Microsoft has been getting bad press over concerns with Windows 10. There are two primary reasons: firstly that the company is, or has been, overly aggressive in pushing the operating system on existing Windows users; and secondly that it plays fast and loose with user privacy. The user privacy issue has prompted the French National Data Protection Commission (CNIL) to serve formal notice on Microsoft to stop collecting excessive user data.
Two new reports this week further illustrate the two concerns. In a DeepLinks blog published Wednesday, the Electronic Frontier Foundation (EFF) discussed both issues. On ‘aggression’, it described one particular action as ‘highly deceptive’. In May 2016 Microsoft quietly changed the effect of the cancellation ‘X’ in the top right corner of the window. “Specifically,” notes EFF, “when prompted with a Windows 10 update, if the user chose to decline it by hitting the ‘X’ in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10.”
On privacy, EFF notes that the default Windows settings send “an unprecedented amount of usage data back to Microsoft”, and adds, “Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.”
It is this lack of user choice that bothers many people. Martin Zinaich, the Information Security Officer for the City of Tampa, recently described his own experience. “I upgraded to Windows 10 many months past and disabled all the privacy-sharing items. I was shocked to see [compattelrunner.exe] running.” The worst part is that he had told the system that he didn’t wish to participate in Microsoft’s telemetry gathering. “The GUI said I am not participating, but it is also grayed out. Am I ‘not’ participating? Digging deeper, I discovered it is in the task scheduler and set to run indefinitely.” And he could not disable the task.
This lack of user control is discussed further in a new blog posted Thursday by Plixer. It warns, “the controls offered to the user by Microsoft don’t sufficiently stop the OS from connecting online and communicating with Microsoft’s servers. In other words, even if you turn all sharing options off, Microsoft is still sending some data back to the mothership.”
Plixer found the same issue with other software products, such as McAfee (now part of Intel Security) and Plantronics. “McAfee was a bit different,” notes Plixer; “they would send data using a DNS look-up instead of HTTP/HTTPS.” The data is also encrypted. “While we agree that McAfee is a friendly vendor, we would like to know what they are sending, we want to be able to decrypt it using traditionally accepted decryption methods, and we want the ability to turn it off.”
It is possible that all of the information surreptitiously sent home is perfectly benign. It is equally possible that it is used in the growing trade of user data sold for targeted marketing purposes. The problem is that the user simply doesn’t know and cannot stop it.
Mike Patterson, the founder and CEO of Plixer, told SecurityWeek, “The concern is that we can’t find anything that clearly outlines what they are taking. They are also using what appears to be an encryption method that prevents us from seeing what they are taking from our computers. Why not be open and up front about it?”
The danger, he says, is where this practice of quietly exfiltrating data is going. “What prevents any hacker from creating a web site that requires the end user to agree to the terms and conditions before viewing the content? Once a user agrees to the End User License Agreement (EULA) does this give them permission to take anything they want? Does this mean they can use my PC to host marketing material for an ecommerce site that legitimately sells just about anything? After all, we agreed to the EULA which gives them permission.”
The blog post calls for new laws to prevent applications from being crippled if data cannot be collected. “Hopefully, our government will get involved, as we fear that soon, the practice of not allowing these connections back to the Internet could end up crippling the software that we need to run our businesses.” He is, of course, talking about the US government — this practice is already disallowed under the European General Data Protection Regulation: an offered service cannot be denied on the basis of a user refusing to give up personal data.
EFF warns that an unrepentant Microsoft could soon “face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.” This will be inevitable in Europe once the General Data Protection Regulation (GDPR) fully comes into force.
SecurityWeek invited Microsoft and Intel Security to respond to the concerns raised by the Plixer blog. At the time of publishing we have had no reply from Microsoft. Intel Security’s CTO Steve Grobman sent us the following statement:
“Some McAfee products use DNS as a query mechanism for obtaining the latest threat data from McAfee Labs’ Global Threat Intelligence network. This provides on-demand access to threat intelligence to assist in determining if objects (such as files or network resources) are malicious or suspicious.
“When the protocol was developed, DNS was chosen as it enabled high availability of product functionality in a wide range of network and proxy configurations utilizing a well understood and highly stable network protocol.
“The data transferred through DNS is encoded information needed to execute the query and provide product integrity validation. Intel Security is committed to the privacy of our business and consumer customers and takes great care to ensure that sensitive data unrelated to the necessary information required for product functionality is not transferred.”