Microsoft doing the Scroogle

Posted on August 28, 2015


With the advent of Windows 10, we have seen this OS pushed as a FREE upgrade onto consumer PCs (those running legit Windows v7 or 8), as well as onto many small and medium business user systems. This has had the side effect of kicking off flurries of enquiries and concerns from users over what is actually going on.

Despite a widely broadcast campaign by Microsoft, many users are simply too busy, and too adept at tuning out the deluge of new tech marketing and advertising that gets thrust at them. The appearance of the Windows 10 upgrade prompts on Windows 7 or 8 systems has driven users to the web to investigate, only to be confronted with widespread reports, some over-hyped but most generally accurate, of a new culture of user monitoring and data harvesting by Microsoft. Many in the industry are consequently being queried at every turn by customers, friends and family about what the implications are and what they should do.

At the outset I would say that there is a lot of scaremongering going on over this. The sad reality, though, is that once you strip away the hype, the core facts are largely correct. Microsoft has reversed its moral high ground stance on data harvesting and joined Facebook, Google and Amazon in the gutter of the user data feeding frenzy.

In the old days (pre-Windows 10) the answer was simple and heartfelt: Microsoft could be trusted. This vendor trust harmony has since been blown away, and as a Microsoft champion I have had pause to reset and find myself running Mac OS X as Windows relegates itself to a second-class citizen in the trust and privacy stakes. Truth be known, I have broken Windows 10 so many times researching and testing disabling the monitoring that I have given up and for now relegate my use of Windows 10 to certain use cases I cannot service in OS X.

Microsoft’s argument that this is just a continuum of its ‘Customer Experience Improvement Program’ (CEIP) is hard to swallow. Having read the new policy statements and seen how Microsoft is behaving, it is just obfuscation of the truth. The fact that functionality becomes so hobbled (if it does not break) when you attempt to disable the monitoring implies it is now an integral part of the system.

Microsoft have proactively taken measures to stop people disabling their monitoring and telemetry. Not only do they now make it as hard and confusing as possible to opt out, by scattering the switches and settings across the registry, the Hosts file and end user interface toggle switches, they are also employing methods to re-enable tracking even once a user has disabled it.

If anyone doubted Microsoft’s U-turn in its attitude to data harvesting and monitoring, then the recent revelation of its retrospective injection of ‘patches’ to install Windows 10 monitoring functions into Windows v7 and v8 puts the point beyond dispute.

These retrospective ‘patches’ transmit data through hard-coded server settings that bypass the Hosts file, making it hard for all but adept technical users to block their activity. This method of forcing the communication path blows away any credibility; it is a practice used by many classes of malware to circumvent end user intervention, anti-virus or firewall solutions.

These retrospective patches pushed down to Windows 7 and 8 users are described as:

  1. KB3080149 – An Update for customer experience and diagnostic telemetry
  2. KB3068708 – An encryption option for the data feed from KB3080149, (replaces KB3022345)
  3. KB3075249 – An update that adds telemetry points to the User Account Control feature to collect information on elevations that come from low integrity levels.

These are automated patches pushed onto systems under the default ‘Recommended Updates’ setting of the respective OSes, and they represent functionality that is active by DEFAULT in Windows 10. So strictly they could be controlled by users, but only if those users are informed, which they are not.
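To check whether a particular Windows 7 or 8 machine has received the three updates listed above, and whether it is set to take Recommended Updates automatically, the following can be run in PowerShell. It is an added example, not part of the original post or of the guides it links to; the function names are hypothetical, and the registry value it reads is the standard Windows Update setting, which the post does not name.

```powershell
# KB numbers and descriptions as listed in the post above.
$TelemetryKBs = @(
    @{ Id = 'KB3080149'; Note = 'Customer experience and diagnostic telemetry' },
    @{ Id = 'KB3068708'; Note = 'Encryption option for the KB3080149 data feed (replaces KB3022345)' },
    @{ Id = 'KB3075249'; Note = 'Telemetry points in User Account Control' }
)

function Get-TelemetryUpdateStatus {
    # Hypothetical helper: reports which of the listed KBs are installed.
    param([string]$ComputerName = $env:COMPUTERNAME)

    # One inventory query, then match locally. Get-HotFix reads
    # Win32_QuickFixEngineering; InstalledOn can be empty on some systems.
    $installed = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop)

    foreach ($kb in $TelemetryKBs) {
        $hit = $installed | Where-Object { $_.HotFixID -eq $kb.Id } | Select-Object -First 1
        New-Object PSObject -Property @{
            KB          = $kb.Id
            Note        = $kb.Note
            Installed   = [bool]$hit
            InstalledOn = $(if ($hit) { $hit.InstalledOn } else { $null })
        } | Select-Object KB, Installed, InstalledOn, Note
    }
}

function Test-RecommendedUpdatesEnabled {
    # Hypothetical helper. Reads the per-machine Windows Update setting
    # "Give me recommended updates the same way I receive important updates".
    # The key and value name are not from the post. A Group Policy setting,
    # if present, can override this value and is not checked here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $null -ne $props.IncludeRecommendedUpdates) {
        return [bool]$props.IncludeRecommendedUpdates
    }
    return $null   # value absent: cannot be determined from this key
}

Get-TelemetryUpdateStatus | Format-Table -AutoSize
"Recommended updates delivered automatically: $(Test-RecommendedUpdatesEnabled)"
```

The script only reads state and changes nothing, and it sticks to PowerShell 2.0 syntax so that it runs on a stock Windows 7 install.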

To get rid of these invasive ‘patches’ there is a comprehensive guide in the ghacks.net article ‘Microsoft intensifies data collection on Windows 7 and 8 systems’.

Or, if you prefer a scripted solution that does the same thing, use the batch file at https://voat.co/v/technology/comments/458715

In an odd twist, for a number of years Microsoft ran a ‘Scroogled’ privacy campaign against Google. It was seen as the white knight taking the fight to the invidious data abuse by the likes of Google, in a drive to build awareness of the Google type of pernicious data monitoring and harvesting activities. It would appear that Microsoft has thrown in the towel and adopted the ‘if you can’t beat them, then join them’ state of mind. This is in the face of a survey in which Microsoft themselves found 83% of users felt scanning emails was an invasion of privacy and 93% said they thought users should be allowed to opt out of such data monitoring services.

For many, the Windows 10 generation of CEIP is little different from the practices for which Google, and the Spyware and adware that plague the internet, are criticised. Microsoft’s definition of Spyware in this context is, quote 1 (Ref: http://www.microsoft.com/products/ceip/en-US/default.mspx):

‘Spyware can collect information or act on your computer without your full knowledge or consent. CEIP does not take actions other than those described in the Customer Experience Improvement Program Privacy Statement and you can choose to start or stop participating at any time.’

  • Microsoft fails the acid test – Ask a random sample of users to STOP their participation in CEIP and you will find that they cannot completely opt out, due to Microsoft’s hard-coded measures amongst others. This request is swiftly followed by complete consternation at the monitoring that Microsoft is forcing on them. Microsoft has executed this in a way that fundamentally disempowers users by removing the means for them to easily and conveniently opt out and elect what data they share, for how long and for what purpose.

Quote 2 from the new Microsoft Privacy Policy Statement (Ref: http://www.microsoft.com/en-us/privacystatement/default.aspx)

“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”

As covered in this article and qualified in its quoted references, by its own definition Microsoft Windows 10 and now v7 and v8 is in all respects a class of Spyware, albeit I do not believe with any malicious intent, but just some appallingly bad policy wording and arrogant implementation. Summary conclusion on these two quotes:

  1. CEIP (Quote 1) – Users CANNOT readily opt out, and hard coded measures Microsoft has recently implemented reinforce this.
  2. Policy (Quote 2) – Microsoft reserve the right to in effect collect and do what they like with your data!!

When considered in tandem they are a huge compromise of end user privacy.

The most depressing note in this whole saga is that Microsoft charges end users for the privilege of being monitored and having their data and digital activities harvested. Whilst Windows 10 is ‘Free’ for consumers upgrading from Windows v7 and v8, it was a commercial, paid-for product for many.

The brave can download a comprehensive script to reverse Microsoft’s activities, but for many this will prove to be a technical hurdle too far: https://voat.co/v/technology/comments/459263

My conclusion is that Microsoft has lost its way at a key inflection point in users’ attitudes to their data and privacy in their digital lives. Most critically with the best version of Windows 10 for years (monitoring aside), that represents a unified platform opportunity not seen in the industry. Windows 10 is a future that Microsoft is betting on, but they have made a fundamental strategic cock-up over their handling of the privacy dimension.

Instead of engaging users and bringing them on board in a new culture of rewarding CEIP participation and demonstrating respect for the value of user data sharing, there are visible symptoms of a Microsoft cultural conflict in the opposite direction. The keynote speeches at the recent Worldwide Partner Conference championing privacy and trust are completely at odds with what they have put out into the market.

Microsoft is showing a regressive discordant behaviour in their instigation of technical autonomous or semi-autonomous functions without end user engagement or consent and zero acknowledgment of the value of user data. This has all the hallmarks of a clinical ‘engineering’ approach that has somehow been running off script. One that has been recognised and fostered by other IT vendors led astray often by marketing departments hungry for data to feed their analytical engines for commercial gain.

This is a deeply worrying industry trend that goes to the heart of the privacy debate and is rightly regarded as the top of a very slippery slope in the erosion of individuals’ digital liberties and freedoms.
