No, Microsoft is not spying on you with Windows 10
Buy tinfoil futures.
I'm dead serious. There is apparently a growing and very vocal population of people who believe that Windows 10 is basically a 1984 telescreen come to life. They are convinced that with Windows 10 Microsoft has built a spying apparatus not seen since the height of the Cold War, scraping up every detail of your life and feeding it back to Redmond for who knows what nefarious purposes.
They're going to need lots of tinfoil.
They're also either wildly misinformed or deliberately agitating. Unless, of course, they're just crazy, which is entirely possible based on some of what I've read.
But most importantly, they are wrong, terribly wrong. And they're being whipped into a frenzy, or at least passively aided by the tech press. That group unfortunately includes ZDNet, which earlier this week unquestioningly repeated this incendiary allegation, posted on Reddit by someone who claims to be affiliated with an obscure torrent tracker, iTS:
Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy company [sic] called MarkMonitor. Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers.
That's not true. It's wildly at odds with the facts, even. I keep tabs on a handful of well-established torrent sites, orders of magnitude larger than the ones complaining here, and none of them seem to have a problem with Windows 10.
There's literally no basis for that statement in fact. And yet you read it here. And on dozens of other sites, unfortunately, where a single lie gets repeated often enough to seep into the collective unconscious.
The bizarre belief that Windows 10 is a spying tool keeps popping up among conspiracy theorists. Via email, a reader sent me a link to this rant by an alternative medical practitioner who apparently is also an expert on the law and IT:
Windows 10's new license agreement ... gives Microsoft permission to Hoover up every particle of data on a doctor's hard drive. This will include any confidential patient-doctor emails that are stored there, any reports, any bills, and any short notes to staff through intra-network messaging (for example: "Spoke to Tom Mypatient today re gender dysphoria and desire to transition to female. Pls follow up with referral.")
No, it doesn't, doc. Here, take a sip of this calming tea and let's talk, OK? And let's get that torrent dude in here, too, because he needs someone to explain what's really going on.
Both of these poor benighted souls and a bunch of other people just like them base their belief on a paragraph from Microsoft's new, unified privacy policy. The clause lists the conditions under which Microsoft "will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders)..."
That narrow list of conditions includes legal demands, like search warrants and subpoenas and (presumably) National Security Letters, as well as actions necessary to "help prevent the loss of life or serious injury of anyone" or to stop attacks on Microsoft's services.
And those terms only apply to content stored online using Microsoft's services. Here's the earlier part of that agreement, the one that defines the content covered by that clause. This section of the agreement is apparently blocked by tinfoil and invisible to the Microsoft-is-spying brigade:
We collect content of your files and communications when necessary to provide you with the services you use. This includes: the content of your documents, photos, music or video you upload to a Microsoft service such as OneDrive. It also includes the content of your communications sent or received using Microsoft services...
So yes, if you send and receive email using Microsoft's consumer services or store files in OneDrive, there's a risk that a court could issue Microsoft a subpoena compelling them to hand over that information. (Pro tip: Microsoft offers Office 365 for Health, which provides cloud services and HIPAA compliance for medical professionals who care about that sort of thing.)
But there's no risk that Microsoft is gathering the contents of your local hard disk and sending it to anyone. Zero.
Microsoft is under a microscope, constantly, with its every move examined by security experts and privacy advocates. Windows 10 has been available in preview versions for nearly 10 months and in a final version for roughly six weeks, since build 10240 was released in mid-July.
You'd think if those 75 million hard drives were being scoured someone might have noticed. But so far, no word from anyone who actually knows how to use a network analyzer. Because it's not happening.
In fact, the specific terms that the good doctor was complaining about are completely unremarkable. Any company that offers modern computing services has nearly identical language in its privacy agreement. Compare these snippets from the Google, Apple, and Microsoft privacy statements:
It is certainly true that Windows 10 relies on online services to a much greater degree than previous Windows releases. That's the way of the world, especially one in which a billion people carry around devices that literally track their every movement around the world and report them to global telecommunication companies.
We expect personalized services. We expect relevant search results. We expect the devices we use daily to get smarter and more useful over time. We expect them to understand us despite our accents when we use speech-enabled features. We expect bugs in software and services to be fixed yesterday.
All of those goals require that customers willingly share information with the companies providing those services, with a corresponding commitment from the recipient of that data to guard it carefully and use it only for its intended purposes.
After carefully reading the Microsoft Services Agreement, the Windows license agreement (English, retail), and the Microsoft Privacy Statement carefully, I don't see anything that looks remotely like Big Brother.
I'm also not hearing a single peep of complaints from people who actually set up and run business networks, because they understand how utterly normal those privacy terms are in 2015.
If you're running a small doctor's office and are subject to HIPAA governance, I hope you're not buying consumer PCs from Walmart and plugging them into your office network and just hoping for the best. I also hope you're not relying on some angry chiropractor to tell you how to set up your network. Any business that cares about security, either because they're run by good people or because they're mandated to do so by law, should have an IT pro setting up their communication systems and their infrastructure.
If you don't understand that, I'm not sure even tinfoil can help.