Microsoft’s New Privacy Tactic: (Even) More Transparency

Posted on April 5, 2017 by Paul Thurrott in Windows 10 with 42 Comments

Back in January, Microsoft finally bowed to the inevitable and said that it would become more transparent about the privacy settings in Windows 10 and in the cloud. This week, the software giant reaffirmed this direction, perhaps at the prodding of EU privacy watchdogs.

The real impetus for this week’s missive is unclear, given that it doesn’t actually provide much in the way of new information. But the fact that it was co-penned by Terry Myerson, who heads the Windows and Devices Group, and Microsoft Privacy Officer Marisa Rogers is, I think, important to note.

The stakes here are high: Since Windows 10 first shipped in mid-2015, it has come under ongoing fire for what I feel are completely fabricated or misunderstood privacy concerns. This FUD was easy to ignore because it’s so fanciful, and because Windows 10 had, and still has, much more substantive issues to worry about. But regulatory bodies in Europe and elsewhere obviously have nothing better to do than to listen to every conspiracy theory they’re presented with. And some have started warning Microsoft that Windows 10 is in violation of local privacy statutes.

This is why I noted that Microsoft has lost the Windows 10 privacy FUD war back in February. Because, real or imagined, governments like the EU are now changing the design of Windows yet again. And this despite the fact that Microsoft’s monopoly is long gone.


In any event, Microsoft is now backpedaling mightily in order to find some middle ground between the anonymous data tracking they feel they need in order to keep Windows 10 users safe and the legal requirements of the locales in which Windows 10 is sold. And the strategy they’ve settled on, very belatedly, is to be completely transparent about what they’re doing.

“Today we’re sharing three new things that will help you be more informed about your privacy with Windows 10,” Mr. Myerson explains. “We are improving in-product information about your privacy. We are updating the Microsoft privacy statement to include more information about the privacy enhancements in the Creators Update … And we are publishing more information about the data we collect.”

That latter bit is perhaps the most interesting.

According to Myerson, Windows 10 with the Creators Update will offer “Basic” and “Full” levels of data collection. At the Basic level, Microsoft will only “collect data that is necessary to keep your Windows 10 device secure and up to date.” But at the Full level, Microsoft will “use diagnostic data to improve Windows 10 for everyone and deliver more personalized experiences for you where you choose to let us do so.”

The big question here, of course, is opt-in. That is, how and where does one choose between these levels of data collection? (And for privacy fans, why isn’t there a “None” option?)

As it turns out, Microsoft provides basic UIs for choosing when you upgrade to the Creators Update or otherwise acquire Windows 10 on a new PC. There’s no real news there: We found out about all that previously.

What is new, however, is the full detailing of what data Microsoft does collect at that Basic level.

“The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store,” the Microsoft website explains. “When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.”

Likewise, Microsoft provides a detailed summary of the data it collects at both levels.

One can only assume that Microsoft believes these disclosures will satisfy the needs of regulatory bodies around the world and we can all just move on. But if I’ve learned anything from this episode, it’s that we’re never moving on. I suspect we’ll continue talking about Windows 10 privacy for years to come.



42 responses to “Microsoft’s New Privacy Tactic: (Even) More Transparency”

  1. Jaxidian

    All of this stuff gets sent back to Google, Apple, Samsung, and others. Why is Windows any different? That said, I'm not a fan of some of the stuff Windows sends back (and nags me about when I disable) - improving privacy is a very good thing to do! I just don't understand why these regulatory bodies haven't cared about data being sent back on the devices that have even more personal information on them (where you physically are and when you are there, etc)!

  2. StephenCWLL

    This is a good start but it's no substitute for allowing us to know when the telemetry is collected and being able to see a full report of the data BEFORE it is encrypted to be sent to Microsoft HQ. I'm not surprised by anything in that list.

    Microsoft don't even tell people that when you do system monitoring via the feedback hub, it's not just monitoring the issue you chose in the drop-down box, but creating a full dump of system logs to send back to Microsoft HQ. I'm not bothered by them having the data but why can't they just say first?

    • BinBinLives

      In reply to StephenCWLL:

      Bingo. My biggest issue with telemetry is not that I think Microsoft is abusing my data, but that I am not in control of the data my machine is sending out. My computer (emphasis on "my") should not be broadcasting anything to anyone that I have not specifically approved. 

  3. BoItmanLives

    More lip service. Still waiting for that Telemetry OFF option.

    This is the #1 most requested feature and complaint, and its absence alone is keeping 10 adoption stalled at 25% since 2016. If Telemetry is as innocent and benign as MS wants us to believe then prove it with an Off option.

    • TheJoeFin

      In reply to BoItmanLives:

      I doubt if this is as important as you make it out to be. Windows 7 didn't do a bunch of new telemetry so why didn't people move off XP? They don't care enough to do it, or they have some special use case and don't want to mess anything up.

    • MikeGalos

      In reply to BoItmanLives:

      Really? This one request, that any technically competent person knows is silly, is the sole reason that's blocking migration for all the base that haven't upgraded yet?

      Care to provide your source for that claim?

    • tboggs13

      In reply to BoItmanLives:

      First, market share is slowly but steadily growing. Where you live depends on the market share. In North America, Windows 10 is already the dominant version of Windows. More than Windows 7 by a few percentage points and the gap is increasing every month.

      Second, many might list it as one of their concerns, because they scanned a headline somewhere, but there is no way a significant number care at all. If they cared, Windows 10 should be the least of their worries.

  4. RonH

    I doubt that most people know what telemetry is

  5. Waethorn

    Is it just me, or are people seeing systems with high CPU usage for something they call "Compatibility Telemetry" lately? I've seen more than a few systems where they're completely unusable because that background process is grinding away for hours after boot-up.

  6. jrswarr

    Given the stink Microsoft gets on this - I am surprised that there wasn't some massive march on Washington over the repeal of the broadband privacy rules. Microsoft has valid reason to collect much of this telemetry - The only reason that Verizon wants this stuff is so they can sell it.

    Quit worrying about Microsoft selling your personal info - the ISPs are about to have a field day - and there isn't a thing you can do about it.

  7. hrlngrv

    Playing Devil's Advocate, why would MSFT need to collect any data with regard to the Windows Store? Windows 10 can't work without Windows Store apps?

  8. Dan

    Lol, damn. Look at all that info that is collected. That is a fingerprint! And Paul thinks it's no big deal, just look away.

  9. Darmok N Jalad

    Google now also provides more information about what they collect in the dashboard. I bet most people have no idea it is there, but for the people that ask about privacy, they can at least see something. It may not be entirely complete, but saying nothing about what you're collecting is the best way to fuel paranoia. MS should have been ready for this from day one, but they struggle so mightily on external communication. It's always too late and too corporate.

    • BinBinLives

      In reply to Darmok N Jalad:

      Good point. Google has also always been upfront that user data gets collected for advertising. With Microsoft it's just been the typical wall of corporate silence.

      Google also provides free apps with demonstrable value. In Windows 10 I have not found any value over Windows 7 - it's all mobile-oriented crapware. And Windows 10 is a paid retail OS. I understand all the automation if Windows was indeed free, but it wasn't. I paid for an OS license, not a "service" like Netflix.

  10. BinBinLives

    Still no OFF button. Sigh.

  11. chaad_losan

    The truth is the only people who care about this are geeks and governments. The average person has no clue whatsoever that any of this exists. Nor do they care. They have much bigger things to worry about, like paying rent, buying food, getting their children to school on time, seeing their doctor, getting refills on medication. Their computer phoning home with telemetry data is down there wanting to clean out the cat box.

  12. brettscoast

    This is clearly a work in progress; the benefits of keeping your PC up-to-date and running problem-free are uppermost in their minds. I welcome any transparency from Microsoft, but keep it simple; less is more.

  13. RobertJasiek

    To provide the promised transparency, Windows must provide a plain text log file of the data to be sent, at the very least for the Basic level. Simple!

    • TheJoeFin

      In reply to RobertJasiek:

      I wouldn't want that. It would make it way too easy for some malicious program or something sniffing the network to get all the info. I'm okay with Microsoft having that information but not everyone.

      • RobertJasiek

        In reply to TheJoeFin:

        What is your problem with a log file residing in plain text on your own computer with system file access rights? Malware being able to read that file can also read all your personal files on the computer. The thief wants your personal data rather than the log file! For your pleasure, the log file being in transfer can be encrypted. So what is your problem? That your computer already has malware on it? This can't be your reasoning.

        • MikeGalos

          In reply to RobertJasiek:

          Known data (which could otherwise have been transient and discarded) in a known format at a known location is a lot more risk than the attacker having to recreate that data.

          • RobertJasiek

            In reply to MikeGalos:

            Such as your own files, various other Windows log files, large parts of the registry and the event manager's log. By your argument, you would want to get rid of all of that. Your reasoning does not make sense. Regardless, like for other log files, there can be the option to let Windows (not) create it at all.

            • MikeGalos

              In reply to RobertJasiek:

              So, you're agreeing that adding an extra file in a known location with a known format capturing transient data is an increased risk. Good.

              As to the 'option' to say 'no telemetry', of course you'd swap that for saying you will never ask for support or complain about bugs your telemetry would help find and not whine when your particular way of using a UI is deprecated because nobody knows you use that method rather than the more common one (things like ctrl key combos or alt key combos or double click actions). Right?

        • TheJoeFin

          In reply to RobertJasiek:

          There are things that Microsoft can do to make Windows and their users a bigger target or a smaller target. The less unencrypted system log files sitting around a system the better.

  14. rameshthanikodi

    The list of data they collect is legit as hell. And as 100% expected, it's all system telemetry and zero user-identifiable or compromising data. I don't know how much more transparent they would need to be after this to make people Shut The F*ck Up.

    • Waethorn

      In reply to rameshthanikodi:

      Let people see what the telemetry data actually is, and maybe people will shut up. But they won't. So the argument is always "what does Microsoft have to hide in the data they collect about you?".

      • rameshthanikodi

        In reply to Waethorn:

        Go there, look for the data you're so desperate to control, and then search for it in the Event Log, and then smile about how it's a bunch of gibberish about your system's health and nothing to do with you.

    • BMcDonald

      In reply to rameshthanikodi:

      It's only "legit" if you believe the data MS is listing is what is actually being submitted.

      Until I see a huge "OFF" button or the ability to create a plain text file (on demand) of ALL telemetry data that would be part of a standard submission - this entire "transparency" effort is just another load of crap - positioned to make people believe MS is actually being legit.

      • rameshthanikodi

        In reply to BMcDonald:

        I believe it. If you don't, that's your loss, and really, it's your problem. All Microsoft can do is to tell you what they collect, and they've done that.

        You don't get a plain text file of the data Google, Amazon, or Facebook uses to target ads at you either. And those are actual personal information, not system metadata which is what Microsoft is collecting.

      • FullyLoaded

        In reply to BMcDonald:

        Well if you don't believe they are telling the truth now then why would you believe the "OFF" button actually works if they provide it?

  15. navarac

    Please remember, Paul, that though they like to think they are, the EU is not a "government".

    • Thomas Parkison

      In reply to navarac:

      The European Union is trying to be like the United States of Europe but it ain't working out so well.

    • Paul Thurrott

      In reply to navarac:

      That is semantics. It is very much a government in the sense that it takes on governmental roles at a super-country level.

      • RobertJasiek

        In reply to Paul Thurrott:

        The EU shares power in a complicated manner. E.g., the Commission is a) executive but not exclusive and b) exclusive initiative legislative but not adopting legislative. E.g., the European Council (not to be confused with the Council of the EU consisting of ministers) is executive. Hence the EU had more than one body that is executive. None of them is an exclusive government. All of this is not linguistic semantics but a system of checks and balances.

    • Bob25

      In reply to navarac:

      The distinction is hardly relevant in this case for Microsoft.

  16. edboyhan

    I have no problem with Microsoft's telemetry policies.

    I took a look at the TechNet article where the "basic" info is described in detail. The format as laid out in the article has some of the feel of the system event log in that it details items collected along with the events that trigger their collection. While the information is less than what was collected previously, the document is many pages long. The descriptions of what is collected, and why, are very low-level. Obviously, not everything specified is collected all the time -- a lot of items are only generated at system install time.

    Since the information is voluminous, and very low level, it is not possible for me to decide what the privacy implications of the "basic" level may be. I am sure there are those out there that will be able to ferret out those implications, and I am sure that there will be those that will scream loudly that their privacy is being despicably invaded.

    At a high level it appears that MS is attempting to build a picture of the H/W & S/W (including apps) picture of all W10 users' configurations, and any significant events that will assist in error diagnosis.