{"id":15087,"date":"2015-07-31T17:43:14","date_gmt":"2015-07-31T17:43:14","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4318"},"modified":"2019-11-15T22:58:17","modified_gmt":"2019-11-15T11:58:17","slug":"windows-10-data-control","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/windows-10-data-control\/15087\/","title":{"rendered":"Windows 10: keeping control over your data"},"content":{"rendered":"

We\u2019ve written about a rather radical approach to updates delivery<\/a>, which Microsoft adopts with Windows 10. Now, since the OS arrived two days ago, new security-related concerns have surfaced. First and foremost, it is about control over the data on Windows 10-based PCs and other devices.<\/p>\n

It\u00a0all started with this tweet, which caught our eye yesterday:<\/p>\n

https:\/\/twitter.com\/kaepora\/status\/626773729197064193<\/p>\n

The author isn\u2019t just a random Twitter user; he\u2019s a PhD student at the French Institute for Research in Computer Science and Automation, studying applied cryptography (according to his own Twitter userinfo), so he apparently knows a thing or two on the matter.<\/p>\n

\u201cWell, really?\u201d was our initial reaction. We decided to dig deeper, and here\u2019s what we found:<\/p>\n

Windows 10: keeping control over your data<\/p>Tweet<\/a><\/blockquote>\n

BitLocker<\/strong><\/p>\n

First of all, device encryption is not new and unique to Windows 10; it\u2019s been introduced in Windows Vista, which makes it a 9-year-old feature. It was present in the top-tier editions of OS, though: Ultimate\/Pro and Enterprise.<\/p>\n

According to Microsoft\u2019s BitLocker-related FAQ, BitLocker Recovery Keys indeed may be saved to online Microsoft accounts, albeit it is also possible to save them to a local file.<\/p>\n

Also, take a look at this 2013 article<\/a>. It reads:<\/p>\n

\u201cFor domain-joined machines, there is also the \u201coption\u201d to upload recovery keys to Active Directory\u2014 in other words key-escrow to the IT department, (In quotes because the decision is not made by end users but configured centrally by IT policy.)\u201d<\/em><\/p>\n

And the most \u201cinteresting\u201d option is to use Microsoft\u2019s own cloud as an \u201ckey-escrow agent.\u201d And since Windows 8.1, any machine that happens to have requisite TPM hardware, BitLocker disk encryption will be enabled with recovery keys escrowed to MSFT automatically.<\/p>\n

In Windows 10 the BitLocker recovery keys are also stored to your account at OneDrive (Microsoft\u2019s cloud service) by default. This is grounds for at least some privacy concern, namely who actually owns the keys. Although it is unlikely that Microsoft may have actual access to these keys, hence the data encrypted with them.<\/p>\n

Data gathering, in troves<\/strong><\/p>\n

There are many other things to consider, though. Take a look at this article at The Next Web<\/a>. It appears Microsoft has introduced into Windows 10 a bit too many tools to gather data on users\u2019 activities.<\/p>\n

\u201cSign into Windows with your Microsoft account and the operating system immediately syncs settings and data to the company\u2019s servers. That includes your browser history, favorites and the websites you currently have open as well as saved app, website and mobile hotspot passwords and Wi-Fi network names and passwords\u201d,<\/em> the article says. It is possible to deactivate, but this will require a deep dig into settings, which many users may not be willing to do.<\/p>\n

Then there is the virtual assistant, Cortana, for which Microsoft will need some data. Namely:<\/p>\n

\u201c\u2026Your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device.<\/em><\/p>\n

Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.\u201d<\/em><\/p>\n

As the TNW author notes, \u201cLots of things can live in those two words \u2018and more.'\u201d In fact, Cortana would be next to useless without this data, but again, there are privacy concerns.<\/p>\n Hello, Cortana. So you need some info?..\n

In addition, Microsoft is apparently going to collect the data \u201cfrom you and your devices\u201d \u00a0\u2013 and, as we know, Windows 10 is going to form a unified ecosystem for both PC and mobile devices. Windows 10 will log your activities \u2013 including the apps you run and networks you connect to \u2013 and will also generate a unique advertising ID for each device. And it will show the ads, ostensibly tailored just for you. This feature can be turned off as well in any device, but again \u2013 it sits deep in the settings.<\/p>\n

As for networks, there is a function called Wi-Fi Sense, which is said to be able to \u201ctap into your network of Facebook contacts\u201d. \u201cTechnically, Windows Wi-Fi is a third-party app that accesses your Facebook friends so Microsoft knows who you\u2019re friends with<\/em>.\u201d<\/p>\n

That doesn\u2019t sound encouraging. And reading the official sources<\/a> won\u2019t help much:<\/p>\n

\u201cWi-Fi Sense automatically connects you to nearby Wi-Fi networks\u2026 Wi-Fi Sense can do a lot of things for you to get you connected to the Internet using Wi-Fi, so you don\u2019t have to do them on your own. These include:<\/em><\/p>\n