In-Depth

What Does Microsoft Know About You?

We take a look at all the various sources of data Microsoft collects from customers, how it stores and uses that data, and how its use of it stacks up against Google and other competitors.

Just about every software vendor or Web service collects information about its users. Some do it with more subtlety than others, but the fact is that there's hardly an application or Web site that doesn't gather some sort of intelligence about you every time you use it. Microsoft, of course, is no exception. From Windows Activation Technologies (WAT) to Bing, Microsoft stockpiles information on you even when you don't sign up for services such as Hotmail. But what does Microsoft know about you?

Actually, a more appropriate question might be: What kind of information about you can Microsoft see? It could see a lot, but there are some things that the company chooses not to view or store. For example, the unpopular WAT, formerly known as Windows Genuine Advantage, is perhaps the least intrusive of the Microsoft information-gathering tools. Bing and Hotmail get a little more personal, but experts and IT professionals say that they're less worried about Microsoft regarding privacy than they are about some other high-profile vendors.

What Microsoft Knows
Microsoft starts collecting information on you and your system within minutes of you starting up a brand-new system. We asked Brendon Lynch, senior director of privacy strategy at Microsoft, to help us compile a step-by-step explanation of what Microsoft knows and when it knows it.

The flow begins when you first start your system, log on to Windows and go through the WAT validation process.


"WAT doesn't store your name, address, e-mail address or any other information that Microsoft can use to identify you or your computer," Lynch says. "The tools will collect information used for aggregate reporting, which include computer make and model; version information for the operating system and software; region and language settings; a unique number assigned to your computer by the tools; [hashed] product key and product ID; BIOS name, revision number and revision date; and [hashed] hard drive volume serial number.

"When a system is identified as non-genuine," Lynch continues, "additional information may be sent to Microsoft to better understand why your system failed validation. This information can include error codes and the names of file paths that compromise the integrity of your system."

Make the choice to use Microsoft Online Services, and the transfer of data to Redmond continues. Microsoft Online Services go a little deeper than WAT. Here, for instance, is what Microsoft collects on a random user who searches via Bing: "When Microsoft receives a Bing search query, we collect a number of pieces of information, including the search query provided, IP address, unique identifiers contained in cookies, browser configuration and the time and date of the search," says Lynch, rattling off a list of information that's standard collection fare for search providers.

But, Lynch adds, while Microsoft might know a lot about your browsing habits, it doesn't really know -- or want to know -- that much about you. "As part of our privacy safeguards, search terms are stored separately from account information that could personally and directly identify an individual, such as e-mail address or phone number," he says. "This helps protect against unauthorized correlation of these details. In early 2010, we announced that we'd enhance our existing search data-retention processes by deleting the entire IP address from search queries after six months. This step provides even stronger privacy protections for Bing users."

Lynch also says that Hotmail follows a similar policy. "It's important to note that when demographic information is used for advertising purposes, we use a technical method known as a one-way cryptographic hash to ensure that personal information, such as name or a user's personal e-mail address, isn't used to select which ads a [Windows Live] user receives," he says. "Our advertising platform selects ads based only on data that doesn't personally and directly identify the individual. As a matter of policy, Microsoft takes steps to separate any information that can be used to personally and directly identify a user from the information in its ad-selection system."
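The two safeguards Lynch describes, replacing directly identifying account data with a one-way hash and deleting the whole IP address from search records after six months, can be illustrated with the following Python example, which is added here and is not Microsoft's code or part of the original article. It also shows why such a hash needs a secret key: an unkeyed hash of an e-mail address can be matched by hashing candidate addresses. Assumptions: HMAC-SHA256 as the hash, a 183-day window, the hypothetical names `to_search_row`, `expire_ips` and `guessable`, and constructed sample events.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed for this example: a secret held only by the logging pipeline.
PSEUDONYM_KEY = b"constructed-demo-key"
IP_RETENTION = timedelta(days=183)  # "six months", approximated


def bare_hash(email: str) -> str:
    """Unkeyed one-way hash: anyone can recompute it from a guessed address."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_hash(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def to_search_row(event: dict) -> dict:
    """Build the search-log row: pseudonym instead of the e-mail address."""
    return {"user": keyed_hash(event["email"]), "query": event["query"],
            "ip": event["ip"], "ts": event["ts"]}


def expire_ips(rows: list, now: datetime) -> int:
    """Delete the entire IP address from rows older than the retention window."""
    expired = [r for r in rows if r["ip"] is not None and now - r["ts"] > IP_RETENTION]
    for row in expired:
        row["ip"] = None
    return len(expired)


def guessable(digest: str, candidates: list, hasher) -> list:
    """Return the candidate addresses whose hash equals the stored digest."""
    return [c for c in candidates if hasher(c) == digest]


# Constructed sample events (documentation IP ranges and example domains).
NOW = datetime(2010, 9, 1, tzinfo=timezone.utc)
EVENTS = [
    {"email": "Alice@example.com", "query": "flu symptoms", "ip": "192.0.2.10",
     "ts": NOW - timedelta(days=200)},
    {"email": "bob@example.com", "query": "cheap flights", "ip": "198.51.100.7",
     "ts": NOW - timedelta(days=30)},
]
SEARCH_LOG = [to_search_row(e) for e in EVENTS]
```
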

Run into your first application crash, and you've got the option to send more information to Microsoft. Error reporting is one of the biggest concerns users have about Microsoft and privacy. The Microsoft privacy policy on error reporting spells out very clearly what kind of information the company collects when a user reports that an application has crashed. According to the policy, error reporting involves collecting information on:

  • Where the problem happened in the software or hardware
  • Type or severity of the problem, if known
  • Files that help describe the problem (typically system- or report-generated files about software behavior before or after the problem occurred)
  • Basic software and hardware information (such as OS version and language, device models and manufacturers, or memory and hard disk size)

The error-reporting process also collects your IP address, but the Microsoft policy says that the company doesn't use IP addresses to identify or contact users. Microsoft says that users who are concerned about the privacy of error reporting simply shouldn't submit reports at all.

The policy states: "Reports might unintentionally contain personal information, but this information is not used to identify you or contact you. For example, a report that contains a snapshot of memory might include your name, part of a document you were working on or data that you recently submitted to a Web site. If you are concerned that a report might contain personal or confidential information, you should not send the report."

All of that adds up to a solid data-retention policy that respects privacy, especially in comparison to the data collection that some other vendors do, says Marius Oiaga, editor in chief of Softpedia, a software Web site based in Romania. In fact, he says, the average computer user would do well to follow a privacy policy as strict as that of Microsoft.

"Microsoft certainly does a better job at protecting information it collects compared to some users that share even the most intimate details of their life on social networks, or with customers that hand over their username and password after receiving a message claiming their e-mail accounts will shut down unless they comply," Oiaga explains.

Useful Information
So, Microsoft could know a lot about you, but it chooses not to -- or at least not to associate specific information with individuals. But what does Microsoft do with all of the information it collects? Good things, mostly, IT pros and experts say. The Microsoft error-reporting process, driven by data collected from users, has led to more stable versions of Windows and other improvements in recent years, says Dave Nickason, an IT pro at a law firm in Western New York. Microsoft also tracks information such as how customers use drop-down menus as opposed to buttons in Word, or how people navigate in Excel. The company takes that information into consideration when updating and developing new applications.

