Welcome to the year 2008! - Windows 10 and data security

Sven Krumrey

Just when you think you've seen everything - along comes Microsoft and amazes us. By now, it's common knowledge that Windows 10 likes to "phone home", but it's still worth taking a closer look at just how much (or how little) Redmond values data security. Think of it this way, if data security was a limbo pole, Microsoft has just made sure you'll bump your head. We've just gotten new details on how much data is sent by Windows 10 along with the conclusion that we've gone back in time to the year 2008.

They're always watching us

Recently, the Internet Security Days event was held, a meeting where experts discuss the topic of data security. Unlike in the world of Apple, where missing ports are lauded by the media as true innovation, this event is covered by the special press only and hesitantly. You won't find any CEOs of multi-billion dollar companies but "only" experts there - which makes it harder to fit their news into the mainstream format. Shame, since they touch on issues that affect the (data) security and privacy of each and all of us.

Two repeating issues that still concern us in the year 2016 are: How much data is collected and how carelessly does it get send out? We all know Microsoft's mantra that data is only collected to improve the "user experience" - and to display a couple of ads. This might seem halfway plausible for some telemetry data (system usage and diagnosis) and Cortana only becomes useful once she has access to your personal data, if you intend to use her at all. But why does Microsoft need my WLAN key? In case one of their employees happens to stand below my balcony and needs to get online? Why do they have to know about the applications that are installed on each machine even if they never caused any errors that would require Microsoft to take action? If you're using a delicate file sharing program - they will immediately get wind of that.

What remains when everything's in the cloud?

Another mystery is why Office, beginning with Office 2013, sends entire document paths plus format type, title and author to their servers. That's news to me! When I save a document locally I expect it to stay there and not make its way into the cloud, this includes the title! Your Microsoft Edge web browsing history, it won't get any more private than that, also gets sent. And if you happen to use "Microsoft Hello", the feature that uses biometric data such as fingerprints or face recognition to log you in, that data is also sent to their servers. Naturally, we're assured that everything stays anonymous even though we're not given any details as to how they manage that. How long your data is saved is another company secret.

Until now, you basically had to trust in Microsoft's reticence but that's not the only risk any more. Windows 10 not only sends out a lot of data but it does so through insecure channels. The encryption mechanism employed is sub-standard because it doesn't detect forged certificates. Experts have already successfully launched man-in-the-middle attacks to intercept the data streams. But that's not all: Not only can they "listen in" but they can also manipulate the data. This means third parties could alter what you send into the cloud so that you'll receive the modified files the next time your PC syncs up. There are better alternative but Microsoft doesn't use them.

Is Windows 10 even legal?

All this reckless data hogging has also lead to further investigation by several countries to determine whether Windows 10 is safe and legal to use in businesses and government facilities. Particularly EU countries that have strict regulations against spying on employees may find that Microsoft is in violation of their privacy laws. This poses an interesting question: Why are private consumers less protected than working people?

Participants of the Internet Security Days eventually arrived at the conclusion that Windows 10 employs data and security standards from before 2008. That's what you get for using insecure channels to send files into the cloud. Microsoft will have to answer the question of how much data is really required to provide a functioning, efficient system. If even government institutions, not exactly known for rapid response times, are starting to feel alarmed, things have definitely gone too far. Microsoft should acknowledge that - and act.

Back to overview

Write comment

Please log in to comment