255 comments

[ 39.5 ms ] story [ 4429 ms ] thread
First thing to do after installing Windows 11 : Disable Telemetry
We live in a hell world if we need to take extra steps to NOT be spied by your operating system
Already here - I’ve had windows 10 auto updates re-enable it at least 3 times over the years. I’ve given up frankly. It’s really crazy they get away with it.
Windows 10 still respects the Group Policy on Windows Update . If you’re on Home edition, there’s a powershell script that can enable gpedit for you.
I use WPD to block and disable it all. There's a lot more than a few settings to change.
Can all of it be disabled? Can you point to how?
Thank you for mentioning this program. I didn't know it exists, and I just downloaded it and ran it, and everything was set to enabled. I thought I had opted out of spying when I upgraded Windows 7 to 10.
Then don't use Windows.

If you aren't happy with Apple's telemetry, then use Linux.

If you aren't happy with bug reporting tools remove it.

Indeed. Regular people I get but developers voluntarily using it make no sense. But UI, but telemetry, but appl... As if there are no viable options out there
I'm glad the standard we hold ourselves to is to just not use shitty products that spy on their users instead of expecting/requiring them to be better
Their QA process is based around their telemetry.

They're not going to change it.

Also exaggerating by saying "spy on their users" is just misrepresentative.

And muddies the water when discussing actual spying on users computers.

It's also an exaggeration to say that they have QA process. They keep shipping faulty updates again and again.
It's not really a quality assurance process anymore if you wait for things to go wrong in the field. More like a quality remediation process.
(comment deleted)
And then update your software because you need security updates. And then disable telemetry again. And then update your software again. And then disable telemetry again. And then update software again. And then disable telemetry again. And then install Linux and never install Windows ever again.
I have since relegated to totally disabling Windows update due to this. As a bonus, my PC stays the same way, goes to sleep and stays asleep as expected without new unexpected features clogging my desktop every month.
I've rarely ever seen any discussion of Windows Telemetry actually discuss how it violates their privacy.

Is it not possible that the telemetry exists only to collect data on how to improve software? Do we know it's being used for advertising?

There are other risks than advertising/privacy. They can for instance analyse what applications from other vendors are frequently used and build in alternatives.
Do we know it’s not? Is it illegal for them to switch to using it for advertising in the future?

What I know is that they collect huge amounts of data and we don’t have protections on how that can be used.

And what that means is that it comes down to trust. And anyone who trusts Microsoft (or any of the tech giants) is naive or uninformed/ignorant.
It has become quite clear that user data is the goldrush that the majority of the world's biggest tech companies are feverishly mining. Whether they sell it today (advertising) or not is the smallest concern compared to a myriad of society-harming ways that it could be used in the future. A company like MS could sit on your data for a decade and then decide that can get away with far more data abuse than they could today. It seems like a good bet that the ways that our data can be used will continue to expand. We probably can just watch the tea leaves of China to see what our data use future looks like. How long will it be until we have a social credit system like China's?

>actually discuss how it violates their privacy

The privacy violation is the collection itself.

Unwanted surveillance is itself something that many of us object to. For example, I run uBlock Origin to reduce tracking, not because I think ads are evil.
If you want your software improved, open source it, and people will post gitlab issues. We all saw what happened with MS Calculator. It was a successful experiment.
They will never do this in areas where that would threaten their vendor lock-in.
Even if that was the case, and that there was no way to use the data to harm me, and it wouldn't be used to make a bland user experience, why take the risk?
Personally I don't care what it's used for. I just don't want it :)
Did you check your firewall logs to see if it actually disabled it?
It is near impossible. There are probably in excess of 30 or more group policy settings that would be needed to try to disable it. Even something as simple as signing into the Microsoft Store seems to enable additional telemetry like sending app launches to your Microsoft account history.
Best way to thoroughly block all telemetry on Windows is actually the built in firewall. Just block all outgoing connections and only enable them for your browser and whatever else you need.

According to a tcpdump running on the host of a Windows VM this blocks absolutely everything, even connections originating from kernel drivers. I tested this with LTSC though, so YMMV.

According to an MS engineer, you will be able to sideload APKs to Windows, which solves the problem for any app that doesn't need GMS:

https://twitter.com/ajonoguy/status/1408221001951809539

You will be able to install the software you want on the computer you own without going through some corporation's central "store"? The fact that this is surprising or noteworthy is just sad.
If APKs were normal Windows executables I'd agree with you. But given that they're not, there's not really an expectation that they'd just work.
Exactly—also given that side loading was, for a brief moment, a Windows Enterprise-only feature, if only for Metro apps.
What does the fact that they are not PE exes have to do with expectations about sideloading? Would you not expect to be able to side load a .jar either?
Microsoft previously disabled side loading of Metro apps. This happened in the Windows 8 era. You either had to purchase a side-loading key (per machine) or use Windows Enterprise.

My memory of the details is fading, thankfully, but I think side loading was disabled for 8.0 and 8.1 (without a key), and the restrictions were removed or relaxed in 8.2.

Parent was talking about side loading without store, not that Android Apps work on Windows. So it shouldn't be anything special to install whatever file format you want on Windows regardless the source.
That's absolutely not the same thing. I can download APK files all day on just about any operating system I want. That isn't equivalent to "installing" them.
It's not about the file type but the file source. On Windows the source of file to install bis irrelevant, so side loading is not a feature. So why is new that you can install files that are not from a store? Install APK? That's new. Sideload a program? Not new, it's windows standard.

Here some news for you. You can even side load Exe files and MSI files. See, nothing special. APK yes, side loading no.

(comment deleted)
Side loading is a term that in the context of Android applications is well understood to be installing android applications that are not on the Play Store. It is not a synonym for downloading files to your computer system nor is it a synonym for moving files between two devices.
>It is not a synonym for downloading files to your computer system nor is it a synonym for moving files between two devices

Actually, it is:

"Sideloading describes the process of transferring files between two local devices, in particular between a computer and a mobile device such as a mobile phone, smartphone, PDA, tablet, portable media player or e-reader." https://en.m.wikipedia.org/wiki/Sideloading

Additionally side loading refers to mobile devices not desktop PCs.

Yes, I suppose you absolutely can refute my point if you choose to discard the first half of my statement which specifies the scope.

Words can have different meanings under different contexts, and I'm providing you that context, which is important for understanding what people are talking about here. Please stop being obtuse.

You can just specify the scope as you like. It's about Windows mot about Android. Just because APK is an Android format doesn't change the context to Android.
Is it, or is not, possible to run arbitrary APK-formatted applications without regard for code signing or any app store[1]? If so, sideloading is not a thing, that's just the normal way to use a application[0]. If not, the operating system is malicious, and kaszanka's complaint about that fact stands.

0: Provided it runs on your OS in the first place, obviously; adding support for APKs in general is a meaningful feature, in the same way as wine adding support for EXEs on linux.

1: In the same windows has been able run arbitrary EXEs since... well the entire time it's existed, give or take incremental extensions and revisions of the file format.

They are not normal executables, but they sure are normal Android executables. I don't see how that changes the expectations about being able to execute them.
"Normal" (as in most common) means Google Play Store native apps. That's a lot of functionality to shim.
Sure. And 'normal' ELF executables link against libc and will not work if it's missing. If you want to argue quality-of-implementation[0] issues, go right ahead, but that's not the same problem as requiring code signing/app store.

0: ie, that windows doesn't really support APKs because it doesn't provide the APIs needed for them to work properly

(comment deleted)
I'm not sure ownership applies to today's software. When you buy it and get security updates for some time - sure, but when you get new features in mandatory updates it washes out what the actual product is. Maybe you don't want new features? Best you can do with Windows 10 is postpone updates for 35 days.
I suppose this will expose the lie that Android is anything like an open platform and not almost completely reliant on Google.
I'm sorry to disappoint you, but there's a repository of FOSS called F-Droid which has no ties to Google.
Most of the apps on my phone are from FDroid. This does not mean that you can have a phone with any comparable level of functionality without relying on Google. You can see for yourself by installing a stock android ROM with no google play services or microG.
How can you possibly think this is a rebuttal? Whoop de do, there exists an also-ran OSS marketplace on the platform. In what way does that rebut what the grandparent said?
There exists a repository named Cydia for iOS with no ties to Apple, therefore iOS is an open system? Google moves essential parts of Android to the proprietary Google services and can easily enforce restrictions for smartphone manufacturers, so 3rd party stores depend on Googles benevolence.
F-Droid has a major flaw, in that Android (as of now) doesn't allow auto-updating of apps outside of Google Play. I only install a limited number of apps from there for that reason.
In Android 12 app get updated too
Android allows any system app to update apps, whether the system app is Google Play Store or not.
Right. And microG is a perfect replacement that works flawlessly.

You see where this is going. Google has moved _so much_ functionality into play services that Android as a platform is losing features every day if you don't have it. It's fine for fully local applications, but should you rely on location services, dynamic module delivery, any maps service, etc, you are utterly fucked.

The problem is like any software feature nowadays it can be restricted in the future once general acceptance occurs. And most users who don't know anything abour sideliading will download from Amazon and not know what is going on.
Yes, the concerns raised about resigning apps and sideloading capability is not something the average Windows user will care about.

Android apps are also inferior to Windows apps, so the real question is: Who is going to use Android apps on Windows.

Android app developers seem to be the target group.

> Yes, the concerns raised about resigning apps and sideloading capability is not something the average Windows user will care about.

It's not something they'll understand the significance of. That doesn't mean it isn't important.

>Android apps are also inferior to Windows apps, so the real question is: Who is going to use Android apps on Windows.

Many people who use their phones for a lot of the time and want a similar/identical experience on their laptop.

>Android app developers seem to be the target group.

I disagree. It's for people who want snapchat or signal or whatever on their devices. Android developers already have emulators or test devices.

Yep. I've tried Android apps on ChromeOS and iOS apps on macOS. They're so out of place and clunky...the average computing user just won't like them. The developer angle is the only one that makes sense.
About that. Most people are great with having access to Android apps on their Chromebook... Android apps let you do work on a Chromebook (example:video editing) where a local app really helps. Some Android apps work really well. Others not so much... That is because the developer hasn't done what needs to be done to make their app behave with freeform window mode. Those that don't either grab the whole screen or run in a phone sized window. Android has always had mouse support (original Android phones had a touch screen and trackball). Apps that do support freeform window mode work really well on ChromeOS, too.

Ok, so why even have freeform window mode? Well, that is because Android has a "desktop mode" that is supported by some Android 10+ devices. If you have a USBC/HDMI/USB adapter (same thing you use with newer macs), you can plug your phone in and use it like a desktop. It's not great, but it is surprisingly useful, especially when an airline loses your laptop bag.

"Android apps are also inferior to Windows apps"

There is no windows app to access my credit card, an Monzo doesn't even bother creating a website to access your bank account.

Some functionality specifically requires a mobile app and is not accessible from websites.

Was just about to ask this.

Another question is, how does Amazon solve the GMS problem? Do they provide their own shim library, modify the apps somehow, or something else? Could the whole Windows 11 thing pressure developers not to rely on Google APIs now that there's more competition in the space?

It's like Huawei's HMS: it's not a drop-in solution, which means that you can't just upload the APK to the Amazon app store without changes.
I think this is going to end up giving a lot of power to the Android ecosystem. I never felt much compelled to make an Android app but now that I can possibly be as simple as double clicking an .apk and it opens in a window... that changes things quite a bit for me. Microsoft should tap into this synergy and somehow create an IDE that can pump out both Android .apks and Windows apps with the exact same design, usability and build pipeline.
(comment deleted)
While this is indeed worrisome, I’m not really sure Microsoft is any better than Amazon from a pure end-user point of view.

Microsoft has been a telemetry champion and has been collecting troves of personal data through Windows 10, all the while making it almost impossible for the average user to disable it (and re-enabling it with every major update).

So if Microsoft goes the same route as Amazon (resigning every app), it’s just a matter of choice between a rock and a hard place. On the other hand, even if they allow for the app developer to keep its signature, Microsoft is still probably very capable of gathering data and telemetry through their Android implementation.

Either way, and until it becomes illegal to collect data without explicit consent, I’m pretty sure we’re screwed…

The telemetry for Windows is a frequent topic here, could anyone clarify/compare the story for Mac OS?
In the Apple ecosystem you are asked once when setting up a new device if you would like to enable telemetry.
Apple devices still phone home constantly with things that amount to telemetry when you use them, even with analytics disabled.

Opening the App Store app, for example, sends your hardware serial number. Macs and iOS both maintain hardware-serial-linked 24/7 connections to Apple's push servers, too.

There aren't opt out UI settings available for the majority of Apple's phone-home.

The situation is a little better compared to Windows, but it's not perfect.

I always disable telemetry, but iphonesubmissions.apple.com:443, radarsubmissions.apple.com:443 and securemetrics.apple.com:443 are still contacted.

People messing with ocsp.apple.com:80 (https://github.com/StevenBlack/hosts/issues/1460) also need to be aware of ocsp2.apple.com:443.

The iAdSDK setting is somewhat respected, but all the Siri subdomains are pinged even if Siri is turned off.

I’ve never had to try and remove ads from macOS to the extent that I do with windows 10, it’s not devoid of advertising but not quite as bad
Moving the goalposts. The parent was asking about telemetry specifically.
You get ads on Windows 10? I've never seen a third party ad. They have had an ad for Office which was a live tile (which I have disabled because I do not find them useful.
Also not me, but American friends have always complained about this so I presume that they don't want to anger some regulators in countries where they don't put ads.
They were in the start menu. Ads for software and games. There was that candy crush saga game for ages.
Indeed even here in Europe. Cleaning the start menu from all that crap is the first thing I always do. I empty out the entire right hand side, because if you do so it actually disappears! But many updates put things back there.
Ads are telemetry now? Is "telemetry" just a catch all for "anything software does that I don't like"?
I'm pretty sure computer ads have always been telemetry.
This is a unique definition of “telemetry” as it usually requires collection of data. Some ads use telemetry for better targeting, but that isn’t all ads and definitely wasn’t true when things like banner ads were first introduced.
This is why I treat windows as my gaming console at this point. I game on it, thats it. Everything important I leave to linux/mac.
Wine/Proton is so good that you might find you don't even need it for that.
Games consistently get fewer FPS on my setup. 3750H GTX1650. Part of it is nvidia drivers being poopoo, most of it being CPU cycles overhead.
In my experience the nvidia drivers have been getting much better recently.

Proton's not perfect, but it's been mostly worth it for me not to have to boot windows.

Agreed. For anyone interested in FPS boost, try glorious eggroll proton.

I personally compile it myself off the AUR with the -O3 -march=native flags (look at the PKGBUILD for more details), and I get fewer FPS than Windows, yet more consistently than Wine. No microstuttering.

My experience is that even running Among Us (i.e. a very simple game) via Steam/Proton on Ubuntu LTS (i.e. the most common platform) was quite fiddly. Didn't have chance to try much else, Factorio is luckily native
For most things absolutely- I’ve had great success with proton. There are a few holdouts, especially in the VR space where Windows is still unfortunately very necessary.
> and has been collecting troves of personal data through Windows 10

How much PII is really collected via W10 telemetry? Or is the amount of times you click the start menu, accidentally search for something via Bing, then close that window now considered personal information?

It doesn't matter if it's PII or not. You ask before collecting. That's basic decency.

Not your computer. Not your data.

Not your computer. Not your data.

Unfortunately, Microsoft thinks otherwise. See the huge discussion here for example:

https://news.ycombinator.com/item?id=27629350

(tl;dr: thanks to Secure Boot, Microsoft had to give permission for Linux to boot.)

Also, don't forget the whole "Windows as a service" crap.

Your behaviour is personal to you and it is possible to identify a person based on that data.
For me it's a question if whether it is ever linked or able to be linked to specific app usage or details of that usage (thing Edge browsing behavior).

With industry privacy changes, having a persistent login at the OS level let's you do an end run around privacy protections in a browser, or incognito mode type stuff potentially.

I've been using Windows 10 since it's initial release and have never had telemetry automatically re enabled. I check the relevant settings regularly (every few months). I have no idea what all people on HN are doing that causes this to happen so frequently to them but it's never been a real problem. I wish I knew what I was doing differently so I could make a blog post about it haha.
I mean, what the HN and tech in general (edit: not general - sorry) audience wants is a totally zero telemetry, even if said telemetry is literally the list of installed updates. I personally think that's genuinely weird to me, since that Microsoft's "basic" telemetry only sends critical data like how many times Windows crash (and actually has the data reduced from 2015's state).
Yeah, knowing how much telemetry has helped me improve the user experience in the internal apps I work on I really don't think it is that evil. I think people just wish it was easier to enable/disable and that Microsoft was more transparent about it.
I think that the possibility of abuse (which has happened), possibility of government requesting that data (also happened, plus people here tends to be not inclined to give their data to any government), and possibility of leakage (general leakage not happened with Microsoft, but there's state-level hacks) means that even telemetry is tainted with privacy issues.
As someone who has worked on user-facing software, the part which bothers me the most is the reversal of user settings. MS is really bad about this, and even broke a linux install on a separate partition on my machine by changing the UEFI settings after an update without asking me. If I shipped software which did this, I would feel like I had to turn in my developer card.
Frankly this, as a developer. I call them "showstoppers" and if there is a god of programming, they are the ultimate sin. Things like

- breaking a user's multiboot

- deleting user data

Even if these are not bugs and merely the result of bad UX (lack of warnings and security for the user).

Deletion of all user data upon upgrade was a common 'problem' with earlier versions of Windows (I remember having such problems into the XP era, and I hear it happened to people on W10). Breaking other installs by MS is a common theme too in dual boot setups (whereas Linux bootloaders are more likely to pick up the Win install and offer access to it).

I remember vividly the last time it happened to me. I had been dual-booting Linux for some time (on a personal laptop dedicated to work). It was my first Linux OS, I was a newbie (precisely learning bash, programming for servers, etc). After some update, Win10 broke my dual boot. I was livid. It took me the better part of a weekend to fix it and avoid loosing all my work of several months (a lot of it was in the form of system files all over the place, I had no idea how to retrieve all that without ad hoc commands etc, and I had no idea what e.g. chroot was at the time. I learned, the hard way, haha — btw thx to the Arch Wiki for that weekend. It was a life saver).

The very next thing when I got access back to my Linux OS was to backup all my data, format everything and reinstall Linux fresh.

And that was it.

I've never used Windows ever since as my primary driver, only for testing purposes in VMs. That was 2016 iirc.

There are such things as showstoppers that make you instantly drop a product, never to look back. Microsoft's Windows desktop team never learned that, I don't know how they still pretend to be for "professionals". You don't do that to people who make a living with their computer (i.e. the vast majority of businesses nowadays).

> "- breaking a user's multiboot"

I have tried mutiboot with different Linux distros too and had it broken too many times, eventually I got sick of this shit. Fixing the bootloader should be a simple process but requires you to sacrifice a goat.

Never multiboot again, if I need another OS it goes in a VM.

When I absolutely have to, I install another OS on a separate drive with it's own bootloader and select the one I want in BIOS. That is actually reliable and never breaks.

Haha. One goat. Fool! You need at least four.
> When I absolutely have to, I install another OS on a separate drive with it's own bootloader and select the one I want in BIOS. That is actually reliable and never breaks.

Will this effectively encapsulate the UEFI settings? I had a problem where Windows turned off the wifi module on my MoBo to "save power" and it messed up the wifi on Linux.

It has become a meme to be "outraged" about companies collecting any data. People don't analyze if this collection impacts them or not. They react as if the company wants their first-born.
It doesn't matter if it impacts them or not. It's a violation of the social privacy standards that have existed for centuries.

Someone looking in the window and making an inventory of all my furniture doesn't impact me in any way. But it's still an invasion of privacy and wrong from the standpoint of common human decency. A concept that has become lost to a generation that's become acclimated to thinking this is normal. It is not.

> It doesn't matter if it impacts them or not. It's a violation of the social privacy standards that have existed for centuries.

I have no idea where you're getting this from. Governments regularly perform national census, and collect data from all kinds of institutions to inform their policy. Banks constantly analyze your bank accounts and activity. Utilities meter your use for both billing and their own planning.

This is not someone "looking in the window" this is two parties (you and the company providing some service or product to you) needing to exchange data so each can do their work properly.

Those "privacy standards" you cite that have existed for centuries... that's not a thing. It seems to be based on falsifying the history and present of how humans organize and govern systems out of ignorance. Data gathering IS the "normal". Of course it's been very limited and cumbersome before, now it's easier thanks to IT.

So if your only argument is a vague discomfort from this not being "normal"... you have no argument.

> This is not someone "looking in the window" this is two parties (you and the company providing some service or product to you) needing to exchange data so each can do their work properly.

The electric company probably needs to know usage for billing. Microsoft does not need any information about Windows users for the product to work. Even things like fetching updates doesn't need to leak information, although I'll grant that it's a little bit more work to avoid leaking any data.

> The electric company probably needs to know usage for billing. Microsoft does not need any information about Windows users for the product to work.

Honestly, it's amazing you can say this with a straight face? You don't think Microsoft needs to know which parts of its product crash or not, and are used or not, in order to deliver a well-working product?

I don't know if most of you here work with large-scale products, but Microsoft has no the luxury of going to every Windows user personally and asking them how's Windows and what you want more or and less of. That "conversation" happens through telemetry.

They somehow got by for years before telemetry was an option; the answer is mostly testing, focus groups, and user studies, along with intentionally-provided bug reports.
None of what you say replaces telemetry, it's an addition to it. And the question remains why we need to willfully ignore the Internet, and do things like in the 80s. What's the purpose of this idiocy?
(comment deleted)
> You don't think Microsoft needs to know which parts of its product crash or not, and are used or not, in order to deliver a well-working product? How about asking the user and testing before delivery of the product? MS outsourced the test to the users and enforces a feedback for their faults. Imagine doing the same 40 years ago. A company employees enters your home to gather data about faulty products. You do know how many private data is stored on PCs and smartphones? Do you know what people access this data?
Isn't that what the insider community was meant to be for? Getting cool new stuff in exchange for data and performance stats collection.

Just taking it from everyone without offering the ability to turn it off is very poor practice imo. I understand they want this data to improve stuff but I should have the ability to not contribute to it.

>This is not someone "looking in the window" this is two parties (you and the company providing some service or product to you) needing to exchange data so each can do their work properly. It's even worse. I can see the person looking through my window. I can close the blinds. At OS level I don't have that chance. I can't constantly monitor the outgoing traffic and I can't check the consequences of every update.

>Those "privacy standards" you cite that have existed for centuries... that's not a thing. It seems to be based on falsifying the history and present of how humans organize and govern systems out of ignorance. Data gathering IS the "normal". Ever thought that you and parent live in different countries with a different value for privacy? Even a "simple" thing like a census in Germany led to Constitutional Court ruling and the establishment of a new right, that of informational self-determination. And that was in the eighties and it was about a census in the form of a total survey to be carried out door-to-door by civil servants or agents of the public administration.

Now you private companies fathering more data more often than ever before. So it's worse, calling that "normal" is strange.

Trying to gather data about your product performance and use is "normal". The fact it's been always happening is also "normal". The fact you do more of it because of technology doesn't make it less normal. Is it abnormal you can shop for groceries 5 miles away with your car, because you wouldn't be able to by foot? What kind of a silly thought process is that.

Probably companies haven't been able to serve billions of individuals worldwide, so they had less data. Microsoft has more customers, and has more data to process.

No one here is describing WTF is this "data" harming them personally with. It's not personally identifiable, and it's extremely mundane. Surely Microsoft will destroy your life by having some stats on how often people in a given region play Solitaire.

So tell me how car or TV manufacturers gathered that data 40 years ago? It's neither normal nor was it always happening. It's an effect of the internet and was normally impossible before.
"The Audimeter (audience meter) was used from 1950 during the early days of television broadcasting. It attached to a television and recorded the channels viewed, onto a 16mm film cartridge that was mailed weekly to company headquarters in Evanston, Illinois, and used to generate the Nielsen Television Index. It was based on an earlier Audimeter that had been developed for the 1942 Nielsen Radio Index. Randomly selected "Nielsen families" homes were enticed to accept the Audimeter by including free TV repair service provided by TV Index reps, which was a valuable commodity when vacuum tube televisions predominated." - Wikipedia

In other words, for TV they paid a small portion of the audience to record and report their habits.

So they had to ask and pay. No problem if MS does the same. Currently they do neither.
Microsoft does ask. And it can easily adjust pricing up and then give you a discount for telemetry. But you won’t end up with more money as a result. So what did we achieve?
These are two different things that only on surface seems to be similar. The censuses performed by governments happen every few years (should be 10 years for majority of countries, if I'm not mistaken), while telemetry gathered by software happens almost on daily basis if not all the time. Then, depending on place, census may include every adult citizen or just representative part of the population and at the same it might be compulsory for those who were selected or who are required to participate.

Telemetry involves everyone by default and it's hardly optional unless you decide to actively fight it - speaking about Microsoft Windows here. The choices offered by Microsoft doesn't offer users true control over data they gather and process; hell, that actually applies to other big companies as well - you have just the illusion you are in control of what they managed to collect about you and the vague assurances, promises that they aren't up to no good with that stuff.

Government will most likely benefit from planning its politics having the data gathered from census while Microsoft might or might not use the telemetry data and honestly, seeing what they did with Windows 10 over course of all its releases, it doesn't appear they do actually use that telemetry data for anything. They don't even bother with users, power users opinions regarding the features that are causing issues in Windows.

>audience wants is a totally zero telemetry

does that audience lacks of experience with developing software?

How do you check that telemetry is disabled? Do you inspect packets that come out of your network card?
Well kinda yeah... MS is one of the biggest contributors to blocked requests on my pihole.
AFAIK it's tied to feature updates. If you have them disabled or use LTSC you basically never get settings randomly changed behind your back.
Like parent, I run a mix of Pro and Home machines with feature updates enabled, and my privacy/telemetry settings have not been changed back mysteriously. So I too wonder what I'm doing differently.
I sometimes wonder how profitable it actually is for Microsoft to be so pushy on data. What I mean is: I understand that MS is quite zealous internally about telemetry, but how effective is this data in terms of actually improving their profitability?

From the user side, I am quite sure it is hurting the experience. One example is logins. MS is pretty bad about requiring logins for products which don't really require it in order to complete the user journey - for instance I bought the Halo collection on Steam, and in order to play an offline, single-player game I have to log into an MS account. As a result I haven't played the game in months, because I have to use this MS account that I don't even want to have, and I can't be bothered to reset the password for when there are other games I can play which just start up with no arbitrary hoop to jump through.

And what does MS actually get out of it? I guess they can optimize their dark UI patterns to be better at tricking people into setting Edge as their default browser?

Being data driven is good, but it seems to me it's not working if the end result is compromising the core user experience.

User telemetry replaces what were once focus groups and market research. Without telemetry, Microsoft would be unable to determine what products were used, what features were used, and unable to determine prioritization for backwards compatibility and bugfixes, because it chose to rely on telemetry for basic business operations.
User telemetry replaces what were once focus groups and market research.

These things still exist, and many companies still use focus groups and market research. The company I work for, for example, does this extensively because I'm in the healthcare space and the legal department doesn't want us collecting information about our users without them really really really knowing its happening.

Another example is MailChimp. It not only does video interviews with its users to determine how they use the product, it pays you for your time.

Microsoft has the money and staff to do this basic research. "Telemetry" is just a synonym for lazy and cheap.

Yes and even besides traditional methods like user research, there are lots of indirect ways to measure the success of a product without resorting to invasive data collection practices.

For instance, you can track downloads, page views in documentation, the number of times a certain endpoint is pinged on the server etc. while still respecting the privacy of the user.

The practice to track a user's behavior across a wide array of products imo crosses a line, and is not needed to inform good product development.

A company could probably sell better to you if they hired a PI to follow your movements, and tapped your phone line, but that doesn't give them the right to do so.

I suspect there's also a fear about the accuracy of self-reported data. If you ask a user if he does XYZ, he may say 'no', because of a myriad of reasons (misunderstood the question, embarrassed, not allowed to disclose, etc.), but if you instrument it up and see he clicks it 200 times a day, that's probably the truth.

The problem is that analytics in a vacuum are just as misleading as testimonial data, if not more so. "0.6% of users touvh XYZ and only use it for an average of 17 seconds per year" could mean that it's an unloved feature that can be sunset, or that it solves a single niche task very completely and perfectly, and ripping it out will cost those 0.6% of users five hours each to replace.

I think there's also the risk of talking yourself into bad decisions with data as a justification. For instance, if you have a KPI to increase X, and making your UI harder to understand confuses users into doing X more often, from a data-driven perspective you've done the right thing, but you've made the product worse.
That might be the case, but it seems like mostly what they've been able to do with it is build products like Teams which nobody asked for and nobody wants, but people have to use because MS has some leverage to get it used in certain organizations.

There are exceptions like Office and VSCode, but it seems like for the most part MS products are things which people curse under their breath and don't like to use. Part of that is because of things like how their aggressive approach to telemetry bleeds into the UX, and it just seems a bit off if the tool you have for optimizing your product is actively making it worse.

You may not want Teams, but do not live in the illusion that nobody wants Teams. As proof: I want Teams.
What do you prefer about teams over alternatives? It may be anecdotal, but I have only ever heard people complain about teams.
Teams video-chat is great, easily better than things like Cisco's offering (and zero-security offerings like Zoom).

On the other hand, it's also trying to be a weird combination of Slack and Facebook at the same time (only less searchable than either) and that's pretty terrible.

Really think so? I think the free alternative jitsi is so much better than teams. I use teams for work and its video is pretty slow. Jitsi (I use this for my local makerspace) achieves a much better frame rate. Which makes it more realistic and improves communication.

It's also so much lighter on the computer than teams.

They complain about it in the same way they complain about computers in general. Sometimes it doesn't work right. That doesn't mean that 99.5% of the time it doesn't get the job done.
But for instance people like to be on slack, and Zoom calls were fun before everyone got sick of them. The sentiment around Teams whenever it has come up around me has always been one of pained obligation.
I haven't used teams in 3 years (I use what clients use, mostly it's slack) back then I really liked wiki + channel combo, it was super simple to keep channel specific notes in one place and everyone used it since it was right there, fast to update and search - way better than pinned messages which I find almost useless
From my experience, the only thing teams does mostly better than the alternatives, is the moment you're actually in a call. The audio quality seems to better than something like slack or alternatives in my experience.

But once out of a call you end up in a messy maze of random cluttered functionality and different, confusing styles of chat options, integration with a bunch of stuff that on paper sounds like a good idea, but in reality is annoying as hell and hard to navigate.

> how effective is this data in terms of actually improving their profitability?

I work closely with telemetry data coming back from Windows devices. There's surely a line from collecting this telemetry to an answer to your question, but I've never heard anyone in our group talk about the profitability of this data. In fact, it costs a lot of money to process and store such huge data, which is absolutely a concern -- so there's strong belief (which I share) that this cost of business is worth it because it lets us make what I hope are good decisions about where we should focus our efforts.

The telemetry that comes back encompasses many dimensions of the user experience, and it helps us do things like figure out when an insider feature is ready to GA; what drivers or devices do poorly and how we can improve the experience; how accurately we can predict battery life; etc.

> they can optimize their dark UI patterns to be better at tricking people into setting Edge as their default browser?

I don't think whoever is in charge of 'tricking' people into using Edge actually have the kind of telemetry that most people think about with respect to Windows data collection. A lot of people think there's some sinister plot here -- apparently as evidenced by your phrasing. But if you look at the UI for default programs, it's really just a slightly annoying "are you sure?"-kind of message. (I don't use Edge by default, but I just reset my prefs to Edge then back, and I wasn't harassed again, so this isn't a persistent nagging.)

> how accurately we can predict battery life

You do remember that Windows nowadays only shows "Battery xy %" instead of giving an estimated runtime, right? (Which is, btw., a "holy fuck what braindead idiot thought removing this is a good idea" moment, at first I thought Windows wasn't giving an estimate only in the first few minutes, but after a while I started googling around thinking that the lack of estimated runtime was a bug, but no, someone actually went in and removed it. A very clear and obvious example of actively, explicitly and intentionally user-hostile UX for what sure seems like no other reason than "we could, so we did".)

Apple did the same thing. Big Sur will only show you the percentage. Not the estimated runtime. You can find the estimated runtime by looking at the energy tab in Activity Monitor. There are also 3rd party tools that will show it. But by default, it's not readily visible.

Apple claims they did it because the runtime estimate wasn't accurate enough. Maybe Microsoft's reason was the same. Though it does seem user hostile to remove it, unless the estimate was substantially off and there's no way to fix it.

> Though it does seem user hostile to remove it, unless the estimate was substantially off and there's no way to fix it.

I think the problem is that users expect percent charge to be a direct, linear correlate of time remaining, but battery discharge isn't linear. Even if it were, predicting time left is tough. Giving the user a percentage rather than a (likely incorrect) time estimate seems like the less bad approach.

idk I always found it to be accurate enough. Also it was a helpful canary to see that if the estimated time remaining dropped quickly, it probably meant I was doing something power-intensive, which maybe I would want to do something about.

It seems like it would be trivial to change the default and leave the time estimate as an option.

Well they show it on a linear bar graph so thats on them
Battery discharge is quite linear, because the OS is using the information from the BMS chip in the battery pack, which tracks the energy stored in it rather accurately, and also tells you very accurately how much power is drawn or put in.

Personally I don't use Windows on any of my laptops, so I only noticed this one day on my work laptop. On my Linux laptops my status bar is literally just doing a weighted average of "time_remaining = energy_remaining / current_power", which works rather nicely.

That a supposedly top-notch software company like Microsoft is trying to gaslight their users into "predicting battery life is like hard you know! We're gonna remove it because it's so inaccurate, it's basically unsolvable aha" makes me throw up a little, but is also such an accurate and damning reflection of the way these companies conduct themselves.

Maybe a better explanation for why they would remove this is because they don't want to make battery degradation visible to the user. I.e. my battery used to get 4 hours of life, now it gets 2 and a half.
Perhaps, but pretending that this doesn’t happen is gaslighting.
Apple did this concurrent with reports that their laptops had poor battery life. They were likely exaggerated but I don’t think the reason was exclusively that the number was misleading.
In particular, it was because reviewers—particularly Consumer Reports—noted that Apple's new set of laptops had inconsistent battery durations. They'd run their test and get one number of hours, then re-run the test and get something very different. They ultimately decided the lower number was more important, because if you can't rely on a laptop to provide a certain amount of working time, the actual amount doesn't matter.

Apple responding by hiding the estimate—even on their older computers, where it worked very well—struck me as utterly missing the point.

Can you give an example of a type of decision where you feel telemetry was valuable in terms of making the best choice?
Their telemetry pushed me away from buying Windows licences.

I used to pay hundred of dollars for Windows Pro licences for all my machines at home (desktop, self-built HTPC, self-built NAS etc). - After MS went overboard with telemetry, I switched to Linux on everything except my desktop.

Recently I set up two new machines (printer server and gaming server), in the past I would have bought two Windows licenses for those, but I didn't, and installed Linux instead.

That's more than AU $650 in missed sales for MS.[1]

I am aware that I am just one single data point with no statistical significance, but I can imagine I'm not the only person in the world who is bothered by this.

[1] One copy of Win 10 pro is currently sold for AU $339. https://www.microsoft.com/p/windows-10-pro/df77x4d43rkt

Well, if you're using Windows you're stuck with Microsoft anyway. It's preferable not to add Amazon to the mix.

I'm not sure how the terms of the integration go, this could be avoidable - and it would be awesome if it was possible to port F-Droid to Windows.

Good questions asked.

In the short term, breaking the App/Play Store duopol will be a good thing.

But what will happen after that?

Good things for developers.

Good things for power users.

However I'm concerned about the impact on "normal" users that just want their stuff to work. There's little stopping a Facebook App Store from taking similar measures, for example.

Only thing that can compete with native app stores is the web, this means making the web standard even more bloated.

If you could install a store inside your browser and then buy web apps from there instead, your apps is no longer tied to the operating system, only to the store (that requires a compatible browser)

But I don't think it will happened because it doesn't benefit the two major players on operating systems, Microsoft and Apple.

What probably will happen is just solidifying the Android based native app as the dominant application platform, now you can develop against the Android SDK and cover 80-90% of the market, both desktop and mobile.

If you don't know Java already, it is time to learn. Welcome to the future - poms, jars, classpaths and AbstractFactoryFactory nightmares everywhere, buggy and slow Android apps running over a virtual machine with a user experience not adapted for mouse and keyboard. There will be Hacker News threads about how they miss good ol' Electron apps.

Isn't it time to just ditch "Stores" all together? We were way past that concept on the PC for decades, how on earth does it help to introduce it to desktop? Let ppl download there apks from the dev sources directly, and... oh wait... I'm just describing 'installing a program' as it has been for ages. Maybe this will at least help normal users to wake up and wanting to escape their jails. (oh sorry, I forgot, it's for their own good! o7)
installing applications from "wild" sources leads to possible virus injectiins etc. I sleep better knowing my parents won't br able to simply install things.

I like Android, where the default is the play store, but i can sideload or use f-droid as well.

Malware exists on the Play store too. My grandmother managed to download some aggressive adware bundled in a sudoku app.

Interestingly, she's avoided viruses on Windows for decades. I think thats because she wouldn't trust random apps from dodgy websites in the way she'd trust Google Play.

Malware certainly exists on the Play store, but when Google spot it, they can unilaterally remove it. IIRC, they also have the ability to remove it from devices where it was already installed. The app store model probably also delivers security updates to legitimate apps more effectively than every developer managing their own distribution.

My parents are also very cautious with what they install on Windows, and I think that's a pretty good approach. But it's pretty clear that plenty of people aren't so paranoid, and it's not always easy to tell a dodgy site from a legitimate one.

>when Google spot it, they can unilaterally remove it.

Microsoft can achieve the same goal already through Windows Defender. My app was recently flagged as a trojan (false positive) and it would be wiped from users' computers before they could even run it.

>they also have the ability to remove it from devices where it was already installed.

That Microsoft can't do, but I'm not really sure that it's a good thing...

>The app store model probably also delivers security updates to legitimate apps more effectively than every developer managing their own distribution.

Citation needed there.

That last one (the “citation needed”) is solved by stores that have auto-updaters. When a store isn’t used, it’s up to the app developer to provide a notification of an update being available, and many don’t do that.

Linux’s package manages show that quite well. I can update (almost) all my packages with a simple command. On Windows, if Inkscape has a security vulnerability that an update fixes, I'm not informed of this unless I follow the development or use an RSS feed of sorts.

Agreed. Of course it's possible in theory for every developer to have their own secure, reliable auto-update mechanism. But it's not easy - the docs of The Update Framework describe some of the challenges.

If every app handles its own updates, that also means that either you've got N background auto-updaters running, or the check has to wait until you run the software - and potentially get exploited by a hole patched in the update it's just downloading.

I still think developers should not be able to upload binary blobs to the store. The store should prescribe an official set of tools and build options. Developers should be required to upload their source code and build instructions.

The store will then build the application binaries based on provided instructions, run tests to make sure the application meets store criteria, and publish it if everything looks good. Perhaps there will need to be some manual intervention when necessary but we should be able to automate things more as we see more use cases.

That and the client "store" should be decoupled from the server store and users should be able to add/remove server stores as they see fit.

I would generally agree, but this puts a lot of trust in whoever is running the store: if Google/Amazon/Microsoft/Apple build and sign every application, they can quietly modify the code. It wouldn't necessarily be easy for even the developer to know that this was happening.
why should they make it so complicated? Apple or Google can manipulate the operating system. No need to manipulate individual apps.
That's broadly true, but I suspect it's a bit more difficult, at least on Android. Updating the operating system involves the company making the device (at least it used to, I'm not sure if that is changing), and it's much slower to roll out than an app update. I don't know if the extra bits like 'Google Play Services' have the necessary access to e.g. read private data from a messaging app.

As the OP is pointing out, the simple alignment of one platform with one app store is also a bit blurred. Neither Google nor Amazon control Windows. You can install the Amazon store on other Android devices. No doubt Samsung (and some other manufacturers) are trying to do their own marketplaces. And it's conceivable that in the future, they're forced to allow more competition (e.g. something like Steam for phones).

Adware is not the same as a virus that goes wild on your data.
I agree, but that's more of a function of Android apps not having full filesystem access by default. It has nothing to do with whether or not they can be sideloaded.
This false trust regarding stores is a real issue.
Somehow hundreds of package manager repos and all their mirrors work flawlessly on Linux.
If you use the official repos, those packages are (generally) vetted by the maintainers. Unofficial repos (sideloading stores) aren’t.
It's only worrisome if the Stores don't allow you to do that, AFAIK most people can still sideload apps on Android, not sure how the new Windows 11 Android apps work in this case.
Having downloaded a ton of Windows crapware back in the day... I spent most of my life programming and still wish I didn't ever have to say "Yes, I trust this unidentified developer".
I think the future for 90% of applications is really just to have progressive web apps. We're not quite there yet, but with WASM and WebGPU we're getting closer.
Second this, especially for games. Avoiding the 30% and bypassing Steam and the App Stores is going to be huge for game devs building in Unity and Unreal.
(comment deleted)

    we don’t modify and distribute your application code without your knowledge and approval º

    Notably, this person used “don’t” and “will not”… as opposed to “can’t” and “cannot” º
So the next stage in the plan for the tech giants is to now take control over all our software applications and really lock them down too?

With locked iDevices and smartphones that don't allow you to install the system software you want, that can be crippled and made unusable by the manufacturers, and have nearly unrepairable hardware (with lobbying opposing right-to-repair legislations), the tech giants have ensured that we have already lost control over our hardware devices. Today we only "own" them in name.

The article highlights a real worry - It is not at all far fetched to believe that by wrapping apps with their own proprietary codes, the tech giants can control and steal our app data (a very likely goal of all the tech giants) and even modify the apps to cripple them or convert it to a malware (at the behest of over-reaching governments).

This just adds to my worry, and ire, at App Stores, and provides a new perspective of them I had never considered before.

º https://commonsware.com/blog/2020/09/23/uncomfortable-questi... .

Hey, people want things fast and convenient, not so much secure, private or customizable. Those tech giants just appeal to that short-sighted mindset.

It's like trying to have a functional democracy with people who want it to be easy so it can get out of the way.

Big-tech control is just a side-product of atomization, as far as I can see.

Uncomfortable questions nobody asks because everybody is afraid of the answers.
Or they are worried losing sponsorships. Every company seems to be moving towards walled garden rent seeking data harvesting business model, so if they start asking question, they may start hitting the bottom line of many businesses.
You are right about companies looking for rent seeking. Rent seeking is a global trend unfortunately, and I'm pretty sure this trend will end bad for us.
Small anecdote: I needed a software suite for work and the cost was around $2800. I took a bank loan as I thought I could pay ~$300 a month until it is paid off and I didn't want to spent this much at once. I bought it. Few months later the company decided to embrace subscription model and you no longer find perpetual license on their site. That wouldn't be the end of the world, until my licenses started acted funny few months later (showing I don't have a license for some parts of the suite I paid for). The support said that they no longer support the version of software I have and they can only advice me to buy a subscription. They said they'll give me few months free for inconvenience.

I was shocked!

It’s been an interesting decade to be an Enterprise Organisation that’s been happy with Microsoft for more than 30 years.

We went into the cloud before Azure was a thing. AWS was a thing on the US when we did it, but back then no one in the Danish public service would’ve put our data into an American cloud. We instead rented iron instead of buying it, which sort of amounts to the same thing except it isn’t in your basement, but in someone else’s. Perfectly fine when the business case is there, which it was, and it helped us immensely for the world of today since we began getting everything virtual back then. Anyway, a decade later and now the move is going toward Azure (it could just as easily be AWS if Amazon had Office365) but it’s not like we want to move away from Microsoft as such. Yes we are idealists who want more open source in the public sector, but we’re also realists who have a staff of 30 to deal with the IT needs of 10.000 employees, some of which can’t tell support if the device they need help for is an iOS or Android device. We also don’t pay our IT staff enough to hire equal level talent for Linux systems, because that talent mass is just so much smaller.

Getting back to my point though. Over the years we’ve gone from using different Kanban and planning tools to using Microsoft teams and planner. We’ve gone from using different document sharing systems (and the strict control over these) to using OneDrive for business. We’ve gone from using Cisco software phones to using Skype for Business and teams. We’ve gone from using dreambroker to using the video tools in windows and teams for presentation. We’ve gone from having different ways of running the scripts that maintain our org data, and BI tools that present them, to using azure services and powerbi. We started our using Softomotive as our Robotics platform and became the leading public sector organisation with it, and Microsoft just bought it. The list goes on.

In short, we’ve gone from buying software from 30 different countries to simply using what Microsoft is now supplying through its platforms. We know it’s maybe not the best strategy, but it’s hard to defend not doing it when it’s both cheaper, easier for the organisation and what our IT staff wants because it gives them CVS that can be used almost every where.

Maybe this is just Microsoft being very good at spotting trends in the European public sector, but they are just so much better at it than agencies like Gartner, Deloitte, E&Y and even their competitors in the form of IBM and Amazon. Although as far as legalisation goes, Amazon has them beat by a lot despite starting slow.

Add CRM and ERP Systems as well, Dynamcis365 grants incredible bang for buck.
thank you for this detailed response -- I was on a team in the USA for a science company, under "transition" from plural, diverse vendors and stacks, to all Microsoft. It was in preparation for the sale of the entire company. Somehow management and the finance people together, in a locked room, decided that changing to one-hundred percent Microsoft stack was the move.

The engineers that carefully built large, performant, working science software on a dozen platforms, where almost always against the change. One of the founders and a Senior Scientist, would talk and talk, and in fact had moved to Microsoft stack personally also.

It was entirely obvious that the contrast between plural vendors, with plural engineering, was weighted against a single mono-culture of software and OS, and that decision makers went for the latter.

I'm an IT staffer at a company moving to everything MS and it's definitely not what I want. Everything MS do is just good enough to be viable but doesn't shine at anything. Competitive products tend to be really good otherwise they wouldn't have made a dent against the likes of MS that give most of it for free with M365.

My job has definitely become a lot harder since we went all in with MS.

This is an epic mess. Trying to catch up with iOS on Mac (ehmm..) but having a sub system over a subsystem .. I don’t think this will play out well.
Its just a built in VM with (hopefully) better perf and some nice file system interop. Where's the mess?
> Trying to catch up with iOS on Mac

Maybe, and barely. You've only been able to do this since November, and only on new Macs. When Windows 11 ships, assuming the TPM requirement isn't an issue, a bigger share of Windows users will almost immediately have this feature, rather than having to buy new hardware.

For real. Microsoft's attempts to compete with the Apple ecosystem kind of feel like DC trying to catch up with Marvel -- super rushed, half-baked, zero vision.

It's especially strange since .NET is a great cross-platform framework.

(comment deleted)
The Amazon Appstore on Microsoft Windows 11: A match made in hell.

This is all really concerning to me. Microsoft's embrace-extend-extinguish tactic[1] is now targeting both Linux and Android.

This is all so over-the-top evil that it would be funny if it wasn't so god damn depressing.

[1] https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

This post for info purposes only having worked with the Amazon app store team and does not reflect my opinions at all, I haven't spent time thinking about if it's good or bad:

The resigning stuff is because they alter the apps to fix dependence on Google play apis and gsuite apis. Developers were not interested in rebuilding their apps for fire and other devices without those apis baked in and this was a good solution to ease uptake for fire/Amazon app store.

Also note that ms will control this android os, so they already control the signature verification method. They could do this without you knowing very easily by just with something like carrying a second sig and hash of what they modified and the original partial sums from the original app. Google and amazon or any os supplier can.

Signature verification is only as strong as the verifier code.

Glad to burn karma to put data out there.

Sure, there are any number of ways Microsoft could break their own security model. For example, they could stop verifying signatures entirely. The fact that they're not doing worse things doesn't make what they are doing less bad.

If the problem is that app developers don't want to fix dependencies on Google services, but Amazon has a tool to fix them automatically, why can't they just release the tool and let developers sign the output themselves? Sure, some devs might be too lazy to do it, but how does that justify forcing everyone to give up control over their signatures?

> If the problem is that app developers don't want to fix dependencies on Google services, but Amazon has a tool to fix them automatically, why can't they just release the tool and let developers sign the output themselves?

I would imagine the tool rebinds the Google APIs to Amazon's equivalent APIs rather than neutering them. Since Apps are relying on the API responses. I don't imagine Amazon wants Apps distributed outside their Store using their APIs and getting a free ride.

Am I missunderstanding things? Isn't the purpose of App Signing primarily for Google's software running on your device to verify Apps running in your device against public signatures Google holds on it's servers?

I understand there's a chain of custody and a developer can upload their App, then download it from the store and be confident it's what they uploaded. But Google now allows you to put your signing keys into their KeyStore on their servers. I guess you still have a copy and can verify an App is signed with your Key but since you didn't do the signing that isn't enough to ensure it was signed without modification.

> But Google now allows you to put your signing keys into their KeyStore on their servers. I guess you still have a copy and can verify an App is signed with your Key but since you didn't do the signing that isn't enough to ensure it was signed without modification.

In fact, Google is planning to soon force app developers to use this model, just like Amazon. Yes, it removes the ability for developers to know/control what code is running with their name attached to it, and it's bad regardless of who's doing it.

> Isn't the purpose of App Signing primarily for Google's software running on your device to verify Apps running in your device against public signatures Google holds on it's servers?

The primary (or at least original) purpose is to verify that app updates (or in some cases extensions/companion app that can directly access each other's data) are signed by the same key as the already installed app.

Though I supposed that these days PlayProtect will likely indeed check the signature against Google's database on first installation, too.

Huh - the signatures are for the store and store client to verify things.

And if you are going to use Android App Bundles or whatever google is recommending, you'll be using Play App Signing.

I guess I'm just curious what "keys" amazon is forcing you to give up. I'm not sure they even care about your keys.

> And if you are going to use Android App Bundles or whatever google is recommending, you'll be using Play App Signing.

As I said in another comment, it's not any better when Google is doing it instead of Amazon.

> I guess I'm just curious what "keys" amazon is forcing you to give up. I'm not sure they even care about your keys.

If we're being literal, they're not forcing you to give up your keys. They're forcing you to give up control over what code gets signed as part of your application -- that is, control over which signatures are considered valid. The end user has no way to verify that the application is what you released; they can only verify that it's what Amazon (or Google) decided to distribute on your behalf.

Imagine if GitHub decided to take every repository with signed commits and rewrite it so that the code was signed by GitHub, instead of by the original authors. Why would anyone have a reason to trust those signatures?

The issue is users trust google / amazon / github and their signatures MUCH MORE than they do random joe blow developers signatures.

Let me explain something clearly - most users are NOT checking developers signatures. The clients, their trust is in the google / amazon's of the world. What google and amazon are saying, and what users care about, is that this application went through whatever process google / amazon have to describe / disclose the developer and their details, whatever scans google / amazon do, whatever CDN distribution they use has not messed with things, whatever govt agencies / firewalls are between users and google / amazon have not messed with things etc etc.

Google already has access to users systems - if they want to root android they can (in most cases google play services has root already). Many users are more worried about bad behavior by apps on their system (and there is plenty of history of that behavior).

This also let's amazon / google etc re-target apps themselves. They can link to shim libraries to run on other platforms etc etc. The value there is high. Many developers aren't going to sort that type of stuff out.

This same model applies in open source. When Redhat / Fedora upgrade something, they can recompile their entire RHEL if they want to to target / work with whatever upgrade they've pushed. Again, users on redhat don't care about the developers signatures, they care about redhats.

Of course, on HN the outrage is going to be at Google, but most open source distros work exactly this way as well.

Given the choice between an Amazon app store and a Google one, running on my Windows machine...Amazon does seem the lesser of the two "evils".
> The resigning stuff is because they alter the apps to fix dependence on Google play apis and gsuite apis.

Except the article clearly states:

> Amazon wraps your app with code that enables the app to communicate with the Amazon Appstore client to collect analytics, evaluate and enforce program policies, and share aggregated information with you. Your app will always communicate with the Amazon Appstore client when it starts

Now, the original reason to do this might have been benign and well-intentioned, but the result is bad already. This is for now, who says they don't simply add ads like Google [0], or even without the developers knowledge like SF [1] once did? Ubuntu tried to only implement a search and it backfired badly [2], I hope this goes down a similar path.

As a side-note: Of course I'm very happy that competition to the PlayStore is getting some love. This is direly needed. But Microsoft could have gone with F-Droid easily. Trading a bad thing for something worse does not fill me with joy.

[0] https://news.ycombinator.com/item?id=27643208

[1] https://arstechnica.com/information-technology/2015/05/sourc...

[2] https://nakedsecurity.sophos.com/2012/11/01/ubuntu-search-am...

> But Microsoft could have gone with F-Droid easily.

Slipping that in at the end really hurts your argument. Microsoft opting to use F-Driod would be worse than starting from scratch and only benefit F-Droid.

Presenting F-Droid as an equivalent to any of the large stores is like trying to say a lending library in someone's front yard is the equivalent to Barnes & Noble or Amazon.

It's borderline delusional to compare F-Droid to the big players in much the same way it's silly to compare FOSS apps like GIMP to Photoshop. Sure it performs the same core function but they're in completely different classes.

They aren't equivalents unless you willfully ignore a lot of differences and that is just dishonest.

The most major difference being that I have come to associate apps installed via F-droid with quality, while I associate anything produced by the "Big players" with bloatware and trash.

Almost without exception, the more apps from "Big players'" stores I install, the more laggy and trash my experience on mobile becomes, until I am forced to buy a flagship. This is exactly the same way my PC experience had become prior to migrating to Linux. Now, I get to be in control of my computer, and honestly, if people would shift their attention from "it doesn't compare to 'insert hacked together proprietary trash X' " to, "who actually owns my data and computing devices?", we would immediately see a turnaround of this experience. The catch22 has always been, nobody is using the software on Linux enough for enough people to be submitting feedback, while simultaneously, not enough people believe Linux is worth moving to.

Those people still left supporting these corporations immediately jump to the same argument as always, while these "big players" find and innovate unique ways of slipping ever more propaganda directly onto your machine, all while you are stuck staring at the newest trash filter added to photoshop.

Quite honestly **** you good sir, how dare you **** on the effort of the Open Source community by even pretending for a second that you are not representing the opinion of the very corporations that would see these communities extinguished if it added so much as a cent to their quarterly profits.

Seriously, don't even try to represent what qualifies as software in today's world with what used to be "good" software.

There does not exist a program in today's world that isn't a bunch of hacked together trash, sticky-taped together by countless shortcuts, all in an effort to ship in time for the next deadline.

>The most major difference being that I have come to associate apps installed via F-droid with quality, while I associate anything produced by the "Big players" with bloatware and trash.

Oh c'mon, there are plenty of garbage apps on fdroid. Let's not kid ourselves here.

> The catch22 has always been, nobody is using the software on Linux enough for enough people to be submitting feedback, while simultaneously, not enough people believe Linux is worth moving to.

The problem is somewhere else: Most Linux software doesn't have commercial backers but is written by people to a "works fine enough for me" standard, often with no UX/UI design at all or copying from Windows/OSX at best. As a result, "ordinary" people used to the Windows/OSX get frustrated because of wildly differing design principles between programs, no design principles at all (hello GTK), basic stuff (hello Bluetooth, suspend, audio) not working or atrocious performance. I'm nearly 30 now and don't have the free time to deal with kernel recompilations, trying out forks or whatever just to have a basic system I can work with anymore.

"You get what you pay for" is a thing you might look past when you're young and only have to choose how to divide your time between experimenting with hardware, gaming and getting wasted.

And in most of the time, I can't even pay for proper support because the developers only make their project on their own as a side gig, which means no project management and issue handling either other than filing issues in a pile of issues in Github (or, worse, mailing lists)...

Edit: another thing that comes to mind... people always complain why schools aren't using FOSS but proprietary software (Windows, MS Office). Well guess what, teachers don't have the time to waste on bugs (Libreoffice is nowhere near as polished as MS Office is), explaining to parents why their kids have to learn something different to what everyone else uses at home or to maintain a FOSS-based AD. Samba is decent for a setup in which you have a team of experienced engineers (since you save on licensing costs heavily), but nothing beats the simplicity of a MS Server GUI.

> often with no UX/UI design at all or copying from Windows/OSX at best.

This might be correct but also misleading.

Since Ubuntu 6.06 the time to productivity and intermittance factor of Linux compared to Windows has been heavily in favour of Linux for many of us.

Also UX has become one of the strong points of Gnome 2, later Mate and KDE 5/Plasma: reliable, no nonsense, just works, no designers using you as lab rats for their next great idea.

I remember installing Windows back then and it was 4 hours solid work from starting what should be configuration of a "pre-installed" OS through one or two hours of waiting for actual installation to finally removing the last McAfee scareware.

Windows keeps getting better in some ways but still struggles with confusing control panels (yep, plural) and a mix of old, reliable menus, that Office "menu" thing and the newer "cleaner" approaches without menus.

Yes, this is one sided, but this is my view.

PS: I use Windows at the moment and I have used it on and off since 1995 so I know it all too well.

I don't get why you're downvoted, you got a very valid point.

Personally, my daily drivers for the last six years have been various generations of Apple devices due to their supreme hardware build quality on the one side and Windows' nastinesses from "BIOS manufacturers and hackers can hide malware in ACPI tables" to "Windows 10 has no way to disable telemetry and has ads in the OS".

> Windows keeps getting better in some ways but still struggles with confusing control panels (yep, plural) and a mix of old, reliable menus, that Office "menu" thing and the newer "cleaner" approaches without menus.

Worst thing about the control panels is... it's been over 9 years since MS introduced the "new" Settings app. And yet, in 2021, it is still a mess with stuff hidden in old-style panels, somewhere in the new-style app, and other stuff deep within Group Policies.

Why isn't everything available in Group Policies (which could also use a re-organization -.-) by default, with a well thought-out UI in the new Settings app by now?

> Why isn't everything available in Group Policies (which could also use a re-organization -.-) by default, with a well thought-out UI in the new Settings app by now?

It's a valid question but also not easily answered. The Control Panel still exists for a myriad of reasons. The Control Panel goes all the way back to Windows 3.x and contains interfaces to adjust things that while still supported are no longer relevant. The Control Panel also allows vendors to inject their own interfaces for managing settings, famously Synaptics Mouse Drivers and Flash.

Getting rid of the Control Panel is easier said than done. Unless or Until they cut support for legacy systems, the Control Panel will probably persist even if the UI is hidden from the user behind Feature Activation or something else.

>I can't even pay for proper support

Have you actually tried? I guess it depends on what you consider "proper support", but if you made a reasonable offer I'd be surprised if most devs wouldn't be happy to add this or that feature, prioritize fixing some bug for you, or troubleshoot some other issue. I mean a lot of them do it for free (me included).

I wonder what kind of software you expect support for, because in my experience most commercial end-user software has meh to terrible support. Exceptions are from small shops with passion projects or large companies, but only if you pay enterprise bucks. Like, how do you get Microsoft to fix a bug in Windows unless you are a big business customer yourself? You can certainly report bugs on their public forum and they might even acknowledge them, but some issues I've had were never fixed after years..

Ironically, with their open source stuff on GitHub you can directly report to their bug tracker where devs see it and it's more transparent what will get fixed and what won't. And then you could at least pay someone.

No doubt, if you pay big money you get great 24/7 support but as an individual it's a mixed bag. YMMV.

Try not to take things so personally that aren't even directed at you. Good grief.

FOSS is great but there are still plenty of places where it doesn't measure up, even in terms of pure functionality. Having an appropriate and level-headed understanding of things isn't `shitting on the effort of the Open Source community` and someone can recognize this without being a corporate shill.

I did not read Sebb767's comment that way. I read it as one user thinking about alternatives and stating what is technically possible. Technicaly no one needs an "app store", i.e., middleman, to run a program on a computer; meantime, F-Droid works. I think the strange analogies you make are just abstractions you have created in your mind. The comment you replied to offered no such bizarre analogies. HN is a site for intellectual curiosity. Trying to censor or bully free-thinking users into accepting the narrow-minded marketing of large corporations like Microsoft and Amazon is arguably not this forum's highest and best use.
> I read it as one user thinking about alternatives and stating what is technically possible

You're exactly right; my thought process was "if they want to go with an existing store, F-Droid might be an option".

> Trying to censor or bully free-thinking users into accepting the narrow-minded marketing of large corporations like Microsoft and Amazon is arguably not this forum's highest and best use.

I think cptskippy just wanted to say that F-Droid is in no way a suitable replacement; since he read my comment in a different way, he just emphasized this more than necessary :)

As 1vuio0pswjnm7 already correctly pointed out, my suggestion was based on the fact that if they wanted to go with an existing infrastructure, F-Droid would be a possibility.

> It's borderline delusional to compare F-Droid to the big players in much the same way it's silly to compare FOSS apps like GIMP to Photoshop. Sure it performs the same core function but they're in completely different classes.

I disagree with that. The software itself is clearly irrelevant in this case as they will hardly run the actual store app on windows and the required infrastructure is not a big problem for Microsoft. The existing app base is what matters.

To be fair, though, I wasn't aware of how alive the Amazon app store actually is.

F-Droid is just way too small, it has ~4000 apps vs ~500000 for Amazon's appstore.
Have you actually spent time in the Amazon android ecosystem?

It's absolutely terrible. Total amount of available apps is not a good metric for quality.

Agreed. 95% of all those apps are useless and rehashes of existing apps in some way. And the only reason the whole thing doesn't fall over is because of semi-random search that "spreads" some portion of user downloads to lower quality (or less popular) apps, thereby incentivizing the spaghetti-throwing-at-the-wall ecosystem that is the app stores.

Curation models are better in that sense, because they have a limit that forces a quality filter. The alternative is just an evolution of the spam model. You see it with Google turning the web into blog spam, YouTube with videos, ebay/Amazon/aliexpress with "products", and the app stores with their 5million "apps".

My guess though is that most of these apps haven't been updated for years.
> Your app will always communicate with the Amazon Appstore client when it starts

One of the consequences of this is that apps refuse to start if they haven't been able to connect with the Store in the past `x` days.

I mean, we could also ask Apple to officially support Homebrew while we're at it. The bottom line is... well, the bottom line. Microsoft is very willing to diversify it's partnerships as it's heading into a new decade, and I bet Amazon wasn't adverse to shaking some money their way for routing it all through their services.

It's not great, but it's significantly better (imho) than if they had exclusively chosen the Play Store. It's a creative way to gently pressure developers to publish to additional marketplaces, which indirectly pressures Apple since the Microsoft Store now doesn't force developers to route payments through their system (thusly reducing Microsoft's "cut" to 0% for many apps)

With both Mac and now Windows supporting these mobile-forced-to-desktop apps, I worry a bit about the poor UIs in our future.

On the one hand, maybe tablets will improve a bit because mobile apps will have even more incentive to spruce up their large-screen experiences.

On the other hand, literally every app I have seen auto-ported to desktop in this way has been awkward at best. Usually at least a few standard platform things just don’t work, like universal keyboard navigation. Having mobile UIs appear unaltered on the desktop is just jarring, at the very least requiring unnecessary scrolling and controls that do not resemble anything else.

And I am not convinced that this will improve with time; on the Mac side some of these pseudo-apps have had years to get better but they are still packed full of UI quirks.

> With both Mac and now Windows supporting these mobile-forced-to-desktop apps, I worry a bit about the poor UIs in our future.

The operating systems aren't the only ones to blame here. Haven't you seen desktop sites using hamburger menu? That abomination came to life thanks to mobile web.

Thanks to the paradigm "write once, publish everywhere".

As a publisher who recently redesigned one of our websites, using the hamburger menu across devices and screen sizes was strongly considered. It is very annoying on larger screens but these represent such a small traffic share that it is what it is... We still did not go ahead with that, but it was close...

Did you have/do market research or A/B testing on this? If the minority of your userbase are on desktop, maybe those users came from your mobile app and would be more familiar with the hamburger menu than a custom navbar.
We didn't do research on this, I mostly decided to keep the regular menu on desktops because I also dislike hamburgers there (due to the extra click).

But because the website is mobile-first in its CSS, we can very easily —some day— test this with Optimize for example.

Just another case of the interests of customers (users) and suppliers (developers) not always aligning. It’s not that different with physical tools.

Just ask a left handed guitar player about limited choices and/or awkward usability.

I rather have UIKit/Android apps on macOS/Windows than yet another web-bloated electron RAM eater.
In reality it will be a webview wrapped as android app and then executed on a subsystem on top another subsystem that is a virtual machine. Lets hope that the CPU architecture matches between the app and your machine so no emulation is needed.

It’s going to be great.

> Will Amazon agree to distribute Android apps unmodified from what developers upload, with the original signatures intact? Amazon’s behavior is policy, and policies can be rescinded.

Removing signatures by design in the face of a recent huge impact supply chain attack? Hopefully US Gov can leverage some simple purchasing controls (that don't require 'an act of congress') to convince Amazon to stop this behavior.

Here’s another uncomfortable question not mentioned there…

I wonder if this alliance will quell handwringing about Apple having some sort of “monopoly” simply by its choosing the contrarian path of designing, building, and marketing a full experience for those seeking one.

Dominant desktop platform + dominant mobile platform + dominant online commerce platform & cloud platform … versus a firm doing it differently: FAANG becomes FANG aligning against the odd A.

Quick, don’t let the market decide, ban Apple’s UX design model and the business model that sustains it?

Could be there’s room to let this one play out with Apple back to its innovation integrator chasm-crosser zone as niche underdog, rather than trying to preemptively pop the zeitgeist bubble stressing people out.

Finally I can start buying free apps again, which will needlessly spam my Amazon shopping history.

Other than that, I'm so happy that my Fire HD 8 bricked itself, and the Fire 7 is about to take its last breath, because there is absolutely nothing which I managed to like about Fire OS. Never again, and I hope that MS doesn't start to try to nag me into using it.

I used to work at Microsoft in the Windows team, and think that the product is a lot better than many people give it credit for.

That said, why exactly do I want even more kitchen sink functionality in my OS? In a world trending towards devices and services, we should see general purpose OS trending more towards slimmed-down, tailored-for-use implementations - maybe the same code base supports a game console and a streaming media device and a phone and a tablet, but each instance stripped until it's just what is needed. Why do I want bloat exactly?

For the same reason solitaire is an online app with ads now.
wait really? what's next? social media integration? The unironic irony of social solitaire.
Because Microsoft would be stupid to provide a barebones OS. What would an average user do with that? They install an OS and then spend days with hunting down different apps and configure them so that they can actually start using their device? MS (and honestly, any software company) has all the reasons and ability to provide a (more) complete solution. The only complaint one may have is to have ability to remove/disable the things you don't need - which you, as an experienced user, can do (eg. WSL is optional).

I'm not saying this results in a healthy industry (monopolies using their monopoly to get into a much wider field) but if you see the world from an average user on one end, and a profit oriented company on the other, it's rather obvious how things happen.

Also, all the apps they provide tie in with services they want to sell like M365.
Hmm this might be a better argument if we didn't use tablets as game consoles, streaming devices and phones.
The most uncomfortable question about Windows using Amazon Android store is related to developer app signing? How about: How does a company that absolutely dominated PC app market somehow need to embrace Android app compatibility? How were they not able to use dominance to capture the adjacent app market in mobile? This question is more uncomfortable because it attacks a character trait of Microsoft: arrogance.
I side-load the Google Play store on Kindle devices. I wonder if that will be possible here. If so, it's one way to avoid Amazon's app wrapper, and probably appealing for many more users than that sort of thing would usually be due to the Play store having a much wider selection.
Weren't they merely using the Amazon app store as an example?
The entire article hinges on this one premise,

> However, there is a dark cloud with all of this: the primary source of Android apps for Windows 11 users appears to be the Amazon AppStore for Android.

Is there any evidence of this? There's no linked article and it's entirely unsourced. I for one would NEVER install software that Amazon has had any hand in.

> "I can think of a number of countries who would love to convince Amazon to modify Facebook Messenger to bypass end-to-end encryption, for example."

How exactly can this be done?

Well, if you can modify the client, then you simply, dont encrypt the messages.
"Amazon modifies all those apps to be different than what the developers intended to ship"

But... the developer put the app on the Amazon store. They trust Amazon to redistribute it any hacky way they want. It's okay to say "I don't like Amazon tracking me" but it's not okay to lie and confuse the issue by saying that Amazon is doing app devs dirty.

It's also fairly trivial to decompile an APK to verify they haven't done something as obvious as adding or replacing classes. In the Play Store case, they are doing some extra asset minification and are serving split APKs with only the assets needed for the target device, which is certainly welcome as an end user with limited storage.

I would, however, enjoy a scheme where I could trace the Play Store's signature back to the key I used to sign the app bundle for upload. Like if I could sign their key with mine.

What's interesting to me is that the discussion so far has emphasized: security and freedom. It's clear that consumers care very little about these two ideas in the ways that the technological elite (i.e. HN) do. If I don't understand a technology and don't have an interest in doing so, I certainly don't want to manage it. So the values that these "uncomfortable questions" raise are irrelevant.

The way the average consumer views "security" is: "Is this a trusted brand?". As of today Microsoft and Amazon are trusted brands. Western Digital not so much. So instead of trying to understand how Windows 11 running wrapped Amazon Store Android executables might be insecure, users see the words "Microsoft" and "Amazon" and feel secure. (as a side note, security is really just a feeling anyways...)

With regard to freedom, what's freeing to the common consumer is the freedom to have access to functionality they care about. They don't care that someone else is tracking them or that they are limited to apps on these stores.

So, really, these uncomfortable questions are only uncomfortable for people who aren't the target audience of this feature.