News

Microsoft Changing Privacy Controls in Windows 10 Creators Update

• By Kurt Mackie
• 01/10/2017

Microsoft plans to change some of the privacy controls associated with Windows 10, with two main additions coming this spring.

First, there's a new "Web-based privacy dashboard," which shows a user's privacy settings and selections. It will let users who have signed in with a Microsoft account "clear data such as browsing history, search history, location activity, and Cortana's Notebook."

Next, Microsoft has reduced the privacy selection options during Windows 10 setup from three options (Basic, Full and Enhanced) to two options (Basic and Full). These privacy options determine what sort of information gets sent back to Microsoft, which the company calls "telemetry." Microsoft briefly describes what its Basic, Full and Enhanced telemetry-reporting labels mean in this article.

Terry Myerson, executive vice president for the Windows and Devices Group at Microsoft, announced the changes today, adding that "we are launching two new experiences to help ensure you are in control of your privacy." He appeared to direct that comment to consumer users of Window 10, noting that Microsoft's privacy controls for organizations are described in this Windows telemetry TechNet document.

Windows 10 is a service-enabled operating system designed to run on mobile devices, as well as PCs. It has received criticisms regarding privacy. For instance, a French data protection commission published complaints back in July, giving Microsoft three months to address the issues. More recently, the Electronic Frontier Foundation blasted Microsoft for disregarding user choice and privacy.

Arriving This Spring
Microsoft's two new privacy changes are currently showing up for some Windows Insider Program testers as Microsoft has issued a test release this week to its Windows 10 "fast-ring" testers. Commercial release of those two privacy features is planned for the Windows 10 "creator's update" release, which is expected to arrive this spring, perhaps in April.

Windows 10 users who have already chosen privacy settings will get prompted again with the release of the Windows 10 creators update. If a user previously had elected Enhanced telemetry reporting, they'll be prompted to switch to either the Basic or Full option.

Telemetry, according to Microsoft's explanations, gets sent by the operating system to improve Microsoft's products and services. In contrast, Microsoft refers to information exchanged by applications as "functional data." For instance, Cortana, Microsoft's digital assistant on Windows 10, exchanges functional data when a user asks a question.

Management Controls
IT pros can control telemetry settings using Group Policy, mobile device management solutions, Windows 10 registry settings and at the provisioning level. When telemetry is set using those methods, the preferences set by individual end users will get overridden, according to the TechNet article.

Microsoft's announcement didn't explain why it was getting rid of the Enhanced telemetry reporting option, which was previously described as a "default" setting. For instance, the Enhanced level is currently described in the TechNet article as "the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues."

There's actually a telemetry reporting level below the Basic level, which is called the "Security level," but it's just available for some Windows 10 editions (Enterprise, Mobile Enterprise, Education and IoT Core) as well as Windows Server 2016, the TechNet article explained. The Security telemetry level only can be configured using management policies as there's no graphical control to set it. It's possible for the Security level to deliver personal information to Microsoft, but the TechNet article suggested it can only happen "in rare circumstances," such as when the Microsoft Malicious Software Removal Tool reports registry entries made by malware to Microsoft.

It's possible for organizations to turn off the telemetry reporting altogether, although Microsoft advises against taking that action. It requires either turning off Windows Update or using an update server on premises with management tools such as System Center Configuration Manager or Windows Server Update Services. In addition, organizations would have to turn off Windows Defender and automatic sample submissions. They'd also have to turn off "linguistic data collection."

Microsoft uses Secure Socket Layers encryption when transferring telemetry data, as well as "certificate pinning." Microsoft also claims that it doesn't share the personal data of its customers with third parties "except at the customer's discretion or for the limited purposes described in the Privacy Statement."

The Privacy Statement is actually a series of links to other privacy statements. IT pros get lots of fine print to read.