How Much Does Windows 10 Spy on You?

Privacy has been a major concern among some users since Windows 10 was first released. Microsoft does provide a privacy web page where it details how and what kind of information Windows 10 collects. Windows 10 also includes a dedicated Privacy setting, which lets users configure and adjust what they want the operating system to know and access; from location services to the camera.

Version 1703, released in March 2017, was Microsoft’s first step toward being more transparent about the data collected by Windows 10. The software firm went a step further by providing a dashboard where users can configure even more settings in regards to advertisements in the web browser, your Microsoft Account, and services such as the Cortana digital assistant. This article takes a close look at Privacy in Windows 10 and how you can control what Windows 10 knows about you—and whether it even makes sense to do so.

What does Windows 10 know about you?

The information collected by Windows 10 focuses on several areas within the system: users accounts, installed apps, and services such as Location and the Bing search engine. Recently, Microsoft revealed more details regarding its progress toward being transparent about data collection in Windows 10. The software firm noted that a vast majority of the 500 million systems running Windows 10 consented to diagnostics data being collected.

For example, 71 percent of customers are selecting Full diagnostics data to help us fix things and improve Microsoft products. While your direct feedback like, “The privacy settings added to clean installs are a boon for the privacy minded,” and “Very well done,” is great to hear, we know there is still work to do to meet and anticipate the expectations across our diverse customer base and provide you with the best privacy experience possible. Source

But what exactly does this entail? Do people know they are agreeing to this? And when do you get to choose?

The best place to start with privacy in Windows 10 is when you first setup and configure a new Windows 10 PC. The out of box experience presents options for adjusting your privacy settings before you reach the desktop. Users can view additional information about what each setting does. Probably the two least important in Microsoft’s choice of data collection are Relevant Ads and Tailored experiences with diagnostic data. According to Microsoft:

Microsoft uses the data we collect to provide you the products we offer, which includes using data to improve and personalize your experiences. We also may use the data to communicate with you, for example, informing you about your account, security updates and product information. And we use data to help show more relevant ads, whether in our own products like MSN and Bing, or in products offered by third parties. However, we do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you. Source

So, if you want advertisements that fit your location and culture, this option is available to you—but it’s not necessary. As for security updates, I don’t need ads to tell me about a security update. Windows Update already does a rather good job of ensuring updates are downloaded and installed.

If you really want to know what Windows 10 does know about you, the Privacy setting in Windows 10 is worth reviewing. It clearly tells you what data it’s collecting and sharing with the built in apps and those from third parties.

Location Services

Windows 10 keeps tabs on where you are located and shares that information with websites and installed apps. Granular options are available so that users can limit location access to specific apps. Users do have the option to disable Location services entirely. In Windows 10, click Start > Settings > Privacy > Location.

Windows 10 also keeps a log of places you have visited for a short period of time on your device – about 24 hours. You can use the Privacy dashboard to clear this information. Bing, Maps, and Cortana benefit the most from Location services.

Bing services include search and mapping services, as well as the Bing Toolbar and Bing Desktop apps. Bing services are also included within other Microsoft services, such as MSN Apps and Cortana, and certain features in Windows (which we refer to as Bing-powered experiences).

When you conduct a search, or use a feature of a Bing-powered experience that involves conducting a search or entering a command on your behalf, Microsoft will collect the search or command terms you provide, along with your IP address, location, the unique identifiers contained in our cookies, the time and date of your search, and your browser configuration. Source

Users should think carefully about whether you should clear this data. Services such as Find My Device, which you can use to locate a lost or stolen device, depend on location services.

Search and Bing

If you use the Bing search engine to look for information, the site parses your search queries for both personalization and auto suggestions. This is not unique to Bing; Google does it too—Brian recently wrote up a piece on how to view and disable your Google Account history settings. Bing also works with Microsoft’s digital assistant, Cortana, so you can get answers to questions. If you want to clear this information, open the Privacy Dashboard, select the Search tab then click Clear search history.

Cortana

This leads us to Cortana, the digital assistant that powers a lot of intelligence built into Windows 10. Digital assistants are a fundamental part of services and operating systems today and in the future; whether it’s Google Assistant; Siri in macOS and iOS; Alexa on the Amazon Echo; or Samsung’s Bixby. Cortana’s method of collecting and tracking information is done through notebooks.

Users can find this setting by opening Cortana on the Taskbar then selecting the Notebooks tab. The settings tab let users adjust what Cortana collects, knows and your interaction. Many of these settings are unchecked by default, but you can periodically review them if you want Cortana to stop doing something.

In the next release of Windows 10, version 1709, also known as the Fall Creators Update, users will have a dedicated Cortana setting where they can easily find and manage these settings.

Users can also clear all that Cortana knows about them from the Privacy Dashboard.

Microsoft Edge

Microsoft’s new Edge web browser uses cookies to collect information about frequently visited web pages. Some of the default data saved include: your Browsing history; Cookies and saved website data; Cached data and files; and Tabs I’ve set aside or recently closed. Web browsers have been doing this sort of thing for decades; so this is nothing new.

If you want to delete the saved data in one of these options, click the More actions menu (…), scroll down, click Settings > click choose what to clear, then uncheck the options you want to keep. Scroll down then click Clear. You can configure Edge to clear these options each time you close the web browser.

Below that are links to additional settings where you can control what Edge knows about you in the cloud and your Bing search history.

Telemetry

Windows Vista was Microsoft’s first start to collecting diagnostics data in a way that could help to improve the quality of the Windows codebase. From BSOD’s to application compatibility, diagnostics help inform both Microsoft and third party hardware and software vendors about problems users are experiencing with their products.

This in return leads to timely fixes and more stable releases. Telemetry has evolved on a much grander scale in recent releases of Windows 10. For example, the Windows 10 Insider Preview program uses diagnostics to help find issues from users who volunteer to share it. Windows 10 with consent, can be configured to send information which includes browser and inking data.

What are your options?

Windows 10 is a web centric operating system and a lot of its innovation depends on how much it knows about you in order to accomplish certain tasks. For example, Apps such as Calendar, Contacts, Tasks and Email work in unison so you can view upcoming events, respond to emails or complete tasks you working on.

If I may be a bit frank, if you are not open to sharing some information, then you really should not be using Windows 10. You could, of course, try using a Local account, but you are delaying the inevitable. Everybody in the industry is doing some form of information collection, but it ultimately boils down to are you aware of it; does the service or application tell you; or give you the option to opt in or out? I think Windows 10 does an admirable job at that between the Privacy setting and the Privacy Dashboard.

I personally found the thought of going through each tab in Windows 10 and disabling specific settings, time-consuming, paranoid and ultimately futile. You are in a sense, crippling the benefits of Windows 10 to further improve the operating system over time. What are the consequences then if you want to go off the grid?

It doesn’t mean the option is not there to have some control over the information stored on the device; it is there and I think that’s probably the best part—you can disable it if you want. What I recommend users do is carefully review what’s web based, versus what’s locally stored on the device. An off the grid option is not really possible but there are some things you can do.

• Use a Local Account.
• Browse using an alternative web browser such as Mozilla Firefox.
• Use the Private Mode option in your favorite web browser.
• Setup a VPN on your computer so your data is securely transmitted.
• Switch your search engine to another platform such as Duck Duck Go.
• Don’t use online cloud services such as Dropbox, Google Drive or OneDrive—instead, you can save your files in a Personal folder.
• Use an email client such as Mozilla Thunderbird.
• Use Libre Office for productivity tasks such as word processing, spreadsheets.
• This is probably the most extreme: switch to a Linux distribution such as Linux Mint.

Conclusion

We want devices to be super smart when it comes to helping us know the world around us, but you can’t expect it to magically do so without volunteering some of your own information. Use your real life as an example—you likely have family and friends who know a great deal about you. Sharing that personal information is part and parcel to your relationship. It’s a similar concept with your “personal” devices. Sometimes, it’s just for us to get over the concept of our devices – otherwise inanimate objects – actually becoming intimate strangers in our lives.

How does Windows 10 allow Microsoft to spy on you?

Windows 10 is perhaps the most Internet-connected and cloud-centric operating system released by Microsoft to date. This, of course, has caused many users to be concerned about how the OS respects their privacy (or doesn’t).

Multiple sources are now claiming that this OS reports user data to Microsoft which could be violating the users’ assumptions of privacy. (A couple of examples are linked below.)

How legitimate are these concerns and claims? Is Microsoft actually collecting data about Windows 10 users’ location and activity? Are they actually authorized to do so, simply by a user’s acceptance of the EULA?

I’m aware that Windows 10 sends malware files to Microsoft for analysis. This is a common and generally-accepted practice for most antivirus products, and antivirus is known to be integrated into this OS. What about the other information?

4 Answers 4

When you acquire, install and use the Program software and services, Microsoft collects information about your use of the software and services as well as about the devices and networks on which they operate. Examples of data we may collect include your name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data; device configuration and sensor data; voice, text and writing input; and application usage. For example, when you:

install or use Program software and services, we may collect information about your device and applications and use it for purposes such as determining or improving compatibility (e.g., to help devices and apps work together),

when you use voice input features like speech-to-text, we may collect voice information and use it for purposes such as improving speech processing (e.g., to help the service better translate speech into text),

when you open a file, we may collect information about the file, the application used to open the file, and how long it takes to use it for purposes such as improving performance (e.g., to help retrieve documents more quickly), or

when you input text, handwrite notes, or ink comments, we may collect samples of your input to improve these input features, (e.g., to help improve the accuracy of autocomplete and spellcheck).

This is so serious that even some political parties here in France that have nothing to do with technologies denounced Microsoft Windows 10 practices.

A member claimed that the statement above does not concern the shipped version of Windows 10.

1. We have not been provided any proof that Microsoft removed all those monitoring modules of its Windows 10 beta version in the final release. And, since Windows is closed-source, there’s no way for us to check ourselves.
2. The media has reported a history of Microsoft spying as its practice (e.g. Microsoft, China clash over Windows 8, backdoor-spying charges, also NSA Built Back Door In All Windows Software by 1999).
3. For the shipped version of Windows 10, we can see the same information with smoother words: Privacy Statement

Additionally, after the release of the shipped version of Microsoft Windows 10, this is what was written in Microsoft Windows 10 Privacy Policy:

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services,

Only by the start of this August, and after lot of organizations and even political parties complained about Windows 10 being a spyware, Microsoft changed its privacy policy statement to softer terms to which I linked to. But is this change of policy statement followed by retrieving Windows 10 from the market and replacing it by a new one? Of course not.

Note that the last paragraph I quoted is only still available in external websites including famous newspapers by the start of this August (which thing means after Microsoft started already to sell its Windows 10), but we do not find this paragraph anymore in the updated version of the privacy policy statement anymore. So Microsoft removed it already.

From Windows 10 feedback, diagnostics, and privacy: FAQ (shipped version of Windows 10, NOT Pre-Release Preview), we can also read regarding Diagnostics Tracking Service:

As you use Windows, we collect performance and usage information that helps us identify and troubleshoot problems as well as improve our products and services. We recommend that you select Full for this setting.

Basic information is data that is vital to the operation of Windows. This data helps keep Windows and apps running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. If you select this option, we’ll be able to provide updates to Windows (through Windows Update, including malicious software protection by the Malicious Software Removal Tool), but some apps and features may not work correctly or at all.

Enhanced data includes all Basic data plus data about how you use Windows, such as how frequently or how long you use certain features or apps and which apps you use most often. This option also lets us collect enhanced diagnostic information, such as the memory state of your device when a system or app crash occurs, as well as measure reliability of devices, the operating system, and apps. If you select this option, we’ll be able to provide you with an enhanced and personalized Windows experience.

Full data includes all Basic and Enhanced data, and also turns on advanced diagnostic features that collect additional data from your device, such as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred. This information helps us further troubleshoot and fix problems. If an error report contains personal data, we won’t use that information to identify, contact, or target advertising to you. This is the recommended option for the best Windows experience and the most effective troubleshooting.

Note that only on Enterprise Edition one can turn Diagnostics Tracking Service off totally.

Diagnostics Tracking Service available in Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1 and Windows 10. The quoted paragraphs concern the Diagnostics Tracking Service mechanism in which other modules, apart from Telemetry, are included.

Diagnostics Tracking Service consists in these files:

• telemetry.asm-windowsdefault.json
• diagtrack.dll
• utc.app.json
• utcresources.dll

Note that the answer below claiming that nothing private is collected by Windows 10 as a qualified user may listen to the traffic of his Windows operating system is wrong. It is impossible to know what Windows collects and sends permanently. Windows does not stop sending information on his/her behalf as this study shows: Even when told not to, Windows 10 just can’t stop talking to Microsoft. But still what the official documentation describes is not very good for the user such as when Windows takes system files or MEMORY SNAPSHOTS, which may unintentionally include PARTS OF A DOCUMENT YOU WERE WORKING ON on when a problem occurred (From: What are the privacy and security implications of Windows Telemetry)

It’s worth noting that your first link is in relation to the Windows Insider program. The Windows Insider program provides you with pre-release software that does call home with usage details and other information. This is something that you agree to by installing the Windows Insider preview — if you don’t like it, you don’t have to install it, it’s completely your choice.

The EULA for the released version of Windows 10 doesn’t include this section and there is no evidence that this information is being collected (which of course could just mean they’re better at hiding it).

The second link that you’ve provided is regarding the Family functionality, this is functionality that has to be enabled in order for it to work and collects application usage statistics and browsing history. In the instance linked in the article, it’s perfectly possible that this functionality was enabled in Windows 8 and expanded upon when the upgrade to Windows 10 occurred. On my clean install I don’t have this going on so this isn’t enabled by default and has to be something that you opt into — again, when you opt into something like this you’re given an agreement to agree with stating that additional information will be collected. If the information wasn’t collected, functionality like this simply couldn’t work.

Windows 10 has a large number of privacy settings — many of these are on by default but they’re easy enough to disable by opening up the Settings app and working your way through the Privacy settings. This covers a large variety of options from your unique advertising identifier, which is shared across various applications to allow Microsoft to track your use of the apps and show you targeted ads, to Bing search in the start menu, which will send your search queries to Microsoft Bing. This also includes many settings from older versions of Windows, such as the SmartScreen filter, which sends URLs to Microsoft for validation.

Windows 10 also contains Cortana, with Cortana enabled, you’re asking Microsoft to provide you a personal assistant and this will include sending information about your activities (including applications you run, GPS locations, browsing history) back and forth between your machine and Microsoft. This can include things like your handwriting and what your voice sounds like, but these can be disabled individually within Speech, inking & typing within Privacy settings. Cortana isn’t unique in this behavior. (How do you think Google Now and Siri work?)

If you sign into Windows 10 with a Microsoft account, authentication is handled via Microsoft as well. This will also provide you with the functionality to synchronize your desktop settings, passwords, web browser settings and more between multiple devices running Windows 10. If these options are enabled then this is additional information that is synchronized to Microsoft’s servers. Each of the individual sync settings can be toggled in the Settings app under Accounts > Sync your settings, or you can simply not log in with a Microsoft account and use a local account. If you’re using Windows 10 Home edition, you will need to use a Microsoft account in order to enable BitLocker, and your recovery key will be uploaded to Microsoft’s servers. This restriction does not apply to Windows 10 Pro or higher.

With the «Sample submission» option for Windows Defender enabled, Windows Defender will send your files off to Microsoft — for example if you had some kind of confidential document with a macro in it that Windows Defender identified as a threat, with the option enabled, this file would be submitted to Microsoft for analysis.

As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer’s chosen privacy settings. This also applies to searching offline for items such as apps, files and settings on the device.

It’s worth noting that Arcs Technica states this statement from Microsoft is consistent with their findings

Basically, as part of the Windows Feedback and error reporting, diagnostic data is reported back to Microsoft, this can only be disabled in the Enterprise and Server editions of Windows 10 through the use of group policy editor but can only be set to a «basic» mode on Home and Pro editions which «limits the amount of data sent». This can be set in the Settings app under Feedback & Diagnostics.

Microsoft have never hidden the fact that Windows 10 is supposed to be the last major release and that future functionality will be provided as automatic updates. Any such system will require information to be passed to Microsoft to work. Ultimately, there are a lot of components in Windows that will individually and collectively synchronize their status with their online counterparts and this will result in internet traffic.