Information collected by Windows 10 at maximum privacy configuration

Question

I am thinking about installing Windows 10 on a machine. However I am concerned about the information that it actually collects. I have searched a bit but haven't been able to find what information Windows 10 actually transmits to Microsoft or their partners.

I am mainly interested in Windows 10 Professional (I know Windows 10 Enterprise gives more control) and information whose collection cannot be easily disabled, either by options or through disabling of services.

---

I have seen How does Windows 10 allow Microsoft to spy on you?. It does not answer my question, I am specifically interested in what data is actually collected; not what the documents say can be collected, and and I am only concerned about those which cannot be turned off easily through privacy settings or disabling of services. E.g. although telemetry and error reporting are part of previous versions of Windows they can be easily turned off by disabling the corresponding services without causing any problems.

Answer 1

Edit: this answer includes information beyond what the question asks, mainly about settings less then the maximum. I have made it more clear by making the key paragraph start with a bold section.

Based on my observations of traffic from Windows 10, Microsoft's privacy policy and several articles from Microsoft and Others(see below) I think that the situation is far less bleak then the other answer indicates. You can turn almost all communication off if you like, and based on both my and others observations they abide by your decisions*.

First and foremost default Windows 10 has a very similar privacy policy to IOs, OSX and Android (1,2,3). This is becoming more common as operating systems become more cloud integrated. In order to use a Microsoft account for logons, syncing between devices, email or file storage the operating systems has to communicate with Microsoft servers.

Once you have enabled all of the privacy settings* the computer does still communicate with Microsoft (4). However when asked Microsoft responded with the following:

"As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer's chosen privacy settings. This also applies to searching offline for items such as apps, files and settings on the device."

Which was consistent with the data that was being transmitted (4).

If you give Outlook or OneDrive permission they will access and upload your files. To quote:

"We collect content of your files and communications when necessary to provide you with the services you use." (3)

and

"Examples of this data include: the content of your documents, photos, music or video you upload to a Microsoft service such as OneDrive, as well as the content of your communications sent or received using Microsoft services such Outlook.com or Skype" (3)

But access to this data is REQUIRED in order for those services to function. Also in contrast to many other services Microsoft (5):

"Unlike some other platforms, no matter what privacy options you choose, neither Windows 10 nor any other Microsoft software scans the content of your email or other communications, or your files, in order to deliver targeted advertising to you."

There are still a few gotchas. If you use default settings you will leak a lot of private information, including keystrokes (see privacy policy section on Input Personalization). Also if you use Bitlocker and OneDrive you recovery key is backed up by default. Finally there have been reports of encryption keys be sent in the Full (level set by user) error reports.

A lot of people have been really beating on Windows 10 for privacy reasons. I think that this comes from two separate areas. 1. The privacy policy for the Beta and the insider version is very bad. And it did include unlimited access to local files. 2. Microsoft had never done things like this before (outside of certain issues with privacy found in Windows 8 and 8.1). However the amount of issues in 8 was less then 10. We had expected this from Google, not from Microsoft.

Will Microsoft help investigations as required by law? Yes they will. Has Windows 10, by default, traded privacy for convenience and features? Yes it has. But do they continue to invade your privacy when told not to? It appears that they do not.

*There have been reports of privacy settings being changed by bugs fairly early on in Windows 10's life cycle. Personally I believe that this was an accident as I have never written bug free software.

1. http://www.google.com/intl/en/policies/privacy/
2. http://images.apple.com/legal/sla/docs/OSX10103.pdf
3. https://privacy.microsoft.com/en-us/privacystatement/
4. http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
5. https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10/

Also please read this excellent answer: https://security.stackexchange.com/a/96727/97432.

And this one: https://security.stackexchange.com/a/129401/97432.

Disclaimer: I do not work for Microsoft or any of their partner companies. All of this is based on my own observations and the work of others. As Windows 10 changes these observations may become invalid. I compiled these on July 7, 2016. Future readers take these with a grain of salt.

Answer 2

Well, first of all; you asked for a security researcher who investigated the Windows 10 Operating System regarding this issues. I haven't investigated the operating system, and, I'm not even a certified/professional security researcher. It'd be hard for someone to actually do this, because Windows is closed source, and 'blackbox-investigation' is hard to do regarding this issue.

However, Google has banned Windows as well; for several reasons of one being security. Windows wasn't secure enough. And no security = no privacy. So if even the security researches at Google dissadvise Windows... That might say something.

So, I have based this answer on Microsoft's Terms of Service and privacy policy. The thoughts of other privacy advocates and real security researchers,...

What they collect?

To start, Microsoft collects a LOT. They said themselves that these are some of the few things they collect:

• Search queries to Bing
• Data collected from third parties (non-Microsoft)
• Error reports (Loads of these of course ;) )
• Private communication including e-mail, videochat, and voicechat
• Your personal files
• Requests to the support center
• Which applications you use and when
• Cookie-information
• Security information
• Skype data (communication, chats,...)
• ...

And that's only to mention what Windows (10) collects, you're probably also using other software from Microsoft like e.g Skype or Edge. Also they collect things about you.

Government surveillance

Obviously, this data is saved on their servers. The NSA has a program called PRISM which allows them to access all data on all the servers of big companies like Microsoft, Google, Dropbox, Facebook, Apple,... So because of Microsoft having access to it, the government as well.

They don't use it

Their favorite defense is to say "We don't use the content of e.g your mails to target ads against you" That doesn't mean you don't use it at all, and doesn't take away the problem that you store it!

You can turn it off

Yes, you can try to turn everything off, but yet there are known problems that Microsoft resets these privacy settings with each update. Besides that, if you forget one thing, your whole privacy is still messed.

Compared to other's

Okay, so hopefully you know get how dangerous it is to use Windows for your privacy. But don't do other tech-companies the same? No, not really. Yes Facebook does collect information about you, but it's a social-network, that's the whole point of it. And yes, Google logs search requests; but they don't link them to YOU specifically and it's a search engine after all. Yes Apple does also collect info about you, but again, not in extreme ways like Microsoft, Apple collects a LOT less and won't be spying on you by reading e.g your email. And also, Apple won't randomly give every data to governments, they even fight for your privacy in court.

And than we have GNU... Well ... They actually don't collect anything... GNU is known for it's freedom, privacy,...

So yes, other companies do also collect data, but not such sensitive information as Microsoft, not so personal, not necessary linked to you,... That doesn't mean, we shouldn't keep requesting more privacy from these companies.

Maximum privacy configuration

And maximum privacy configuration, they still collect a lot like you can read in the following sources. And besides that, even if you put on 'maximum privacy settings' you can't trust it. There are issues that the settings get reset, and than I'm not talking about the Sync-Settings-function. It's extremely hard (impossible) to have maximum-privacy-configuration on Windows (10). It's built in a way, that whatever you do, they DO collect data.

And besides that, it's closed source. The things I listed are those that they have told themselves. Who knows what other things they collect without telling us? Your 'privacy-configuration' doesn't protect against those things.

And after all, it doesn't mean that if theoretically you're able to disable Windows 10 spying on you, the other Microsoft services ain't. They still give e.g the NSA access to services like e.g Onedrive. So you also mayn't use any Microsoft service to keep your privacy. And what's the point of using Windows than after all? And not to mention that on Windows you sometimes even use Microsoft services without knowing.

Sources

A few sources. First of all, the one of GNU is IMHO the best.

• The privacy policy of Microsoft themselves
• GNU explaining it
• Microsoft support forum keeping quiet, and an user explaining
• The keylogger in the final release
• Metadata is also a problem
• No way to turn it off
• What are they collecting?
• They ain't collecting just for ads
• PRISM program of NSA (Just look-up Snowden)
• Sync settings explained (Also known issues with these getting reset are known)
• Microsoft leaks encryption keys
• Microsoft over-co-operating to much with intelligence agencies

Finish

To finish, I hope it's clear, that when you care about your personal privacy - like all human beings do, even those who say they don't - Microsoft products ain't the best to use.

The things I listed are those that they have told themselves. Who knows what other things they collect without telling us?

I hope it's clear, that even with those max-privacy-settings, you can't trust such a company which tries to break your privacy in any way.

And to mention, I'm not the only one warning you. Germany has warned it's civilians about Windows, because it was insecure. Snowden says Microsoft can't be trusted. Google has banned Windows for it's employees for several reasons.

Stay safe.