81 comments

[ 3.0 ms ] story [ 155 ms ] thread
Smart business from Microsoft, and a gauntlet of sorts for other global tech firms.
Agreed. There's no reason why Microsoft - a software and hardware maker - couldn't be more like (or even supercede) Apple in this regard - i.e. treat the user as the customer not the product.

Further to that (without wanting to be cynical), it's probably also easier for MS to avoid the potentially complex jurisdictional issues that GDPR raises. One privacy code-base to rule them all.

> Agreed. There's no reason why Microsoft - a software and hardware maker - couldn't be more like (or even supercede) Apple in this regard - i.e. treat the user as the customer not the product.

Besides Apple's sky-high margins and complete control over the iPhone ecosystem, with a vice-like grip on app developers, no reason whatsoever.

If Microsoft made $400 per Windows PC that was sold, and 30 cents on every dollar of windows software ever sold (And had a competitor called Froogle with a steady 70% market share, whose business was based on user monetization), they'd probably be less interested in monetizing their users. I'm not entirely sure that's a world you'd want to live in, though.

For context, Microsoft's fiscal 4th quarter, as reported last July, saw profits of $6.5 billion, doubling year on year, largely due to strong growth in its cloud offering.

Strong privacy offerings might cut that to - what? $6bn?

Leveling the playing field means that people who provide good privacy options are no longer out-false-competed in a race to the bottom.

It's entirely plausible that companies will actually see their income increase.

Here's a question I haven't seen asked or answered:

Can I now (in 4 days time), ask Microsoft for all the data it's hoovered up from my Windows 10 installation?

I've only seen people talking about GDPR as it applies to websites, but as far as I'm aware, it applies to all software.

Can I now (in 4 days time), ask Microsoft for all the data it's hoovered up from my Windows 10 installation?

Did you go to the dasboard linked in the article?

https://account.microsoft.com/privacy

It does show non-website data, such as voice queries, location data, media played, product & service performance, app & service activity, Cortana notebook (commute preferences, etc.). It seems that you can also clear this data in the dashboard.

But I don't have a Microsoft account (only ever used local accounts in Windows 10). How can I ask for all my data which is associated with my installation/license?
This is a very good question. I suspect that at some point someone will fire up their lawyers and find an answer.

Not only that but you can’t opt out from data collection at the moment.

Only the basic telemetry (which I assume doesn't include any personal data) can't be opted out of in Windows 10 home. Other privacy settings have to be opted in now. The recent "April update" forces you to say yes/no to all data collection settings.
This! I don't use the MS account for my installation. Nevertheless, a lot of stuff must be sent to them about me.
My best guess would be that your data is going through pseudonymization and so you are no longer uniquely identifiable.

[1] By contrast to anonymization, Article 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” By holding the de-identified data separately from the “additional information,” the GDPR permits data handlers to use personal data more liberally without fear of infringing the rights of data subjects. This is because the data only becomes identifiable when both elements are held together.

[1] https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-...

No, look at the actual law and you see that is plain wrong:

(26)

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.

I think the actual answer is that you send a snail-mail letter to MS, supplying proof of identity, details of your license and ask for all the PII that they have on you.
Go here: https://aka.ms/privacyresponse

I have no clue what information they'd need from you to answer that question, but at least you can get a response without having to send a physical letter.

There is an option to delete all diagnostic data collected (Windows 10 1803). You can find it under Settings->Privacy-> Diagnostics & feedback-> Delete diagnostic data. As others have mentioned you can access and manage it using the portal that is linked.*

* I work at Microsoft.

Would that delete the data that has already been transferred to Microsoft?

And as others mentioned: the portal is useless for people without MS account. What about those?

That's exactly what this option does. It deletes everything that has been collected up until that point.
Why not allow to me to stop that collection in the first place?
You can, what do you see on your report that you want to stop?
> You can.

How? Unless you have Windows 10 Enterprise Microsoft will not allow you to opt-out of basic telemetry.

> What do you see on your report that you want to stop?

Why does that matter?

How can i delete all my skype history that's clearly on your servers?
Can I now (in 4 days time), ask Microsoft for all the data it's hoovered up from my Windows 10 installation?

I'd also suggest asking for proof. For that you will require non encrypted traffic streams and/or source code ...

Nonsense. Where in the GDPR is it specified that you are entitled to the providers' IP? Auditing compliance is done by parties trusted by both sides, certainly not by amateurs and certainly not by individual vigilantes.
If Microsoft is anything like my company, they’ve stopped collection on any PII that they can’t deliver back to the user in response to a privacy request. So they probably have stricken those columns from their DB and are only aggregating data.
The GDPR applies to any processing of personal data, regardless of whether it's a website, software or even paper records.
Ok so there’s a privacy policy on this website and a standard “we use cookies” header but where is the consent management platform that’s supposed to let me review all the purposes and vendors used on the site so I can choose which ones I want to give consent to and which ones I don’t. The https://github.com/appnexus/cmp appnexus cmp is the only cmp I’ve found that’s open source and provides a clear reference to what GDPR means as far as integrating the actual GDPR spec for an euconsent signal, a UI for managing consent, and deferring cookies/data-collection until after consent. Gdpr goes into effect in 4 days and I still haven’t seen any CMPs integrated in the wild. Has anybody?
I haven't seen a single one of those in the wild yet, only "we've updated our ToS with a section about your private data, agree or stop using our service", which simply does not fly.
I'm pretty sure that GDPR doesn't mean you get to decide which vendors Microsoft gets to use. The commitment is that Microsoft and all vendors they use will be following GDPR.
Don't forget that 'consent' is only one of the bases to collect data. Where the data is vital to the ability to run the service, it will be being collected on the basis of contractual agreement, not consent.
I've seen a lot of privacy policies include lines like "we collect your activity data on the website, so we can improve your experience" or "we use cookies to gauge how to improve our services" or "we collect usage data to improve our marketing across other sites and platforms", which are both horribly vague and certainly not vital to run the service.

I took those lines basically verbatim (translated from Danish) from Just-Eat's Danish website. I am pretty sure they're violating GDPR, based on what they say in their privacy policy. Collecting usage data and sending data to third-party marketing companies is not vital to running a food ordering website. A ToS is not a legally binding contract, and I have not been asked for direct consent to their use of my data.

Those that you describe, should certainly be asking consent, or at a real push, listing the cookies and their names so that you can block them in-browser.
Yes I have, for a medical company I recently did DD on. It was done pretty good actually and they are considering fielding it as a separate (whitelabel) product for others.
Here's a marvelous example I've stumbled upon yesterday: https://juro.com/policy.html

The entire privacy policy is very well done (and beautifully designed, I may add). Clear options, transparency over who gets your data, ability to use the product without providing PII and all sorts of other goodies.

Specific quotes related to consent:

> If you have previously given consent to our processing your data you can freely withdraw such consent at any time. You can do this by emailing us at support@juro.com. If you do withdraw your consent, and if we do not have another legal basis for processing your information, then we will stop processing your personal data.

Disclaimer: I'm not affiliated with Juno nor am I their user. I just randomly stumbled upon their privacy policy.

It may be a good policy, but this is unrelated to the point on cookie consent made in the parent post. In fact the Juro site uses a variety of analytics cookies without even having a cookie banner in place, let alone any granular system for managing cookie consent.
Fine, here's a Dutch public broadcaster: https://www.npo.nl/

Upon opening it, you'll see a button labeled "Cookie-instellingen aanpassen". Clicking on it allows you to fine tune their cookie policy. "Functional" and "Analytics" categories can't be disabled, while the other (third-party) cookies can.

Thanks! Although I gotta say that they offer no options in relation to analytics cookies which is technically in breach of the e-Privacy directive as those cookies are not strictly necessary here. There are a few cookie solutions that can be used here - BT.com has a decent user flow.

The new e-Privacy Regulation coming into force next year will however, as presently drafted, provide an exception from consent for analytics programmes that only use gathered data on a per-site basis (so excluding Google Analytics for example).

Privacy: ability to opt out of all data collection.

Microsoft privacy: inability to opt out of all data collection unless you pay for enterprise edition.

This makes a mockery of any policy.

Also ads for Candy Crush in you operating system.

Microsoft is scum. They have not changed from the 90s, they are just better at hiding it.

Yep. My only that some of the UWP apps you can’t uninstall easily like Xbox etc.

Really the deal breakers for me recently are:

1. Privacy defaults to none and can only be optimised for none in Windows 10. Only did they back down for enterprise customers because they know they wouldn’t get away with it.

2. Bundling of crapware.

3. Shipping on by default telemetry in dev toolchain (.net core)

4. Blinding marketing detracting from the masses of data collection.

5. Any attempts to confront this result in silence, “it’s good for you” or “tough shit”.

They’re not a good citizen. They just tell you they are.

Unfortunately my livelihood depends on them at least in the short term.

Microsoft is reinventing itself.

You can disable those ads. You can remove apps like Skype. Manually or with an app such as O&O Shut Up. I also use Classic Shell instead of the new start menu.

Microsoft is reinventing itself.

Really? I though that was just standard corporate marketing.

They are changing, that still doesn’t mean that all things they do are good things.
You're missing the point.

Do you buy a car and have to peel all the advertising stickers off the windscreen, disable the tracking devices and scrub candy crush off the dashboard.

Nope.

> Do you buy a car and have to peel all the advertising stickers off the windscreen

Yep, something akin to that. Nearly all dealerships - whether luxury brands or not - place some form of dealership identification / promotion on your car when you buy it and without asking permission. That can be a sticker in the door well, it can be an obnoxious attached badge physically on the car surface (never happens with luxury dealerships), it can be a license plate frame, and so on.

That isn’t the norm here in the UK at least.
Eh, the dealer sticker in the back window is pretty standard here isn't it?

I hate them! I've scrubbed them off a few cars now.

Go have a look around. Since about 2010 it's frowned upon. There are a few dealers who do it but most of the new cars don't have them.
Just goes to show how often I change my car I guess :)

My current one is an 08.

Two years newer than mine :)
Do they put them back with every servicing too?
And do they track you?
> Microsoft is reinventing itself.

Agreed.

They're no longer selling software licences, but targeted ads based on what you do locally on your personal computer.

And people "allow" this by not jumping through hoops to disable it.

> They're no longer selling software licences, but targeted ads based on what you do locally on your personal computer.

They're doing both, but Google does something like that as well (that doesn't make it right, but it puts it in perspective that its the newest rage), and Microsoft is a convicted monopolist. The old Microsoft was much more evil than the current.

I don't care if they're better or worse than they used to be. I don't care what the other guy is doing. Forced telemetry is deeply, deeply unethical.
Hatera gonna hate

What about Guitar Hero crap boundled with every Mac?

What Guitar Hero crap? Honestly asking, I have never seen anything related to Guitar Hero on my Mac.
Probably means Garage Band, which is free multi-track recording software.

How dare they ship privacy respecting productivity software with their OS instead of Candy Crush!

Ah, thanks. For some reason, it didn't click for me. Probably because I always do a fresh install after buying a new Mac (which does not install Garage Band).

But indeed, are we really comparing a productivity tool that isn't used to extract more money to a third-party game that thrives on in-app purchases?

I guess that Windows users are generally less upset about such bundling, since OEMs have done it for years.

Yeah it only comes bundled if you do a "full" install off the MacOS media. I do a fresh minimal install on mine.

Windows users, myself included, have always been upset about the bundling. When you buy a PC these days you have to spend about 2-3 hours removing all the crap from it or doing an install from scratch to remove the cocked up default windows install. I think that less upset is more toleration via attrition. Accepting the status quo.

Also besides the disk space usage the extra apps do not slow down your computer in any way. They are not active unless you use them. Unlike much of the bundled crap on a Windows machine.
This isn't Microsoft putting that junk on your computer.

In a stock install of Windows you will have Windows Store installs of Candy Crush and some other junk, but none of it is running when the machine boots. It's also very simple to delete, but it is annoying it is there in the first place.

> It's also very simple to delete

Microsoft placed it into my library and you can't remove it unless you first install it and then uninstall it and I don't want to install it so I'm stuck with it. It's egregiously a dark pattern[0]. On the other hand Garage Band is first party code which presumably enjoys the same level of quality as the main OS so it's fine.

[0] https://en.wikipedia.org/wiki/Dark_pattern

Also, you have to look at ads every time you update with their app store.

Same thing on iOS.

Edit: changed “the App Store” to “their app store”, since that’s a common term that Apple shouldn’t have been able to misappropriate.

I really hope you didn't mean GarageBand, which is just entry-level music production software.
Candy Crash is just entry level arcade game.
Microsoft are nowhere near as relavant now as in the 90s. In the 90s you had no real choice - even at the end of the decade there were a lot of things that linux couldn't do.

In today's world where the OS is the web, that doesn't really apply.

> Privacy: ability to opt out of all data collection.

GDPR - I would expect that, for windows (which I believe comes pre-loaded with spyware), you would have to explicitly opt in

> Microsoft privacy: inability to opt out of all data collection unless you pay for enterprise edition.

Which just proves that it isn't essential to be opted in

I was just wondering whether there is an automatic update to Windows disabling (all?) telemetry, then let the user make the choice to opt in without grey UI patterns and fud.
The "April update" that is getting rolled out does this on the first start after the update. You get asked what each privacy setting should be. I felt it was fairly easy to understand and not trying to trick you.
>Respecting the privacy rights of consumers everywhere

Anyone who tried to disable the Windows 10 tracking knows what a load of shit that statement is.

(comment deleted)
I'm not convinced.

I run a Pi-Hole [0] to redirect all advertising-related queries to a black hole. When tracking the most-blocked domains, Microsoft is at the very top [1].

For instance, when I enter "Office" into the start menu, Microsoft immediately sends a ping to bing.com and Microsoft's telemetry servers. That is, Microsoft is sending all of the data entered into the start menu to Microsoft's servers, even when using the 'Pro' version and with 'full' telemtry off.

When it was first detected that Microsoft was adding telemetry calls to all compiled programs in Windows [2], Microsoft said it was mostly for event debugging for programmers. Now I'm not so sure -- look at your Microsoft account privacy settings to see that Microsoft tracks when you open applications. (They say on the page that not all data is shown there).

Unforutnately, there is no way to opt out of this. You can "disable" full telemetry, but you still have to opt into "Basic" telemetry, which still sends your advertiser ID, the programs you run, and the queries you put into the start menu. I'm concerned that Microsoft is not going to stop here. They have a real incentive to capture as much data about you as they can -- they currently earn about $1 billion in advertising through Bing.com search queries. Unlike Google or especially Facebook, however, it's much more difficult to opt out of Microsoft's tracking -- so many people depend on Microsoft Office or other Windows programs that I can't fully switch to Linux.

I don't know how this is acceptable through GDPR. There are so many problems with what Microsoft is doing:

1. There is no way to opt out of telemetry

2. There is no way to see all of the data that Microsoft has collected

3. Microsoft has severe lock-in because so much software is written for Windows-only

4. Microsoft has an incentive to increase their telemetry, not decrease it.

[0] https://pi-hole.net/

[1] https://imgur.com/a/MbjtYJe

[2] https://old.reddit.com/r/cpp/comments/4ibauu/visual_studio_a...

How much I would pay for EU to make a good example of Microsoft and fine then billions for not complying to GDPR policies.
(comment deleted)