of Group Policy and MDM rules.


Wouldn't they be saving tons by not having to hire QA or do user experience testing? They can just push stuff into the wild and see how users tolerate it.


Not commenting on the article itself, but the chosen title which is clickbait to me.

The assessment is about Office ProPlus (actually called Office 365 ProPlus - I don't know why it's called "Office ProPlus Enterprise" in the article/assessment which doesn't exist as a product). The assessment also complains about Office collecting data so I wouldn't say it is fair to say that "Microsoft’s enterprise products covertly gather personal data on users" (which really includes a lot more products than just Office). The blog post's title is actually "Impact assessment shows privacy risks Microsoft Office ProPlus Enterprise" which is more specific than "enterprise products".


I don't see "Office ProPlus Enterprise" in the article.

>I wouldn't say it is fair to say that "Microsoft’s enterprise products

It also includes SharePoint and OneDrive which are used in enterprises in the article.


Maybe governments should start looking at open source alternatives rather than being more and more vendor locked by US companies. It would take time to switch and won't be that easy but it's certainly doable, as the French Gendarmerie showed when they switched everything to Linux.


Maybe the open source alternatives are often not usable for any one of a million reasons that are easily dismissed by free software advocates.


Microsoft does a ton of lobbying to prevent that.


This displeased me recently with Office on the Mac. To even set the level of data to "basic", I had to fiddle with plists, and it's not even possible to switch it off completely. Luckily just finishing our migration to LibreOffice and ODF.


Get ready for a world of pain if you interact with anyone using MS Office. "LibreOffice" (FFFUCK I hate that name) will gleefully just strip anything it doesn't understand in the documents it opens. It doesn't just ignore formulae that an MS Office user carefully wrote, it straight up deletes that stuff. Without notice.

OpenOffice is cancer to MS Office users.


MS Office supports the open document format these days. LibreOffice does its best on the monstrosity that is docx if you ask it to, but you're better off using open formats.


Advice to corporate users (quote from the article)

> Periodically delete the Active Directory account of some VIP users, and create new accounts for them, to ensure that Microsoft deletes the historical diagnostic data

The fact that this is necessary is beyond retarded. Imagine you're a big corporate, paying money for a software product, and you have to jump through silly hoops to protect your privacy. I'd have a good laugh watching MS account execs explain this to me...


Among the recommendations is to not use SharePoint, and to not use OneDrive? Wow, those are kind of important products for many enterprises. I see the recommendations around these two as quite damning.


The title is misleading. The report is about Office 365 and for the Dutch Government. Since they are a government they probably have stronger legal requirements than your standard small business owner around the corner. So they probably can't use the SaaS SharePoint offering by Microsoft to store their data.

I have worked for companies and with government contracts in the past and you had to use special hardware provided by the government to work on those projects. So it doesn't surprise me at all that they themselves can't use SaaS offerings.


Perhaps but I think that point misses the underlying issue at hand -- with proprietary software users don't get any real control over the software. Even the corporate-friendly computer press reported plenty of stories about Microsoft's software which bear this out:

Microsoft repeatedly switches a flag which urges Windows users to "upgrade" to Windows 10 when users had said no. http://www.computerworld.com/article/3012278/microsoft-windo...

Microsoft forces some Windows systems to switch to Windows 10 by silently downloading Windows 10 https://www.theguardian.com/technology/2015/sep/11/microsoft...

This forced "upgrade" had adverse effects on some users with poor connectivity. https://www.theregister.co.uk/2016/06/03/windows_10_upgrade_...

Once the switch to Windows 10 was accepted there was no way out https://www.theregister.co.uk/2016/06/01/windows_10_nagware_...

Windows 10 is quite nasty for many reasons all of which boil down to being nonfree, proprietary software. For example, it by default sent core dumps to Microsoft or whatever organization Microsoft chooses. http://betanews.com/2016/11/24/microsoft-shares-windows-10-t...

Windows 10 ignores users' so-called "security" settings putting a fine point on how insecure they are. https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-b... and https://archive.fo/2ey80

https://www.gnu.org/proprietary/malware-microsoft.html is filled with more references to still more stories of how Windows runs against user's security interests and control over their own computer.

So when the Privacy Company "recommends admins of the enterprise version of Office ProPlus in the Netherlands (although many of them should also be applicable to other countries) [...] Apply the new zero-exhaust settings" there is no reason to believe that one gains privacy from Microsoft in so doing. Ultimately one's control over proprietary software only goes so far as the proprietor will allow. This remains true notwithstanding user's requirements or willingness to investigate and implement whatever the computer owner wants changed.

Microsoft is merely illustrating the inherent and unjust control over one's computer proprietary software has. It is this power that is at the heart of what's so wrong with these recommendations, nothing to do with a relatively minor quibble over whether one set of users has different requirements for privacy or security than other users.



Seriously, could Microsoft work any harder to drive me away?

People are going to look at their bottom line and decide this money-grabbing maximal-ism just makes them greedy, unconscionable bastards.

Of course, that's never stopped their juggernaut, before.

For my part, watching this behavior, I'm all the more convinced that de facto UEFI control and the like need to be ripped away from them. They will exploit anything. The problem is, who can and will serve as a neutral steward -- of implementations and not just theory and maybe design?


As someone who installed a bunch of Ubiquiti equipment at a large church, I can see that once we have 1000 phones in the building, there's a non-trivial baseline of network activity that I attribute to Facebook, et al., phoning home. In my company of 46K employees, it can't be a non-zero cost to have this telemetry activity leaching on our WAN connections, many of which are struggling to keep up with demand already.


Is it possible to firewall Microsoft products using only the things that the average person has access to? (A telecom-supplied router and a Windows computer.)


I don't believe it's possible to firewall Microsoft products in the general case of a power user that has access to an edge router.

You'd have to do something insane like IP whitelisting only for services you care about, hope that none of them use MS services like Azure, disable Windows Update entirely, etc.

It might be possible in the abstract sense of "right now nothing is getting out" but they have root on your box, it's closed source proprietary software, and you've basically broken the OS with this firewalling anyway.

You need to be able to trust them.


You can firewall Windows services. There is an inbuilt firewall and there may be default rules but you can customize it the way you want. It would be a pretty big security flaw if they let their services bypass the firewall. They may be profit oriented but not stupid.


As discussed in the other thread, Windows firewall is garbage for this particular type of problem:

1/ it's not novice friendly (your best suggestion thus far required users to input dozens of lines of code into cmd.exe)

2/ its defaults still allow Windows telemetry to get through (which was the exact thing the GP was trying to protect against)

3/ it's a pain in the arse to keep updated compared to any of the other suggestions made in this thread.

If the only option was Windows firewall or nothing, then I'd suggest people go with a PiHole since it takes an equal amount of technical know how to get the initial set up done. But at least once PiHole is set up, it's self managing (unlike Windows firewall) and will have much saner defaults too.

Thankfully though, there are other software firewalls for Windows that address the limitations I've described above. I've named one, another poster has listed a few others. If the option is software firewall or nothing, then I'd strongly recommend that user go with a third party one instead of relying solely on Windows firewall.


To use Windows Firewall, you would have to know what to black- or whitelist. Even most power users do not know that, and it could change with every update anyway.

Therefore, Glasswire/Little Snitch-type firewalls are being used, where you get an alert during connect() time, and you can create the rule on the spot. Windows Firewall cannot do that, and neither can UIs built on top of it, like TinyWall.


Windows update has, in the past, bypassed the user's firewall rules to download updates.


This.

The fact that you're running Windows means you are potentially already compromised.


A software firewall might work. It's been years since I last ran Windows but there were decent 3rd party solutions like Zone Alarm where you could white list specific applications and the specific sites they tried to connect to.


A software firewall needs to fully trust the underlying system to be effective. What if, for example, Windows telemetry had a way to circumvent their own official network stack so that the firewall doesn't even see those packets? Pure speculation of course, but they have the sources so they could do that.


Yeah that thought had crossed my mind too. I'd be very very surprised if that were the case - in fact it could arguably get Microsoft in trouble since they're then circumventing security controls - however you're definitely right that they have the ability to do so if they chose to.


You don't need any third-party tools for that. Since Windows Vista and Windows XP SP3 the inbuilt Windows Firewall can take care of all that.

Just create a rule that denies internet access for the telemetry service. It can be configured by GUI and script.
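
The rule described in the comment above, as an added example that is not part of any poster's comment: a PowerShell script that creates an outbound block rule for one service and, on later runs, checks whether the rule is still in place. The service name `DiagTrack` and the rule name are assumptions; the thread names neither.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumption: the "telemetry service" is
# DiagTrack (Connected User Experiences and Telemetry); the comment names none.

$ServiceName = 'DiagTrack'
$RuleId      = 'Example-Block-Outbound-DiagTrack'    # hypothetical rule name
$RuleLabel   = 'Block outbound: DiagTrack (example)' # hypothetical display name

function Test-BlockRule {
    # $true only if the rule exists, is enabled, blocks outbound traffic,
    # and is still scoped to the intended service.
    $rule = Get-NetFirewallRule -Name $RuleId -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    $filter = $rule | Get-NetFirewallServiceFilter
    return ($rule.Enabled   -eq 'True'     -and
            $rule.Action    -eq 'Block'    -and
            $rule.Direction -eq 'Outbound' -and
            $filter.Service -eq $ServiceName)
}

# Refuse to create a rule for a service that does not exist on this machine.
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    throw "Service '$ServiceName' is not present on this machine."
}

if (Test-BlockRule) {
    Write-Output "Rule '$RuleId' is present and intact."
} else {
    # Missing or altered (for example after an update): recreate it.
    Remove-NetFirewallRule -Name $RuleId -ErrorAction SilentlyContinue
    New-NetFirewallRule -Name $RuleId -DisplayName $RuleLabel `
        -Direction Outbound -Action Block -Service $ServiceName `
        -Profile Any | Out-Null
    Write-Output "Rule '$RuleId' was missing or changed and has been recreated."
}

# A block rule only matters if the firewall is enabled for the active profile.
# DefaultOutboundAction shows what happens to traffic that no rule matches.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
```

The rule covers only the one named service; traffic from other components is untouched, which is why the script also prints the default outbound action for each profile.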


The point of Zone Alarm and its ilk is that you can have deny all rules and you'd get a desktop notification when an application attempts to make an outbound connection - which you can then approve or deny. As far as I know Windows firewall doesn't do this. Thus with Windows firewall you'd need to know all of the services you want to block up front - which is definitely not that easy for experts let alone the novices the GP was discussing.


The way you describe it would not be feasible for a novice either. Almost every piece of software you use today needs internet access. That's why Microsoft delivers Windows with sane Firewall rules and just asks if you're in a trusted network and adjusts the firewall rules based on that. Also most software developers configure firewall rules during setup. If an unknown executable will try to access the internet there is a pop-up like you described that asks you if you want to allow access.

Anyways the OP was asking if there are any tools available to the basic user to deny internet access for these telemetry services and there is the inbuilt Windows Firewall. I even found a script [0] that does what the OP is looking for. I'm not sure if it's up to date though. All the information needed to update the script is published in the public documentation provided by Microsoft though. Thanks to GDPR you have extensive documentation on all things telemetry related to Windows 10 and Microsoft Office. For most users setting their telemetry settings to basic should suffice.

[0] https://winaero.com/blog/stop-windows-10-spying-on-you-using...


> The way you describe it would not be feasible for a novice either. Almost every piece of software you use today needs internet access. That's why Microsoft delivers Windows with sane Firewall rules and just asks if you're in a trusted network and adjusts the firewall rules based on that. Also most software developers configure firewall rules during setup. If an unknown executable will try to access the internet there is a pop-up like you described that asks you if you want to allow access.

You're assuming that Zone Alarm et al wouldn't also contain sane defaults ;)

> Anyways the OP was asking if there are any tools available to the basic user to deny internet access for these [telemetry] services

To which I offered one possible solution

> and there is the inbuilt Windows Firewall.

Windows firewall is not novice friendly though. This is why -and at risk of repeating myself- I suggested a 3rd party solution that was designed specifically for home users who might not be technical rather than suggesting Windows firewall.

Contrary to what you seem to assume, I was aware of the existence of Windows firewall before your post however I wanted to suggest something that I felt might be more accessible for non-techies.

> I even found a script [0] that does what the OP is looking for. I'm not sure if it's up to date though. All the information needed to update the script is published in the public documentation provided by Microsoft though. Thanks to GDPR you have extensive documentation on all things [telemetry] related to Windows 10 and Microsoft Office. For most users setting their telemetry settings to basic should suffice.

At least now you're finally starting to contribute something to the question rather than dismantling anyone else who was trying to help :) However your "novice friendly" suggestion requires manual steps to be kept updated - which have to be manually researched - and is installed via dozens of lines of code into cmd.exe. I think you and I have very different ideas about just how capable the average novice is. While I do actually prefer your solution from a technology ideology, it's definitely more of a power-user solution than something I'd expect novices to do. However at least the GP now has two solutions he can choose from.


First: I'm sorry if I came off as aggressive. That wasn't my intention.

> You're assuming that Zone Alarm et al wouldn't also contain sane defaults ;)

I worked with third party firewalls and that is the case. They also are most of the time really similar to the Windows default.

My point is the Windows Firewall is a really good product. It's easy to understand for a normal user since it basically asks if you trust the network when you join it. This means no technical knowledge is needed for a sane configuration. Most normal users I know are overwhelmed by the Pop-Up they get when the Windows Firewall asks them if they want to allow Internet access for an unknown application.

The problem is there is no good solution to avoid the collection of telemetry data for the basic Windows user. But this is not a problem with Windows, this is a problem with most software in the year 2018. Since telemetry is everywhere and it's used more and more. If a basic Windows User is really privacy conscious they should just configure the settings at the first login (I think they are easy enough to understand and you can disable most of the data collection there) or get a professional to help them set up their system.

Edit: The following link provides information about the data collected by Windows: https://docs.microsoft.com/en-us/windows/privacy/


> My point is the Windows Firewall is a really good product. It's easy to understand for a normal user since it basically asks if you trust the network when you join it. This means no technical knowledge is needed for a sane configuration.

The issue is Microsoft still send telemetry data even with those default configurations. After all, if it didn't, we wouldn't be needing this discussion in the first place because telemetry wouldn't then be a thing on Windows. Thus your suggestion here doesn't address the question the GP has asked for.

> Most normal users I know are overwhelmed by the Pop-Up they get when the Windows Firewall asks them if they want to allow Internet access for an unknown application.

That is probably quite true. There is no perfect solution. But asking a normal user to input stuff in the command line and then manually keep those lists up to date is definitely NOT easier than clicking a pop up. So your point about the difficulty of pop ups here is moot considering you've failed to provide a better alternative that does protect the user against Windows telemetry.

> The problem is there is no good solution to avoid the collection of telemetry data for the basic Windows user. But this is not a problem with Windows, this is a problem with most software in the year 2018.

I'd say it's totally a problem with Windows considering Microsoft haven't just ignored the problem but instead actively contributed to it. Thus now we don't just need to monitor 3rd party application to ensure they behave; we need to monitor what the OS itself is doing (and thus we cannot trust Microsoft's own default firewall rules any longer). So yes, you have a partial point that no good solution exists for novices but I think Windows does deserve a large part of the blame now given it's complicit in the problem.


I just use "Windows Firewall Control" as a front end for the built in windows firewall and have it set up to default deny all.


There are many regulations that affect data, like HIPAA and ITAR.

How can Windows be used in such an environment if the data collection can’t be stopped?


If the data collection is “anom-user-123456789 launched the built in email-client 20 times and sent 30 mails”, I suspect that’s not exactly HIPAA or ITAR-regulated data.


There was another case recently with Indian enterprise customers which had me worrying. https://www.theinquirer.net/inquirer/news/3065535/microsoft-...

At my work we are considering moving to the cloud with exchange and other services. I will make sure these articles will certainly be a topic at the next meeting.


The article didn't necessarily clarify what type of data was being reported back, which I think is key. It mentions diagnostic data (I'm assuming crash logs and such), but it says "personal data" without specifying.

I think that would be a very helpful bit to surface before a solid judgement call can be made. Anyone with more info?


> Microsoft collects and stores personal data about the behavior of individual users

I feel like this sentence is phrased maliciously. The adjective "personal" is applied to the more generic term data, rather than the more specific term behavior.

By placing the adjective on data, it encourages the reader to imagine the worst possible scenario. By simply moving the adjective you can more accurately describe what Microsoft is doing and avoid allowing the reader's imagination to run wild.

> Microsoft collects and stores data about the personal behavior of individual users

You could also remove the adjective entirely because the term individual has the same implication. This makes it sound even more innocuous.

> Microsoft collects and stores data about the behavior of individual users


Personally, I don't find any of your revised phrases to be less disconcerting at a gut level. "Personal data", "personal behavior", etc is all the same to me.


Personal data could be anything like your SSN, CC# or other secrets.

Personal behavior is a more specific classification like "user scratches his butt every morning" or "user picks nose".

In the context of Office Applications it's going to be even more specific things like "user always tries to click on URLs in emails before CTRL+clicking them."


Maybe Microsoft will be the first company that has to pay 4% of their global revenue to the EU under GDPR. Microsoft will have a hard time arguing against a government report


If the data is completely anonymous it’s not really breaking the GDPR. If it’s not voluntary they are in a range of other problems though.


> If the data is completely anonymous it’s not really breaking the GDPR. If it’s not voluntary they are in a range of other problems though.

The telemetry can't be completely anonymous. It's attached to an IP address and the EU considers that PII: https://www.enterprisetimes.co.uk/2016/10/20/ecj-rules-ip-ad....


I believe it is a common practice to remove the last part of the IP to make it sufficiently anonymous.

Disclaimer: I used to work for Microsoft, and this is what we did.


Zeroing out the least-interesting octet of an IPv4 address is only a placebo that doesn't provide any useful anonymity. The other data being collected at the same time almost certainly has enough identifying entropy to correlate a partial IPv4 address with other personally identifying records, probably trivially.

For a longer explanation, see my post about the &aip=1 feature in Google Analytics that does the same thing to the end of the IP.

https://news.ycombinator.com/item?id=17170468
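Added example, not part of any comment in this thread: a way to measure the point debated above, that a /24-truncated IPv4 address can look anonymous on its own and still single out records once it is stored next to other fields. The records and the field names (`ip24`, `build`, `locale`, `screen`) are constructed for illustration and are not taken from any Microsoft telemetry schema.

```python
import ipaddress
from collections import Counter


def truncate_ipv4(addr: str) -> str:
    """Zero the last octet, i.e. keep only the /24 network address."""
    net = ipaddress.ip_network(f"{addr}/24", strict=False)
    return str(net.network_address)


def anonymity_sets(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def unique_fraction(records, fields):
    """Fraction of records whose field combination occurs exactly once (k = 1)."""
    sets = anonymity_sets(records, fields)
    singles = sum(1 for r in records if sets[tuple(r[f] for f in fields)] == 1)
    return singles / len(records)


def meets_k(records, fields, k):
    """True if every combination of `fields` is shared by at least k records."""
    return min(anonymity_sets(records, fields).values()) >= k


def build_sample():
    """Constructed data: 8 hosts in each of three documentation /24 ranges."""
    builds = ["17134.407", "17763.134"]
    locales = ["en-US", "de-DE", "nl-NL"]
    screens = ["1920x1080", "1366x768"]
    records = []
    for prefix in ["192.0.2", "198.51.100", "203.0.113"]:
        for host in range(1, 9):
            records.append({
                # Only the truncated address is kept, as the comment describes.
                "ip24": truncate_ipv4(f"{prefix}.{host}"),
                "build": builds[host % 2],
                "locale": locales[host % 3],
                "screen": screens[(host // 4) % 2],
            })
    return records


SAMPLE = build_sample()
DEVICE = ["build", "locale", "screen"]

if __name__ == "__main__":
    for label, fields in [("truncated IP only", ["ip24"]),
                          ("device fields only", DEVICE),
                          ("truncated IP + device fields", ["ip24"] + DEVICE)]:
        sets = anonymity_sets(SAMPLE, fields)
        print(f"{label:30s} smallest set k={min(sets.values())}  "
              f"unique={unique_fraction(SAMPLE, fields):.0%}")
```

A check like `meets_k` belongs on the full set of stored columns before export, not on the address column alone.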


This is fair, I can only say that we (in my team at least) have gone great lengths to anonymize data as much as possible. No internal user IDs, no user entered text, it got to a point that we were becoming ineffective in diagnostics of outages...


If they don't store the IP address it might be OK.


Unless there is no opt out.. Unless the data is for core functionality, a lawful purpose you have to have consent. I would consult a lawyer on this if you have any doubts. I suspect Microsoft have done already though.


It's too bad Microsoft, Google, Apple, Amazon and Facebook won't ever stand firm together and tell the EU regulators to get bent and go home.


It's good, though, that the European countries stood together and told Microsoft, Google, Apple, Amazon and Facebook to get bent and go home!

As an EU citizen, my response to "we're sorry not sorry but due to recent EU laws, we can't continue to offer you this service" is: get bent, go home. I hope we, as the software development community can finally understand and appreciate that the insane proliferation of personal data modern tech has become dependent upon is a Bad Thing.


The problem though is also the complexity. If I want to actually make my product better by knowing if my product crashes in the wild, then it is far more complex to do now in the EU. And in particular the potential risk is huge. For many companies who aren't at the scale of a Google or Microsoft, the best solution is to simply not be available in EU -- at least until you reach such a scale that growth into the EU is required.


> If I want to actually make my product better by knowing if my product crashes in the wild

There are many ways to achieve that goal. I am not buying the argument that automatic data collection about everything you do is there to "improve our software".


I know, right? Someone has to stand up for the right of these corporations to collect and sell everyone's personal data to the highest bidder.


There's, I'm guessing, somewhere between 5 and 600 million consumers, er, I mean, people- in Europe.

I think that's a large part of the reason they don't stand up to the EU.


I hope not for the EU's sake :)

That really isn't that huge anymore, and it's definitely not growing that fast.

I don't think you want to make a consumer argument because consumers buy expensive stuff everywhere.

There are also larger and more growing consumer markets.

The better argument would IMHO probably be "They need to sell business products and to businesses there, and the EU businesses are spending more than elsewhere".

IE it's a concentration of business wealth.

That is also likely to change over time.


Interesting that you think mere tech companies are more powerful than a government union.


I don't think that we are that far away from that being a reality. Particularly one as shaky and with teeth as small as the EU possesses.

The kind of cash that Silicon Valley corps can throw around could be a serious shot in the arm for Eurosceptic political parties hoping to weaken or separate from the union.


The EU has more power than individual European countries at least. This is basically the most important reason we still need the EU.


Well, in practice, the tech companies don't actually need the EU. It depends on the area/tech company of course.

But, for example, the number of consumers they represent is only about half a billion.

That isn't that many.

For example, Latin America has 20% more consumers.

Most could totally afford to ignore the EU if they wanted to and still have a perfectly good business.

(This assumes their goal is not all out growth but instead are happy with sustained profit at some point)


There’s precedent; Microsoft outlived the US government in the antitrust case.


any word on VSCode? should I be worried and switch back to Atom


You're looking for this repo: https://github.com/VSCodium/vscodium

These people make a VSCode build without M$ telemetry/tracking enabled.


looks great, I'll switch. I just disabled the telemetry in VSCode, but don't really trust Microsoft to do the right thing.


Then why are you using Microsoft software?

"I don't trust my daughter to spend my money wisely. Here, daughter, have some money."



woah, glad I asked. thanks for the links.

I've updated my settings


Serious question: Why do you care Microsoft (or any company for that matter) collects your code editor telemetry?

Addendum: Check our Google Analytics, Hotjar, and Facebook ad targeting if you _really_ want to see “violation of privacy”. In reality, companies want to know how users use their products to make them better.


I prefer to view it from the other side: Why should anyone collect any telemetry from anything that I use without me explicitly opting in?

When I run into a problem, I will opt in as necessary (usually through the process of providing a stack trace / core dump / diagnostics data as requested). Outside of that, my usage habits are my business and my business alone.

Nobody needs to know how, when, or why I'm using anything without my explicit permission.

Vim/Emacs don't collect telemetry on what I'm doing, both are still great (both included to avoid the holy war).

EDIT: Or rather, why should I have to justify my desire for privacy? Why do I have to setup a series of DMZs, proxies, firewalls, or total disconnection, in order to retain that?


If you bought a physical tool that I manufactured. You need the tool to do your work and switching to something else would be expensive in both time and money due to interoperability problems and lost time.

Do you care if I stand behind you taking notes about how you use the tool in your work? I promise I won't write down your name in my notes. I just want to know how you use my tool in your work. For research purposes. It's not a "violation of privacy"; I wouldn't take notes on what you're working on - I just want to know exactly how you use my tool in your work. I'll even be careful to not get in your way ("most" of the time). I just want to know how you use my tool so I can make it better.

If I did this to you without explicit prior-authorization from you (such as a contract describing what I'm authorized to do), would you allow it? Would you order me to get off your property? Would you call the police to have me arrested for trespassing and possibly corporate espionage?

Making tools out of software instead of steel doesn't grant permission to using someone's property without their explicit permission. Also, unauthorized use of private property is still unauthorized even if your goals are useful. Other companies doing the same bad behavior doesn't justify that behavior; trespassing is still trespassing even when a lot of people are doing it.


They are completely intransparent about what they collect and legal systems around the world also fail catastrophically at regulating this in any way.

What if they send the data contained in the text files that I open with that text editor? There's partially passwords and such in the files that I edit.

If I knew exactly that all they send is the average size of the files I edit or similar data, I would actually have no problem at all. But Microsoft has proven a lot of times already that what they consider perfectly acceptable telemetry is not in the slightest the same as what I consider acceptable. So, even with something as innocuous as text editor telemetry, I can't trust them to not fuck up and for some reason collect data that I consider sensitive anyways.


There was a movie on this very topic about 17 years ago.

Right down to a thinly veiled character for Microsoft & Bill Gates.

Miguel de Icaza even has a cameo.

See "Antitrust" https://www.imdb.com/title/tt0218817/


> Why do you care Microsoft collects your code editor telemetry?

How about, "Because it's none of their fucking business."

Microsoft has clearly gone all-in on the SV surveillance-capitalism model of doing business, and this is exactly what motivated their acquisition of GitHub imho.


[flagged]


Please stop abusing the community by combining rude, unsubstantive comments with a pro-Microsoft agenda.

https://news.ycombinator.com/newsguidelines.html


I looked through the referenced document, didn't find anything about Microsoft.

Are you sure that pro-Microsoft agenda is against the community guidelines?


Such agendas are against the community guidelines because they're against community.


Of course, they do. Microsoft never fails to jump on other companies' bandwagons, and in this case they are imitating Google and Facebook.


I definitely think this should be opt-in but I also think that it's silly to focus on just this scenario. I'd bet dollars to doughnuts that Google Docs and every other web based business tool use similar telemetry data to guide their UX and product investments as well as to preemptively address bugs.


Don't ALL web/internet based products have to collect some base level telemetry to simply function?


> Don't ALL web/internet based products have to collect some base level telemetry to simply function?

No. Not at all. There’s no technical reason which drives such a demand. A big, fat no.

But it can help making the company hosting the site money. By selling your data to others. And that’s another question entirely.


What’s new is having to think of your operating system as a “web/internet based product.”


This should be switched to the original source: https://www.privacycompany.eu/en/impact-assessment-shows-pri...


Instead of useless things like GDPR we need laws that prohibit forced telemetry in software. Instead of just a 20mil+ fine, we need a fine plus jail time for the people involved. This is malicious software. This is a person spying on you, stalking, industrial espionage, etc all in one. But of course, making a very simple and clear law would actually make life difficult for big business. They would be forced to stop bad practices for real. Also governments love the idea of having access to that sweet, juicy, "encrypted" data if needed.


I'm not sure that a blanket ban on automatic opt-in to telemetry is the right call. Most consumers don't have the requisite knowledge to make an informed decision when to opt-in.

I would like to see laws requiring transparency in telemetry, though. Require all telemetry to be in plain text, and auditable by 3rd-party software (say, by antivirus/privacy software).


AFAIK SQM dates back to Office 2003.



