ARN

Microsoft’s tin ear for privacy

The company keeps defending data-gathering features that some people don’t want instead of just making them optional

Microsoft keeps making news of the privacy front, and not in a good way.

Much has been made of the way Cortana in Windows 10 may invade your privacy by collecting data such as the words you speak and the keys you strike. Though that is disturbing to many people, Microsoft has responded by noting that Cortana needs to know that information in order to fulfill users’ requests. That’s true, but beside the point. The real issue, as my fellow columnist Steven J. Vaughan-Nichols points out, is that it’s extremely difficult, if not impossible, to completely turn off Cortana.

Another potential privacy danger is more hidden than Cortana, buried deep in Windows 10 — what’s called telemetry data. Telemetry gathers detailed information from every Windows PC, laptop and device about how Windows 10 is being used. So it tracks, for example, what software is installed on the system, what crashes occur, when and how they occur, and more. And there’s no way to turn that off, unless you use the enterprise edition of Windows 10 and your IT department essentially flips the “off” switch.

Microsoft claims there’s no need for users to worry about the privacy implications of the telemetry data gathered by Windows 10 because the company aggregates and anonymizes the data and doesn’t collect personal information such as names, email addresses and account IDs. A blog post by Terry Myerson, Microsoft’s executive vice president for the Windows and Devices Group, titled “Privacy and Windows 10” claims that the information is used to improve the reliability of Windows and applications that run on it.

But Microsoft has been called to task for the practice by privacy advocate the Electronic Frontier Foundation. A blog post by EFF staffer Amul Kalia criticizes the company not just for collecting information for Cortana, but also for collecting telemetry data. Kalia writes: “A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.”

Microsoft counters that if a PC didn’t allow this kind of data to be collected, it might not work properly. But there’s a problem with that argument: If that’s the case, why does Microsoft allow telemetry to be turned off in the enterprise edition of Windows 10? Don’t businesses care about their PCs working properly?

This brouhaha is one more example of Microsoft’s tin ear when it comes to privacy issues. For example, when Microsoft released Windows 10 last year, it introduced a feature called Wi-Fi Sense that raised privacy flags because it allowed the operating system to share your Wi-Fi passwords with others. In fact, it wasn’t really a privacy invader because no automatic sharing occurred, and the power to turn it on or off was in users’ hands. But sometimes perception is reality, and as Microsoft stubbornly defended Wi-Fi Sense, it got a great deal of unnecessary bad press along the way.

When the Windows 10 Anniversary Update was released this summer, Microsoft saw the light and killed the Wi-Fi Sense features that people worried invaded their privacy. (Though its reason may have been that few people found the feature useful.) But at the same time, it also changed Windows 10 telemetry settings so that they couldn’t be turned off. And that was a bad thing.

This is an issue that has as much to do with perception and choice as it does with privacy. I think it’s unlikely that the telemetry data Microsoft gathers is particularly dangerous and invasive. But if it worries people, they should be given the power to opt out. The EFF recommends exactly that, saying that Microsoft should “offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen.” Microsoft should take up the recommendation, if only to be seen as the friend of privacy advocates, not their enemy. It would garner the company a good deal of favorable publicity, something that’s often rare for Microsoft. And those who worry about their privacy would feel more comfortable using the latest version of Windows.