News Windows 11 Sends Tremendous Amount of User Data to Third Parties, YouTuber Claims

[cryoburner]

And steam that gets mentioned here isn't steam, its steamcloud.blablabla.googleapis because edge is chrome and chrome is google, what is it supposed to connect to?!

This isn't exactly accurate. Just because an application is built on Chromium doesn't necessarily mean that it's utilizing Google's services. There are Chromium-based browsers with all of the integrated Google services removed, and Microsoft themselves talked about how they "removed or replaced more than 50 of Google’s services that come as part of Chromium". Microsoft obviously doesn't want to share user data with one of their biggest competitors.

Funny. I haven't received a single spam on my cell phones since my first one back in 1992. And I don't receive unwanted ads in email or pop-ups. Could it be I never click on every link that appears, or open even email? It's possey-bul.

Oh, I looked up O&O ShutUp10. They're a Gold mictosoft partner. Fascinating.

This isn't about "adware" in the traditional sense, but about operating systems and web services tracking and storing user data, that is then used for things like targeted advertising, or for selling to other companies. Your phone almost certainly does this without your knowledge.

As for O&O being a gold partner of Microsoft, that means they are an established software company that meets certain criteria and pays a membership fee in exchange for improved technical support and access to tools from Microsoft. While its possible something like that could have some influence on their software, if the utility were found to not be doing what it claimed to be doing, then someone would obviously call them out on that.

It's 2023 people, you don't want a dumb PC that shows you news about a sack of rice falling over somewhere in china...written in chinese and targeted to chinese people.

That's silly. You don't need detailed user tracking to show relevant information. The user's IP address alone should be enough to let a web site know the region they are coming from, and things like language preference are configurable in a browser's settings for that very purpose. And if a user does want more meaningful results from a particular web service, it would only take seconds to manually supply that information on an as-needed basis. Data that's collected in the background without the user's knowledge and potentially shared with third-parties generally provides little to no direct benefit to the user, but rather is done primarily to profit off of them more effectively.

Also, an article about a sack of rice falling over would probably be more worth reading than the clickbait and propaganda that the vast majority of news sources are filled with these days.

However for me what pissed me off the most is they do all this data collection and make money off my personal info and I don't get a cut of that revenue.

There needs to be an opt in and opt out and if I want in I should be getting a percentage of that money you are making selling my data.

The idea is that your payment is the "free" use of their services. So, you technically are getting something out of it, though whether it's a worthwhile trade may often be questionable. And you do have the option of "opting out" by not using those services, though in some cases there isn't a good alternative. There are often options to manually disable these things, though it would be ideal if that process were made easier without the use of third-party utilities.

Wow, that is a lot. It doesn't require nearly that much maintenance to use Linux and keep things secure.

Much of what they described is on the web-browser end. If you're using your browser without explicitly having it set up to limit tracking and block advertising, then it won't make any difference whether you are on Windows, Linux or any other OS as far as browser telemetry is concerned. And some browsers, like Chrome, track pretty much everything a person does online and sends that data to Google, one of the largest data-harvesting and targeted advertising companies out there.

 

[Unolocogringo]

We had this same discussion when win10 first came out.
All the embedded tracking and phoning home with your info that came with it.
win11 is just the upgraded version that makes it harder to turn off.

 

[palladin9479]

This is another reason I'm staying away from Windows 11 for awhile. The anti-spyware stuff for Windows 10 is already settled and easy to use, Microsoft is still playing games and changing stuff around with Windows 11.

It's actually not hard to stop all the phone home stuff, can use anything from a firewall deny to setting the DNS value in the hosts file to 127.0.0.1, just Microsoft likes to change the endpoints every few updates on it's active product.

For those asking "what's the big deal", this is serious because it's basically a way to get around your 4th, 5th and 6th Amendment rights. If, for whatever reason, you become a suspect in any police investigation, they would have to go through a bunch of legal hoops and judges to get permission to search your home and seize your computer stuff. With you being forced to agree to Microsoft / Google / etc. as a proxy agent, Law enforcement just needs to ask them and they'll disgorge all the collected details without your knowledge.

We all know our phones are collecting and sending home everything that happens on them, but very specific wiretap laws exist to require search warrants to get that data. No such requirements exist for all the data collected from your home computers as they aren't considered telecommunications devices. Imagine a police officer sitting right behind you, looking over your shoulder, writing down everything you do and say. Can anyone here say, with a straight face, that they never broken any of the 10,000+ Federal statures in the USA, much less the hundreds of thousands of State laws? They might not care for years, decades, but then the day comes when they do and suddenly you can't take back all that data they've already collected. This isn't political, but people need to protect themselves.

Recording of a lecture in a law school about why clients should never, under any circumstance, disclose information to any law enforcement officer.

View: https://www.youtube.com/watch?v=d-7o9xYp7eE&ab_channel=RegentUniversitySchoolofLaw

 

[palladin9479]

Now that the OS part is over with, for those thinking "but my browser tracks everything", not if you use the right browser. Seriously, use vivaldi.

We respect your privacy | Vivaldi Browser

vivaldi.com

I really didn't like how restricted Chrome was and was still on Firefox because it supports TreeStyleTabes on the left that let me organize my workflow of hundreds of tabs in categories. Then I found Vivaldi, its Chromium with all the spying ripped out and all the internal settings exposed via gui interface. I can set the tabs to be on the left and use Window Groups to organize my workflow. Right now I'm sitting at 67 tabs total with most organized into eight groups (closed five recently) with a dozen or so tabs left ungrouped.

 

[-Fran-]

Now that the OS part is over with, for those thinking "but my browser tracks everything", not if you use the right browser. Seriously, use vivaldi.

We respect your privacy | Vivaldi Browser

vivaldi.com

I really didn't like how restricted Chrome was and was still on Firefox because it supports TreeStyleTabes on the left that let me organize my workflow of hundreds of tabs in categories. Then I found Vivaldi, its Chromium with all the spying ripped out and all the internal settings exposed via gui interface. I can set the tabs to be on the left and use Window Groups to organize my workflow. Right now I'm sitting at 67 tabs total with most organized into eight groups (closed five recently) with a dozen or so tabs left ungrouped.

Don't forget to mention Vivaldi is from the same people that created Opera originally and it comes with mouse gestures by default

Just my extra pennies to the point 😛

Regards.

 

[TerryLaze]

This isn't exactly accurate. Just because an application is built on Chromium doesn't necessarily mean that it's utilizing Google's services. There are Chromium-based browsers with all of the integrated Google services removed, and Microsoft themselves talked about how they "removed or replaced more than 50 of Google’s services that come as part of Chromium". Microsoft obviously doesn't want to share user data with one of their biggest competitors.

Is there anyway to tell that they are sending and not receiving?!
Because if they can make google send the weather and news info and save them a lot of bandwidth...

That's silly. You don't need detailed user tracking to show relevant information. The user's IP address alone should be enough to let a web site know the region they are coming from, and things like language preference are configurable in a browser's settings for that very purpose. And if a user does want more meaningful results from a particular web service, it would only take seconds to manually supply that information on an as-needed basis. Data that's collected in the background without the user's knowledge and potentially shared with third-parties generally provides little to no direct benefit to the user, but rather is done primarily to profit off of them more effectively.

What are the signs of detailed user tracking happening here?!
How do we know if they don't just send a request for weather and news in x location without sending any other detail?!

For those asking "what's the big deal", this is serious because it's basically a way to get around your 4th, 5th and 6th Amendment rights. If, for whatever reason, you become a suspect in any police investigation, they would have to go through a bunch of legal hoops and judges to get permission to search your home and seize your computer stuff. With you being forced to agree to Microsoft / Google / etc. as a proxy agent, Law enforcement just needs to ask them and they'll disgorge all the collected details without your knowledge.

Yeah, that's not how that works.
Only your ISP has your actual name and the list of IPs you connected to and they are forced to keep logs for some time just for the reason you stated.
Google and MS only have an email and IP address that can't be connected to anybody unless they get that info from the ISP.
So stopping all the telemetry from google/ms doesn't help you there, your ISP still keeps track of what IPs you connect to.

Also the law doesn't change on the internet, if they would have to go through a bunch of legal hoops and judges to get permission to search your home and seize your computer stuff in "real life" then they have to do the exact same for internet data as well otherwise they can't use that data .

 

[Dark Lord of Tech]

Totally surprised. LOL . But it can be minimized.

 

[USAFRet]

Yeah, that's not how that works.
Only your ISP has your actual name and the list of IPs you connected to and they are forced to keep logs for some time just for the reason you stated.
Google and MS only have an email and IP address that can't be connected to anybody unless they get that info from the ISP.

Actually, Google et al probably does know your real name.
Search history can reveal a lot.

20 years ago, the search history leak from AOL...
User accounts all anonymized.
Some diligent nerds people were able to pinpoint a specific users actual name and address, simply from her search history.

Some years later, a 15 year old girl started getting snailmail ads for diapers. Addressed directly to her, from Target.
Dad was incensed.
Called corporate, "Why are you sending my teenage daughter this junk?!?"
Turns out his daughter was preggers, and her search history triggered ads for diapers and cribs.

Pulling together your phone data, Instagram/TikTok/Facebook, search history, etc, etc....they know lots.
But they really really don't care about you.

You are valuable as part of a trend.

 

[palladin9479]

Is there anyway to tell that they are sending and not receiving?!
Because if they can make google send the weather and news info and save them a lot of bandwidth...

What are the signs of detailed user tracking happening here?!
How do we know if they don't just send a request for weather and news in x location without sending any other detail?!

Yeah, that's not how that works.
Only your ISP has your actual name and the list of IPs you connected to and they are forced to keep logs for some time just for the reason you stated.
Google and MS only have an email and IP address that can't be connected to anybody unless they get that info from the ISP.
So stopping all the telemetry from google/ms doesn't help you there, your ISP still keeps track of what IPs you connect to.

Also the law doesn't change on the internet, if they would have to go through a bunch of legal hoops and judges to get permission to search your home and seize your computer stuff in "real life" then they have to do the exact same for internet data as well otherwise they can't use that data .

That is exactly how it works, MS / Google / etc.. can know who you are, where you live, your phone number, your email, bank info and any other thing you've typed into your computer. The information is stored raw, then later anonymized before handing it to third party advertisers. The important part is they do store it first and thanks to Snowden we know they hand that stuff over to any law enforcement agent that is part of the FBI's federal data sharing program. This program was created with the Patriot Act and was supposed to enable the FBI to better go after terrorists, but the language is so broad that it has since been interpreted to apply to all domestic investigations.

Your local police would definitely need a warrant to collect information on you specifically, but why bother when they can just ask Microsoft, Google / Facebook and friends for it and they will gladly hand it over as you have already agreed they could do that. It's in their mammoth TOS that you click "Agree" to. That data stored at Microsoft / Google / Facebook / etc.. is not your property and does not belong to you, it is Microsoft's / Googles / etc.. property. No warrant or pesky 4th, 5th or 6th amendment waiver needed at all.

 

[KyaraM]

Yeah, how would Valve/Steam be allowed to put anything into a clean install of Windows? I can't imagine MS wanting to give anything to Valve, considering they're a big competitor game-wise to their own store. But then again, I haven't installed Win11 - maybe MS is paid to put the Steam client into clean installs now.

It's not. I set up a brand new system with Win11 recently (due to that being the only key I had access to), and I had to install Steam manually. They do install the Disney+ app, though, even on 10. Been that way for at least a year now.

 

[TerryLaze]

Actually, Google et al probably does know your real name.
Search history can reveal a lot.

20 years ago, the search history leak from AOL...
User accounts all anonymized.
Some diligent nerds people were able to pinpoint a specific users actual name and address, simply from her search history.

Some years later, a 15 year old girl started getting snailmail ads for diapers. Addressed directly to her, from Target.
Dad was incensed.
Called corporate, "Why are you sending my teenage daughter this junk?!?"
Turns out his daughter was preggers, and her search history triggered ads for diapers and cribs.

Pulling together your phone data, Instagram/TikTok/Facebook, search history, etc, etc....they know lots.
But they really really don't care about you.

You are valuable as part of a trend.

How does that help law enforcement get your data?!
I'm sure it's possible to do it but the law won't get you that way.
They would have to get a drag net type of card blanche to connect data from a lot of systems together.

This program was created with the Patriot Act and was supposed to enable the FBI to better go after terrorists, but the language is so broad that it has since been interpreted to apply to all domestic investigations.

I'm no lawyer, what do you have to do to be hit with the patriot act?
Can law enforcement just search anybody and then AFTER THE FACT claim patriot act?! Or do they have to proof enough of a case to THEN get the go ahead with getting all the data?

If the patriot act allows that on internet data it will also allow that for your apartment and the rest of your real life.
Also what data are they going to get from a cleanly installed windows that you don't use...

 

[USAFRet]

How does that help law enforcement get your data?!
I'm sure it's possible to do it but the law won't get you that way.
They would have to get a drag net type of card blanche to connect data from a lot of systems together.

That wasn't about the law, but rather what and how much google knows about you.

 

[palladin9479]

I'm no lawyer, what do you have to do to be hit with the patriot act?
Can law enforcement just search anybody and then AFTER THE FACT claim patriot act?! Or do they have to proof enough of a case to THEN get the go ahead with getting all the data?

If the patriot act allows that on internet data it will also allow that for your apartment and the rest of your real life.
Also what data are they going to get from a cleanly installed windows that you don't use...

You aren't "hit with the patriot act", you've already been "hit".

The Patriot Act established a federal intelligence data sharing program where the various Federal authorities (FBI, CIA, DHS, etc..) would share intelligence they have gathered with each other along with local law enforcement via federal task forces. Officer Snuffy would be both a local police officer and a member of a local counter terrorism task force enabling him to act as both a local and federal law enforcement officer. Thanks to Snowden we know that the CIA and NSA have data sharing contracts with all the major tech companies where they essentially pay the tech companies for access to the raw data that you have already agreed to give them. When you put those two together, Officer Snuffy as part of the counter terrorism task force has access the raw data Microsoft / Google / etc.. have already collected on you. Officer Snuffy can see your entire search history, shopping preferences, anything the major tech companies have already collected.

They aren't collecting it from your hard disk, that would require probable cause and a warrant, they are collecting it from Microsoft, Google, Meta, Apple or Amazon. Have you ordered anything on Amazon from your home? Congrats Amazon knows your name, IP address, physical address, email address and credit card accounts, that information can then be correlated with Google's search history from that same IP address. Now that is internet stuff, but if your desktop OS is also communicating all your activities to Microsoft, then law enforcement can then use that IP address and time frame to identify the activity records and know what you were typing, clicking and anything else Microsoft telemetry was phoning home about.

Again law enforcement isn't "searching" you, they don't need to because you have already agreed to give that information to a non-privileged third party (Microsoft / etc.) and the moment that happens that information is no longer considered "yours" or protected by the 4th and 5th amendments. There is no reasonable expectation of privacy when you hand information to third party entities. Here is a case that outlines it perfectly, law enforcement want to use Alexa recordings in a trial against someone and Amazon has been forced to officially hand them over.

Alexa: Can You Keep a Secret? The Third-Party Doctrine in the Age of the Smart Home

www.law.georgetown.edu

To understand that we have to get into a really weird distinction between intelligence and law enforcement activities. Information from intelligence gathering programs is kinda useless in court as the intelligence agencies would never allow a defense team access that system, making it inadmissible (5th and 6th amendment protections). Instead when it's time for charges to be pressed, law enforcement needs to officially subpoena the tech company for the records they have already seen and then use those records as the evidence in the trial via something known as parallel reconstruction. Tech companies fight this publicly while privately taking the money from the government and providing the information to the intelligence agencies.

This is getting into a deep rabbit hole, the bottom line is that you want the minimum amount of personal information shared with third parties because anything your computer says can be used against you in a court of law.

 

[TerryLaze]

You aren't "hit with the patriot act", you've already been "hit".

Yeah, ok with the propaganda, but "the Man" doesn't spy on all of us at once, and not because they don't want to but because it would be so much effort that they would get nothing done.
At the end of the day they still need actual people to look through all of the data to determine if they should do something.

So for them to apply the patriot act to somebody they need to use some criteria.

 

[palladin9479]

Yeah, ok with the propaganda, but "the Man" doesn't spy on all of us at once, and not because they don't want to but because it would be so much effort that they would get nothing done.
At the end of the day they still need actual people to look through all of the data to determine if they should do something.

So for them to apply the patriot act to somebody they need to use some criteria.

It's not "the Man" nor propaganda, Snowden already revealed the existence of nation wide intelligence gathering programs that acquire raw data from all the major tech companies. Everything that gets sent to Microsoft, Google, Meta, Apple, Amazon, etc.. is already stored in a national intelligence database, and law enforcement officers, as members of federal task forces, already have access to this database. These are forgone conclusions.

https://www.aclu.org/fact-sheet/doc...illance-procedures-threaten-americans-privacy

The only remaining question is how much of that information is usable in a local court, since 5th and 6th amendment protections require that trials be public and that the defense team have access to all material and information from the investigation via discovery. The courts have gone back and forth on this issue for years now.

Crime, DNA, and Family: Protecting Genetic Privacy in the World of 23andMe – Arizona State Law Journal

arizonastatelawjournal.org

Parallel Construction is a known method of evidence laundering. Originally developed by the DEA as a way to use evidence from secret classified intelligence programs in public trials.

https://www.nacdl.org/Media/Parallel-Construction-Discover-Govt-Evidenc-Source

https://federalcriminallawcenter.com/2018/02/illegal-nature-parallel-construction-investigations

https://www.hrw.org/report/2018/01/09/dark-side/secret-origins-evidence-us-criminal-cases

Through a practice known as “parallel construction,” an official who wishes to keep an investigative activity hidden from courts and defendants—and ultimately from the public—can simply go through the motions of re-discovering evidence in some other way. For example, if the government learned of a suspected immigration-related offense by a person in Dallas, Texas, through a surveillance program it wished to keep secret, it could ask a Dallas police officer to follow the person’s car until she committed a traffic violation, then pull her over and start questioning her—and later pretend this traffic stop was how the investigation in her case started.

The method involves the investigator originally using material from some national intelligence problem for the investigation, then prior to charging the suspect they launder the evidence through a public warrant process where they replace the original secret evidence with publicly collected not-secret evidence. A practical example of this would be them having gained access to the contents of a defendants email account via a secret data sharing program with Google. Inside that email account are several incriminating emails. Now if they went to trial with that, they would have to not only show the existence of that secret data sharing program, but also provide the defendants legal team access to it so that they could mount a defense against the evidence collected from it. That is a non-starter, so instead I would reconstruct the chain of evidence by generating a warrant for those records and fabricate a probable cause statement saying I had received an "anonymous tip" or had some other source/reason to believe that incriminating evidence existed. Then with that warrant obtain the same records I already have and use those "new" records in the case file. It's blatantly unconstitutional but extremely hard for the defense to prove happened.

This is a massive battle going on right now across court rooms all across the USA. With rulings coming in all sorts of directions. The only real protection is to minimize the amount of information provided to third parties because once it's out of your control there is virtually no protection of it. Microsoft might keep your data out of Amazons hands, but they sure as heck won't keep it from any federal agencies.

 

[husker]

Just because a software company puts something in the Terms Of Service, that doesn't make it binding or even legal. If that were the case they could just put "By using this software you agree that we now own your house, all your cars, and your first born child."

 

[palladin9479]

Just because a software company puts something in the Terms Of Service, that doesn't make it binding or even legal. If that were the case they could just put "By using this software you agree that we now own your house, all your cars, and your first born child."

Unfortunately in this case, it's perfectly legal (in the US) because you are agreeing to give them that information as a condition for using that application. In the USA you have the right to give away whatever information you want to give away, and once given away you can't demand it be given back. From a legal point of view it's like putting a bunch of pictures on some community billboard, then demanding people not look at them and give back the copies.

 

[toadhammer]

Yeah, ok with the propaganda, but "the Man" doesn't spy on all of us at once

Um, well, yes they do. It got so successful, beyond their wildest dreams, that they had to commission new data centers about 10 years ago just to store all the stuff. Check wikipedia for the Utah Data Center. No, it probably doesn't have email content or phone audio. But it would have email addresses and phone numbers. And anything interesting google etc can hoover up. If you've ever driven 56 mph, you're guilty of something.

It came out back then they're analyzing the first 3 degrees of Kevin Bacon for anyone "of interest." So if you know someone, who knows someone, and that someone might be Bin Laden, or Martin Luther King, or John Denver, or walked into a mosque in New York, they are tracking you specifically. And even you don't fall in there, they're still hoovering it all up to analyze to see if you fit in those 3 degrees.

If the privacy aspect doesn't give you shivers, just think of all that wasted tax money. On the microsoft/google side, just think of all they're taking and not paying you for, personal data or cpu cycles.

 

[USAFRet]

Just because a software company puts something in the Terms Of Service, that doesn't make it binding or even legal. If that were the case they could just put "By using this software you agree that we now own your house, all your cars, and your first born child."

You wouldn't have agreed to such a statement.
And would be found non valid in a court of law.

What you DID agree to is far less onerous.
And especially when you use their platforms to voluntarily publish your info.

 

[USAFRet]

Here's a fun one:
https://www.nbcnews.com/tech/securi...l-health-data-was-surprisingly-easy-rcna70071

 

[killingtime]

I'm still using Windows 7 x64 as my daily. Custom firewall rule set (block in out by default) and uBlock. I 'stocked up' on Win7 computers when 8 came out (all freebies) but the writing is on the wall. Once they stop issuing MSE updates and new web browsers then it's game over. M$ should issue a version that costs more and has no spyware. Corporations would by this. I'm probably already exists, but only under volume licensing to stop the proles adopting it.

 

[Unolocogringo]

I'm still using Windows 7 x64 as my daily. Custom firewall rule set (block in out by default) and uBlock. I 'stocked up' on Win7 computers when 8 came out (all freebies) but the writing is on the wall. Once they stop issuing MSE updates and new web browsers then it's game over. M$ should issue a version that costs more and has no spyware. Corporations would by this. I'm probably already exists, but only under volume licensing to stop the proles adopting it.

You do know that user telemetry collecting was added to win7 during later updates.
So 7 is not innocent like it was in the beginning.

 

[KyaraM]

You do know that user telemetry collecting was added to win7 during later updates.
So 7 is not innocent like it was in the beginning.

At this point in time, the only innocent OS(s) is/are likely Linux distros, sadly...

 

[palladin9479]

You do know that user telemetry collecting was added to win7 during later updates.
So 7 is not innocent like it was in the beginning.

It's not "telemetry", so much as the quantity and type of data. Windows 7 is safe, Windows 10 is mostly safe after applying some configuration changes, Windows 11 currently is straight up spyware. Eventually the community will find a solid solution for making Windows 11 "safe", likely when MS stops developing on it and moves on to Windows 12. With Windows 11 the spying is built into every application, every click, every setting change, every textboxt filled out results in the system phoning home about it. Doing network capture at the router level we can actually see this happening in real time. That level of intrusion just makes it harder and more time consuming to disable, not impossible but definitely not easy. I suspect Windows 12 will require an always on internet connection to even start up.

 

[husker]

Unfortunately in this case, it's perfectly legal (in the US) because you are agreeing to give them that information as a condition for using that application. In the USA you have the right to give away whatever information you want to give away, and once given away you can't demand it be given back. From a legal point of view it's like putting a bunch of pictures on some community billboard, then demanding people not look at them and give back the copies.

You wouldn't have agreed to such a statement.
And would be found non valid in a court of law.

What you DID agree to is far less onerous.
And especially when you use their platforms to voluntarily publish your info.

I don't disagree, but my example is extreme and ridiculous simply to make the point that there is a line at which an agreement cannot be held to, even if it is agreed to. We can't decide where that line is here, I just wanted to establish that there is one and the claim "It was in the service agreement" is not the final word in a legal sense. What often seems obvious in the law can be subjected to all kinds of legal challenges and can go either way depending on what court it goes before. A lawyer might ask: Did the person fully understand the agreement as stated in the agreement? Does it use legal terms a layperson is not expected to fully understand? Is there some other privacy protection that these terms conflict with? And so on.