Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Concern Over Windows 10 Privacy Practices Grows

Microsoft has been getting bad press over concerns with Windows 10. There are two primary reasons: firstly that the company is, or has been, overly aggressive in pushing the operating system on existing Windows users; and secondly that it plays fast and loose with user privacy.

Microsoft has been getting bad press over concerns with Windows 10. There are two primary reasons: firstly that the company is, or has been, overly aggressive in pushing the operating system on existing Windows users; and secondly that it plays fast and loose with user privacy. The user privacy issue has prompted the French National Data Protection Commission (CNIL) to serve formal notice on Microsoft to stop collecting excessive user data.

Two new reports this week further illustrate the two concerns. In a DeepLinks blog published Wednesday, the Electronic Frontier Foundation (EFF) discussed both issues. On ‘aggression’, it described one particular action as ‘highly deceptive’. In May 2016 Microsoft quietly changed the effect of the cancellation ‘X’ in the top right corner of the window. “Specifically,” notes EFF, “when prompted with a Windows 10 update, if the user chose to decline it by hitting the ‘X’ in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10.”

On privacy, EFF notes that the default Windows settings send “an unprecedented amount of usage data back to Microsoft”, and adds, “Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.”

It is this lack of user choice that bothers many people. Martin Zinaich, the Information Security Officer for the City of Tampa, recently described his own experience. “I upgraded to Windows 10 many months past and disabled all the privacy-sharing items. I was shocked to see [compattelrunner.exe] running.” The worst part is that he had told the system that he didn’t wish to participate in Microsoft’s telemetry gathering. “The GUI said I am not participating, but it is also grayed out. Am I ‘not’ participating? Digging deeper, I discovered it is in the task scheduler and set to run indefinitely.” And he could not disable the task.

This lack of user control is discussed further in a new blog posted Thursday by Plixer. It warns, “the controls offered to the user by Microsoft don’t sufficiently stop the OS from connecting online and communicating with Microsoft’s servers. In other words, even if you turn all sharing options off, Microsoft is still sending some data back to the mothership.”

Plixer found the same issue with other software products, such as McAfee (now part of Intel Security) and Plantronics. “McAfee was a bit different,” notes Plixer; “they would send data using a DNS look-up instead of HTTP/HTTPS.” It is also encrypted. “While we agree that McAfee is a friendly vendor, we would like to know what they are sending, we want to be able to decrypt it using traditionally accepted decryption methods, and we want the ability to turn it off.”

It is possible that all of the information surreptitiously sent home is perfectly benign. It is equally possible that it is used in the growing trade of user data sold for targeted marketing purposes. The problem is that the user simply doesn’t know and cannot stop it. 

Advertisement. Scroll to continue reading.

Mike Patterson, the founder and CEO of Plixer, told SecurityWeek, “The concern is that we can’t find anything that clearly outlines what they are taking. They are also using what appears to be an encryption method that prevents us from seeing what they are taking from our computers. Why not be open and up front about it?”

The danger, he says, is where this practice of quietly exfiltrating data is going. “What prevents any hacker from creating a web site that requires the end user to agree to the terms and conditions before viewing the content? Once a user agrees to the End User License Agreement (EULA) does this give them permission to take anything they want? Does this mean they can use my PC to host marketing material for an ecommerce site that legitimately sells just about anything? After all, we agreed to the EULA which gives them permission.”

The blog post calls for new laws to prevent applications from being crippled if data cannot be collected. “Hopefully, our government will get involved, as we fear that soon, the practice of not allowing these connections back to the Internet could end up crippling the software that we need to run our businesses.” He is, of course, talking about the US government — this practice is already disallowed under the European General Data Protection Regulation: an offered service cannot be denied on the basis of a user refusing to give up personal data.

EFF warns that an unrepentant Microsoft could soon “face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.” This will be inevitable in Europe once the General Data Protection Regulation(GDPR) fully comes into force.

SecurityWeek invited Microsoft and Intel Security to respond to the concerns raised by the Plixer blog. At the time of publishing we have had no reply from Microsoft. Intel Security’s CTO Steve Grobman sent us the following statement:

“Some McAfee products use DNS as a query mechanism for obtaining the latest threat data from McAfee Labs’ Global Threat Intelligence network. This provides on-demand access to threat intelligence to assist in determining if objects (such as files or network resources) are malicious or suspicious.

“When the protocol was developed, DNS was chosen as it enabled high availability of product functionality in a wide range of network and proxy configurations utilizing a well understood and highly stable network protocol. 

“The data transferred through DNS is encoded information needed to execute the query and provide product integrity validation. Intel Security is committed to the privacy of our business and consumer customers and takes great care to ensure that sensitive data unrelated to the necessary information required for product functionality is not transferred.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.