Vista is Watching You

greengrass writes "Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company."

Egomanical monitoring of the populace?

[LoadWB]

Is this another example of Bill Gate's Microsoft micromanagement leaking out into the general public, or is this truly a way for Microsoft to help fool-proof Windows operations?

If this is nothing more than a way for Microsoft to ensure that Windows operates properly and to find potential issues, data collection should be an option. A lot of power users won't want it, and a lot of paranoid public won't either.

Of course, what choice do they have if they want/need to run Windows? If enough of the system monitors your usage and activity, not using those services pretty much makes your computer a brick.

Aside from privacy concerns, how much storage space and processing power is being used for this endeavor? Couldn't all that be put to much better use?

Re:Egomanical monitoring of the populace?

[Necreia]

"Aside from privacy concerns, how much storage space and processing power is being used for this endeavor? Couldn't all that be put to much better use?"

Of course, Aero.

Re:Egomanical monitoring of the populace?

[sucati]

I think this is the idea behind dual core: 1 core belong to microsoft, 1 core for you

Re:Egomanical monitoring of the populace?

[geobeck]

1 core belong to microsoft, 1 core for you

No. All your core are belong to us.

Re:

[Real_Reddox]

"Sending private data, Accept or Deny?"

Re:Egomanical monitoring of the populace?

[brunascle]

Of course, what choice do they have if they want/need to run Windows? If enough of the system monitors your usage and activity, not using those services pretty much makes your computer a brick.

if the OS can function without an internet connection, it damn well better be able to function on a firewall that blocks access to MS servers.

Re:Egomanical monitoring of the populace?

[LoadWB]

heheh Until the first update to Vista which requires that the information be dumped. It appears that Microsoft is slowly trying to head towards a near-constant connection of the end-user to their system, for what purposes is a matter for conjecture. And might this be precursor to a subscription-based OS?

Microsoft is stepping over some big lines here.

Something else comes to mind... what about users still on dial-up? Won't the transmission of this user information completely clog the line?

Re:Egomanical monitoring of the populace?

[Hoi Polloi]

It should be interesting how this clashes with China's own obsessive need to control people's PCs. I can see it now at Redmond, thousands of Vista inquiries being returned "Nothing to see here, move along."

Re:

[KenRH]

It should be interesting how this clashes with China's own obsessive need to control people's PCs.

Kina as many other Asian nations is moving towards Linux. They don't want to pay M$-tax and they espesialy don't want MS or NSA spying on them.

Re:

[TheLinuxSRC]

Go to the American Registry for Internet Numbers [arin.net] and search for "Microsoft". You will see pages similar to the following:

Microsoft Corp MICROSOFT (NET-131-107-0-0-1) 131.107.0.0 - 131.107.255.255
Microsoft Corp MICROSOFT-VEXCEL (NET-192-92-90-0-1) 192.92.90.0 - 192.92.90.255
Microsoft Corp NETBLK-MSOFT-NET (NET-198-105-232-0-1) 198.105.232.0 - 198.105.235.255
Microsoft Corp MICROSOFT-1 (NET-199-103-90-0-1) 199.103.90.0 - 199.103.91.255
Microsoft Corp MICROSOFT-CORP-MSN-3 (NET-199-103-122-0-1) 199.103.122.

Re:

[WilliamSChips]

If Microsoft wanted to spy on you they could easily get an IP that isn't Microsoft. Besides, do you really trust your host file on a Microsoft system? They're known for bypassing it specifically for that kind of stuff.

Re:Egomanical monitoring of the populace?

[Bert64]

How about people who pay for bandwidth usage?
Would you be able to charge microsoft for the bandwidth used by this unwanted feature?

Re:

[nurb432]

Considering you indirectly agreed to it all in the EULA, i doubt it.

Re:

[wellingj]

Application yes.... Operating System...?
I'd draw the line right there...

If MS actually asked "do you want to use the net to get feature x, y or z?"
I might bite on that as ok... but who knows what kind of information they are gathering.
But if I had bought Vista I would demand to know what I paid for and why MS thinks it is.
so damned important they not tell their customers...

This is my single biggest push to free software

[maillemaker]

>It appears that Microsoft is slowly trying to head towards a near-constant connection of the end-user to their system, for what purposes is a matter for conjecture.

And it's not just Microsoft doing it.

This "phone home" crap is the single biggest thing that is driving me to consider open-source alternative operating systems and software.

The second biggest thing is that it seems more and more that with commercial software every time I install an "upgrade" it is really an upgrade for the /author/ of the software, not the user - more DRM, more restrictions on how I can use the software, instead of better software for /me/. It's seriously getting to where I don't trust commercial upgrades anymore. It seems like 90% of the time or better a commercial upgrade limits what I can do with the application instead of enhances it.

It's really all come down to games for me. If my games would all run on Linux I'd be there tomorrow.

Re:This is my single biggest push to free software

[kryten_nl]

http://games.cedega.com/gamesdb/ [cedega.com] check it out, add it as a bookmark.

Re:This is my single biggest push to free software

[Anonymous Brave Guy]

I'm about to put together a new PC. I fully expect to dual-boot between XP (not Vista) and some flavour of Linux. As with others here, games are the major reason for installing XP at all, with multimedia support a close second. So, I went along to that page with great interest.

Unfortunately, all it tells me is that pretty much every game I want to play on the new machine is completely unplayable under Cedega. As with so much of Linux history, the answer seems to be "it's making progress, but it's just not good enough yet".

Re:This is my single biggest push to free software

[brunascle]

It's really all come down to games for me. If my games would all run on Linux I'd be there tomorrow.

this is the reason my desktop is still XP also. it's become not much more than a gaming console. but you'd be surprised how many good, native linux games there are. i was (recently). check out the linux gamers live cd [linux-gamers.net].

Re:This is my single biggest push to free software

[hackstraw]

It's really all come down to games for me. If my games would all run on Linux I'd be there tomorrow.

All I can say is I'm glad I don't have anything important like games to dictate what OS I use. Yes, in some respects I'm being a troll/sarcastic here, but also games appear to be _the_ driving force for technical people here on slashdot to tie them to Windows. Other less technical users simply don't know any better.

Maybe I'm just an eletist or whatever, but I simply don't need the headaches that come with Windows. I had a couple of crappy jobs back in the 1999-2000 era that required Windows, but other than that I've been Windows free since 1997 or so both personally and professionally.

To me, the OS is just software. Just like I have a choice in shells, window managers, desktop environments, web servers, whatever. For many reasons, technical, stylish, reliability, ease of use, ease of maintenance, etc, I simply can't find a reason to use Windows.

If games were that important to me, I would buy a console, or two or three.

Re:This is my single biggest push to free software

[Kamokazi]

The problem is the console gaming experience is very different and generally considered quite inferior by those who prefer PC games. This is due to numerous reasons, but mostly:

1) Multiplayer games and game modes (consoles are finally starting to catch up)
2) Modability and expandability of the titles
3) Better graphics (if you're willing to plunk down the cash for the hardware)
4) Unique and indie titles

Now most PC games can be played on Linux through a DirectX emulator, however there is almost always a performance hit, and often it's as bad as half your framerate going down the drain...the games are just heavily optimized for Windows (most Mac games are the same way...~20% performance hit on the same machine if you use OSX instead of bootcamping into Windows).

What's become worse is that MS is now requiring Vista for some games...games that don't even require the newer DirectX 10...I've had to make my gaming PC dual-boot into Vista now just for Shadowrun. Halo 2 'requires' Vista as well...and it has awful Xbox 1 graphics...it sure as hell doesn't need Vista to run properly. And what's worse is Vista will make most games suffer 10%+ performance hits as well (hence the dual booting).

Bottom line...serious PC Gamers are stuck with Windows.

Re:

[Anonymous Brave Guy]

The genre of game is more the deciding factor for me. Some genres, such as first-person shooters, convert very well to consoles, and indeed many of the best recent titles in this genre have started out or remained exclusively on one console or another. However, many genres naturally have an interface that is too complicated for your average console games platform. Can you imagine controlling a complex real-time strategy title like Supreme Commander via a little handheld unit with a few twiddly things and pu

Re:

[Anonymous Brave Guy]

Hmm... all the major consoles support USB keyboards. Is the problem simply that the console game developers don't support these keyboards?

I suspect it's just a vicious circle. Most console owners presumably don't have keyboards because games don't tend to need them and they don't come as standard, and vice versa. If someone developed, say, the best ever RTS to run on a console and supporting powerful, keyboard-based controls to execute complex commands, I imagine that situation would reverse pretty quickly in that segment of the user base, but who wants to be the first company to risk something like that in a business like gaming?

sounds just like

[namekuseijin]

"Bottom line...serious cocaine addicts are stuck with crack"

Re:

[Dunkirk]

Don't say that the performance of Windows-based games takes a hit on Linux. I've run Linux on the desktop for 12 years. Every few months, I get the bug to "try it again." The last time I did so, I pirated -- yes, pirated -- I've bought it 3 times, and never gotten it to actually play the games I wanted to play -- Cedega, and took it for a drive. On both Counter Strike and Battlefield 2, the game played BETTER under Linux than it did under Windows. BF2 was appreciably better. However, two things kept me from

Re:

[McDutchie]

Bottom line...serious PC Gamers are stuck with Windows....NOT!!!!! Simply set up a dual-boot system, and only boot into windows to play games and use Linux to go online and do anything else but your games.

In other words, serious PC gamers are stuck with Windows.

Re:This is my single biggest push to free software

[mcrbids]

This "phone home" crap is the single biggest thing that is driving me to consider open-source alternative operating systems and software.


Phone home is DRIVING you? To CONSIDER open-source? And you are considering these as ALTERNATIVEs? Sounds to me like you are squarely locked up in proprietary land, and that, generally, you like it there. But you need to fit in around here, so you use words like "crap" to add weight to your otherwise meaningless stanzas.

Put your money where your mouth is. If you like the open stuff, use it. Otherwise, you're just so much hot air, and heated air comes rather cheap around here.

And here's a great example: It's really all come down to games for me. If my games would all run on Linux I'd be there tomorrow.

Re:This is my single biggest push to free software

[d34thm0nk3y]

Yeah, what an asshole. Choosing an OS based on software requirements! Who is he to choose the OS that runs the software he wants.

Re:This is my single biggest push to free software

[Ephemeriis]

This "phone home" crap is the single biggest thing that is driving me to consider open-source alternative operating systems and software.

I got sent out on a call last week... Their complaint was that the PC was running fairly slow and that it kept asking to connect to the Internet (yes, the poor souls were still on dial-up). I honestly expected to find an assortment of spyware/malware on the machine. Instead, I found a pile of legitimate software was trying to phone home.

Just about any HP camera/printer/scanner will install an update utility. Java has a updater that runs in the background. Real Player, Adobe Reader, Flash Player, Quicktime, and assorted Sonic software all have their own background updaters.

Re:This is my single biggest push to free software

[Tony Hoyle]

HP drivers are pathetic. The printer driver for my printer is a 600mb minimum install (the 'enhanced' software is another 500mb). Every 3 or 4 minutes a console window flashes on the screen - their phone home software is a console app and they haven't even bothered to hide the window.

Oh and that's just for the printer.. the scanner part of the driver is nonfunctional on vista (despite the driver being the latest vista driver), and the whole thing won't install on OSX (a small (for them) 250mb driver) because they stopped supporting it after 10.4.2 and it's hardcoded to reject a version higher than that.

For a while now I've been telling people to avoid HP like the plague because their drivers are is spyware infested bug ridden crap.

doubt it

[DogDude]

Microsoft is stepping over some big lines here.

Either that, or they're just using their pool of hundreds of millions of users with tens of millions different hardware/software configurations in order to collect bug data.

That's really the most obvious and the most likely answer.

Re:doubt it

[SatanicPuppy]

They already do that with the "Report this bug to Microsoft?" screens that pop up in XP every time a program crashes...And frankly, I SHOULD be able to opt out if I choose to do so. Hell, they should want me to be able to opt out, so if I do something and crash a program, I don't send them weird data.

The OP is right; this is a precursor to a subscription based OS; that's microsoft's dream, where everyone just pays the OS tax on a monthly/yearly basis, and gets "free" upgrades on a once-a-decade cycle.

Re:doubt it

[Ravnen]

Did you read the article? It goes on about things like your IP address, and the web browser you're using being sent to Microsoft. This is essentially the information you send to every website you visit, unless you're using an anonymising proxy. Using Windows Update on XP, which runs via IE, almost certainly sends this same information to Microsoft, as does any web-based update function to the respective OS provider. The whole article reads almost like a joke.

Sending an IP address and the name of a web browser to an update server is hardly something to be concerned about. Microsoft's forays into advertising, on the other hand, are certainly something to keep an eye on. For the moment I'm a paying customer, but if advertisers become the paying customers and I'm simply a target for advertising, then I'll worry.

Re:

[include($dysmas)]

reminds me of those bogus anti-spyware sites:

you computer is broadcasting an ip address!

like ... oh noes!

Re:

[Nazlfrag]

Sure they send your IP address and your browser details, and all file name extensions, all URLs visited w/Parental Controls enabled, all PnP devices installed (so your complete hardware specs), your Games folder(?!) etc. I'm not sure what else gets sent but from the list they provided I'm sure there's plenty more.

Activation, Customer Experience Improvement Program (CEIP), Device Manager, Driver Protection, Dynamic Update, Event Viewer, File Association Web Service, Games Folder, Error Reporting for Handwriting Recognition, Input Method Editor (IME), Installation Improvement Program, Internet Printing, Internet Protocol version 6 Network Address Translation Traversal, Network Awareness (somewhat), Parental Controls, Peer Name Resolution Service, Plug and Play, Plug and Play Extensions, Program Compatibility Assistant, Program Properties--Compatibility Tab, Program Compatibility Wizard, Properties, Registration, Rights Management Services (RMS) Client, Update Root Certificates, Windows Control Panel, Windows Help, Windows Mail (only with Windows Live Mail, Hotmail, or MSN Mail) and Windows Problem Reporting are the main features and services in Windows Vista that collect and transmit user data to Microsoft.

Looks like a lot more data than an IP address.

Detailed Service list

[Joe U]

Activation - Annoying anti-piracy check. This is the worst of the group, because it can't be turned off.
Customer Experience Improvement Program (CEIP) - Optional feedback program.
Device Manager & Driver Protection & Dynamic Update - Gives you an option to scan for updated drivers.
Event Viewer - Optional, If you click the 'get more information' it sends a query for, (get this) more information.
File Association Web Service - Same as above.
Games Folder - Downloads pictures and ratings for your games.
Er

Re:

[Jaknet]

If you want to remove the "report this to microsoft". Then right click My Computer > Properties, select the Advanced tab, select the Settings button (third one down under Startup and Recovery) and un-tick the send an Admin alert. Also on the "error reporting" button at the bottom of the Advanced tab, just select the "disable error reporting, but notify when critical errors occur"

Cannot remember off the top of my head which one stops the "report to Microsoft" pop-ups, but with both you can rest easy and n

Re:Egomanical monitoring of the populace?

[B'Trey]

it damn well better be able to function on a firewall that blocks access to MS servers.

Has anyone done any network captures to see what sites are being contacted? Is blocking *.microsoft.com sufficient? Is there a list of IPs that can be blocked?

Re:Egomanical monitoring of the populace?

[click2005]

In XP, Microsoft hard coded the IP addresses of various servers into libraries and software so it bypasses any attempt to use DNS resolution to block it. I'd bet in Vista there is something worse. Maybe thats why they were working on some kind of BitTorrent/P2P protocol. Route the data through other people's machines to get around blocking.

Re:

[Dan Ost]

Such traffic can always be blocked at an external firewall. Even the most basic router will let you blacklist IPs/domains. Short of colluding with router makers, there is nothing Microsoft can do about this.

Re:Egomanical monitoring of the populace?

[Anonymous Brave Guy]

The point being made earlier in the thread was that this doesn't always work, because the IP addresses for certain services (Windows Update is one, IIRC) are hard-coded and the hosts file is never checked by Windows when resolving these addresses.

Re:

[B'Trey]

I wouldn't be at all surprised if there's some sort of attempt but, to the best of my knowledge, there's no way for Microsoft to bypass the access list on a router or firewall sitting between the machine and the Internet. But I also wouldn't be surprised if, if one IP can't get through, the machine will try several others, including ones that aren't assigned to the microsoft.com domain. Thus my asking if anyone had done any network captures to see where the packets are actually going. I'm not running Vis

If you get burned, it's your own damn fault.

[FatSean]

Come on, knowledge of Microsoft's shadey buisness and programming practices has been well documented for over a decade. Plenty of time to migrate away. W2k is going to fade away, and I'm already looking into becoming all-Linux here at home. My employer still uses windows on employee machines, but I don't care because I only do work-related stuff on the laptop. I suppose I might want to segregate the VPN-using MS machine from the rest of my network incase Vista+1 decides to sniff my packets or something.

No, it isn't.

[jollyreaper]

I don't have nearly enough ram.

Re:No, it isn't.

[FredDC]

Just put a tin foil hat over your computer!

If only they told me,

[sumi-manga]

like Google does, maybe I wouldn't be microwaving genuine Vista Ultimate DVDs into petrol...

Notice how it's not "My Computer" anymore?

[Junior J. Junior III]

I hear the icon on the desktop isn't called My Computer anymore, it's now just "Computer". I guess in the fine print it says "BillG's Computer".

Re:

[kendoran]

With the new vista tech, it definitely doesn't ACT like my computer anymore.

Ah! The irony!

[c0l0]

In the article, there's a Vista technology referred to as "Rights Management Services (RMS) Client" - I guess I'm not the only one who's midldy amused about the acronym used for that service ;-)
What's especially delicate about it is that the service's name uses the term "Rights", where many who are in favour of digital freedom would probably deem "Restrictions" a much better fit.

I bet if Richard Stallman were dead by now (please note that I'm glad and happy that he's alive and kickin'!), there'd be a chance he'd be rotating in his grave at high speeds because of this.

Re:Ah! The irony!

[mwvdlee]

If I promise to manage my rights, can I disable this system?

Re:Ah! The irony!

[Actually, I do RTFA]

I bet if Richard Stallman were dead by now (please note that I'm glad and happy that he's alive and kickin'!), there'd be a chance he'd be rotating in his grave at high speeds because of this.

Then, we could hook his body to a generator. So, everytime something like this happened, we could say "at least we just cut down on greenhouse emissions."

Re:

[Junior J. Junior III]

Perhaps there's hope, and RMS can sue MSFT for the illegal infringement of his initials.

Re:Ah! The irony!

[digitig]

Perhaps there's hope, and RMS can sue MSFT for the illegal infringement of his initials.

Prior use (unfortunately). RMS stood for "Root Mean Square" before Richard Stallman was a package in his father's installation manager.

Re:

[lawpoop]

I bet if Richard Stallman were dead by now (please note that I'm glad and happy that he's alive and kickin'!), there'd be a chance he'd be rotating in his grave at high speeds because of this.

No, he would be rolling in his grave if GNU or some other GPL software were hijacked into this level of privacy invasion.

If he were in his grave, he would be resting soundly, like a baby in a bilum, because the course of events are turning out just as he predicted [gnu.org] -- non-open, unfree software is being used to limit the freedoms and access to information of the average computer user.

I work in an FDA-regulated environment,...

[Yewbert]

... and this kind of undisclosed(?) sneaky communication has to be considered a security risk from our side, and one which may very possibly invalidate the state of validation (in, again, the FDA-regulated sense) of numerous production-related systems that might eventually run on Vista platforms. We're testing Vista now, and as soon as I get my hands on a copy, I'm gonna poke arounnd and try to figure out what data is sent where, what happens if you cleverly block it, what options there are to just shut these features the f*** off, and many et ceteras,...

Re:I work in an FDA-regulated environment,...

[dave420]

It's fully-disclosed and hardly sneaky. If you block it, it will still work fine, but you lose updates to Windows and its components, you won't get your DRM certificates for media it's introduced to, your IPv6 NAT service won't work as expected, and online help features stop working. Want to stop them? Firewall rules, or disable the services.

Everything has to be considered a security risk from your position, otherwise you're not doing your job :)

If you read what he said, you'd see

[DigitalReverend]

He works in an FDA regulated environment, not works for the FDA. There are several companies that are heavily regulated by the FDA. I used to work for a pharmaceutical research company and almost every piece of software requires some kind of validation in order to protect no only the the pharmaceutical companies, but also the patients as well.

  While most IT environments can install Patches and Service Packs and Updates at will, this is not the case for FDA regulated companies. The update or patch will be installed on a system that has no access to any real data, each step of the installation is documented down to each mouse click complete with screen shots, then the installation is performed following that document by a person who didn't write the initial instructions, and they will then take screen shots of their installation. Then once it has passed the installation steps, then there are instructions written up for each thing that needs to be tested and validated, that is also complete with screen shots, and each mouse click and keyboard entry. Those instructions are sent to someone else who goes through each step, and takes screen shots along the way, and if that passes, it can then go on to production where the installation is performed, with screen shots, and a final series of tests, with screen shot is also done. All the documents are printed out as the FDA hasn't completely allowed electronic storage.

So where the normal IT guy clicks download/install and maybe makes a log of it. A simple windows update in an FDA regulated environment will produce a mountain of paperwork. If anything along the line has the potential of revealing any confidential information against FDA regulations, then the software will be rejected. Vista at this point has been rejected so far.

Vista's biggest enemy

[drgonzo59]

Vista's biggest enemy is not Linux -- it's Vista. Americans take their privacy too seriously to ignore this if this becomes public. Of course, one could argue that by now the 'war on terror' has taught us to just bend over when the government says so, but hopefully, the reaction will be a little bit more violent when Microsoft asks us to 'submit'....who knows.
 

Re:

[EveryNickIsTaken]

Americans take their privacy too seriously to ignore this if this becomes public.

Either you're not American or you don't pay attention to the news. Most Americans have been FUD'ded into ignoring privacy concerns.

Re:

[LoadWB]

And there is it: Privacy is a tool of terrorism.

If you're trying to keep your affairs private, then you must have something nefarious to hide... you terrorist.

Re:Vista's biggest enemy

[Hoi Polloi]

I was all for protecting my privacy until they offered me a free copy of "Minesweeper 3D" and "The Best of American Idol" audio tracks!

Re:Vista's biggest enemy

[UbuntuDupe]

Americans take their privacy too seriously to ignore this if this becomes public

You mean, you wish they wouldn't ignore this?

"OMG! Vista violates my privacy!"
"So what are you going to do about it?"
"I'm going to use a different operating system!"
"Which one?"
"Well, uh, the other one."
"Which other one."
"Like, the other Windows."
"Which other Windows?"
"Um, I guess ... XP, is it?"
"Do you know how to install an operating system?"
"Well, no ... I mean, I just won't buy computers with Vista."
"And where do you buy a computer without Vista?"
"Um ... I can just choose XP when I order one."
"And when XP is discontinued?"
"Then I'll get a completely different operating system, from a different company."
"You mean a Mac?"
"Oh, heavens no."
"Then what?"
"Um ..."

Re:

[truthsearch]

I don't know about that. XP did pretty much the same thing, to a smaller extent, and with similar statements in the EULA. That didn't stop sales.

Now if corporate desktops attempted to send too much information to Microsoft then some heads would roll. But that's not going to happen.

Re:Vista's biggest enemy

[apathy maybe]

Americans take their privacy seriously? Since when as the average yank done that?

Sure you have some folk who do, but considering the supermarket "loyalty cards" (and it isn't just in the US of course), the various voting things (e.g. who's the hottest "singer"?), using plastic cards to pay for everything and so on...

Meh, I'm sure you get my point, which is that only some people (around the world), take their privacy as seriously as you seem to think.

Re:

[Intron]

You can use the same name that I use when I have to fill out a form to return something or get a "loyalty" card: Moe Delaun. The funniest part is that since I use my actual address, I now get junk mail addressed to Mr. Delaun. I should try checking my credit score.

Anonymous?

[MontyApollo]

Seems like they would want to keep this data anonymous as much as possible too, or it would seem like they would have an endless barage of subpoenas for civil lawsuits like divorces, where one spouse wants evidence that the other was cheating.

Re:

[db32]

When they have shown that you can identify a person by their google searches, or by browsing habits, and any other number of things "anonymous" data is just a bullshit artists way of calming you while he takes your info.

Have we learned nothing?

[kebes]

The privacy concerns are obvious. I, for one, do not want to agree to having all kinds of (largely unspecified) information transmitted to Microsoft.

But even putting that aside for a moment. Assume that Microsoft is a friendly company and that you are confident they will never use this information "against you." Even in that case, this is a really bad idea. Why? Because security works best when you *minimize* the avenues of attack. By sending this information to Microsoft HQ, your OS opens itself to new attacks. On the one hand you have the possibility of MS's servers being hacked, and your information stolen (or the transmission being intercepted and copied). But much worse, this transmission functionality can be co-opted by malware or viruses.

Every functionality you include in the OS is a functionality that "the enemy" (malware, viruses, crackers, etc.) can (and will) use against you. In particular, every network-enabled program is a potential security breach. Hence, we should always be disabling as many services (especially network services) as possible. By having all kinds of code that is constantly communicating outside the machine (with no notification to the user), built into services that the user cannot sensibly disable, you are leaving a tempting target for "the enemy" to find vulnerabilities.

Add to this the fact that it makes it harder on network admins to pick out suspicious traffic. If all these Vista installs are constantly sending out packets of information, how can the sysadmin tell when one of those machines has been taken over, and that "phone MS HQ" service is now sending nefarious packets?

Get used to it.

[Anonymous Coward]

Face it, the advent of the internet has brought to the world many great and wonderous things. However, there is a dark side to connectivity, and it's name is, connectivity. If you want to be part of the whole, you have to accept the inherit lose of privacy that is associated with it. Doesn't matter how much you dislike it, but as a whole EVERYTHING is becoming more connected, you can't truly expect your privacy to somehow remain immune from all this "openness".

Those who thrive in this environment (and

Re:

[voice_of_all_reason]

Not really. It's a reasonable assumption that you can disable these services to some degree like in XP (error reporting service, for example). No fuss, no muss. Either through the system itself or some sort of hax.

Participating with caution

[Lonewolf666]

If you want to be part of the whole, you have to accept the inherit lose of privacy that is associated with it. Doesn't matter how much you dislike it, but as a whole EVERYTHING is becoming more connected, you can't truly expect your privacy to somehow remain immune from all this "openness".
To some extent this is true, but that does not mean we should give up more privacy than what is unavoidable.
In the context of this article, I think it is bad to have a bunch of services on my computer that send more data

Don't worry, it's not Vista...

[Actually, I do RTFA]

It's just: Windows Update, Web Content, Digital Certificates, Auto Root Update, Windows Media Digital Rights Management, Windows Media Player, Malicious Software Removal/Clean On Upgrade, Network Connectivity Status Icon, Windows Time Service, and the IPv6 Network Address Translation (NAT) Traversal service (Teredo).

See, typical /. overreaction

Re:

[Actually, I do RTFA]

Sorry, I left out: Activation, Customer Experience Improvement Program (CEIP), Device Manager, Driver Protection, Dynamic Update, Event Viewer, File Association Web Service, Games Folder, Error Reporting for Handwriting Recognition, Input Method Editor (IME), Installation Improvement Program, Internet Printing, Network Awareness (somewhat), Parental Controls, Peer Name Resolution Service, Plug and Play, Plug and Play Extensions, Program Compatibility Assistant, Program PropertiesCompatibility Tab, Program C

Re:

[LordEd]

Sarcastic Microsoft bash aside, all of the listed services are those that require connection to an external source. The "windows time service" makes me a bit suspicious that the author just picked everything that made any form of network communication without regard to information sent/received.

On Windows time service [microsoft.com]:

The following list describes various aspects of Windows Time Service data that is sent to and from the Internet and how the exchange of information takes place:

Port: NTP uses User Dat

Negro, puhleeese

[$RANDOMLUSER]

Microsoft will get your "Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software." But all they really need is your IP address.

Huh, I thought I supplied that information to every website I visit.

Every time you install a Plug and Play device, you tell Microsoft about it in order to get the necessary device drivers. The same is the case for PnP-X enabled device, only that Windows Update is more actively involved in this case.

Oh noes!!! They need to know my device to supply the driver?

Good grief, I hate Microsoft as much or more than the average Slashdotter, but most of TFA is just alarmist FUD.

Re:

[account_deleted]

Comment removed based on user account deletion

Spyware?

[CaptainPatent]

Isn't it ironic that the very company charging insane amounts for a "safe and secure" OS is essentially using spyware embedded in the system itself when the average user shells out a decent amount of money to prevent spyware programs?

If there wasn't enough of them already, add this to the stack of reasons not to use Vista.

Is Vista a product, or a service?

[Morgaine]

I expect that the majority of people believe that they're buying a product when they purchase Vista, or when they purchase a PC with Vista pre-installed. That presumption may be entirely wrong though.

Certainly from Microsoft's point of view, and in view of their total focus on WGA, you've agreed to a single-payment licensing deal. EULAs may not be valid in some jurisdictions, but that doesn't seem to concern them. You live within their worldview, or else ... or else nothing, that's the only option. In fact then, you haven't purchased a product at all, but a service without any agreed terms.

Likewise, from the content providers' point of view, your PC and its software certainly doesn't belong to you, which implies that you haven't purchased Vista as a product. Instead, it's just a delivery vehicle for their content, and Microsoft is the guarantor of DRM safety to ensure that this is so. The fact that you've paid for your hardware and software as if it were yours seems to have escaped both content providers and Microsoft alike.

Perhaps in the future, people who are not technical will not own computers at all, but only rent content delivery vehicles?

That's where Vista seems to be heading ... although Microsoft probably wants you to continue purchasing without owning.

Re:

[Esion Modnar]

...but only rent content delivery vehicles?

It's called Screw-Haul.

Won't matter

[SnarfQuest]

Very few people will care about this. Even if MicroSoft were collecting their credit card numbers and access codes, they still wouldn't care. Just look at how often they click on all those "verification" emails, and give this information away. You can make up an obvious "evil" email, explaining that you want to steal all their savings, and they will still click the link and enter their personal information.

Most people are just stupid when it comes to computers and securing their personal information.

Re:

[Actually, I do RTFA]

Are you kidding? If Microsoft was collecting (and using without my consent) my credit card numbers, I'd go out and buy a Vista machine right now. As my lawyer friend would say "How do you punish a company with hundreds of billions of dollars?"

Article Breakdown

[thePsychologist]

This article is a lot of FUD. But there's lots of truth in it too. Even though some of this transmission of data is optional and can be turned off, it still goes too far because most average computer users don't know about this stuff. Hence it's taking advantage of people without their knowledge.

hardware hash, which is a non-unique number generated from the computer's hardware configuration but no personal information.

This is not good. Probably only used to invalidate your copy of Windows once you change the motherboard.

The Customer Experience Improvement Program (CEIP) is optional, and designed to improve software quality.

This service asks your consent, and is okay and OPTIONAL.

Via the Device Manager, Microsoft has access to all the information related to your system configuration in order to provide the adequate drivers.

Again: if a device is plugged in, a dialog first comes up and asks the user if he/she wants to search the internet for a driver. And the service NEEDS the name of the device to search for one.

Similarly, Dynamic Update offers your computer's hardware info to Microsoft for compatible drivers.

That's because you ASK for it. Similarly if I Google a problem, Google gets my search query. But they're collecting stats on hardware, and that's pretty normal for an OS company. After all, it'll help them build a better OS (not likely though).

Event Viewer data is collected every time the users access the Event Log Online Help link. By using the File Association Web Service, Microsoft will receive a list with the file name extensions.

Just the extensions?? Big deal. Here's a partial list for my computer: *.raw, *.mov,...wait, this person has some Apple format on their computer...DESTROY. Can they use this information to help with vendor lock-in? Maybe.

Metadata related to the games that you have installed in Vista also finds its way to Microsoft.

Maybe this is going a bit off the deep end. What I install is my business and not theirs.

The Error Reporting for Handwriting Recognition will only report to Microsoft if the user expressly desires it to.

This asks your consent, and is okay and OPTIONAL. Why are they even including this in this article?

Through IME Word Registration, Microsoft will receive Word registration reports. Users have to choose to participate in the Installation Improvement Program before any data is sent over at Microsof[t].

This asks your consent, and is okay and OPTIONAL. So, if you register, it receives the data. No surprise there.

Ever used a print server hosted by Microsoft? Then the company collected your data through Internet Printing. Network Awareness is in a league of its own. It does not premeditatedly store of send directly information to Microsoft, but it makes data available to other services involving network connectivity, and that do access the Redmond company.

Makes data available to services that contact Microsoft does not mean this data will be SENT to Microsoft. FUD.

Via Parental Controls, not only you but also Microsoft will monitor all the visited URLs of your offspring.

If this is actually true, then it's too far. Direct monitoring of the sites!

Hashes of your Peer Name tied to your IP address are published and periodically refreshed on a Microsoft server, courtesy of the Peer Name Resolution Service.

Too far. But I'm not sure what a Peer Name is now. And I doubt it's very useful.

Every time you install a Plug and Play device, you tell Microsoft about it in order to get the necessary device drivers. The same is the case

It's the Boogie Man Under the Bed!

[rueger]

Lord, there are surely a hundred SERIOUS attacks on our privacy every day that deserve attention. Why is someone wasting time getting all paranoid because MS software sends back error reports?

Will we now see a companion story about how OS X, Firefox, and Thunderbird are all collecting "personal information" and transmitting it back to Apple and Mozilla.org?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Blame the EULA

[kebes]

The paranoia claims are really ridiculous.

Frankly, if companies want to stop people have having paranoid reactions to EULAs, they should stop writing such blatantly over-broad EULAs in the first place. Go ahead, read a random portion from the EULA for Windows Vista [microsoft.com]. It contains all kinds of broad statements limiting what I can do with the product, while simultaneously disclaiming all warranty on their part, and giving them broad ability to do as they please and change the terms as they please.

As long as companies write such ridiculous EULAs, it is only natural that people will react this way to them. Frankly the only reason that more people are not scared and appalled at EULAs is that no one actually reads them. Probably many of the things claimed in EULAs would not hold up in a court of law. But if all the terms of the EULAs were actually legally enforceable, then it would not be at all paranoid to be concerned about them: the terms are, after all, very consumer-hostile.

New Apple ad

[ducomputergeek]

"Hi I'm a PC" "And I'm a Mac." Mac sees PC with phone in hand, watching a 3rd person. "So what you doing?" "SHHH! I'm collecting data on that user over there. And phoning hom." *to person on other end* "Yeah, he's reading a news site. No, it's not MSNBC. Is he allowed to do that? Confirm or deny?"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Just how secure are the MS servers?

[sjames]

Even if you decide that you believe MS 100% and trust that they won't quietly change the terms in a year or two (a right they do reserve) to allow them to collect personally identifying information AND sell, it, just how secure are their servers? Any chance their admins will sell the data on the side for obscene amounts of cash?

Does any unique but not personally identifying information also appear in personally identifying Word documents? What is their policy if the NSA wants a copy? What is their policy if Bill needs a favor from Congress?

Funny, my Linux boxen don't collect any information at all and still they run nice and stable and get their updates as needed.

Who do you trust?

[HangingChad]

The bottom line is you have to transmit personally identifiable information to Microsoft to keep Vista running properly. Unless you're willing to go to extreme lengths to sanitize every bit of outbound data.

I know my ISP is keeping records of where I visit on the internet. But if that really worried me I could tunnel through to a secure proxy and all they get is the proxy IP. If you block Microsoft at the firewall your operating system will stop working and you won't be able to get security updates.

Finished updating my home network to Kubuntu this weekend. Very nice. I support Microcrap all day and going home to my Linux network is like diving into a clear, cool pool at the end of a hot day. Everything is so fluid, easy to manage, low stress computing. Funny thing, I remember a day when going with Microsoft was the low stress networking option.

Those days are over.

And you wondered why ....

[Jerry]

Bush's DOJ switched sides and now our government supports Microsoft so vigorously both here and in abroad.

Besides the free gift of your personal info, the are those backdoor keys. They didn't call them "NSA keys" for no reason.

Re:

[jonnythan]

It's a little OT, but truth is an absolute defense to slander. Slander is, by definition, untrue.

Re:

[gEvil (beta)]

Yes, but it's justified
No
A-one, a-two, a-three. Three.
Lard, sugar, vanilla, other nasties.

Re:

[MontyApollo]

There is some quote about just because you are paranoid doesn't mean someone is not out to get you.

I think the paranoia is more about what info MS is collecting and what they are doing with it. There's probably a low chance of this info being used negatively against you since they don't track your identity, but you never know.

Re:Tagged as paranoia?

[plague3106]

Is it paranoia if the OS really *is* sending tons of data to Redmond?

Is it? I saw nothing in the article that actually tried to attempt to see what information, if any, was being sent. All I saw was a really paranoid reading of an EULA.

Is it slander if it's true?

Just because something is in a license agreement doesn't mean its happening. People said the same thing about Windows update. The truth of the matter is it sends what OS / service pack your running and you get a list of updates available, which then is parsed by your computer to see if it needs them or not. Also, what updates are needed but not installed is reported back. Not exactly terrifying data.

The core question remains

[Opportunist]

Why don't they tell you? Every halfway serious program I use that has to report information home (or at least wants to, for statistical purposes) asks me first, or at least informs me that it is going to do that now. Some programs even tell you what exactly they're going to send (and, behold, checking source and the transfered data shows that they actually tell you the truth).

Usually I don't mind. They probably sell that information (not about me, but about their "user base") to someone to make some money that way, since I don't pay for the honor to use their program for free. No problems there.

A problem arises when said data is transmitted without my consent. Without me even knowing that it is being sent. Am I supposed to trust a company that it isn't going to do shady business with my data when they're sneaky about it?

Now, I'm not saying MS does. But, seriously, why the cloak-and-dagger approach? Just tell the user "Vista is now gonna send MS the following information about your system, anonymized so it can't be tracked, and we want it to see what hardware platforms our system should run best on. Thanks for your co-op."

What's wrong about that? If someone doesn't care, heck, one more click on "accept" isn't going to be even noticed in Vista. And if someone does care, the smell of fish is not gonna hit his nose when something like this is being exposed.

Re:

[weicco]

But, seriously, why the cloak-and-dagger approach? Just tell the user "Vista is now gonna send MS the following information about your system, anonymized so it can't be tracked, and we want it to see what hardware platforms our system should run best on. Thanks for your co-op."

Well how about reading Windows Update Privacy Statement from here http://technet2.microsoft.com/windowsserver/en/lib rary/3998fef5-4e07-4128-881d-754375b679121033.mspx ?mfr=true [microsoft.com] or updated version from Windows Update site from here

Re:Devil's Advocate

[kebes]

Well they say the information is anonymous, but it includes things like your IP address. So they can convert that it non-anonymous information quite easily.

So... some reasons why this is probably a bad idea:
1. If they discover that you are running non-legit software, they can track you down. (And considering that any such analysis will always make mistakes, even users of legitimate copies of software should be worried.)
2. If MS's servers get compromised (or a bug is found in the "secure transmission" protocol), third parties can obtain your data. Depending on exactly what is being sent, this could be a privacy breach, security breach, or both.
3. Having services constantly establishing these connections is a security risk. Malware or viruses may be able to exploit it as a point of infection. Or, they may be able to use it as a means of spreading copies of themselves, or secretly transmitting information back to a third party. Every unnecessary service (from a user perspective) is a security breach waiting to happen.
4. Having code running that doesn't explicitly benefit the user is a waste of resources. This means overhead on your computer and overhead on your internet connection.
5. The EULA seems to state that they can change the terms as it suits them. This means that they can push updates through Windows Update that increase the scope of the data obtained. Perhaps they eventually decide to drop the anonymous clause. I don't think signing over so much freedom and privacy is a good idea, regardless of how "well-intentioned" the recipient of your rights claims to be.

And finally, there is the general "bad vibes" I'm sure we're all getting about this. It would be one thing if it were an additional feature that you could turn on if you wanted to. Something like "Help MS improve the quality of service by sending reports on how your software is running. This voluntary service is under your control, and only human-readable summaries will be sent, which you can inspect before they are sent. Do you wish to participate? Cancel/Allow"

Instead we get something like: "MS reserves the right to monitor your computer and transmit information to MS HQ. We can change these terms at our leisure. By using any of these features, you implicitly agree to this monitoring."

This is not an act of charity on MS's part. This is part of a plan to obtain information that they want, without customers noticing it is happening. That can only be a bad thing.

Re:

[voice_of_all_reason]

Same issue with the google cookie. The machine sends the data with a unique ID for your machine. As long as they can match your name once to the ID, it's good for tracking all transmissions. Stuff like Error Reporting send a dump of whatever document/webpage you're running at the time, that can certainly be enough. And don't you have to give your name when you activate it in the first place?

Re:Nothing new

[PhysicsPhil]

X-ray machines, Jet engines, and more all report operating conditions and usage information back to the manufacturer. Microsoft is doing this anonymously to improve the products. I have no problem with this. They aren't sending back any "personal information" like credit card numbers or even identification information.

There are plenty of reasons you still don't want this happening. Consider...the war on terror continues and somebody gets caught up in the Feds dragnet. They press charges, but don't quite have the evidence they need. The defendant's lawyer (and the ACLU) is probably going to get him to walk unless they can find something. Little known to all, the President (or these days, the VP) issues a secret Executive Order that strips "terror suspects" of the right to attorney-client privilege. The Feds show up at Microsoft's door with several court orders. They order the tracking of the suspect, and they provide the IP addresses of computer in the offices of the defendant's attorney and the ACLU and demand that Microsoft install a backdoor patch to download documents off that computer. Of course the download will be indiscriminate...maybe this lawyer will also have you as a client, and your files will go to the Feds also.

Far-fetched? Perhaps, but certainly plausible. Suppose it's not the American government, but the Chinese looking for a few journalists or Falun Gong members. Still far-fetched? Which way do you think Microsoft will go when the choice is a few journalists in prison or losing access to the Chinese market?

Privacy is always good.

Re:

[value_added]

X-ray machines, Jet engines, and more all report operating conditions and usage information back to the manufacturer.

And X-ray machines and jet engines are multi-purpose devices that store gobs of personal information?

They aren't sending back any "personal information" like credit card numbers or even identification information.

I'd like to know how you've achieved that conclusion given the fact that you and just about everyone outside of Microsoft lacks meaningful information as to what *is* being sent, in

Comment removed

[account_deleted]

Comment removed based on user account deletion