Windows 10: Cortana keylogging saga won't affect enterprise versions

Windows 10 has had a bit of a publicity problem. The trade-off for free software is higher personal data collection – and the Microsoft user base isn’t too pleased about it. ComputerworldUK looks at the terms and conditions plus the data collection features businesses should consider.

Data collection

PC owners who upgrade to the Windows 10 Software-as-a-service (SaaS) operating system have opted in to perpetual updates and improved features - in the same way a mobile phone or app might update. To fine-tune these updates, Microsoft developers will collect users' data. This includes Cortana, Microsoft’s answer to Apple’s Siri, which uses voice data to improve speech recognition and text checking algorithms.

Effectively, Microsoft is training its machine learning algorithm on its million-strong user base.

One aspect of its data mining involves keylogging: a method often associated with malware. Keylogging collects keystrokes, which Microsoft says it will use to correct spellings more effectively.

What else does it collect?

Microsoft collects and uses contacts, voice input, search history, calendar details, content and communication history from messages and apps, and device location information and location history. Those using WiFi Sense will not be able to hide their location, even if their account location service is turned off. In Microsoft Edge, the Windows 10 internet browser, Cortana also collects and analyses browsing history.

IT professionals swiftly took to online forums and social media sites with tutorials on how to change privacy settings on the OS as users clued up last week.

However, some users may not be able to remove this default feature. Microsoft says that if you are using a Windows 8.1 MDM server and have tried to put the telemetry feature to level zero on a Windows 10 mobile device, it will be silently set to level one.

The telemetry feature has three settings: level one sends basic data; level two sends enhanced data (including “usage and insights” data); and level three sends “full telemetry data including diagnostic data such as system state,” Microsoft says.

But it’s good news for businesses as Windows 10 for enterprises and server devices can be set to level zero. This means no telemetry data is sent from OS components - but you will need to switch it from default.

Bitdefender’s Chief Security Strategist, Catalin Cosoi, tells ComputerworldUK: “Telemetry tracking is enabled by default, but can be turned off via policies. The enterprise version of Windows 10 is the only SKU [version] that allows telemetry tracking to be set to off.

“Because enterprises have strict policies when it comes to data protection and confidentiality, Windows 10 for enterprises allows companies to opt out from sending any telemetry data to Microsoft, by enabling IT administrators to set data collection policies to non-permissive.”
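
As an added illustration (not taken from the article or from Microsoft), the PowerShell below reports the telemetry level requested by policy on a machine and the level that would apply under the behaviour described above, where only Enterprise and server editions honour level zero. It assumes the policy is stored as the `AllowTelemetry` value under the `DataCollection` policy key and that the edition is read from `EditionID`; the article names neither, and `Get-EffectiveTelemetryLevel` is a hypothetical helper.

```powershell
# Added example: compare the telemetry level requested by policy with the level
# that applies on this edition, following the behaviour the article describes.
# Assumption: the policy is the AllowTelemetry DWORD under the DataCollection
# policy key; the article does not name the setting.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Level names as given in the article.
$levelNames = @{ 0 = 'zero (no telemetry)'; 1 = 'basic'; 2 = 'enhanced'; 3 = 'full' }

function Get-EffectiveTelemetryLevel {
    param([int]$Requested, [string]$EditionId)
    # Per the article, only Enterprise and server devices can be set to level
    # zero; elsewhere a request for zero is silently raised to level one.
    $honoursZero = ($EditionId -like 'Enterprise*') -or ($EditionId -like 'Server*')
    if ($Requested -eq 0 -and -not $honoursZero) { return 1 }
    return $Requested
}

$edition = (Get-ItemProperty -Path $versionKey).EditionID
$policy  = Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    # No policy present: telemetry stays at its default, which the article says is enabled.
    Write-Output ('{0}: no telemetry policy configured; the default (enabled) applies.' -f $edition)
}
else {
    $requested = [int]$policy.AllowTelemetry
    if (-not $levelNames.ContainsKey($requested)) {
        Write-Warning ('{0}: AllowTelemetry has unexpected value {1}.' -f $edition, $requested)
    }
    else {
        $effective = Get-EffectiveTelemetryLevel -Requested $requested -EditionId $edition
        Write-Output ('{0}: policy requests level {1}, effective level {2}.' -f `
            $edition, $levelNames[$requested], $levelNames[$effective])
        if ($effective -ne $requested) {
            # The mismatch an administrator would otherwise not see.
            Write-Warning 'Level zero is not honoured on this edition; basic data is still sent.'
        }
    }
}
```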

David Johnson, a Windows analyst at Forrester, says that the new operating system privacy settings “do not present a risk that businesses should worry about any more than they would for iOS and Android-based devices.”

In fact, he believes that Microsoft’s commitment to being a trustworthy business should assure enterprise users, especially if it is to continue delivering features through the cloud.

“On the backend, Microsoft has taken care to process and store things like the information about how you write such that no sensitive or personally identifiable information is either stored at all, or that it's stored in a way in which it can't be reassembled,” he adds.

Enterprise should “worry less about Windows 10 privacy settings and more about how to make the most of Windows 10 capabilities for enabling employees to do the best work they can to win, serve and retain customers for the business.”

Microsoft’s history of handing information over to third parties

It’s understandable why the general public were concerned about data collection. Microsoft’s track record with handing information over to third parties is variable. It is currently battling the US Department of Justice, which wants to retrieve emails held on a Hotmail server in Ireland. Microsoft says it is on foreign soil, but US defence lawyers argue that the government has the right to demand emails from any provider in the world.

Their stance is a far cry from accusations made by Edward Snowden, who revealed the UK and US surveillance activities, in particular their surveillance of citizens. In 2013, Snowden accused Microsoft of colluding with US intelligence agencies, helping the NSA to access individual communications and data through their apps.

He also alleged the vendor had assisted the NSA in bypassing encryption so it could get access to SkyDrive and intercept calls made through Skype, according to The Guardian.

ComputerworldUK contacted Microsoft for comment but did not get a response.

Copyright © 2015 IDG Communications, Inc.
