LastPass is the first and only password manager extension for Windows 10 Edge in the Microsoft Store (Fall 2016). LP Secure Notes appears to use the standard Msft spelling engine and dictionaries. My understanding is that usage data from inking and typing generally and specifically including spelling is shared with Msft by default.

Q1: Is telemetry or even instrumentation a serious risk in this context? Are the Msft procedures to securely collect, transmit, and sanitize the data sufficient?

Q2: What settings have to be changed to protect the contents of Secure Notes?

Q2A: For example, is changing the Windows 10 typing settings for autocorrect, highlight, and suggestions necessary? Sufficient? Or does that only affect the display and not the collection?

Q2B: Is changing the Privacy, General setting "Send Microsoft info about how I write to help us improve typing and writing in the future" necessary? Sufficient?

Q2C: Must the "Getting to know you" setting also be disabled? Note, useful details here certainly include that doing so disables Cortana (including the Start Menu search?) and that clearing cloud data is an extra step. The difference between "stop sending" (Q2B) v. "stop collecting" (Q2C) may be relevant.

Q3: Can this even be "fixed" from the user side or does this require LastPass to modify their extension to exclude the text area (and other fields?) from spell check (similar to "spellcheck=false" attribute on a web page or defining it as a password field) and possibly other Win10 "features"?

Supporting detail would be appreciated as well as the specific steps and insight into the consequences.

An excerpt from a Microsoft response to a Lifehacker query published Aug 5, 2015, regarding privacy of "Getting to know you" and "Send Microsoft info":

This is the inking and typing function, which users can turn off at any time. Microsoft does not collect any personal information via inking or typing. It is gathered for product improvement purposes, for example, to improve the handwriting visual translation engine, or to improve the user dictionary, language library and spell check functions in Windows. The data is put through rigorous, multi-pass scrubs to ensure it does not collect sensitive or identifiable fields (e.g., no email addresses, passwords, alpha-numerical data, etc.). Data is also chopped into very small bits and stripped of sequence data so it cannot be put back together or identified. The data samplings collected are limited; Microsoft is not capturing everything you write, nor is it capturing data every time.

Source: What Windows 10's "Privacy Nightmare" Settings Actually Do

Some additional background:

Msft FAQ - Speech, Inking, Typing, and Privacy

What are the privacy and security implications of Windows Telemetry

BillR

0 Answers