Windows 10 Privacy Problems


Windows 10-privacyWindows 10 is hot off the presses, the verdict is in, and it’s mostly positive. I’m a big fan of the Windows OS, and love the return of the start menu, but have to wonder what Microsoft was thinking when the privacy options were reviewed. We have plenty of Windows 10 tips to get you started, but this post focuses on privacy.

The evolution of an always on internet has lead to wonderful things such as fully redundant backup of photos and videos. It also means that a lot of our personal information is available on-line. This isn’t a problem for most people, but some are cautious for various reasons. Incorporating the internet of things into our operating systems was only a matter of time. But is that ok? Should you be worried? Did you miss Windows 9?…

So what happened to Windows 9? Well, Windows 8.1 was actually version 6.3, build 9600. Windows 10 is the 10000 range and so Microsoft decided to skip Windows 9 to help prevent developers and OCD sufferers going bald. Windows 10 is the gradual and natural evolution of Windows 8. Several excellent new features have been included to take advantage of the cloud environment which most of us can enjoy. Some additions, such as a new peer-to-peer update system seems logical although annoying.

Some of the new additions were a little surprising upon first inspection. Windows 10 has a whopping 12 pages of privacy settings, many of which are somewhat ambiguous. My top tip to tightening up the privacy options on Windows 10 is simple: Avoid “express install” when upgrading or installing the operating system. This will show far more granularity, including the privacy settings. Below, I examine those which I believe to be the most important changes to Windows, regardless of the chosen installation option.

Important Privacy Changes

Some of these options, such as location data, seem to be designed with mobile usage in mind. This isn’t a list of Do’s and Dont’s, merely personal preference. Most of the options are fairly innocuous to most users, but if you’re worried about the NSA or Chinese government you may want to take a closer look…

These options are available under Settings » Privacy »


General:

privacy settings-general2

Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)

The Microsoft advertising ID is a per user identifier shared with marketing partners associated with Microsoft. This will, to the average user, mean nothing more than more personal with the aim of being less annoying. The clue as to the function of a unique identifier is in the name; it’s designed to make tracking a single user in a busy crowd easier. Tin foil hat wearers and spies may want to disable this.

Send Microsoft info about how I write to help us improve typing and writing in the future

Security and privacy advocates have suggested suggested this could be a Microsoft keylogger. Let’s be honest, Microsoft could covertly do so if they desired. I would hazard a guess that this option is designed to help improve usability of mobile devices such as the Surface.

Location:

privacy settings-location2

When location services for this account are on, apps and services you allow can request location and location history.

As above, this option is clearly aimed at mobile usage. Most people don’t take their desktop to Starbucks or work. It will, however, be useful for location based searches in Bing – or Google, if you’re not a Microsoft employee. All individual applications default to ‘Off’ which is nice.


Camera / Microphone:

privacy settings-camera_microphone

Let apps use my camera / microphone

The two options above are fairly obvious. Disabling will make running a Youtube channel difficult, while enabling them will mean the devices are accessible for/to applications. These are per-application settings, so can be set as desired. As with ASLR, hackers will probably find a way to bypass this if they really care about your data.

Speech, inking, typing:

privacy settings-speech, typing

Windows and Cortana can get to know your voice and writing to make better suggestions for you. We’ll collect info like contacts, recent calendar events, speech and handwriting patterns, and typing history.

I, for one, am not comfortable with my computer constantly listening for me to say “Hey, Cortana” or “Ok, Google”. This is another good example of personal preference. I have nothing to hide, but also don’t want hackers watching or listening to me have sex, for example. Nobody expects to get hacked… until they do.

Account info

privacy settings-account info

Let apps access my name, picture, and other account info

Unless you decided to name your computer “Dave’s government hacking PC at 101 North Lane, London”, this is probably fairly safe to ignore. Applications can see your user name which is admittedly tied to your Microsoft account, but if you need to worry about this, you don’t need me to tell you why.

Other devices:

privacy settings-other devices

Let your apps automatically share and sync info with wireless devices that don’t explicitly pair with your PC, tablet, or phone

Microsoft is constantly looking to improve usability and functionality to keep up with Google’s Android and Apple’s OSX operating systems. This option was introduced to help improve connectivity with devices on the same network. If you own a Windows phone or Xbox One and want it to work without being a networking and security genius, leave this on.

Feedback:

privacy settings-feedback

Windows should ask for my feedback

This is an ambiguous option but has been in Windows for a while, under Windows error reporting and other services. I appreciate the options page dedicated to this. The options are “Automatically” (default), “Always,” “Once a day,”Once a week” and “Never”. Just how paranoid are you?

Additional Privacy Concerns

I didn’t elucidate on the entire 13 pages of privacy settings for obvious reasons. But sadly, I’m not finished. Below are a few additional changes which should be noted…

WiFi Sense

wifi sense message

Wifi Sense was added with the apparent aim of helping users connect to wireless networks of contacts. Networking for nans, if you will. The Wifi Sense FAQ cites two possible uses:

Automatically connect you to open WiFi networks it knows about by crowdsourcing networks that other people using Windows have connected to. These are typically open WiFi hotspots that you see when you’re out and about.

I’m a little worried about their definition of crowdsourcing. My infosec Spidey sense is tingling a little. This depends on how important ease of network connectivity is to you. I’m experienced enough to enter my own Wifi password, but my nan isn’t.

Automatically connect you to WiFi networks that your Facebook friends, Outlook.com contacts, or Skype contacts have shared with you after you’ve shared at least one network with your contacts.

I have mixed reactions to this change as it assumes that people on my Facebook friend list are actual friends and trusted. A Twitter user I follow recently posted an exploit that crashed anyone reading the message on an iPhone. It wasn’t intentional, but encounter problems such as this when the entire planet is hammering your code.

The positive side is that Microsoft sends an encrypted copy of your network keys to their servers, which are then passed to other users you trust. I trust them as far as I can throw an NSA subject access request court order.

Wifi Sense will probably get mainstream media coverage at some point. It looks like an easy target for hackers interested in your credit card details.

You can change your Wi‑Fi Sense settings choosing Settings » Network & Internet » Wi‑Fi » Manage Wi‑Fi settings, then changing these settings under Wi‑Fi Sense:

  • Connect to suggested open hotspots
  • Connect to networks shared by my contacts

Protecting your network also requires changing your network’s SSID to end with “_optout”. Forget the tinfoil hat, Wifi Sense makes me feel like I want to wrap my laptop in tinfoil!

Bitlocker and OneDrive:

Microsoft have been encrypting drives, by default, since Windows 8.1. Devices supporting Hardware Certification Kit (HCK) under the Trusted Platform Module are automatically encrypted to help improve security. This is a great improvement for the average user’s security. Encryption keys are now stored online using OneDrive, which is where the controversy comes in. Unless you’re worried about your ISP or the NSA getting your keys on the upstream, then stealing your computer you should be safe.

The new privacy options remind me of the initial Windows firewall release; allow everything by default. This was changed to a strict white list after people realised you could Google for C:\ drives. I expect adjustments to be made over the next few updates. Until then, I’ll stick to Windows 8.1.

 

Posted in:
About the Author

Adam Davies

Adam is an internet developer with 17 years programming experience. He learned to program by reverse engineering protection algorithms of well known software, where he developed a passion for security. He can be found working as an SEO consultant for Judd Associates and completing numerous freelance projects in his spare time.

There are 9 comments

Your email address will not be published. Required fields are marked *