EFF rips Microsoft for "blatant disregard of user choice and privacy" in Windows 10

In a signed editorial, a staffer from the Electronic Frontier Foundation has blasted Microsoft for its aggressive Windows 10 upgrade program (now ended), and also criticized its privacy defaults.
Written by Ed Bott, Senior Contributing Editor

Concerns over Microsoft's privacy practices aren't going away.

In a blistering editorial, the Electronic Frontier Foundation has criticized Microsoft's strategy for rolling out Windows 10.

The EFF, a nonprofit 501(c)3 organization that bills itself as "the leading nonprofit organization defending civil liberties in the digital world," accuses Microsoft of "disregarding user choice" in its year-long free upgrade campaign for the new operating system.

The author of the signed editorial, Amul Kalia, also accuses Microsoft of disregarding user privacy. "By default," Kalia writes, "Windows 10 sends an unprecedented amount of usage data back to Microsoft...."

The editorial is especially critical of Microsoft's telemetry collection:

A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn't explained just how it does so. Microsoft also won't say how long this data is retained, instead providing only general timeframes. Worse yet, unless you're an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there's no way to opt-out of it. [emphasis in original]

"The tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious," the editorial says. "Time after time, with each update, Microsoft chose to employ questionable tactics to cause users to download a piece of software that many didn't want."

In an emailed statement, a Microsoft spokesperson responded:

Microsoft is committed to customer privacy and ensuring that customers have the information and tools they need to make informed decisions. We listened to feedback from our customers and evolved our approach to the upgrade process. Windows 10 continues to have the highest satisfaction of any version of Windows.

The Microsoft statement included links to the company's privacy policy, to a separate "Windows 10 and your online services" page, and to a September 2015 blog post, "Privacy and Windows 10."

The post's author isn't a member of EFF's legal staff. Kalia's bio identifies him as an Intake Coordinator, an EFF staffer with two years of experience whose role is to work with lawyers and activists in identifying issues that are "worthy of advocacy - especially when legal action is not necessarily the best approach."

The timing of the post is odd. If the issue of aggressive upgrades is really worth addressing, that section might have had a greater effect months ago. As of today, the Get Windows 10 program is over and there is no indication that any other Microsoft projects are engaging in the same tactics.

The EFF's characterization of some Windows 10 features is also incorrect. For example, the editorial says most of the data collected is used to power Cortana, and it criticizes Microsoft for not giving users a choice before collecting that data: "[M]any users would much prefer to opt out of these features in exchange for maintaining their privacy."

In reality, Cortana's feature set requires opting in. If you never click in the Cortana search box, or if you decline the consent request when it's offered, none of that personalized data is collected. See for yourself.

On the left is what a user sees when using Cortana for the first time in the Windows 10 Anniversary Update:


Left: Cortana default Right: Cortana consent request

Clicking "Cortana can do much more" opens the consent screen on the right. Arguably, "No," would be clearer than "Maybe Later," but still, this is unquestionably an opt-in process.

The EFF's criticism of telemetry collection also faults Microsoft for setting the default to the highest level and for offering the "no telemetry" option only to enterprise customers. The aggressive default is indeed worthy of criticism, but limiting the fourth level to enterprise customers has a sound technical underpinning: Some basic data collection is absolutely essential for Windows Update, a critical security feature, to work properly.

Microsoft can't deliver security updates, bug fixes, and driver updates to a device without knowing some information about the hardware and installed software on that device. Enterprise customers can work around this issue using management tools like Windows Server Update Services, which aren't available to consumers.

The EFF also acknowledges that some media criticism represents "misinformation and hyperbole," with a link to my article calling out a particularly terrible example from Forbes.

Still, the fact that a highly regarded organization like the EFF is weighing in on this issue is a sign that Microsoft has, at a minimum, serious trust issues.

Over the past year, when these issues have arisen, the company has consistently delayed its response and then hidden behind legalese and vague statements about policy.

Ironically, privacy should be a competitive advantage for Microsoft, given its competitive position with Google, whose entire business is built on collecting data from its users and turning it into advertising profiles.

These issues aren't going to go away. If Microsoft wants to address the issue head-on, it should do so from the office of the CEO. And maybe it could invite experts from the EFF and other organizations in to audit its practices and procedures instead of just expecting its customers to trust that it's doing the right thing.
