Windows 10: catching up to Google?

Windows 10 has turned out to be a very interesting update to the popular desktop operating system. Apparently, Microsoft envies Google for its success in spying on everyone and their dog through the Internet. Accordingly, Microsoft could not resist turning Windows into a mean spying machine. People were mightily surprised when all of the new spying features of Windows started to be uncovered.

To start with, the EULA, the license agreement, actually states clearly that Microsoft will collect browsing history, WiFi access point names and passwords, and website passwords. All of this information will be stored in the “user’s” Microsoft account, i.e. on Microsoft's servers. Every user will receive a unique identification number that will be available to third parties for targeted advertising.

When you use BitLocker for disk encryption, the key will also be stored at Microsoft! The license agreement states that the password will be copied automatically to OneDrive servers. I told you that going with BitLocker was not something a sane person would do, didn’t I?

And now all of that personal data can be used by Microsoft at will:

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.

See, it’s not just when a court issues an order, but simply whenever Microsoft thinks that they need to.

Some observers report that the license also reserves the right for Microsoft to disconnect “unlicensed hardware”. I did not find that part in the EULA, though; I don’t know if it is true. I found something else, though. Windows 10 will also remove your anti-virus or other anti-malware protection: “other antimalware software will be disabled or may have to be removed”.

That’s the part about the EULA. There is also Cortana, the virtual assistant, and various parts of the OS that submit various information to Microsoft. Well, Cortana can be disabled. However, it turns out that even disabling every single thing that reports user information to Microsoft does not help – Windows 10 still reports a lot of things, now without even informing the user. Apparently, the user cannot switch off all of the monitoring.

One of the things that cannot be switched off is a built-in keylogger. The keystrokes are recorded in a temporary file and then submitted to Microsoft servers. The keylogger is active even when you are not logged into a Microsoft account.

Another thing is the microphone and camera. Whenever the microphone is on, it records the sound and transmits it to the servers of the company. The same happens with the video camera: the video is recorded automatically and the first 35 MB are sent over to Microsoft.

Microsoft explains that all of this is necessary to create a database of users, so that targeted advertising can be sold to third parties. However, these are obvious privacy violations and some of them are even performed without informing the user.

Microsoft has also announced that some of the features of Windows 10 will be backported to the previous versions of Windows. So we can soon expect updates for previous versions that will introduce these spying features across all Windows computers.

Continue the TrueCrypt discussion: Windows 10

I already pointed out previously that I do not see any alternative to TrueCrypt for encrypting data on disk. TrueCrypt is the only tool that we can more or less trust so far. You will probably remember that Bruce Schneier recommended using Windows encryption, BitLocker, instead of TrueCrypt and I called that idea nonsense. To prove me right, here comes the Windows 10 End User License Agreement (EULA) that states explicitly that Microsoft will retain the keys to the encryption.

This is rather amazing but, indeed, if you used BitLocker to encrypt the data on disk, the key will be copied by Microsoft to the OneDrive servers. Of course, that makes the encryption quite pointless as the OneDrive servers are controlled by Microsoft and they will give the key to government authorities and intelligence agencies.

Moreover, Microsoft actually reserves the right to do anything they want with all your data, which by definition includes your keys and the data protected by the encryption:

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.

So, really, all of your information is not only accessible to the government and intelligence agencies but even the company itself will access and manipulate your data whenever they believe it “necessary”.

Yes, TrueCrypt remains the only tool for disk encryption on Windows and you cannot, in good faith, claim that BitLocker is a good substitute for it. And, really, go Linux already.