Windows 10 – privacy issues
Windows 10 launched on 29 July 2015 with 14 million devices reported to have since adopted the new operating system (OS). However, a close inspection of the OS revealed a number of privacy issues due to the data reporting systems that are on by default.
These data reporting systems send large amounts of user experience and OS usage information directly to Microsoft, which argues this is used for bug reporting and system improvement.
This type of reporting is not new – Microsoft has been collecting such data since Windows XP. However, unlike Windows XP, the data collected is not just for error reporting and users have less control over what is sent. It has been discovered that much of the data relates to the development of personalised advertising for the Microsoft Store, and possibly other uses will be found as time goes on.
For law firms and clients alike, this poses a number of privacy issues as Windows 10 begins to gather information automatically for delivery to Microsoft’s Cloud as well as potential third parties.
This article will explore the issues and give some tips on how to protect your information if you have chosen to implement Windows 10.
By default, Windows 10 is given permission to collect data. The range of data collected includes, but is not limited to, typing, search queries, drive usage, crash reporting, contacts, calendar information, store browsing preferences, error reporting, and a host of other data that relates to how and what you do with your computer. This information is gathered and periodically sent to Microsoft to be used in anything from targeted advertising to reporting.
Microsoft’s stated reason for data collection is to enhance the user experience. However, this is questionable based on some of the reports already finding their way onto the internet from various industry experts.
One such example was a post from Cory Doctorow on Monday 10 August 2015, where a client reported to him that, following an upgrade of his 14-year-old’s PC to Windows 10, he was provided with a weekly activity report sent to his email showing his son’s usage.
The report detailed what websites the 14-year-old had visited, how many hours he had used the PC, and a breakdown of how much time he had spent using his favourite applications. This was of great concern to the parent who considered that he was spying on his son due to the level of detail that was included in the report. After testing, it was found that every family member/user set up on the PC had the same level of activity reporting.
This level of reporting is on by default unless the installer manually opts out by forgoing the express installation and choosing their privacy settings.
This approach to privacy is questionable in light of Principle 3 of the Privacy Act 1993. As Principle 3 outlines, an agency that collects information from a subject is required to confirm that the person is aware of what data is being collected and how it will be used. This is obviously not going to happen where a person purchases a Windows 10 device that has Windows 10 pre-installed, as there is no warning dialogue box to check or any other agreement that confirms the user is happy for this information to be collected, sent, and used. Neither will users be adequately aware if they were to allow Microsoft to upgrade their PC to Windows 10 and used the express install option.
There is no information on how data will be used once collected and no easily obtainable information on how to disable the sending of the data. Some functions of the OS even provide a warning dialogue that the OS may become unusable if some of this data is not collected and, due to this, many keep the function enabled.
While it is generally accepted that Microsoft and others collect data for the Cloud and error reporting, the law requires that the information collected is only used for the purposes for which it is collected. I argue that the level of data collection goes far beyond this purpose. Further, I argue that even if the data is used for the proposed purpose, users have a right to decide what, when, and how the data is collected or to opt out of that collection.
This comes in the wake of Microsoft fighting a losing battle against US courts to protect client data held on servers in Ireland (Microsoft v United States of America), where the courts contend that all emails relating to an account held on Microsoft’s data centre in Ireland must be handed over.
If Microsoft now has the ability to collect and retain data from all over the world then, arguably, it has a duty to protect that data. Based on the ruling of this recent case it is unclear whether Microsoft can do so. There is an argument that the collection of data without informed consent, knowledge of what is collected or how it will be used, defies the principles of privacy in New Zealand and may see data being released to US courts or others that a law firm is under a statutory duty to protect.
How to disable functions
A number of issues arise for the protection of user data when implementing the new Windows 10 OS. In order to assist in mitigating the data collection, I have outlined some tips to reduce the amount of data collected and revert the OS back to a more anonymous reporting system.
First, do not use the express install, even if you are upgrading, as this will result in all data retention and sending policies being enabled by default. Instead, choose “custom install” from the small button hidden near the bottom and turn off all sliders for “personalisation”, “typing and linking data”, and “letting apps use advertising ID and location”.
Next, turn on the slider for “browser and protection” and “use page prediction”.
Turn off the slider to “automatically connect to hotspots” and turn off the slider to “connect to networks shared by contacts”. This has particular implications if a hacker uploads to your contacts and enables a malicious Wi-Fi hotspot.
In addition, when creating a user account, do not log in to a Microsoft account. This account is stored on the Microsoft Cloud and acts as a hub for snapshotting your data. This system also syncs information between the Cloud and your PC applications, such as contacts and calendar to name but two, resulting in all information being retained and stored on the Microsoft data centre and subject to release. A better approach is to have a local account so that data becomes individualised to your local machine, and to transfer to the Cloud only the information you wish to be stored and about which you would have no privacy concerns if it were released. While this may limit some of the OS functionality, these should be functions which a PC in a law firm does not require.
Now you can complete the install and move to the next section.
Once the install is complete, or if you have already installed, follow these steps to better protect your privacy:
Access the privacy settings window by clicking on the Windows icon on the bottom left of your screen and then click on “Settings”; then click “Privacy” in the window that appears. Here, you should disable the advertising ID, if not already disabled. The smart screen filter is safe to keep enabled so feel free to do so, but disable all other settings.
Next, choose the “Location” tab and disable your location, if not already disabled. In New Zealand, these settings do not yet work, but it is better to disable these for the day when Microsoft extends the network into New Zealand.
In the “Speech, inking and typing” section, disable all functions. Yes, this will disable “Cortana” (Microsoft’s version of a voice-activated assistant, similar to “Siri” on iPhone) and you may wish to enable some aspects. However, enabling this will re-enable the typing, text and speech information sharing you disabled above, so activate with caution and be warned that your data will once more be regularly sent to Microsoft.
The next tab is “Account Info”. Here, you should disable “app access”. By doing so, you will be able to choose the apps you wish to allow access to your information. Note that some apps, such as contact and calendar applications, may fail at first try due to the default denial of access and will require you to come back to these settings and approve the app’s access before it will function correctly.
For users using Microsoft Office, disabling this function will not affect the contacts or calendar within Outlook, as this setting is only for applications from the App Store.
The final section in this menu is the “Feedback and Diagnostics” tab. Here, set the feedback frequency to “never” and the diagnostic and usage data to “basic”. The “disabled” option is not available to non-enterprise users, but by setting the slider to basic, testing has revealed that the OS now falls back to the anonymous reporting mode and no longer sends usage data from each account.
On a personal note, I also disable the running of store and Xbox applications in the background, which further protects against store and Xbox applications accessing personal data that is sent to Microsoft for analysis for advertising etc.
Next, click the Windows button and just start typing a few letters of the word “Cortana”. Even though you have no text box, the “Start” screen will be replaced by a grey search window that shows Cortana and search settings. Click “Cortana and search settings” to reveal Cortana’s settings pane (you can also click on the cog icon if shown in your menu).
Set the toggle to “off”. It is usually already disabled for New Zealand because Cortana is not available in our region, but check to make sure, as data will still be sent for the day it becomes available.
A final note is that while this will help to better protect privacy in Windows 10, it does not cover every possible data-sending policy. If you are concerned, it is recommended that you call your IT person and have them make the necessary changes to the group policies and registry to prevent any data moving out of your control.
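As an added example, not part of the original article, the following read-only PowerShell audit shows how an IT person could check whether Group Policy registry values corresponding to the settings above are in place on a machine. The registry paths and value names are Windows policy locations that the article does not give; settings changed only through the Settings app are stored elsewhere and will show here as “(not set)”.

```powershell
# Added example: read-only audit, makes no changes to the machine.
# Registry paths and value names are Windows Group Policy locations that are NOT
# given in the article; verify them against the policy documentation for your build.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
$checks = @(
    @{ Setting = 'Advertising ID disabled';           Key = "$pol\Windows\AdvertisingInfo";
       Name = 'DisabledByGroupPolicy';          Want = 1 },
    @{ Setting = 'Location disabled';                 Key = "$pol\Windows\LocationAndSensors";
       Name = 'DisableLocation';                Want = 1 },
    @{ Setting = 'Speech, inking and typing off';     Key = "$pol\InputPersonalization";
       Name = 'AllowInputPersonalization';      Want = 0 },
    @{ Setting = 'App access to account info denied'; Key = "$pol\Windows\AppPrivacy";
       Name = 'LetAppsAccessAccountInfo';       Want = 2 },   # 2 = force deny
    @{ Setting = 'Feedback prompts off';              Key = "$pol\Windows\DataCollection";
       Name = 'DoNotShowFeedbackNotifications'; Want = 1 },
    # 1 = Basic; 0 (Enterprise only) is stricter, so anything at or below 1 passes.
    @{ Setting = 'Diagnostic data Basic or lower';    Key = "$pol\Windows\DataCollection";
       Name = 'AllowTelemetry';                 Want = 1; AtMost = $true },
    @{ Setting = 'Cortana off';                       Key = "$pol\Windows\Windows Search";
       Name = 'AllowCortana';                   Want = 0 },
    @{ Setting = 'Auto-connect to hotspots off';
       Key = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config';
       Name = 'AutoConnectAllowedOEM';          Want = 0 }
)

function Test-PrivacySetting {
    param([hashtable]$Check)
    $actual = $null
    try {
        $actual = Get-ItemPropertyValue -Path $Check.Key -Name $Check.Name -ErrorAction Stop
    } catch {
        # Key or value missing: nothing is enforced, so Windows uses its default.
    }
    $ok = $false
    if ($null -ne $actual) {
        $ok = if ($Check.AtMost) { $actual -le $Check.Want } else { $actual -eq $Check.Want }
    }
    [pscustomobject]@{
        Setting   = $Check.Setting
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected  = $Check.Want
        Compliant = $ok
    }
}

$results = $checks | ForEach-Object { Test-PrivacySetting $_ }
$results | Format-Table -AutoSize
'{0} of {1} settings enforced' -f @($results | Where-Object Compliant).Count, $results.Count
```

A value reported as “(not set)” means no policy is enforcing that setting, so the per-user choice made in the Settings app (or the Windows default) applies.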
Windows 10 provides a range of new features and stability that will be beneficial to both law firms and clients alike, and this article is not meant to discourage its use. However, there are a range of serious privacy issues with data retention and reporting to Microsoft. It is imperative that firms check their installations to make sure their data remains private and within the compliance requirements lawyers have under New Zealand law.
While this article provides information about protecting such data, it is not yet clear just how much data can be prevented from being sent. Firms may wish to see this as a cautionary sign before they rush out and upgrade. As a final disclaimer, the tips to aid you in the DIY solution set out in this article are a first step only and cannot guarantee anonymity. It is recommended that advice is taken from your IT support staff to maintain your privacy and that of your clients.