As operating systems come to rely more and more on cloud-connected services, everything from a digital personal assistant to file sharing, there comes a sometimes mutually exclusive tradeoff between complete privacy and added functionality. When systems are properly managed, making this tradeoff should be a normal and practical decision for the end user. However, when it starts to look like users are being deprived of the choice between absolute privacy and added functionality, things begin to alarm privacy advocates.
As WinBeta reported earlier this week in our how-to section, the privacy features of Windows 10 have been getting a lot of attention and some skeptical responses. In moving to a Software as a Service model, Windows 10 is more connected to Microsoft, with more frequent updates and more interconnected cloud service features. This has created a worrying sense for some that Windows 10 is almost always on and always communicating with Microsoft. But to its credit, Windows 10 does provide an extensive privacy settings panel that allows you to toggle off everything from your advertising ID, to your location, to what information individual apps are and aren’t allowed to access, and much more.
However, Ars Technica investigated this further and discovered that even when the privacy settings are enabled, “these controls don’t appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft’s servers.”
Ars Technica notes that some of the traffic is obviously harmless, such as Windows 10 simply trying to establish if there is an internet connection. And some of this traffic contains no machine IDs or other data specific to your device. There are even further ways to disable this.
But there is some traffic that was reported as looking “harmless but feels like it shouldn’t be happening.” For example, the Start menu will attempt to pull data to update Live Tiles from MSN even if all live tiles have been removed from the Start menu, which presumably removes the need to pull any updating information for Live Tiles. Again, this information contains nothing that identifies the user, though Ars Technica notes that “it’s not clear why they’re occurring at all, given that they have no corresponding tile.”
What Ars Technica discovered that does look “a little more troublesome” is that Windows 10 still periodically sends data to the server used for OneDrive and certain other Microsoft services, even when OneDrive is disabled and the Windows 10 user is signed on through a local account not tied to a Microsoft Account. Ars Technica concluded that the information being sent appears to be referencing telemetry settings, even when telemetry was disabled.
Some information was also found to be “quite impenetrable,” as their tests were conducted on a virtual machine with an HTTP and HTTPS proxy that Windows 10 was able to bypass for certain requests to a content delivery network.
Ars Technica reached out to Microsoft for comment on how to disable this additional communication and why it is being sent. Microsoft responded saying,
“As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer’s chosen privacy settings. This also applies to searching offline for items such as apps, files and settings on the device.”
Ars Technica says that Microsoft’s statement is consistent with what they saw, and that the traffic could be innocuous, but “the inclusion of a machine ID gives it a suspicious appearance.”
As powerful search engines like Bing become our local device’s internal search mechanism, it only makes sense that certain features built into the offline portions of the OS would need to be kept on parity with the online version, especially under a Software as a Service model, and that this could be accomplished in a way that doesn’t compromise privacy but allows Microsoft to deliver appropriate updates and services when possible. Still, privacy and transparency about privacy are going to continue to be hot-button issues, and Microsoft could do more to communicate exactly what’s going on.