Is Microsoft Integrating Windows 10–Style "Spyware" Into Windows 7 & 8?

Edward Snowden's infamous PRISM slide, showing Microsoft's collusion with the NSA starting in 2007.

by Gaius Publius

I mean that headline as a real question. Is Microsoft actually integrating Windows 10–style "spyware" into Windows 7 & 8? We've been looking (here and here) at the issue of whether Windows 10, the new Microsoft operating system ("OS" in tech-speak) is designed as spyware. I've personally concluded that it is, based on a number of reports, such as those detailed at the links above, and based on the giant holes written into their Privacy and License agreements.

After all, it looks like Microsoft is giving themselves the right to inspect your machine, all of its files, all of its peripheral hardware, watch both what you do and how you do it, and share any of what it finds about you and your data with "partners," whatever that means. Also, as quoted in the second of the articles linked above (my emphasis):

Section 7b – or “Updates to the Services or Software, and Changes to These Terms” – of Microsoft’s Services EULA stipulates that it “may automatically check your version of the software and download software update or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorised hardware peripheral devices.”

Does this mean it can install updates to itself to disable "unauthorized" hardware and software? In my opinion, the fact that it seems that way is concerning enough. How this gets interpreted and implemented by Microsoft, is ... well, all up to Microsoft.

The counter-argument to the Yes answer is that the Privacy agreement language is vague enough to be interpreted narrowly, and therefore less intrusively. The counter-counter-argument is, Why is the language so vague if they don't intend to take advantage of it?

As a result, I'm on the side of "I don't trust them because I don't know that I can." After all, there's that Edward Snowden PRISM slide (above), just in case you need a reminder of which side of the bread Microsoft's butter is on. (Hint: Their own. But feel free to click the links at the top and decide for yourself.)

Are Windows 7 and 8 Being "Updated" to Include Privacy Intrusion Capabilities?

As I said, this is a question that needs answering. There are just way too many reports like this one (emphasis theirs):

New Windows 7 / 8 / 8.1 updates spy on you just like Windows 10

Microsoft is pushing KB3075249 and KB3080149 updates for Windows 7 / 8 / 8.1 users which can spy on you

Windows 10 has been launched and already installed by more than 50 million users worldwide. It is now a known fact that Windows 10 user data is being reported back to Microsoft servers back in Redmond. The jury is still out whether this a good or bad practice but many of Windows 10 Apps like Cortana depend on getting your preferences correct to serve you better.

This being the case, many Windows users who are not happy with Windows 10 spying ways and have preferred to stay on with Windows 7/Windows 8 and Window 8.1 as the case might be. For these Windows 7/8/8.1 users there are a few updates which Microsoft has been pushing through last few days.

Namely, KB3075249 and KB3080149, if installed are known to report your data back to Microsoft servers.

KB3075249 update adds telemetry points to consent.exe in Windows 8.1 and Windows 7. The Microsoft support page gives following description for them :

KB3075249 “Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 ” http://support.microsoft.com/kb/3075249

KB3080149 “This update aligns down-level devices on the same UTC binary that’s released in Windows 10. This update would enable all the down-level devices to receive the software updates, design updates, and additional power and performance tuning.” http://support.microsoft.com/kb/3080149

In simple words, both these updates, if downloaded and installed will snoop on you and report back certain data to the Microsoft servers. ...

Here's another, similar report:

The updates in question are KB3075249 and KB3080149. if installed, these updates are known to report your data back to Microsoft servers, without user interaction. KB3075249 Microsoft Update adds telemetry points to ‘consent.exe’ in Windows 7, 8 and 8.1, allowing for remote monitoring of everything that happens within the operating system. KB3080149 ensures that all “down-level devices” receive the same updates and treatment as Windows 10 boxes get.

Several words of caution:

    ▪ So far, these reports come from tech user forums, and are elevated from there to small tech-savvy (and very privacy-concerned) "geek" sites like the above. This does not guarantee their accuracy, nor their inaccuracy.

    ▪ But the number of reports is concerning. A simple web search on "KB3075249 KB3080149 spyware" produces quite a number of hits.

    ▪ Are these all echoes of a single source? It's possible. At this point, the users most concerned are the ones with most to fear — gamers with perhaps pirated software (and hacked hardware?); torrent users and sites; and, frankly, right-wing fear merchants and audiences, who are sometimes too eager to be afraid. One scary report may go through these communities like fire.

But the information in the reports above is pretty specific, and should therefore be subject to independent (i.e., not Microsoft-friendly) analysis. Does update KB3075249 add “telemetry points to consent.exe in Windows 8.1 and Windows 7"? If so, does it allow "remote monitoring of everything that happens within the operating system"? One would think those are answerable questions.

Even "Reasonable" Tech Sites Are Concerned

For an example of "reasonable" (non-fearful) tech analysis of Windows 10, consider this from ArsTechnica, which offers an even-handed exploration of Windows 10's "phone home" behavior:

Windows 10 uses the Internet a lot to support many of its features. The operating system also sports numerous knobs to twiddle that are supposed to disable most of these features and the potentially privacy-compromising connections that go with them.

Unfortunately for privacy advocates, these controls don't appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft's servers.

For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.

Some of the traffic is obviously harmless. [...]

Some of the traffic looks harmless but feels like it shouldn't be happening. [...]

Other traffic looks a little more troublesome. [...] 

Details of the deleted portions can be read at the link. The piece closes the list with this (my emphasis):

And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

The rest of the piece details attempts to get explanations from Microsoft. It ends this way (my emphasis):

We've argued recently that operating systems will continue to make privacy-functionality trade-offs. For many users, perhaps even the majority, these trade-offs will be worthwhile; services such as Cortana (Siri, Google Now), cloud syncing of files, passwords, and settings, and many other modern operating system features are all valuable, and many will feel that the loss of privacy is an acceptable price to pay. But the flip side of this is that disabling these services for those who don't want to use them should really disable them. And it's not at all clear that Windows 10 is doing that right now.

Again, perfectly reasonable. Would ArsTechnica or a similar site examine the Windows 7 and 8 updates listed above? I think too close an exploration of Microsoft might run counter to the financial interests of, frankly, an industry powerhouse, an 800-pound gorilla with a lot of money at stake in its just-released Windows 10. As a result, it may take awhile before this examination takes place. Stay tuned though, just in case it does.

This Brave New Tech-Friendly World

We've already entered the brave new world of what ArsTechnica calls "privacy-functionality trade-offs." Unlike voluntary use of "the cloud," Windows 10 (and 7 and 8?) now make these trade-offs at the level of the operating system, and not voluntarily, unless you volunteer not to use it at all.

How should we respond to that? What seems to be needed is:

(1) Solid exploration of the anti-privacy capabilities, not just of Windows 10, but Windows 7 and 8, as well as the next versions of Apple's iOS and Google's Android OS, as they follow close behind the Microsoft example;  

(2) Solid legal analysis of the new Microsoft Privacy statement and End User License Agreement (EULA);  

(3) A broader philosophical discussion of what commercial use this data can be put to, and the ethics of that use;  

(4) A broader discussion of the political capabilities and use of this data, since multi-billion-dollar tech companies have political objectives, not just commercial ones; and finally

(5) An examination of the role of the Pentagon's NSA in all this; by which I mean, to what degree does the NSA encourage, allow, and/or benefit from this level of high-volume user-profiling and data collection?

Until these examinations occur, we will have questions without answers — and frankly, given that we're talking about the data-hungry and money-mad tech industry, we'd be naïve not keep those questions front and center until they're answered successfully.

Side note: I'm starting to explore a switch to a Linux OS, likely Linux Mint. Linux is mature, easy to use, open source, and I'm told, can do almost everything users need done, with programs users already know, such as Firefox. More on this as it transpires; I may make these explorations public and let readers "look over my shoulder."

GP