When it comes to Windows 10 privacy, don't trust amateur analysts

Another day, another sensational report from Forbes. Oh my goodness, is Windows 10 really "phoning home" thousands of times a day? Nope. In fact, anyone who has even a basic understanding of how networks work should cringe at this shoddy report.
Written by Ed Bott, Senior Contributing Editor

February 15, 2016: In a bizarre series of updates, Gordon Kelly has apparently retracted the story in this article, although his updates don't use the words "correction" or "retraction." You really can't make this stuff up.

Update 15/02/2016: Microsoft has dismissed the data on the Voat thread as completely flawed. This supersedes the 'no comment' initially supplied for this story and all parties acknowledge this changes the context from which the original story was written.

The update also references "[a]n apology from Microsoft UK press agency 3MZ" on a follow-up story.

Gordon Kelly of Forbes is at it again, whipping up a frenzy over Windows 10. This time he claims to have found SHOCKING EVIDENCE that Microsoft's telemetry is collecting STAGGERING amounts of data from Windows 10 users.

Sadly, what Mr. Kelly's post* proves is how very, very little he understands about modern computing or networking. Seriously, his article is pure gibberish, technically. But more than 100,000 people have read it so far, and apparently they believe Mr. Kelly.

I feel sorry for those poor benighted souls.

What makes this whole sorry state of affairs even worse is that Mr. Kelly hasn't even done any of his own research. Instead, he is relying on ... well, I'll let him tell you:

Blowing the lid on it this week is Voat user CheesusCrust whose extensive investigation found Windows 10 contacts Microsoft to report data thousands of times per day.

Voat is a Reddit clone. The user CheesusCrust is ... well, we really have no idea who he is.

Henceforth, I shall refer to him as "Mr. Crust."

There is nothing in Mr. Kelly's article to indicate that he spoke with Mr. Crust to verify his credentials or gather any additional data.

What Mr. Crust did was to install Windows 10 Enterprise edition (apparently an evaluation version) in a virtual machine, using the free VirtualBox running on Linux Mint. Mr. Crust says he performed a custom installation where he "disabled three pages of tracking options."

[A side note here: Actual network administrators configuring Windows 10 Enterprise have hundreds of Group Policy options at their disposal, including fine-grained controls over telemetry and privacy settings. There's even a fourth option, not available to users of retail and OEM Windows 10 editions, that dials telemetry back to an absolute minimum. There is no evidence that Mr. Crust is aware of these options.]

And then, Mr. Crust reports, he "configured the DD-WRT router to drop and log all connection attempts via iptables through the DD-WRT router by Windows 10 Enterprise."

Oh dear.

Mr. Crust says his intent was to "analyse the network traffic of Windows 10 on a clean install." If there are any readers with networking experience in the audience, they might see the flaw in his methodology. If your software needs to connect to an outside resource to perform a specific task, and the connection drops unexpectedly, you will not get any traffic to analyze. Even worse, when the software detects an unsuccessful connection it will try to connect again. And again and again and again.

So what might have been a single, short data exchange could instead turn into multiple connection attempts.

Mr. Kelly is outraged:

The raw numbers come out as follows: in an eight hour period Windows 10 tried to send data back to 51 different Microsoft IP addresses over 5500 times. After 30 hours of use, Windows 10 expanded that data reporting to 113 non-private IP addresses. Being non-private means there is the potential for hackers to intercept this data. I'd argue this is the greatest cost to owning Windows 10.

I might have to pause here for a second to allow those of my readers with networking experience to try to make sense of those last two sentences. Don't even try. It's gibberish.

Helpfully, Mr. Crust supplied the raw data, which I plugged into a spreadsheet so I could perform my own extensive investigation. The results are unintentionally hilarious.

[Update: It appears that Mr. Crust has deleted his post and indeed his entire Voat account. The Forbes post that relied on his data remains unchanged.]

First of all, 602 connection attempts were to, using UDP port 137. That's the broadcast address where Windows computers on a local network announce their presence and look for other network computers using the NetBIOS Name Service. It's perfectly normal traffic.

Another 630 of those connection attempts were Domain Name System lookups to the router itself,, using UDP port 53. That address is the router itself.

Why is Windows performing those DNS lookups? One big reason is that's how Windows checks whether you have access to the Internet. If there's a problem with your Internet connection, you get a yellow overlay on the network icon down at the right side of the taskbar.

To do that test, Windows first performs a DNS lookup of www.msftncsi.com. It then makes an HTTP request to retrieve the page ncsi.txt from that site. This file is a plain-text file and contains only the text "Microsoft NCSI." (NCSI stands for Network Connection Status Icon.) Finally, it performs a DNS query for dns.msftncsi.com.

The whole procedure is extensively documented .

DNS queries aren't "spying." Neither are NetBIOS name broadcasts on your local network. So far, that's 22.3 percent of the so-called traffic that's easily accounted for as "not spying," unless you think there's something sinister about a two-word text file that has been downloaded trillions of times from that poor Microsoft server.

Next up is a staggering 1,619 connection attempts using UDP port 3544 to the address, which Mr. Crust was unable to identify, along with another five attempts using the same port to other servers.

That address does indeed belong to Microsoft. It's a Teredo server, teredo.ipv6.microsoft.com. Teredo is an Internet standard that is used to supply an IPv6 address to a PC that speaks only IPv4, making it easier to perform secure and reliable communication between two endpoints without having to worry about network translation. It's also well documented and doesn't involve any exchange of information other than IP addresses.

In short, Windows keeps trying to make a simple connection using its IPv6 capabilities, but the router keeps dropping those connection attempts. So it keeps trying again and again.

That's another 1,624 entries we can add to the "not spying" list. So far, by my tally, more than 52 percent of the connection attempts are completely harmless and involve no data collection at all.

Another three connection attempts are using port 123. That's the Network Time Protocol, which devices use to retrieve the current time from authoritative servers on the Internet. Setting the clock on your computer is not "spying."

Mr. Crust's list has another 549 connection attempts on port 80, which is plain old HTTP. Windows doesn't have a web server installed by default, so those are all incoming connections, with Windows trying to retrieve data. They're not sending it the other direction.

We also know from Microsoft's documentation that it all telemetry data transmissions are encrypted, so it's highly unlikely that any of those unencrypted HTTP connections on port 80 would have included telemetry data had they been allowed.

Many of the addresses on the list belong to content delivery networks (CDNs) like Akamai Technologies and CloudFlare. Some of those downloads are possibly trying to refresh live tiles in the provisioned MSN apps (News, Sports, Weather, Money, and so on). There are perhaps some updates to Windows and the Windows Store in there too.

We might know more if Mr. Crust had allowed his machine to complete some of those connections so he could perform some actual traffic analysis. But he didn't, so we can't.

We can, however, safely conclude that none of those connections would involve any "spying."

Which leaves us with 2,100 connection attempts in eight hours over port 443. Those are secure (HTTPS) connections designed to exchange data so that it can't be intercepted in transit.

We have no idea how many secure connections that machine would have made in eight hours had Mr. Crust actually allowed them to complete. The number would almost certainly have been smaller, perhaps by an order of magnitude or even two.

And of course, those connections are not all about telemetry.

The most important one is the Software Licensing Service, which checks the state of Windows activation periodically. By dropping those connections, Mr. Crust is not allowing those activation and validation checks to complete. Windows gets very cranky when that happens, which could explain why there were more than 1,700 connection attempts to a handful of addresses in a single range of IP addresses managed by Microsoft.

Other content that gets delivered securely over port 443 includes Windows updates, Windows Defender updates, and updates from the Windows Store for apps that are provisioned on every Windows 10 machine. Windows 10 attempts to contact OneDrive, also securely, to see if there are any saved settings for the current user. There are lists of known malicious websites that get delivered to the SmartScreen service in a hashed and encrypted format.

And yes, there is certainly some telemetry data in there. We have no idea whether Mr. Crust changed the default Diagnostic and Usage settings to Basic. If he had, there would probably be a single ping to Microsoft's servers when the machine starts up, which would disclose what that setting was, whether Windows Defender was up to date, and whether his installation had experienced any failures in software or driver installation.

If he had kept the Enhanced or Full settings, Windows would periodically deliver a batch of anonymized usage data to Microsoft. (Of course, since he wasn't actually using the machine, there would be no data to exchange.) But we don't know, because Mr. Crust didn't actually do any traffic analysis.

Meanwhile, Mr. Kelly might want to write a little less and study a little more. I know some networking experts who've done some excellent video training courses where he could learn a lot about TCP and UDP and HTTP. I could even recommend some books that might be helpful.

But something tells me he really isn't interested in learning.

* As always, I hate to line Mr. Kelly's pocket with traffic for such shoddy work, but if you insist on reading, the Forbes post is here.

Editorial standards