I went into this article skeptical (due to the title, ZDNet, and how often unreasonable Windows 10 complaints get posted) but this one seems legitimate.
The WaitList.dat really does seem like a legitimate threat to security and privacy. I don't currently have a touch device to test the including Powershell script, but I'd be interested to hear what others find.
I actually understand why Microsoft is recording this information (since it helps them understand the user's sentence structure/words, to make recognition more accurate) but it is also a huge treasure trove of personal information that many wouldn't have been aware of.
I wonder if there is a way to store this information more securely?
Even if the data is not retained, it's possible that the trained model can leak information about the training examples. The field of differential privacy explores ways to make sure this doesn't happen.
It's "legitimate"... but anyone concerned about privacy should've already has this turned off (as I have ever since Windows 10 released). This won't happen if you turn off "inking and typing recognition" in the Windows setup screen during initial install (or later via the Settings app).
The argument could be made that Microsoft should do a better job to secure this file on your PC, but since if you're letting them create this file, they're sending all this data to the cloud anyways...
>It's "legitimate"... but anyone concerned about privacy should've already has this turned off
What about those that are ignorant? They may be ignorant about the implications of having personal data collected. They may be technically ignorant and thus unaware that they can turn off this feature. In the end it doesn't matter because the vast majority are, and arguably will remain, ignorant. Is there privacy no less important?
Features that collect personal information should always follow an explicit opt in policy to protect the ignorant. If companies are concerned that too many people will leave these features off then they need to take the steps required to educate the end user.
I agree, but my point is that when this setting is already keylogging you and sending your data to the cloud by default, the fact that it's also stored on your PC is hardly increasing your risk much.
There's a handful of laptop manufacturers that will ship with a preinstalled linux distro of your choosing. If you're comfortable with the one you choose, there's little inconvenient.
I'm a big fan of Linux, but the idea that it's free is only the case, as they say, if your time is worthless.
I use Debian, which is generally considered to be pretty stable and sane, and yet I've still spent tens and tens of hours dealing with issues that simply aren't a problem on Windows or Mac. Currently I'm fighting what I think is a DPMS issue where my external monitor wont wake up from the laptop dock after the monitors all sleep.
Ultimately, I think it's a price worth paying for the experience and flexibility I want, but it's very head-in-the-sand to pretend that it's not just as expensive as Windows, just you don't pay in cash.
Meh. Both partner and a very close family member have been users of Antergos Linux (based on Arch) for 2 years, and they don't even know it. The close family member has been using Linux on laptops since about 2005 (started with ubuntu). One is a philosophy major, the other an elementary school teacher. Neither has any technical background whatsoever. The hardest problem hit so far was changing from Gnome to Cinnamon (one didn't like Gnome's layout).
> the idea that it's free is only the case, as they say, if your time is worthless.
I wouldn't actually disagree, except that you seem to be implying that Windows is better. Especially with their increased rate of bugs in some recent updates, I'm not convinced.
Idk, I spend more time installing drivers on a windows install than the entire install and config of most linux boxes. Sure there are gotchas, but honestly i geat nearly as many in windows, but don't spend my time fixing the issue because I literally can't, and just have to live with the problem, or use crude workarounds.
For a long time now windows update has automatically installed the drivers for me and is what I typically recommend to everyone. Searching the web for drivers and downloading them manually will usually end in (even tech savvy) people installing crap-ware at best and malware at worse along side them. Configuring Linux is not a problem too as long as you pick the right hardware (which is usually just staying away from Qualcomm and Realtek NICs in my experience) and distro. The real time sink on linux is customizing it to the point where I am comfortable using it.
Right, I don't really understand what part of this is news. Search engines use indexes, and handwriting programs learn your handwriting: congrats you win the internet.
Everything about this seems to be trying to froth up outrage. Scary clickbaity headline, check. Quotes from named 'experts in the field', check. Embedded tweets showing how to 'expose your password', check.
From the perspective of a non-technical user, the format reads the same as an article on a major data breach. And yet we wonder why we have a hard time getting users to pay attention to real security problems.
I strongly disagree. You’re telling me Microsoft could not take any further steps beyond storing this in plain text? Come on. Someone steals your laptop and has a history of everything you’ve ever written, without it being clear that’s even a concern.
38 comments
[ 2.9 ms ] story [ 86.6 ms ] threadEdit: also a quick google shows that the existence and purpose of the file has been public knowledge for at least two years.
Yeah, there's a bunch of stuff on the Internet that's in the public, but actually isn't.
The WaitList.dat really does seem like a legitimate threat to security and privacy. I don't currently have a touch device to test the including Powershell script, but I'd be interested to hear what others find.
I actually understand why Microsoft is recording this information (since it helps them understand the user's sentence structure/words, to make recognition more accurate) but it is also a huge treasure trove of personal information that many wouldn't have been aware of.
I wonder if there is a way to store this information more securely?
Would text from random documents or emails on the system improve the recognition of handwritten text by a specific user?
https://privacy.microsoft.com/en-us/windows-10-speech-inking...
The argument could be made that Microsoft should do a better job to secure this file on your PC, but since if you're letting them create this file, they're sending all this data to the cloud anyways...
What about those that are ignorant? They may be ignorant about the implications of having personal data collected. They may be technically ignorant and thus unaware that they can turn off this feature. In the end it doesn't matter because the vast majority are, and arguably will remain, ignorant. Is there privacy no less important?
Features that collect personal information should always follow an explicit opt in policy to protect the ignorant. If companies are concerned that too many people will leave these features off then they need to take the steps required to educate the end user.
> text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat
> This doesn't include only metadata, but the actual document's text.
I use Debian, which is generally considered to be pretty stable and sane, and yet I've still spent tens and tens of hours dealing with issues that simply aren't a problem on Windows or Mac. Currently I'm fighting what I think is a DPMS issue where my external monitor wont wake up from the laptop dock after the monitors all sleep.
Ultimately, I think it's a price worth paying for the experience and flexibility I want, but it's very head-in-the-sand to pretend that it's not just as expensive as Windows, just you don't pay in cash.
I wouldn't actually disagree, except that you seem to be implying that Windows is better. Especially with their increased rate of bugs in some recent updates, I'm not convinced.
https://github.com/B2dfir/wlrip
There may be other files that read this, but it was found with a quick search.
It indexes documents on the disc that are already plain text.
It only stores sensitive data if the user had sensitive documents on the disc that were then indexed.
Everything about this seems to be trying to froth up outrage. Scary clickbaity headline, check. Quotes from named 'experts in the field', check. Embedded tweets showing how to 'expose your password', check.
From the perspective of a non-technical user, the format reads the same as an article on a major data breach. And yet we wonder why we have a hard time getting users to pay attention to real security problems.