Is Windows 10 telemetry a threat to your personal privacy?
Microsoft has built an entirely new telemetry system for its 'Windows as a Service' engineering model. In Windows 10, you can dial data collection back almost to zero, but you can't turn it off completely. Here's why.
Yesterday my colleague Adrian Kingsley-Hughes shared his thoughts on Microsoft's telemetry process, arguing that Microsoft needs to build a data collection 'off switch' into Windows 10. He characterized this suggestion as part of a "privacy brawl" between Microsoft and its customers.
The trouble is, Windows 10's telemetry system isn't designed with a simple on-off switch. Instead, it's a series of knobs that go to ... well, you know.
The argument for a telemetry kill switch baffles me, as does the implication that telemetry data is inherently at odds with personal privacy.
As far as I can tell, that "off switch" already exists, and when it's flipped to the correct position, I believe there's virtually no chance that Windows 10 telemetry information constitutes even a remote privacy issue.
In fact, there are more privacy protections in the telemetry framework for Windows 10 than there were in earlier Windows versions. I described these privacy options several weeks ago, but will repeat that section in its entirety here, because it's worth reading carefully, and because Adrian's post doesn't seem to have considered the privacy protections already available in Windows 10.
For Windows 10, Microsoft completely rebuilt its telemetry system. Last year, just in advance of the public launch of the first Windows 10 preview, Mary-Jo Foley wrote an excellent post about these engineering changes, which are at the heart of the "Windows as a Service" model. Here's where telemetry fits in:
I've heard Microsoft built a new real-time telemetry system codenamed "Asimov" (yes, another Halo-influenced codename) that lets the OS team see in near real-time what's happening on users' machines. This is how Microsoft may be able to measure how successful the features it "flights" with different user groups are. One of my contacts said Asimov is a system that the Xbox team originally built and used during its development process.
That real-time data is exceptionally valuable with Fast Insider builds, where the code is less polished and the whole point of telemetry is to find and fix bugs as quickly as possible.
But that data stream continues to be incredibly valuable, both to Microsoft and to the community of Windows 10 users, after the code is released to public branches. In recent years, Microsoft has been criticized for too many releases of defective patches and updates. Here's just one example from around the same time that Microsoft was getting ready to unveil Windows 10.
Without telemetry data, this type of problem isn't identified for days or weeks, until the support lines start lighting up and someone notices a pattern. With accurate real-time data about crashes and hangs, Microsoft engineers can spot a problem before it becomes a widespread support issue. There's already at least one high-profile example, published in late September:
[J]ust last month ... aggregate data showed us that a particular version of a graphics driver was crashing on some Windows 10 PCs, which then caused a reboot. ... We immediately contacted the partner who builds the driver and worked with them to turn around a fix to Windows Insiders within 24 hours. We used the data on Insiders' devices to confirm that the problem was resolved, and then rolled out the fix to the broad public via an update the next day - all-in-all, this data helped us find, fix and resolve a significant problem within 48 hours.
In earlier Windows versions, the telemetry system was known as Windows Error Reporting, which traces its ancestry to the Dr. Watson feature from the earliest days of Windows.
Windows Error Reporting was an opt-in feature. In Windows 10, the expanded telemetry system is on by default.
Microsoft insists that its telemetry system is designed to prevent any privacy issues. "We collect a limited amount of information to help us provide a secure and reliable experience," the company says, describing telemetry data without using the term. "This includes data like an anonymous device ID and device type. ... This doesn't include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID."
I have watched Microsoft's behavior in regard to privacy over the years. This statement is consistent with the way the company works, in my experience, and I am unaware of any evidence from external sources that contradicts these statements.
So there's no on-off switch for this category of data collection. Instead, Windows 10 has three telemetry settings: Basic, Enhanced, and Full.
Here's what each of the three settings does:
Basic. This level includes information about security settings, quality-related info (such as crashes and hangs), and application compatibility. Microsoft considers this information essential for maintaining and improving the quality of Windows 10. It contains only anonymous identifiers and can't be used to identify an individual device or person.
Enhanced. This level includes the Basic information and adds details about how Windows and Windows apps are used, how they perform, and advanced reliability info.
Full. This setting, which is the default for Windows 10, includes all information from the previous levels, plus "additional details necessary to identify and help to fix problems." Presumably, this category includes error reports and mini-dump files after serious crashes.
Individuals and small businesses can change telemetry collection to the Basic level with the flip of a switch in Settings. Organizations running Windows 10 Enterprise or Education have the option to disable telemetry completely, although Microsoft recommends against it.
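The settings described above can be read and set from the command line as well as from the Settings app. The PowerShell script below is an added example, not code from the article or from Microsoft; it assumes, from Microsoft's Data Collection policy documentation rather than from anything on this page, that the level is stored as the DWORD value AllowTelemetry under the policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection (with the Settings app writing the same value name under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection), that the policy value takes precedence, and that the numeric levels are 0 = Security (the "disable completely" option, honoured only on Enterprise and Education), 1 = Basic, 2 = Enhanced, 3 = Full. The function names Get-TelemetryLevel and Set-TelemetryLevel are this example's own.

```powershell
# Added example (not from the article): audit and set the Windows 10 telemetry level.
# Assumptions, taken from Microsoft's policy documentation rather than from the article:
#   - Group Policy "Allow Telemetry" is stored as DWORD AllowTelemetry under $PolicyKey.
#   - The Settings app's "Diagnostic and usage data" switch writes the same value under $SettingsKey.
#   - Policy wins over the Settings value; 0 = Security (Enterprise/Education only),
#     1 = Basic, 2 = Enhanced, 3 = Full. Run from an elevated PowerShell session.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$SettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$LevelNames  = @{ 0 = 'Security (Enterprise/Education only)'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-TelemetryLevel {
    # Effective level: the policy value if present, else the Settings value,
    # else 3 (Full), which the article notes is the Windows 10 default.
    foreach ($key in $PolicyKey, $SettingsKey) {
        $item = Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Level = [int]$item.AllowTelemetry; Source = $key }
        }
    }
    [pscustomobject]@{ Level = 3; Source = 'default (no value set)' }
}

function Set-TelemetryLevel {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level
    )
    # Level 0 is honoured only on Enterprise and Education; other editions treat it as Basic.
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($Level -eq 0 -and $edition -notmatch 'Enterprise|Education') {
        Write-Warning "Level 0 is honoured only on Enterprise/Education; '$edition' will treat it as Basic."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name AllowTelemetry -Value $Level -Type DWord
}

$before = Get-TelemetryLevel
"Before: level $($before.Level) ($($LevelNames[$before.Level])) from $($before.Source)"

# Dial collection down to Basic, the lowest level available on consumer editions.
Set-TelemetryLevel -Level 1

$after = Get-TelemetryLevel
"After:  level $($after.Level) ($($LevelNames[$after.Level])) from $($after.Source)"

# The service that transmits the data is 'Connected User Experiences and Telemetry' (DiagTrack);
# recording its state next to the level is useful when auditing a fleet.
Get-Service -Name DiagTrack -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```

Because the policy key takes precedence, a value written there by an administrator will override whatever a user picks in Settings, which is exactly the behaviour an IT department relies on when it locks the level down across Enterprise or Education machines. Reading both keys before changing anything makes the audit trail clear about where the effective setting came from.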
Look, the only "off switch" that works on modern computing devices is disconnecting from the Internet completely. Any device has to communicate with external servers to look up IP addresses, to receive updates, to synchronize data and settings with cloud services, to send and receive email, to browse the web, and so on and on and on.
Every one of those connections requires a minimal exchange of data that is typically logged for some period of time. It is thoroughly reasonable to design Windows 10 in such a way that it can quickly identify defects and allow the engineers responsible for the product to fix those defects.
Microsoft has designed the user-facing switch to dial that data collection from 11 all the way down to 1. But not to zero.
Meanwhile, those who want something closer to an actual "off switch" can have exactly that. If you're a business, you can deploy Windows 10 Enterprise and have your IT pros lock down every PC so that telemetry is completely turned off. If you're a consumer or a small business, you can take your pick of third-party utilities that can do the same thing. I haven't bothered testing any of them, but you can find links to two of them in Adrian's post.
As far as I can tell, Microsoft has no plans to block those utilities from working. They just don't want to invest engineering resources into building features they believe make it more difficult to maintain Windows.
This seems like a perfectly reasonable product design to me.