62 comments

[ 3.6 ms ] story [ 111 ms ] thread
I like most of Brad Smith's initiatives, but I hope the end-goal here isn't to just put more Windows on voting machines. Because the last voting machines that got Windows are some of the least secure devices around, many of them still unpatched for many years.

I know that's not all Microsoft's fault, but if that's their "solution" or others similar to it, then we'd be better off without them in the long term.

And that's without even mentioning the whole issue around proprietary software being used in the voting process (even if it's just for counting votes, because nobody ever checks or audits those after the fact anyways, and the numbers are always taken at face value).

"It’s clear that democracies around the world are under attack. Foreign entities are launching cyber strikes to disrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We saw this during the United States general election in 2016, last May during the French presidential election, and now in a broadening way as Americans are preparing for the November midterm elections."

Now that is a strong first paragraph. Microsoft is essentially saying that Russia did indeed influence the 2016 election (presumably in collaboration with Trump). I know the facts are public, but I did not expect such a big company to take such a political position.

It's not a political position. It's a statement of fact (excluding your presumption, which wasn't implied in the article) supported by both national political parties and the sitting president. https://www.nytimes.com/2018/07/17/us/politics/trump-putin-r...
> supported by both national political parties and the sitting president.

This coming from a company from a country that can barely be considered to be democratic and that has the largest modern track record of interfering with foreign states' elections means that it holds very little value.

> It's not a political position.

It is indeed a political position.

> It's a statement of fact

Sure, but it's still in the domain of politics.

There are more and bigger "threats to democracy" (whatever that means) than what they are cherry picking here, which indeed makes this a very politically charged initiative.
Please Microsoft, I accept thee as my lord and savior. Please guide me what to think! /s
By subverting privacy Microsoft is a threat to democracy itself.
This is a non sequitur. It is not clear that privacy (specifically privacy of data on Microsoft systems from court order, if that's what you mean) is necessary for democracy. On the other hand, the ability to unmask people who are subverting elections is useful for democracy.
>It is not clear that privacy (specifically privacy of data on Microsoft systems from court order, if that's what you mean) is necessary for democracy

Microsoft has included a keylogger [1] in Windows 10 that's enabled by default. Everything you type from a Windows computer is stored on their systems. They also "may" collect data from your microphone. Every modern Windows computer is essentially a wiretap. And all that is just one warrant away from government agencies. They're collecting more info on you than the KGB could ever dream of.

[1] https://www.pcworld.com/article/2974057/windows/how-to-turn-...

> It is not clear that privacy (specifically privacy of data on Microsoft systems from court order, if that's what you mean) is necessary for democracy.

How would democracy ever work if people had no privacy?

How would democracy ever work if people had absolute privacy? It wouldn't, but that isn't what we were discussing either.

The claim under discussion is that the privacy loss that is affected by Microsoft's privacy policy is detrimental to democracy. That claim was presented without any support.

Seriously. This is the same Microosoft that collects keystrokes, webcam footage, browsing behavior, file system use, and dozens of other analytics from every computer running Windows. And now they're pushing to have government officials dependant on them. They have a million times more data than Cambridge Analytica at this point. Who knows how much damage they could do?
> This is the same Microosoft that collects keystrokes, webcam footage, browsing behavior, file system use, and dozens of other analytics from every computer running Windows.

{{Citation needed}}

>"Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.”

>But this is not all, as this piece of software also analyses undefined “speech data”: “we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.

>But Microsoft’s updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis as the company warns:

>“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”, for example, “protect their customers” or “enforce the terms governing the use of the services”.

https://edri.org/microsofts-new-small-print-how-your-persona...

>How to turn off Windows 10's keylogger (yes, it still has one)

https://www.pcworld.com/article/2974057/windows/how-to-turn-...

"Microsoft does not collect any personal information via inking or typing.... The data is put through rigorous, multi-pass scrubs to ensure it does not collect sensitive or identifiable fields (e.g., no email addresses, passwords, alpha-numerical data, etc.). Data is also chopped into very small bits and stripped of sequence data so it cannot be put back together or identified. The data samplings collected are limited; Microsoft is not capturing everything you write, nor is it capturing data every time."

https://lifehacker.com/what-windows-10s-privacy-nightmare-se...

So the keylogger part (your claim "everything you type from a Windows computer is stored on their systems") isn't true. Anything to back up your webcam claim? Your rant about what Cortana collects is necessary for Cortana to do its job, just as storing emails is necessary for an email service to do its job.

> Microsoft does not collect any personal information via inking or typing....

That's claim that cannot be verified.

Until Microsoft provides a clear, unobfuscated method to verify what is being sent, and also option to 100% disable all phoning home, there will be a suspicion of their own making.

Anything other is just obfuscation and PR.

Why don't you set a breakpoint just before it encrypts what it's collected, peek in memory and find out for yourself?
That it the market Microsoft is aiming for? Will your grandma do it? Or she doesn't need the transparency and fair dealing?
Your grandma comment is misguided. Your parent comment has a good point.

If a system is sending out sensitive data, there is a way to figure it out by setting breakpoints and reverse engineering the payload that is getting encrypted.

Once a researcher finds whether or not sensitive data is being sent, the researcher can publish the information so that your grandma can know about it and she can have the transparency and fair dealing she needs.

Or, you know, demand from the vendor to supply a system that doesn't need a researcher, who was able to secure a funding for such an endeavor.

Meanwhile, the point still stands: windows phones home, sends out the data, which are encrypted in transport, obfuscated inside, and the user has zero control about it. Requiring the user to prove which data were send and which weren't is dishonest; it is the vendor who has the source code and knows exactly the answer for what is being asked of the user.

Problem is that Microsoft still enjoys a practical monopoly on workstations and desktops, so there's very little pressure for them to actual do what people are asking. Case in point: we still have forced updates and ads in the start menu.

If there were a worthwhile competitor, I know a lot of people who would switch in a heartbeat, but even then Microsoft probably wouldn't care. I am increasingly convinced that it is Microsoft's unstated goal to kill off desktop personal computing entirely so they can push people into a subscription-based cloud service for everything.

If the vendor supplied such a system or provided the answer to your question, would you trust it? Why?

You always need independent researchers to verify vendor's claims.

That's where the transparency comes in.

In most linux distribution, when you have a crash and the crash reporting is enabled, you can peek into what exactly is going to be sent. If you have smallest of the doubt, you can opt to not send anything. Or opt out of sending anything, ever.

Of course, seeing that the data you submit is used to solve your specific problem, and not disappearing into black hole just to feed some analytics, helps with the motivation to submit.

No need to debug the constantly changing code. Even if your researcher verifies, that a specific release sends only such and such data, the next months release can send something else. The verification would take longer than a month, and given the cadence of releases, would be permanently out of date.

If the vendor wrote crash reports which you could review before sending, would you trust that the crash report is actually what is being sent?

If you opted out of sending anything, do you really trust that the vendor is not sending anything?

You still need to research what is going on at the low level to be sure if something is being sent or not and what is being sent. Your grandma is going to rely on the information obtained from independent researchers.

Yes, the behavior of Linux distributions are also independently audited by independent researchers.

There is a lot of broadening going on
"Last week, Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains..."

What does this mean? Was the domains hosted on Microsoft DNS servers? Or did Microsoft get a court order to go after domains hosted by other companies? I'm probably missing something, but isn't that the job of the police?

The article says what it means and lists the six domain names. The domain names look like domain names owned by Microsoft and its customers, so Microsoft can take them down for impersonation.
Not all of them where impersonating Microsoft domains. Still can't understand how Microsoft managed to take these domains down if they weren't hosted by Microsoft in the first place.
Latter,they work with governments a lot to take down malware domains and such
Why is the court letting Microsoft handle these cases? I understand it's convenient if Microsoft is the one detecting the domains and handing the case over to a court. But shouldt't these crimes be investigated by proper police?
They don't directly enforce any laws. Think of it like neighboorhood watch people that find suspicious criminal activity and call the cops.

They do all the investigation and leave the guns,handcuffs and prosecution to the government.

This seems similar to the scheme in which Microsoft diverted the no-ip.com DNS to their servers some legal shenanigans, namely some system of being able to get a judgement without informing the owner of the domain they were going after.

Ars Technica http://bit.ly/2whNn9x, zdnet https://zd.net/2MLdcZU

Since when did they become the policemen of the internet. and do the judges who authorize these things have an understanding of the internet at all?

You have to hand it to Microsoft's PR machinery. While companies have been offering similar services, not many wouldn't have tried to link it to "broadening threats to democracy".
I like how they talk about democracy and at the same time are probably the most cooperative large tech company when it comes to releasing customer info to authoritarian governments.
I thought this was about the censorship of Gab posts that occurred a few days ago which they ordered.
It's seems this is quite an acceptable plan to move forward. MS doesn't seem to plan to intervene in local politics, merely shield against foreign politics intervening in local politics. Especially when you offer those services in foreign countries, the other players seem to fail spectacularly.
Microsoft gets involved in domestic politics all the time.
This is great, but I'd like to know if it extends in the other direction; one of the great ironies of the Trump Administration has been the wrecking of the State Department, who along with the CIA have had a habit of getting involved in the elections of other countries. Up to and including replacing democratically-elected socialists with military dictatorships.
I think another proof that the U.S. is not about spreading democracy but only seeking it's economical interested is illustrated by Tunisia. The tiny nation is the only democracy in North Africa and is struggling economically. If the U.S. were adamant about supporting democracy, the obvious thing to do is to ensure that Tunisia succeeds in becoming a full democracy.

https://en.m.wikipedia.org/wiki/Democracy_Index#/media/File%...

> one of the great ironies

If you take everything you hear on TV and read in the newspaper as true I suppose.

"...It’s clear that democracies around the world are under attack..." Yup, and it's very clear which country is responsible for performing most of those attacks. Is Microsoft offering any solutions to protect the rest of the world too?: "...the country intervening in most foreign elections is the United States with 81 interventions, followed by Russia (including the former Soviet Union) with 36 interventions from 1946 to 2000 - an average of once in every nine competitive elections..." https://en.wikipedia.org/wiki/Foreign_electoral_intervention
Really? Going to hold actions taken over 70 years ago against the US of today?
The research results quoted contain election interferences between 1945 and 2000. Since then it has only become far worse. So no, it's not been 70 years ago since the last election interference conducted by the US and yes I am holding this kind of action against the United States and so should you: https://www.globalresearch.ca/us-interfered-in-elections-of-...
Your link provides the following to support your claim: "That’s just till 2000! The US has gone nuts since then."

Do you really accept that as proof?

It also contains "...Since 2000, the U.S. has attempted to sway elections in Ukraine, Kenya, Lebanon, and Afghanistan, among others..." - Ukraine: https://www.theguardian.com/world/2013/dec/15/john-mccain-uk... - Kenia: https://www.globalresearch.ca/foreign-interference-in-kenyas... - Lebanon: https://wikileaks.org/plusd/cables/09STATE35241_a.html

More links with detailed information: https://www.forbes.com/sites/dougbandow/2017/08/01/interferi...

https://www.cato.org/blog/hypocrisy-election-interference "...More recently there have been Macedonia, Serbia, Albania, Bosnia, Ukraine, Russia (especially Yeltsin’s 1995-96 campaign), Algeria, Lebanon, Palestine, Cyprus, Iraq, Pakistan, Afghanistan, Kyrgyzstan, Tajikistan, Yemen, Vietnam, Indonesia, Japan, South Korea, Philippines, Congo and several other countries in Africa, and, in Latin America, every country multiple times including within the last fifteen years Haiti, Dominican Republic, Honduras, Panama, Nicaragua, Venezuela, Columbia, Paraguay, Peru, Ecuador, Bolivia, Brazil, and Argentina. Brenner’s list is an ongoing project. It does not include Canada, and just possibly there are some Canadians who might find that omission to be unjustified..."

Extensive source of information on US election interferences: https://books.google.nl/books/about/Diplomatic_Interference_...

https://consortiumnews.com/tag/american-exceptionalism

https://zodml.org/sites/default/files/%5BJoseph_Smith%5D_The...

(comment deleted)
This is nothing more than a thinly veiled Office 365 marketing ploy.

If their 2FA is anything like what they’ve done with Azure I wouldn’t be holding my breath. Microsoft is barely out on parole in my eyes from their horrid security and privacy track record, and has shown many signs of recividism to be engaging in this charade.

They're session security is hilarious.. a session token is still valid for at least 6 hours after logging out.. even after their humorous advice to close all browser tabs (which as expected doesn't do anything server side)
Because who better than Microsoft to save our democracy?

I can't think of anyone ... oh wait ... I can! What about Apple and Google? Yes. Please. Apple, Microsoft and Google - together - save our democracies! You are the only ones who can.

Thank you.

-- the little people

You forgot about FakeBook. In my country, FaceBook bans users if their posts mention certain politic (Henadii Moskal). For the sake of democracy, of course.
Hoping for a corporate congress?
That's your response to Microsoft fixing a problem they have the ability to fix? Would you rather they didn't fix it?
Microsoft, the self-appointed unelected guardians of democracy who will privately decide what is and what is not a threat.
I find it peculiar that this announcement comes out following the establishment of a link between Soros funded orgs and the facebook/twitter/et. al censorship. Seems fairly coincidental.

I an not fond of the idea of tech companies electing themselves guardians of democracy. In fact I think there should be a total ban on corporations involvement in politics.

Fascinating. As of this moment, this page seems to have far more virulent anti-Microsoft sentiment than I can recall seeing in any HN posting recently. It's almost as if people are blaming the messenger for some reason.
I think HN has had its eternal September over the summer. A significant portion of comments on a lot of threads are becoming ever more political.

Which is a little annoying as HN was one of the few places that hadn’t been infected by American politics. I’m Scandinavian, I don’t much care about the war between red and blue.

I know, right? Almost like someone decided that investing a little bit of energy to manipulate a relatively small forum whose members wield an out-sized amount of power might generate a spectacular bang for the buck.
Microsoft has a Digital Crimes Unit? Is that like a police/vigilante enforcing function? Curious to learn more - seems unique, or is this common with big companies?
Every big company has a forensics / investigations team. This team will interface with law enforcement as necessary.

This is common.