Windows 10, it seems, is proving a hit with both the public and the technology press after its release last week. After two days, it had been installed on 67 million PCs. Of course, sceptics may argue that this may have simply been a reflection of how much people disliked Windows 8 and the fact that the upgrade was free.
For others, though, it is the very fact that the upgrade is free that has them concerned that Microsoft has adopted a new, “freemium” model for making money from its operating system.
They argue that, while Apple can make its upgrades free because it makes its money from the hardware it sells, Microsoft will have to find some way to make money from doing the same with its software. Given that there are only a few ways of doing this, it seems that Microsoft has taken a shotgun approach and adopted them all.
Chris Capossela, Microsoft’s Chief Marketing Officer, has declared that Microsoft’s strategy is to “acquire, engage, enlist and monetise”. In other words, get people using the platform and then sell them other things like apps from the Microsoft App Store.
The trouble is, that isn’t the only strategy that Microsoft is taking. Microsoft is employing a unique “advertising ID” that is assigned to a user when Windows 10 is installed. This is used to target personalised ads at the user.
These ads will show up whilst using the web, and even in games that have been downloaded from the Microsoft App Store. In fact, the game where this grabbed most attention was Microsoft’s Solitaire, where users are shown video ads unless they are prepared to pay a US$9.99 a year subscription fee.
The advertising ID, along with a range of information about the user, can be used to target ads. The information that Microsoft will use includes:
[…] current location, search query, or the content you are viewing. […] likely interests or other information that we learn about you over time using demographic data, search queries, interests and favorites, usage data, and location data.
It was not that long ago that Microsoft attacked Google for doing exactly this to its customers.
What Microsoft is prepared to share, though, doesn’t stop at the data it uses for advertising. Although it maintains that it won’t use personal communications, emails, photos, videos and files for advertising, it can and will share this information with third parties for a range of other reasons.
The most explicit of these reasons is sharing data in order to “comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies”. In other words, if a government or security agency asks for it, Microsoft will hand it over.
In June, Horacio Gutiérrez, Deputy General Counsel & Corporate Vice President of Legal and Corporate Affairs at Microsoft, made a commitment to “providing a singular, straightforward resource for understanding Microsoft’s commitments for protecting individual privacy with these services”.
On the Microsoft blog, he stated:
In a world of more personalized computing, customers need meaningful transparency and privacy protections. And those aren’t possible unless we get the basics right. For consumer services, that starts with clear terms and policies that both respect individual privacy and don’t require a law degree to read.
This sits in contrast to Microsoft’s privacy statement, which is a 38 page, 17,000 word document. This suggests that Microsoft really didn’t want to make the basic issues of its implementation absolutely clear to users.
Likewise, the settings that allow a user to control all aspects of privacy in Windows 10 itself are spread over 13 separate screens.
Also buried in the privacy statement is the types of data Cortana – Microsoft’s answer to Apple’s Siri or Google Now – uses. This includes:
[…] device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.
Note that the “and more” statement basically covers everything that you do on a device. Nothing, in principle, is excluded.
Privacy by default
It is very difficult to trust any company that does not take a “security and privacy by default” approach to its products, and then makes it deliberately difficult to actually change settings in order to implement a user’s preferences for privacy settings.
This has manifested itself in another Windows 10 feature called WiFi Sense that has had even experts confused about the default settings and its potential to be a security hole.
WiFi Sense allows a Windows 10 user to share access to their WiFi with their friends and contacts on Facebook, Skype and Outlook. The confusion has arisen because some of the settings are on by default, even though a user needs to explicitly choose a network to share and initiate the process.
Again, Microsoft has taken an approach in which the specific privacy and security dangers are hidden in a single setting. There is no way to possibly vet who, amongst several hundred contacts, you really wanted to share your network with.
There are steps users can take to mitigate the worst of the privacy issues with Windows 10, and these are highly recommended. Microsoft should have allowed users to pay a regular fee for the product in exchange for a guarantee of the levels of privacy its users deserve.