Microsoft Reveals The Data Windows 10 Actually Collects


In a bid to stem the tide of criticism against Windows 10's approach to data collection, Microsoft has come out and published an explanation showing more precisely the kinds of data it collects from users' PCs.

In a post on Microsoft's TechNet, the company has outlined specifics about the types of information Windows 10 collects from your system. Windows breaks things up into two general categories: the Basic level, which the OS maker argues "can identify problems that can occur on a particular device hardware or software configuration", and the full set of diagnostics.

Most diagnostic events will collect a header of what Microsoft calls "common data". Here's what that encompasses:

Information that is added to most diagnostic events, if relevant and available:

• OS name, version, build, and locale
• User ID — a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
• Xbox UserID
• Environment from which the event was logged — Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the period an app is running or between boots of the OS.
• The diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags
• HTTP header information including IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.
• Various IDs that are used to correlate and sequence related events together.
• Device ID. This is not the user provided device name, but an ID that is unique for that device.
• Device class — Desktop, Server, or Mobile
• Event collection time
• Diagnostic level — Basic or Full, Sample level — for sampled data, what sample level is this device opted into

The clarity comes ahead of the full launch of the Windows 10 Creators Update next week, which you can download early via this link from the Microsoft website. In a separate blog post, Microsoft added that they had "reduced the number of events collected" and reduced what is collected at the Basic diagnostics level by approximately half.

That same post added that Windows 10 would be clarifying its descriptions and options around privacy settings, giving users the option to disable speech recognition (bye Cortana), location services, targeted ads and "tailored experiences", and to choose whether to enable only a Basic or Full level of diagnostics.


For those going through a clean installation of Windows 10 post-Creators Update, here's what you'll see during the setup process:

Image: Microsoft

The options and new descriptions will be rolled out to Windows 10 Mobile as well, for those still wedded to that system. Microsoft added that they will also be including the data picked up by Cortana in the Microsoft Privacy Dashboard, an online tool that lets you review and delete information that Windows 10 has attached to your Microsoft account in the cloud.


    $5 say they rename the Telemetry service again so people can't disable it.

    Seriously, Microsoft, you owe it to yourself; listen to your customers when they say 'No' to being monitored.

    Windows is the product; not the end user.

      As they say: If you are not paying for the product, then you are the product.
      And they did give out Win 10 upgrades for free....

        Actually, I did pay for the product; when I bought the thing in full on a USB.

        Updates are not a product on their own, they are continuation of maintenance of the product after sale.

        So nope, that claim in this regard is not valid.

          It shouldn't be valid, but I'm not sure Microsoft agree.

          Indeed, but, I do have to say regardless of the free thing (which I don't agree with), there's definitely terms and conditions there, which probably say in there "Each night we're going to break in and practically shove a satellite up your ass Cartman style..."

            For Windows 7, the terms and conditions didn't exist until Microsoft attempted to force the reality of telemetry onto these users, so it's not something that was accepted before using the OS.

          @jocon and @weresmurf: Here's the thing, this telemetry has nothing to do with keeping the OS maintained and easier to find bugs as Microsoft claim.

          It is there as an anti-piracy measure.

          Pretty rich considering how the main protection measure, Windows Activation which started in Windows XP, was something Microsoft basically stole called UniLoc.

            That's not true. I did extensive wireshark testing before and after Windows 10's release to examine what data was being transmitted at different levels. All of it has a use and almost all of it can be switched off.

            Basic-level telemetry is the minimum telemetry on Home and Pro editions and the only telemetry that can't be switched off. It's required for Windows Update to function correctly, it's used in particular to select hardware-specific security updates and verify they were applied correctly. Security-level fails to transmit necessary information on the success or failure of security updates. Basic telemetry only captures hardware attributes (eg. CPU, RAM, HDD used/free), Internet Explorer version, number and speed of network adapters, IMEI (if applicable), OS version and virtualisation state. None of it is personally identifiable and the OS doesn't require any response - you can block the URLs where telemetry is sent and your OS will work just fine, there's no anti-piracy behaviour associated with it.

            Side note, you can't get security-level telemetry (setting 0) on non-enterprise versions, 0 behaves the same as 1 (basic) on Home and Pro editions. This registry hack is widespread but doesn't do anything.
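The point made in the comment above, that a configured level of 0 is not honoured on Home and Pro, can be checked on a machine with a short audit script. This is an added example, not part of the original thread or Microsoft's tooling; the edition match used to decide whether level 0 is honoured is an assumption based on that comment.

```powershell
# Added example: report the configured vs. effective diagnostic data level.
# AllowTelemetry values: 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full.
$levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-ConfiguredTelemetryLevel {
    # The Group Policy location is checked first, then the local policy key.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Level = [int]$item.AllowTelemetry; Source = $path }
        }
    }
    return $null   # value not set in either location
}

function Resolve-EffectiveTelemetryLevel {
    param([int]$Configured, [string]$EditionId)
    # Assumption: only these edition families honour level 0; Home ("Core")
    # and Pro ("Professional") treat 0 as 1, as the comment above describes.
    $honoursSecurity = $EditionId -match 'Enterprise|Education|Server|IoT'
    if ($Configured -eq 0 -and -not $honoursSecurity) { return 1 }
    return $Configured
}

$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$configured = Get-ConfiguredTelemetryLevel
if ($null -eq $configured) {
    Write-Output "AllowTelemetry is not set; the level chosen in Settings applies (edition: $edition)."
} else {
    $effective = Resolve-EffectiveTelemetryLevel -Configured $configured.Level -EditionId $edition
    [pscustomobject]@{
        Edition    = $edition
        Source     = $configured.Source
        Configured = $levelNames[$configured.Level]
        Effective  = $levelNames[$effective]
        Overridden = ($effective -ne $configured.Level)
    }
}
```

An `Overridden` value of `True` means the registry value is present but the edition sends Basic-level data regardless.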

              Sorry, Zombie, I was thinking more of their so-called "Connected Desktop Experience and Telemetry" service.

              Was this on at all when you tried WireShark?

              Regardless there was a point when Windows 10 did try to even track what applications one had installed.

              Based on what you have said, it looks like they have stopped playing Eric Blair to some degree.

              One last note; yes, I knew that was the lowest level in the Home/Pro editions.

                I don't remember if the service was called that at the time but pretty much yes. A list of applications installed is part of the Enhanced and Full telemetry levels I believe, it's mainly intended for analysing battery usage on mobile devices (laptops included) and whether apps are properly transitioning into sleep states.

                It's not a critical service, for maximum privacy I definitely recommend setting telemetry to basic. You'll be prompted to choose your telemetry settings again when you install the Creator update, just set everything to off/minimum and only the stuff I mentioned above will be sent back, once a day.

                I'm not sure you can view the Wireshark traffic, I haven't heard of anyone being able to view the telemetry because it's encrypted and stored on the PC before being sent to Microsoft.

                How would you get the key to decrypt telemetry files? No one has access to it.

              "I did extensive wireshark testing before and after Windows 10's release to examine what data was being transmitted at different level"

              I'd be interested in how you read the ENCRYPTED telemetry using Wireshark. Microsoft uses double encryption. The telemetry is encrypted on your hard drive so it can't be examined and then it is sent using encrypted transmission.

              It is possible to read the encrypted transmission since it uses a symmetric encryption key, but all you will see is encrypted information that represents the encrypted hard drive file.

              Microsoft will almost certainly use an asymmetric encryption key to encrypt the files on your hard drive (so you absolutely won't have access to the decryption key that only Microsoft has).

              Really interested in how you are reading this telemetry that not a single security expert has reported being able to read.

                It wasn't file-encrypted in the fast ring prerelease versions, just XML data compressed and TLS encrypted which is easy to break. I compared file sizes once that stopped working. I'm not the only one who analysed this traffic, you can probably still find articles on it from 2014-15.

                By the way, you should be careful running multiple accounts here (admin777, user777), sockpuppeting is against the community guidelines. Just a heads up.

              Not one expert has stated that they have decrypted the telemetry.

              Last edited 08/04/17 12:03 pm

            It has nothing to do with anti-piracy. WGA checks etc are trivial. If it was used as an anti-piracy measure, we'd see a lot less piracy of Windows over the years.

            Hell, you might as well claim Steam is spying on you...

              You mean they're not?

              As I just posted to Zombie Jesus, this is based on at one point the telemetry tried to track even what applications were installed.

              During the preview releases there was even a key logger.

              It looks like this may have changed since then but as my past post shows I'm like a revenant; I don't forgive and never let up in being a reminder in what some have done wrong.

                The keylogger, as much as it is one, is still there. It's bundled as part of the speech, ink and typing service that uses cloud resources for handwriting analysis, intention analysis and the cloud typing dictionary (basically this shares your custom dictionary entries across devices).

                This is in my opinion the least justifiable telemetry item (it should be split into three separate items). They don't transmit everything you type, just dictionary hits/misses and dictionary entries, but I'd very much prefer that setting was separated from cloud voice processing because switching this off stops you using voice with Cortana. It's not a grievous privacy breach but unless you use Cortana I do recommend switching it off. It's under System settings > Speech, inking and typing privacy settings (I'm sure you know this wisehacker, but just in case anyone else reads it).

                  Will double check anyway; don't remember that setting and given I work with medical data it is better safe than sorry.

                  Not to get too far off topic, but this does make me wonder if the term PC is more a misnomer these days.

    I can't wait till DirectX is a thing of the past and the OpenGL API takes over, hello Linux.
