Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Microsoft Privacy Windows

Test Version Windows 10 Includes Keylogger 367

wabrandsma writes From WinBeta: "One of the more interesting bits of data the company is collecting is text entered. Some are calling this a keylogger within the Windows 10 Technical Preview, which isn't good news. Taking a closer look at the Privacy Policy for the Windows Insider Program, it looks like Microsoft may be collecting a lot more feedback from you behind the scenes. Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage." This isn't the only thing Microsoft is collecting from Insider Program participants. According to the Privacy Policy, the company is collecting things like text inputted into the operating system, the details of any/all files on your system, voice input and program information.
This discussion has been archived. No new comments can be posted.

Test Version Windows 10 Includes Keylogger

Comments Filter:
  • Yeah (Score:5, Insightful)

    by ceide2000 ( 234155 ) on Sunday October 05, 2014 @10:36AM (#48068193) Homepage

    I shall pray to my new overlord!!! How long till the goverment demands that data to protect our children from terrorists?

  • by Anonymous Coward on Sunday October 05, 2014 @10:39AM (#48068211)

    All your privacy are belong to us!

  • STASI style OS is spying on you.

  • by TheRaven64 ( 641858 ) on Sunday October 05, 2014 @10:40AM (#48068223) Journal
    It's an early test program. The entire reason that it exists is to see how people use it, whether the UI decisions make sense, and what the designers overlooked. It is not intended for normal use and it is not intended for production environments.
    • by Anonymous Coward on Sunday October 05, 2014 @10:46AM (#48068257)

      It's an early test program. The entire reason that it exists is to see how people use it, whether the UI decisions make sense, and what the designers overlooked. It is not intended for normal use and it is not intended for production environments.

      The nature of the data collection will force the collected data to be skewed, because nobody in their right mind will put their "real" stuff on that machine, so they won't end up using it in a normal manner.

      • Re: (Score:2, Interesting)

        by TheRaven64 ( 641858 )
        True, but that tends to be the best you can do in HCI testing. Users won't do the same things with a camera pointed at them as they'll do in private, but you hope that they'll do enough that's the same that you get useful results.
      • by X0563511 ( 793323 ) on Sunday October 05, 2014 @01:17PM (#48069009) Homepage Journal

        You're testing. You're not using it in a normal manner.

        You're bug hunting.

        • by Reziac ( 43301 ) *

          But how can I find bugs that affect normal use if I'm not using it in a normal manner?

          I've got nothing against a test build reporting everything I *do*, such as save a file; that's the whole idea. I do have a problem with them collecting info on what that file contains; that's none of their business.

          --signed, the beta tester who can break anything

    • by wisnoskij ( 1206448 ) on Sunday October 05, 2014 @10:49AM (#48068281) Homepage
      This. What would even be the point of releasing a test version of windows if they were not tracking what you do?
      • by Anonymous Coward on Sunday October 05, 2014 @01:01PM (#48068939)

        This. What would even be the point of releasing a test version of windows if they were not tracking what you do?

        Like all previous software test versions. So that users could test their actual applications, especially with the private data that they can't hand over to Microsoft, and report back if there are problems.

        The joy with which people defend the jackboot of their opressor as it pounds down upon their faces is a bit scary sometimes. Does nobody think "how did everybody live and produce software for the last 40 years before there was total surveillance" before they post this kind of explanation?

        • by exomondo ( 1725132 ) on Sunday October 05, 2014 @05:38PM (#48070033)

          Like all previous software test versions. So that users could test their actual applications

          That's not what the technical preview is for, the details have not been finalized yet so testing your applications against it now is pointless, they make that point quite clear:

          Windows Technical Preview may be substantially modified before it’s commercially released.
          http://windows.microsoft.com/en-au/windows/preview [microsoft.com]

          So I'm not sure where you're getting any idea that testing on this version would be of any benefit.

          Then they detail how they may work to resolve issues:
          Also, if your PC runs into problems, Microsoft will likely examine your system files. If the privacy of your system files is a concern, consider using a different PC. For more info, read our privacy statement.
          http://windows.microsoft.com/en-au/windows/preview-faq#faq=tab0 [microsoft.com]

          So if you've gotten this far and you're paranoid about privacy would you not think "ok maybe this technical preview is not something i want to be involved in?"

          The joy with which people defend the jackboot of their opressor as it pounds down upon their faces is a bit scary sometimes.

          As is the joy with which people who don't read come up with conspiracy theories about how everybody is out to get you! I'm sure this is all some big conspiracy (probably with the NSA?) to get people to install this technical preview and get their passwords to their email (though I thought the NSA already had all this stuff) so they can find out if you're a terrorist.

    • by Anonymous Coward on Sunday October 05, 2014 @10:52AM (#48068303)

      It's an early test program. The entire reason that it exists is to see how people use it, whether the UI decisions make sense, and what the designers overlooked. It is not intended for normal use and it is not intended for production environments.

      There is no justification for this. The purpose of testing is to collect data about the system itself and how it operates in end user environments; this is collecting information about the end users themselves rather than just the machine, Microsoft has no business collecting that.

      • Re: (Score:3, Insightful)

        by TheRaven64 ( 641858 )

        purpose of testing is to collect data about the system itself and how it operates in end user environments; this is collecting information about the end users themselves rather than just the machine

        How long does it take a user to find the correct button to dismiss a dialog? How many users use keyboard navigation rather than the mouse to navigate dialogs? How many times do the people who do use keyboard navigation hit tab without typing doing anything that would modify the field? All of these things require a keylogger (or a camera pointed at the screen) to find out and give valuable data when designing a UI. You'd hope that there's something client side that filters out anything that might be a pa

        • Re: (Score:2, Troll)

          by the_B0fh ( 208483 )

          You don't know how long a pop up window is active without a key logger? You kidding me?

          My god, how do people even make excuses for shit like this?!

        • How long does it take a user to find the correct button to dismiss a dialog? How many users use keyboard navigation rather than the mouse to navigate dialogs? How many times do the people who do use keyboard navigation hit tab without typing doing anything that would modify the field? All of these things require a keylogger (or a camera pointed at the screen) to find out and give valuable data when designing a UI.

          None of which requires them to know the passwords that I enter into websites or applications. Sure, they need something to measure timing data or whether people use the keyboard for certain things. It does not require knowing all keystrokes.

        • There are ways to collect such data and process it into something that still gives answers to all those questions once transmitted over the wire, but does not expose any PII.

      • It is only valid to collect such info if users actively and knowingly consent to it. A warning dialog should be displayed, with the default being 'opted out' of the program, and a "do you want to opt in to the program" message.

        Unfortunately Google came along and made it the norm to try collect every piece of information humanly possible about your users - Microsoft are still better than Google, but this is a sign that they may be trying to follow everyone else in the industry in the "collect info" game - bu

      • by r_naked ( 150044 ) on Sunday October 05, 2014 @01:45PM (#48069097) Homepage

        Absolutely there is justification for this, and as has been pointed out MANY times on this thread already, THEY MAKE IT VERY CLEAR.

        * Install it in a VM
        * Don't visit your normal sites / "private" sites that you don't want MS (or whoever) to know about
        * Create new accounts for any site that you don't care that they know you visit, but you don't want them to have your login credential.

        I mean this is brain dead stupid obvious shit...

        I am running it because I WANT MS to get that feedback. I don't want them to be tracking my normal usage though.

        I have switched to Linux Mint after the Win8 fiasco, but I don't want to see MS fail. They keep me in business, so I want to give them as much feedback as possible.

        This whole article is a non-issue if you pay attention to what you are agreeing to. *sigh*

        -- Brian

      • The purpose of testing is to collect data about the system itself and how it operates in end user environments; this is collecting information about the end users themselves rather than just the machine.

        I don't know how you even begin to build a machine or a system that responds properly to its users without studying its users "in the wild."

    • by Anonymous Coward on Sunday October 05, 2014 @10:59AM (#48068341)

      Yes, it's a test version.
      In final release this keylogger will be built in and hidden much better, so you won't find it that easily.

    • by nine-times ( 778537 ) <nine.times@gmail.com> on Sunday October 05, 2014 @11:03AM (#48068363) Homepage

      I think there was even some notice when I downloaded it, I only remember it vaguely, but I did see it. It was a prominent warning that said something to the effect of, "We will be collecting data on how you use this, including pretty much anything we want to collect, but the data will be aggregated and anonymized, so we won't collect personally identifiable information." So it's not like they were secretive about it.

      So you may not feel comfortable about it, but in that case, you should be able to just use production versions of Windows.

    • Re: (Score:3, Insightful)

      by Bob9113 ( 14996 )

      What do you expect?

      Informed consent; a condition not satisfied by something buried in dozens of pages of legal boilerplate. "We're watching everything you do" is not something that falls into reasonable expectation, even for an early test program. Requiring consent as a condition of use may be fine; failing to place a large, explicit notice on screen is utterly disrespectful to the user and an unconscionable violation of the most basic security practices.

      • by Mashiki ( 184564 )

        Informed consent; a condition not satisfied by something buried in dozens of pages of legal boilerplate.

        I was going to say, are you new to /.? But according to you UID that would be a no, and since it's a no I'd have figured that you would already know that this is pretty much the norm in all OS testing, technical testing, beta testing, UI development, etc. MS, Apple, BSD, various flavors of 'nix have all been doing this for a while. By a while I mean more than 12 years.

      • Informed consent; a condition not satisfied by something buried in dozens of pages of legal boilerplate.

        But it isn't "buried in dozens of pages of legal boilerplate", it's right there at the start of the privacy policy and linked to multiple times in the explanation of the program informing the user that data will be collected, in addition it is written in plain English.

        Requiring consent as a condition of use may be fine; failing to place a large, explicit notice on screen is utterly disrespectful to the user and an unconscionable violation of the most basic security practices.

        Downloading and running software like this when the information about it is clearly presented to you (even more clearly than in previous pre-release programs from Microsoft and other vendors) is an unconscionable demonstration of stupidity. I

    • Higher levels of data capture should require more than just 'permission'. It should require explicit user actions. Just because MS is technically capable of recording pictures of you "testing" their program in the nude (or with your spouse nude in the background) doesn't mean that they actually need to do it or should do it.

      The capability should remain off until such time as the user decides that (s)he wants to enable it -- and then only until the user turns it off (My preference would be to see it turn

    • by darkain ( 749283 )

      Actually, it *IS* intended for normal production use, and is something we've been using every day already.

      Name a browser that DOESN'T ping back home for auto-complete results? When you type into the address/search box, those results have to come from somewhere. The privacy policy is simply codifying this process.

      • Name a browser that DOESN'T ping back home for auto-complete results? When you type into the address/search box, those results have to come from somewhere. The privacy policy is simply codifying this process.

        Name a browser that doesn't allow you to turn it off.

        • It's still a problem when we have to constantly pay attention what kind of datamining features are introduced and what there is that we should know to turn off.
    • It's an early test program. The entire reason that it exists is to see how people use it, whether the UI decisions make sense, and what the designers overlooked. It is not intended for normal use and it is not intended for production environments.

      Not intended for normal use or production environments.. yet they still want to collect feedback... which excludes normal use of product? How does this work? Lets be real it is one thing for MS to spout these things to set expectations and CYA...reality is with any public test release like this guinea pigs are exactly what they are seeking.

      Whatever happened to.. you know asking people what they think? Perhaps have them take a survey?

      Seems like a better strategy than getting egg on your face in public wi

  • by Constantin ( 765902 ) on Sunday October 05, 2014 @10:46AM (#48068259)

    The article mentions that this 'feature' will be turned off once Windows 10 reaches broad distribution. Makes perfect sense actually

    First you prove that the back door you've installed in the OS operates as expected. Then you sell key logger access to your user base on a case-by-case basis to the FBI, CIA, NSA or any other agency that is shaking big wads of cash in front of your nose while holding a 'keep it all secret' and 'get out of jail free' card for good measure (see various sections of the patriot act and other anti-terrorism, save-the-children, etc. legislation that have been aggressively 'interpreted').

    Thus, encryption and other defensive measures are easily rendered useless as no AV system will detect a key logger 'feature' that is part of the operating system.

    More profit for MS, less security for it's users. Brilliant.

    • The more that computer software "advances", the more I think about getting another hobby. Computers used to be so much fun. :(
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Any decent software company that does usability testing (and more companies need to be doing this) also tracks everything the user does. If it's done in a lab, there's also eye tracking and video recording of the subject. They'd be something wrong if Microsoft wasn't tracking these things. Even a lot of websites track mouse movements and clicks across their entire site, at least here it's a test release of the OS. Go back to college and retake your usability course, or are you a self taught master who d

    • by PigleT ( 28894 )

      It's a lot harder to prove that something doesn't exist, especially once we know it *can* exist.

    • What a nice shiny hat you wear.

  • The whole intent of this kind of program is to gather data as to how real world users are using the software. What applications are they loading, what settings are they changing, where do they get hung up, do things crash, etc. Bringing people into a focus group or lab setting isn't going to give the same results.

    I'm sure MS has a whole regression test suite and a formal QE process that's going to give them some idea that there aren't egregious faults with what they are shipping, but that's not going to entirely cover the semi-random ways which a real human being is going to be using the OS. If someone using the software encounters a problem, it can send a more complete picture of what was going on if it has more data.

    I'd expect that this will not be shipping in the real product.

    • Wording is very important: 'Turn it off' or 'remove it'?

      It should also be noted that they promise to add/remove features all the time. This doesn't necessarily mean that they will also do it.

      Besides -- if there really is a need to turn on keylogging and video capture, it should be under the explicit control of the user and only for as long as the user enables it for debugging purposes.

      There is. of course, the problem that if the data is there, it makes life SOOOO Much easier on a malware author who

    • The whole intent of this kind of program is to gather data as to how real world users are using the software. What applications are they loading, what settings are they changing, where do they get hung up, do things crash, etc. Bringing people into a focus group or lab setting isn't going to give the same results.

      Why not ask?

      • by enjar ( 249223 )

        Because it's explicitly a "technical preview" or "beta" or "pre-beta invite only" or "not intended for production" system. I've participated in numerous betas for other products like MMORPG games, and I always expected I was being watched and monitored. Not for evil reasons, but more for usability or analysis. I signed up to be in the beta, was accepted, so I'm seeking out this kind of experience.

        I can't imagine that other vendors aren't collecting information in similar manner. Why send out a beta if it's

  • Windows 7 + the NSA.
  • by sensationull ( 889870 ) on Sunday October 05, 2014 @10:53AM (#48068313)

    And that just relegated it to only ever being in a virtual machine, trapped in a cage where it belongs. Sorry MS, a key logger is a few steps too far even for a preview, sure monitor the hell out of it but a privacy destroying key logger is a few steps too far. It's a shame as it does look like a nice OS even caged.

  • by Dorianny ( 1847922 ) on Sunday October 05, 2014 @11:02AM (#48068359) Journal
    This is all speculation based on the privacy policy. To my knowledge no one has done any research to find out exactly what data. if any besides Crash Reports, Microsoft is actually collecting.
    • by ledow ( 319597 )

      Because it could be almost impossible to know.

      De-compiling or tracing Windows is not a small task, especially not if we're talking kernels, signed-drivers, etc. With TPM etc. you may not even be able to investigate much of the boot process.

      And monitoring packets that go back over the network - well, that's what TLS was INVENTED to make safe from even packet-level snooping.

      So it's one of those things that's almost impossible to do, probably can't be done with reverse-engineering (or otherwise breaking the E

    • Yes. It's obvious Microsoft isn't making use of all that lovely data. American companies are famous for taking less than they can legally get away with. (snicker)

  • In a couple of months somebody will be able to disable it. Microsoft's Achilles's heel is that there are hackers out there who try to break and investigate things all the time. There is no piece of "perfect code" that can't be hacked and I'm sure there'll be a registry file posted oh github that will disable all this shit.

  • As a sidenote, Windows 10 TP comes with a feedback button right in the Start Menu. If there are any nitches in the OS, you have an opportunity to voice them to Microsoft.
  • I figured as much, just based on my cursory review of the EULA. That's why I haven't even logged in to any of my accounts using the Win10 preview.

    I'm not sure why they force people to post on a forum to provide feedback - include a feature right in the preview OS that lets you submit feedback (simple, like how Firefox does it).

    Anyway, if I can't even enter any data without being spied on, there's not much I can do in the way of providing real usage scenarios. And since I'm not even being paid to evaluate

  • This is a huge vulnerability. Microsoft's claim that the code "turns off" after the test period has to be viewed with scepticism. If they can turn it off, they can turn it back on. Or someone else can.

    This is telling us that Windows 10 is totally unsuitable for any business with security requirements. Lawyers, banks, and medical service providers probably can't use it and be compliant with the regulations in their industry.

  • like MacOS X 10.9 was free.

    In order to do that, you become the product they sell to other companies by logging everything you do.

    This is really no different than what Dotcom companies do. Collect info on you when you use their website and then sell it to the highest bidders. It keeps their website free and targets you with ads and spam.

  • We complain about Google's data collection for demographics, but Microsoft is taking the next step: a version of Windows that can track your bank balances and most private fetishes. Profit!

  • I'll just stick witht Win 7 thankyou

As of next Thursday, UNIX will be flushed in favor of TOPS-10. Please update your programs.

Working...