The time has come to have the Microsoft / Windows 10 discussion. For those of you that follow one or several of the myriad of tech news sources available online, I don’t need to say anything else. You know exactly where this article is going. For anyone else who hasn’t stumbled across any of the headlines of the last several months, the discussion in question is about data collection, forced upgrades, and control. Microsoft has chosen a path with their implementation of Windows 10 that crosses a line, or frankly several lines, in terms of user privacy and user choice, and I believe it is time for me to weigh in and help move this conversation forward.
I readily admit that nothing I am about to share or discuss is particularly new or innovative. These Windows 10 concerns have existed since the beta releases and have been thoroughly covered in the tech and IT security media. My motivation is simply the fact that I have finally reached my personal boiling point. I was asked this week by colleagues in my office why I have not written about these issues or raised an electronic red flag. Sadly, the most honest answer I could give then and share now is that I was avoiding the conversation because: A) it hasn’t really affected me personally as an OS X user, and B) I don’t honestly know what the solution would or could be to this problem. That said, I do not think this conversation can be avoided any longer and it is time to speak up.
Before we get into examining why I felt the need to avoid this conversation, let’s take a moment to frame the issues with Microsoft and Windows 10, and the best starting point is Microsoft’s new approach to user data collection. With the release of Windows 10, Microsoft has defined certain data collection points that they believe are important, if not necessary, to providing the best user experience possible. In a blog post from September 2015, Terry Myerson, Microsoft’s Windows Chief, attempted to justify the data being collected by Microsoft by defining the 3 core areas where data collection was beneficial if not necessary: data used for safety and reliability, user personalization data, and advertising data. According to Myerson, this data greatly enhances the user experience and is transmitted, collected and stored in a safe and responsible manner by the team at Microsoft. Many in the world of tech and IT security are openly questioning these claims and are quick to point out the difficulties experienced when attempting to stop or block these data collection processes.
To provide a little perspective, a colleague of mine has the following statement taped to his office door:
Microsoft’s service agreement for Windows 10 is 12,000 words in length. Here’s one excerpt from Microsoft’s Terms of Use that you may not have read:
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”
To better understand the pervasiveness of Microsoft’s data collection strategy, you only need to look at the Windows 10 achievement milestones Microsoft is bragging about and sharing with the world. The Hacker News, an IT security news and blogging site, deftly outlined the following stats shared by Microsoft to start the new year:
People spent over 11 Billion hours on Windows 10 in December 2015.
More than 44.5 Billion minutes were spent in Microsoft Edge across Windows 10 devices in December alone.
Windows 10 users asked Cortana over 2.5 Billion questions since launch.
About 30 percent more Bing search queries per Windows 10 device compared to prior versions of Windows.
Over 82 Billion photographs were viewed in the Windows 10 Photo application.
Gamers spent more than 4 Billion hours playing PC games on Windows 10 OS.
Gamers streamed more than 6.6 Million hours of Xbox One games to Windows 10 PCs.
Microsoft is clearly sharing these statistics to tout how successful the Windows 10 rollout has been and how well received the product is with end users, but these statistics are also a brazen admission of how deeply Microsoft is monitoring its user base and exactly how much data they are collecting about the Windows 10 population. Just break these statistics down. Microsoft is cataloging overall usage hours by end users, specific application usage hours, Cortana requests, Bing queries, photo and video content usage, and cross platform communications. As a potential end user, you should be both afraid and appalled by these statistics.
Another frightening data collection area that should be considered is Microsoft’s new approach to whole disk or device encryption. Device encryption is a new, free service available for all Microsoft devices with the necessary supporting chipsets and hardware. For those of you in the corporate world familiar with Microsoft’s professional Bitlocker offering, the underlying technology is the same across all platforms. However, unlike Pro and Enterprise users, the Home/free device encryption solution Microsoft is now providing across the board lacks the options available to Bitlocker deployments when it comes to how the encryption key is handled. To make a long story short, if you are using the free or Home solution, Microsoft is collecting and storing your encryption key on their servers and associating it with your Microsoft account. They did not ask. They simply did this because they determined it was best for the end user and his/her overall experience. If you have Bitlocker in an enterprise environment, you do have other options for storing and managing encryption keys, but even with that process, if the wrong boxes are checked, the result can be keys being submitted to a Microsoft repository. Ponder that fact for just a moment. If/when Microsoft’s server resources get compromised, then a huge portion of the world’s end users will have their private encryption keys published and available for public consumption.
So how did Microsoft, and as an extension, we as the end user public get to this point? The answer is system updates. Microsoft writes them. End users need them to fix OS and application problems. IT security professionals, myself included, harp that critical and security-related patching is vital to stay ahead of the cyber crime curve. So Microsoft leveraged this delivery mechanism to start sending out “critical” updates to users to prompt, then highly encourage, then all but force an upgrade to Windows 10. Microsoft used similar updates to open communications paths and allow for new data collection points. Filtering these updates is very difficult for the average, non-technical Windows user, and the more technical user has started seeing features break and options unavailable if patches were not applied. Microsoft basically took advantage of a captive audience and began to build their “OS utopia” one update at a time.
As we speak about a captive audience and the Microsoft update process, let’s take a moment to look at the announcement this week surrounding support for Internet Explorer. Microsoft has announced that as of January 12, 2016, all versions of Internet Explorer prior to IE 11 or Microsoft Edge will cease to be supported and will no longer receive security updates. Though there are some exceptions for embedded versions of Windows, this basically means that IE 7, 8, 9, and 10 will no longer be patched. Along with these versions of IE, Microsoft also quietly indicated that Windows 8 as an operating system will also no longer be supported. On its face, this announcement is not an evil act. It is important for organizations and individuals to update and upgrade software to the latest version, especially an application as vulnerable to attack as a web browser. But let us be clear. This was not an altruistic act by Microsoft to move users to a safer and more secure platform. It was a targeted act that moves users to the most current and most pervasively monitored version of an application, and it also encourages an upgrade path to Windows 10. There are very practical implications to this move by Microsoft. Many organizations and individuals rely upon legacy web applications that simply do not support new versions of IE. Others simply do not have the time and resources to update and retrain. There is the real potential for a security vacuum with the lack of patches for legacy versions of Internet Explorer.
I began this article with an admission that I have honestly been avoiding this conversation for a couple of reasons. First of all, I am primarily an OS X user and these problems don’t directly affect me. OK. I admit that is a bit of a cop out. I still own several Windows devices, as do my children, and of course, many of my customers. But in truth, as I sit and type here on my Macbook Air, I do not personally fear many of the intrusions I have outlined to this point, and at some level, that fact kept my boiling point in check. That said, I have experienced some of the pains I have detailed in this article, especially in the support and configuration of devices for my teenage boys. These issues do exist in the real world and need to be addressed, but that fact also leads to the second reason why I have avoided this conversation. How do we solve or begin to solve this problem?
At the heart of this problem is the most commonly used operating system on the planet – Windows. Though far, far from perfect, Apple OS X and the many flavors of Linux available throughout the world do not generally have the same number of privacy concerns that Windows 10 enjoys. In all honesty, there are many ways you can share your private information with the good people of Apple, but those options can be fairly easily controlled and disabled by the end user. So, is the solution to press the world to go out and buy Macs? I don’t think so. For many, this is a cost prohibited scenario. There is a sunk cost to hardware already purchased. There is a learning curve. So is the solution a custom distribution of Linux that can run on already purchased hardware? Maybe, but even that option is difficult and unlikely to gain any traction. Once again, there is a learning curve and a populous that simply lacks the skills and resources to transition away from Windows. Sadly, at the end of the day, we are discussing a market that Microsoft has dominated for more than 20 years. We are navigating on a boat that simply turns too slowly.
So what is the answer and is there a solution? I freely admit that I do not know for sure. But I do have hope. I have hope for the simple reason that we still have a voice. We can still complain about the level of intrusion Microsoft is making into the lives and actions of its end users. We can share these concerns with the masses, with the press, and with the legislators that have such a keen desire to tout the need for both security and privacy. We can choose to save our money and invest in better software and hardware whenever possible. We can collaborate as a community on tweaks and fixes and filters for Windows 10 that can curb the loss of data. Frankly, we can become the community of IT users and professionals that we have always pined for – a group of people concerned for the common good and willing to work together and share information to make the cyber ecosystem a safer and more reliable place to work and play. It is not easy and it will not quick, but the effort is well worth it.