Microsoft walks a thin line between Windows 10 telemetry and snooping

There’s a mud-slinging contest underway in the tech press again, and it’s all about Microsoft’s data gathering — again.

In particular, Yusuf Mehdi’s Windows Experience post, announcing that 200 million machines had used Win10 in the preceding month, includes details about Win10 usage — 44.5 billion minutes spent in Microsoft Edge, 2.5 billion questions asked of Cortana, more Bing searches per device, 82 billion photos viewed in the built-in Photo app — that make some folks wonder how much of their own activity is now in Microsoft’s databases.

Predictably, Mark Wilson at Betanews jumped in with a question about privacy, which he sent to Microsoft, receiving the usual “no comment” reply:

Microsoft’s spying is intrusive enough to reveal how long you have been using Windows 10, but the company is not willing to be open about the collection of this data.

Predictably, Gordon Kelly at Forbes let loose with a tirade:

Microsoft admitted it not only logs its users time on Windows 10 but also their time using Microsoft Edge … and gaming … and streaming games … and counting your search queries … and every single time a user opens a photo.

Predictably, Ed Bott at ZDNet retorted:

Much of the “controversy” is being spread by dedicated Microsoft haters and clueless writers who make a living with breathless clickbait. They’re actually not interested in facts, because the controversy sells so well … this is not “spying.” It’s analytics.

As most of you know, I’ve been covering Microsoft’s telemetry and snooping for years. The situation’s become more important recently, as Windows 10 has raised Microsoft’s tracking to completely new levels — and Windows 7 and 8.1 are apparently being retrofitted, gradually and largely surreptitiously, to Win10 standards.

Here’s what I know for sure: It doesn’t matter what Microsoft’s collecting. What matters is how Microsoft uses the data.

If you’re in the Bott sphere, Microsoft collects all this information, strips away personally identifiable details, and presents the results in anonymous but enlightening aggregate. That’s at the heart of telemetry.

If you’re in the Kelly camp, you fret over the original data, the stuff that has your ID attached to it. Microsoft may count how many times people open photos in total, for example, but what about the data that says you, personally, looked at a photo of a terrorist?

I would argue that neither side has examined the overarching issue: Trust. We, as Windows customers, have to trust Microsoft to use the data it collects in a responsible way. (You get to define the term “responsible.”) Has Microsoft earned that trust? It’s a thorny question — and the answer today may not be the same as the answer tomorrow.

Kelly’s Forbes article describes the data gathering revelations as “nasty surprises.” Frankly, I’m surprised that he’s surprised. We’ve known about these shenanigans for quite some time. I’ve been writing about them for more than a year. The fact that Microsoft snoops in Windows 10 is well known. What isn’t so well known is the quantity and type of data being kept.

The retained data goes way beyond typical usage information. I, for one, was shocked to find out how much Microsoft keeps as personally identifiable telemetry entries. In the process of the Windows 10 Fall Update flip-flop, we learned that Microsoft had in its files historical settings for four security preferences — advertising ID, Background apps, SmartScreen Filter, and Sync with devices — for every single Windows 10 machine.

That should make you wonder exactly how much information Microsoft is keeping about your specific machine.

I don’t buy the lily-white portrait of Microsoft collecting data for the good of the product. Back in September, Windows honcho Terry Myerson posted a blog that says:

From the very beginning, we designed Windows 10 with two straightforward privacy principles in mind:

• Windows 10 collects information so the product will work better for you.
• You are in control with the ability to determine what information is collected.

Experiments conducted immediately after that post showed that Windows 10 was collecting data even with the myriad privacy settings turned off, and sending it to bing.com. What data? We don’t know. Microsoft encrypts everything prior to sending it to its servers, and it has yet to give a full accounting.

I also don’t buy the idea that Microsoft is throwing away all of its personally identifiable telemetry data. While we haven’t seen much advertising in Windows 10 yet — the Weather Universal app showed ads for a short time in the beta, and the advertising entries in the Start menu (Start > Settings > Personalization > Start > “Occasionally show suggestions in Start”) appear sporadically — I think it’s a fair guess that we’ll see more advertising in the not-too-distant future. Windows spotlight — a lock screen “feature” primed for advertising — could turn commercial at any moment. Cortana’s advertising capabilities are in their infancy. Will Microsoft send all of that personal info to the bit bucket, or will it be retained to help guide the new wave of advertising?

Targeted advertising may not bother you. As a Google customer for many years, over many products, I’ve grown accustomed to it. The important point is that you understand the data’s being collected. You have some control over what’s collected — Bott has an extensive article on the topic, and I wrote an overview of blocking approaches in August — but in the end, you can’t block all of it. The data’s there on Microsoft’s servers, and you can neither examine nor erase any of it.

Microsoft has made promises about some of the data, and I see no reason to doubt the veracity of its statements. For example, Microsoft says of its online services:

We tell you about things we think you’ll like. For example, we may send you email to remind you about items left in your online shopping cart. We also display advertising, and we’d prefer to show you ads you find interesting. We don’t use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to choose which ads to show you.

That’s certainly a laudable promise. But it doesn’t cover many important bases.

You can think of Microsoft’s collection of information about you as innocent telemetry data. Or you can think of it as privacy-busting surveillance. Tomato/tomahto. The important question is how Microsoft will use the data. And how much you trust Microsoft to do what you feel is right.

Kelly ends with a call to action that I believe is both fair and overdue:

Microsoft needs to come clean and state everything it tracks, exactly what can and cannot be stopped by users and why. Now let’s be clear: Windows 10 is Microsoft’s product so it has the right to do whatever it likes with it, but only after a full disclosure to customers of its practices so they can make an informed choice about whether or not they wish to be a part of this data gathering process.

Of course, the fact that Kelly made the proposal dooms it to failure from the start.