Windows 10 was released on July 29, 2015. Since then, over 200,000,000 users have upgraded across 190 countries, one fifth towards Microsoft’s goal of a billion users in two years, and by far, the largest software upgrade performed in parallel in history. (Microsoft Blog)
Microsoft set lofty goals for how Windows 10 would work. Windows 10 would be the last “version” of the operating system to be offered. (Forbes Magazine)From this point forward, Windows 10 represents a level of functionality, enabling the computer, offering responsiveness, and anticipating the wants, needs and desires of soon to be a billion users.
To achieve this, the operating system no longer represents a static set of capabilities. Microsoft has been designing a “live” operating system for years, incorporating the lessons learned over the years, along with the growth of the connected internet, and combined these to develop Windows 10 around the idea that the operating system is no longer a static thing, but is an evolving interface between the user, the hardware, software and the internet. Microsoft has positioned this as Windows as a Service. (Tech Radar)
Microsoft Windows 10 “with the most secure Windows ever.” Copyright Microsoft Corporation 2016 http://microsoft.com
About SafeView
The SafeView Research Report is intended to give you a snapshot of technology risk management issues. SafeView is a reliable source for automated risk, threat and vulnerability data, and advisory services to help you mitigate and remediate issues.
Microsoft Windows, v1, November 1985, Copyright Microsoft Corporation, http://microsoft.com
To offer an operating system as a service, Microsoft had to offer a very flexible operating system, one that can tolerate a wide spectrum of hardware already in existence. They had to develop systems that collect information, patterns, interactions with users, and allow the interface to adapt, recommend changes, and make the experience of using a computer legendary, exciting, and rewarding. (Microsoft)
Windows 10 Desktop, July 29, 2015, Copyright Microsoft Corporation, http://microsoft.com
After making an operating system that was amazing in its ambitions, and in the fact that they did actually deliver, they added something else. As of the early access releases, users were informed of the system integrated into Windows 10 to collect telemetry, clicks, usage models, search, system performance and send that all back to Microsoft to make the final product better. Telemetry for Beta or Early Access software seemed acceptable. Users were warned, and were well aware that information was being collected. (Forbes Magazine)
Windows 10 Technical Preview EULA, Copyright Microsoft, http://microsoft.com
Windows 10 upgrade, http://microsoft.com
Users started getting icons on the Windows start bar, allowing them to reserve their free copy of Windows. Microsoft worked hard to maintain a smooth upgrade experience for everyone. The 6GBs of operating system were downloaded quietly in the background. When ready, the users were given the opportunity to start the install. A few reboots later, and Windows 10 was installed. In the event that users did not like the upgrade, they would be allowed 30 days to roll back to the old operating system.
Within two months, a hundred million users had installed Windows 10. (Microsoft Support)However, the turmoil for Microsoft had just started, as researchers found that Microsoft had not removed the telemetry debuted within the Early Access Release. Rather, they just stopped telling users about it, but collected more information for production users than had even been done for the testers. Microsoft defends their need for this data. They assert that they require lots of detailed user information to allow the operating system to dynamically evolve and serve the needs and desires of a user. Herein lies the problem, as their answer seems incomplete and disingenuous.
Privacy vs Convenience, Copyright EMC, http://emc.com
Privacy versus Convenience
Why would it collect this data? A Scroogled campaign video, where Microsoft seems to accuse Google of exactly what they are doing with Windows 10.
Advertising revenue? Microsoft’s data collection includes creation of very specific preferences and an advertising user ID, where they can send customized content to a user’s desktop, I doubt for free.
Windows 10 Advertising ID, http://microsoft.com
Microsoft is a big company with customers and stockholders to satisfy. They had a huge misstep with VISTA, an needed to get things on track. The company business policy is moving to the cloud. Netscape did it in 1994, Google did it in 1995 along with Yahoo, ebay and Amazon. Sun Microsystems had an office suite that ran in the browser in 1997. Google has had a formidable office suite as part of their Apps for Business for a long time now. With the release of Office 365 and Windows 10, Microsoft is making clear the fact that they have to embrace the “cloud”. To do this, information is valuable, and user experience is paramount.
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith that doing so is necessary to protect our customers or enforce the terms governing the use of the services”, Microsoft said in its recently updated new terms of services agreement. (Ars Technica)
I do not doubt that Microsoft is collecting very granular details about software and hardware issues in order to increase reliability and performance. However, they are also harvesting all voice commands and typed search commands, and all URLs and much content entered through the Edge browser. So, Microsoft is making the OS work better for a user, and even improving the video driver on a new computer, and pushing the fix rapidly. It is the other stuff that gets a little intrusive. Capturing all searches, typed and voice, uses of the browser, starts to look like marketing material. So, Microsoft claims that much of what they collect is not used for ads, but some is. So, they are also collecting email content, pictures, file names, contacts and more. While they claim that this information is not used for marketing, it is also “anonomized”. They claim that they do not collect personally identifiable information from the computer. However, this counters the collection that was done for the Early Access Release, and other sources that seem to indicate that Microsoft is collecting much more than they readily admit to. Just within the privacy agreement, they confirm that they collect a user’s email address, and in iterations of the agreement, actually assert ownership of collected data and rights to share it.
Users want an operating system that works, an internet experience that is enjoyable, and hardware that functions as expected. Windows 10 is a very sophisticated operating system, far evolved from the Windows XP that we all maintain fond memories for. However, in this new world, the Windows 10 user is potentially trading private information, private activities, in exchange for convenience. (Tech Times)
Microsoft Logo, Copyright Microsoft Corporation, http://microsoft.com
Compliance with regulators, stockholders, clients and patients
The problem at this point is not that Microsoft is collecting data. Rather, the problem is that Microsoft won’t provide a clear answer, transparency and a chance for objective review and ongoing audit. While individual users may sacrifice some unclear information collected by Microsoft in exchange for a fast computer that gets to Internet and email, it is different when there are compliance issues.
Large enterprises have internal senior management that needs to be aware of information that is being collected, how, how often, and how it is being used. It is not enough to just turn it off without a clear way to review that it has turned off. A large organization has information distribution issues, potential privacy issues within certain countries and from country to country around the world.
Lawyers need to insist on reviewing every bit of data collected within their firms, and have the opportunity to share the data, redact private information, or disallow it all, upon review.
Healthcare providers, governed by HIPAA, need to attest to certain data management and protection practices. Without being able to absolutely confirm what information is collected, from where, and sent to where, healthcare providers are at a drastic risk for HIPAA patient privacy issues.
The reality of what is collected
The information that Microsoft collects within Windows 7, 8.x and 10 is obfuscated through a myriad of ports and communications channels, and encrypted carefully. Microsoft has stated repeatedly that the information is anonimyzed, but collected to improve the Windows user experience, and also to improve the performance of the operating system.
Lets look at the information that Microsoft probably has, and what they can do with it
While data collection individually within the Telemetry and CEIP of Windows may not be coupled with Sensitive Personal Information, a few examples show how this information is at Microsoft’s fingertips.
10 workstations, encrypted NAS device for medical content, cloud based medical management system for patient information, pictures, medical history and electronic billing
– Machines running Windows 7
– New machines running Windows 10 from vendor
– Systems patched with recommended and critical updates
Microsoft has access to
Usernames and password for cloud medical management system
Access to filenames for content stored on NAS
Access to all replicated content accidentally stored on OneDrive
Unsecured access to critical and secure patient medical data
Based on the information schema above, any medical office running any supported version of Windows, even the enterprise version, may have violated patient privacy, and needs to disclose this based on HIPAA requirements.
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.
100 workstations, 5 Windows servers, 5 NAS devices, 1 encrypted NAS device, hosted Sharepoint, local practice management system, cloud based matter management and time management software, corporate law, medical malpractice, social security benefits, retirement planning,
– Most machines running Windows 7 Enterprise
– Partner laptops running Windows 10 Enterprise
Microsoft has access to
Usernames and password for matter and time management system
Access to all client content stored directly on Sharepoint, or mapped to local network via VPN, but linked within Sharepoint
Unsecured access to critical and secure client medical, financial and business data
Biometric data
Based on the information schema above, any law office running any supported version of Windows, even the enterprise version, may have violated client privacy, and needs to disclose this to clients, based on the American Bar Association.
Generally when we use the term “data breach” (also known as “information security breach,” “breach incident,” and “data security breach”), we are talking about an event that releases the personally identifiable information (PII) of an individual without that individual’s consent or knowledge. PII is usually defined as being composed of name, address, and some combination of the following:
Date of birth
National and state identification number (in the United States this means Social Security Number and driver’s license number; in Canada this means Social Insurance Number and driver’s license number)
Account numbers for credit card or debit cards
Passwords and codes
Biometric data (e.g., fingerprints)
“Trust, but verify”, President Ronald Reagan said to Mikhail Gorbachev, December 1987 in Washington, DC for the INF Treaty signing.
Summary
According to Wikipedia, a Trojan horse, or Trojan, in computing is any malicious computer program which misrepresents itself to appear useful, routine, or interesting in order to persuade a victim to install it.
It is impossible to comply to privacy policies with Windows 10 without a few changes. A policy defines generally what information is shared internally, is protected, how the information is moved, using what means, and how this is verified in practice. Doctors, lawyers and CISOs at global organizations have the same issues.
While they all have policies and high level ideas about how private data will be kept private, and what information that is not private can be shared, there has to be a way to validate this. Windows 10 users need a way to review all the data collected, monitor it for personal objections, or violations of defined policies, and from there, refine internal audit and compliance management procedures.
It is not that we don’t believe Microsoft when they say that they are not collecting personally identifiable information, and that they won’t do anything bad with it, we just don’t have enough information to make an objective judgement. Business and personal users need the ability to confirm that the data collected is within the scope of the privacy agreement, and within scope of agreements professionals have with regulators, licensing organizations, insurance providers, stock holders and business partners. For Microsoft to resolve this going forward, they will need to actually embrace transparency completely. Allow people to review the collected data, and earn credits to upload the data, as they choose. The way Microsoft is doing it now only confirms suspicions that they are only telling us what we want to hear, and they are not willing to prove it.
