Friday, 19 August 2016

Microsoft isn't alone when it comes to Windows 10's sneaky data mining


Another piece of research has emerged which has a pop at Windows 10's poor treatment of user privacy – although, in fairness, Microsoft isn't the only company taking liberties by hoovering up data, as the author points out.

The latest flak fired at Redmond comes from security analytics firm Plixer, the CEO of which – Mike Patterson – did some digging into Windows 10's privacy settings and the user data sent back to Microsoft's servers.

Patterson observed several things: firstly, that by default, Windows 10 sends a hell of a lot of data back to Microsoft if you install the OS with 'express settings' – and let's face it, while clearly those who are even moderately tech-savvy will tweak the setup, there are a lot of folks out there who won't be bothered.

The second point, also made by others previously, is that even if you do tweak said settings, and then dive into Windows 10's menus to turn off every data grabbing feature you can find, the operating system will still be sending some data back to Microsoft.

Patterson made some interesting further observations, noting that: "Even after disabling everything I could find, I noticed that some form of metadata was still being sent to Microsoft every 5 minutes. Microsoft was making a connection to ssw.live.com over an HTTP connection on port 80. The content was encrypted in a way that made it impossible to determine what was being sent.

"This is an interesting choice, as Microsoft could have sent the data over HTTPS via port 443 to prevent eavesdroppers from looking at the data; instead, however, they used an unencrypted HTTP connection over port 80. This extra effort to encrypt indicates that Microsoft not only didn't want non-authorized users of the machine accessing the data – they also didn't want the end-user knowing what was being sent."

In other words, Microsoft isn't just failing to make clear what data is sent back as a baseline; it is also encrypting the payload at the application layer before it leaves the machine, so anyone inspecting their own network traffic sees the connection to ssw.live.com but not what it carries.

Of course, there is a group policy setting called 'Allow Telemetry' (under Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) which can be used to switch off all data collection, but its lowest level, 'Security' (value 0), is only honoured by Windows 10 Enterprise; on the Home and Pro versions the setting is treated as 'Basic', so some data still flows.

Patterson notes, though, that if you're particularly enterprising (pun not intended) you can stop the transmission manually by configuring your firewall to block the servers that Windows 10 hooks up with for telemetry purposes. The practical caveat is that such rules have to be keyed on addresses, and the addresses these host names resolve to change over time, so a block list needs periodic refreshing.

More than Microsoft

Patterson also observed that Microsoft isn't the only company guilty of this sort of practice. He found that Plantronics (the headset maker) sends encrypted data over HTTP port 80 every minute, and that security vendor McAfee sends data back inside DNS lookups, a channel that passes straight through the egress security mechanisms many companies rely on, since outbound DNS is rarely filtered or inspected.
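Both observations above, the connection to ssw.live.com on port 80 every five minutes and the once-a-minute Plantronics traffic, are beaconing patterns a network monitor can pick out even when the payload itself is opaque. The following Python script is an added example, not Plixer's tooling or anything from the article: it groups constructed connection records (timestamp in seconds, destination host, destination port) by destination and flags any destination contacted at a near-constant interval. The hosts headset-vendor.example, news.example and cdn.example, and all the timestamps, are made up for the example.

```python
"""Periodic-beacon detection over outbound connection records.

Added example, not from the article or from Plixer. Flags destinations that
a host contacts at a near-constant interval, the pattern described in the
text (ssw.live.com on TCP/80 every 5 minutes, a headset vendor every minute).
The records below are constructed for the example; real input would come
from firewall logs, NetFlow, or Sysmon network-connection events.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch-relative seconds, destination host, port).
# The Microsoft beacon is given one second of jitter to show the tolerance;
# the headset-vendor.example host stands in for the once-a-minute traffic the
# text describes; news.example and cdn.example are ordinary browsing noise.
SAMPLE_FLOWS = (
    [(t, "ssw.live.com", 80) for t in (0, 300, 601, 900, 1199, 1500, 1800, 2101)]
    + [(t, "headset-vendor.example", 80) for t in range(30, 930, 60)]  # 15 hits, 60 s apart
    + [(t, "news.example", 443) for t in (12, 47, 203, 388, 401, 950, 1700)]
    + [(t, "cdn.example", 443) for t in (5, 9)]
)


def find_beacons(flows, min_hits=5, max_jitter=0.10):
    """Return {(host, port): period_seconds} for destinations contacted at
    least `min_hits` times whose inter-connection gaps vary by no more than
    `max_jitter` (standard deviation divided by mean gap)."""
    by_dest = defaultdict(list)
    for ts, host, port in flows:
        by_dest[(host, port)].append(ts)

    beacons = {}
    for dest, stamps in by_dest.items():
        if len(stamps) < min_hits:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                      # duplicate timestamps, nothing to measure
        if pstdev(gaps) / period <= max_jitter:
            beacons[dest] = round(period)
    return beacons


def report(flows):
    """Human-readable summary, one line per flagged destination."""
    lines = []
    for (host, port), period in sorted(find_beacons(flows).items()):
        plaintext = " (plaintext port, payload still opaque?)" if port == 80 else ""
        lines.append(f"{host}:{port} every {period} s{plaintext}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

The jitter threshold is deliberately loose; telemetry agents that add random delay to their schedule will need it widened, at the cost of more false positives from things like NTP or mail polling. Note that this approach does not see the McAfee channel the text mentions, since data carried inside DNS lookups needs DNS query logs and a different test (query volume and label entropy per domain) rather than connection timing.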

Patterson said: "While we agree that McAfee is a friendly vendor, we would like to know what they are sending, we want to be able to decrypt it using traditionally accepted decryption methods, and we want the ability to turn it off."

More transparency and control is needed, and not just from Microsoft. As Rahul Kashyap, EVP and chief security architect at endpoint security firm Bromium, chipped in: "It's unfortunate that many reputable brands are knowingly engaging in 'sneaky data mining' without providing upfront details to consumers. Moreover, it is important that users should absolutely be told – how long this data will be stored, the security of the data and what will it be used for. Failing to comply is a breach of consumer trust."

And in terms of the broader picture, let's not even get started on other firms, such as Google and its vast data mining. It's certainly clear enough that the tech industry all round could do with cleaning up its privacy act, but Windows 10 is fully in the firing line right now – with volleys recently fired at the OS by the EFF and French watchdog the CNIL.

http://ift.tt/2bs9IJb
