Windows 10 spies on everything you do, and presumably windows 11 does to a greater degree.
Your windows photos app has over 122 tables [0] of analysis on every picture on your machine. It does facial recognition and more and likely reports a lot of this back to ms. That’s just one app!
Hm, the word “likely” is doing a lot of work there. If anything local storage of this stuff is encouraging, it suggests at least the possibility that this isn’t all living in the cloud. But it’s being interpreted as a negative with an unsubstantiated assumption about how the data is being used.
I’d also like to think we could have a better discussion on HN than “big number scary”. 122 tables sounds like a lot, sure. They could denormalise the whole dataset and keep it in one table, key/value store style. Would that be better? It’s a photo app with facial recognition. Stands to reason that it needs to store facial recognition data.
Springtime [3 hidden]5 mins ago
> Your windows photos app... does facial recognition and more and likely reports a lot of this back to ms. That’s just one app!
The link you cite though was careful to avoid making claims that couldn't be substantiated. It lists only what is in the database locally and the telemetry section doesn't include image content/metadata but user interactions with the app itself.
callamdelaney [3 hidden]5 mins ago
Yep the post is also 7 years old. I suspect there is a lot more going on now, but I haven’t investigated in a while.
madeofpalk [3 hidden]5 mins ago
> more and likely reports a lot of this back to ms
Isn’t this the literal definition of FUD? Fear, Uncertainty, and Doubt.
I would like to hope the orange site approaches this topic with more substance. Do the analysis of network traffic to see what gets sent home. Decompile the binary to check it out for these sorts of things. Don’t just write your anti-MS fanfic and pretend that it’s something meaningful.
People and object detection are pretty baseline features for a photo management app these days IMHO. I like that my photos app automatically finds all the photos of my dog.
callamdelaney [3 hidden]5 mins ago
Why would it need to be performing facial analysis and have over 120 tables of information in the first place?
madeofpalk [3 hidden]5 mins ago
Automatic albums of people is table stakes for a photo management app. Everyone has it - Apple Photos, Google Photos, Immich, etc.
That requires facial detection.
callamdelaney [3 hidden]5 mins ago
I disagree. I don’t want that feature. None of the photo apps I use by choice have it, and I’ve never once used it on iOS. It creates multiple albums for the same person anyway so it’s useless.
afavour [3 hidden]5 mins ago
You not wanting it != table stakes for a photo app.
I use it, my family uses it, my friends use it. Anecdotal data to be sure. But I think if barely anyone used it you wouldn’t see it as a base feature in almost every photo sharing app.
callamdelaney [3 hidden]5 mins ago
That’s like saying an AI co-pilot is table stakes for an operating system. It isn’t.
eurekin [3 hidden]5 mins ago
> it returned 2021.1019.1.0, whatever that means
That looks like a version number...
Would like to see more of the captured data, because a simple "about" dialog would also need to call some server to check if the software is the latest version. To display the "you have the latest version" label.
Springtime [3 hidden]5 mins ago
This is a reasonable reaction to this. I pause when accusations jump immediately to spying as other explanations can exist without adding to FUD and noise online. It's not always difficult to find the purpose of something either with a bit more digging.
I've seen something similar occur for some popular Youtube videos, too. A video author will fire up some arbitrary Windows setup, which can come bundled with third-party software and use Bing for various things including weather in the taskbar and queries in the search bar, then open Wireshark to scaremonger with DNS queries, accusing Microsoft of spying just for requests made by the services/programs/features they have enabled in their install.
When often cursory lookups of the domains in search engines show what their purpose is and are contrary to such videos' alleged (and worse, guessed) purpose.
It's a problem as there are legitimate concerns with certain aspects of Windows software with non-privacy respecting defaults but for an average user it gets muddled with irrelevant/incomplete info that doesn't lead to high quality actionable results.
globalnode [3 hidden]5 mins ago
Windows is basically ad/spyware, personally I only use it under sufferance for games and while doing so I remind myself constantly that I'm being watched/recorded and my computer is out of my control. So I play games, then log to Linux if I want to do anything real. Even then, do we know some rogue process isn't vacuuming up your keystrokes? Can still get a lot done without an internet connection I guess if you plan ahead.
Eavolution [3 hidden]5 mins ago
Even with games nowadays you'd be surprised with the quality of gaming on Linux. I've got a laptop with an nvidia graphics card running linux, historically a problematic to say the least setup. I've only had one game I needed to tweak the startup settings for (other than forcing the use of proton), everything just kind of works now.
I will put a big disclaimer here that I don't play online games really and some are just fecked due to certain anti cheats.
blooalien [3 hidden]5 mins ago
Used to be that any two of those three things (Laptop, NVIDIA, Linux) together was enough to ensure endless hassle dinkin' with various things to get it all running somewhat halfway right. Nowadays it seems like most everything on Linux is pretty much real deal "plug-n-play" except the odd occasional AAA game publisher goin' all purposely anti-Linux with their DRM or anticheat.
Praise be to Valve / Steam for their massive (and ongoing) push to make gaming viable on Linux for a wider audience outside the "nerd" crowd runnin' WINE from commandline, and various "retro" / classic console emulators (and of course "indie" games). Love bein' able to click "Play" and most games these days just run (despite my bein' one of those "nerds" who ran games in WINE long before Valve ever did). :)
globular-toast [3 hidden]5 mins ago
Even installing Gentoo today feels like cheating compared to what it was like in the early 2000s. It really does mostly just work these days.
anthk [3 hidden]5 mins ago
You don't need Steam; you can just use Lutris, where you even have a Flatpak.
7speter [3 hidden]5 mins ago
Maybe you know this, but steam does more than get games playing on Linux. They (Valve?) have a group that develops drivers for AMD gpus on Linux. Their contributions still may not be limited to just that primarily, but if there wasn’t Valve it would seem we’d have a lot less to play on Linux at the very least.
specproc [3 hidden]5 mins ago
Wanted to play Helldivers with my boys from back home. They're on Xbox, I'm on Linux, guess who could play it?
I love that Arch is a better gaming platform than Xbox these days.
ksynwa [3 hidden]5 mins ago
Online games with ring 0 anticheats not working on Linux is a feature actually
danparsonson [3 hidden]5 mins ago
Yeah Rust is non-functional for that reason sadly, but otherwise I'm loving my Linux life; most everything else works great. Valve have done us a great service with Proton.
jstanley [3 hidden]5 mins ago
> do we know some rogue process isnt vacuuming up your keystrokes?
The standard for holding a belief isn't "can you prove it is not so?", but "on the balance of evidence, is it likely to be so?".
If you believe everything you can't disprove, you'll hold an awful lot of bizarre and contradictory beliefs.
In the past I have spent some time believing some things simply because I couldn't disprove them, it is not good for the soul.
7373737373 [3 hidden]5 mins ago
The fact that our currently popular operating systems don't enable users to trivially 'disprove' such possibilities really shows how shitty they all are
madeofpalk [3 hidden]5 mins ago
What is a way in which you could disprove this?
How could you disprove that the Ubuntu ISO doesn’t do the same thing?
ndsipa_pomu [3 hidden]5 mins ago
Well apart from monitoring network traffic, with Ubuntu you can examine the source code for anything that you don't trust or dive into what system calls an application makes by using "strace".
madeofpalk [3 hidden]5 mins ago
How is this different for Windows? Can’t you monitor Windows network traffic as well?
Does Ubuntu provide reproducible builds? How do you disprove that the source code isn’t for the thing that you’re downloading?
The (not so) revealing thing here is that this isn’t a technical problem, but that Microsoft has just completely lost the trust of people.
ndsipa_pomu [3 hidden]5 mins ago
Well you can try monitoring Windows network connections, but Microsoft do seem to love obfuscating it with connections to multiple different domains that they own.
You can't even look at the Windows source code, so your question about reproducible builds seems to be moving the goalposts somewhat.
Also, is there something like "strace" on Windows?
Numerlor [3 hidden]5 mins ago
What is Ubuntu's source code worth for when you download precompiled binaries without checking if they were built with that source code?
lyu07282 [3 hidden]5 mins ago
I think that was also the common approach to paranoia about your privacy pre-Snowden. But he kind of ended that discussion for many, although denial or ignorance is probably better for your soul indeed.
franczesko [3 hidden]5 mins ago
Playing games on Linux nowadays works like a charm. I had no issues with any Steam or Epic store games whatsoever.
johnisgood [3 hidden]5 mins ago
Many games I would like to play are Windows-only, so that kind of sucks, but then again, I installed Windows 11 just for this purpose. So not complaining, until my programs and games will stop working when Windows 13 (or whatever) comes out. I had to upgrade from Windows 9 to 11 because it became obsolete and unsupported.
theandrewbailey [3 hidden]5 mins ago
> Many games I would like to play are Windows-only
> Proton is a new tool released by Valve Software that has been integrated with Steam to make playing Windows games on Linux as simple as hitting the Play button within Steam.
johnisgood [3 hidden]5 mins ago
But it does not offer me a clickable "Play" button for exclusively Windows games, unfortunately. Or is this something else? Or perhaps I have to do some configuration of some sort? I am really not sure. It works for games that have Windows + Proton (icon / logo), but the games I want have only windows.
Balinares [3 hidden]5 mins ago
It works out of the box here? Steam supports running most "Windows-only" games on Linux without trouble; you may just have to select the Proton version once.
I don't remember when I last encountered a game that didn't run. I'm sure those exist, mind. Perhaps I've just been lucky.
kalaksi [3 hidden]5 mins ago
It does, you'll probably have to enable proton in Steam settings. Also, in the store pages, you can see Steam Deck compatibility rating (and details about that) which means linux in practice. Some warnings regarding small text in some games don't apply to bigger displays, of course.
olddustytrail [3 hidden]5 mins ago
Right click on the game in your library and choose Properties.
Then click Compatibility and tick "Force the use of a specific Steam Play compatibility tool". Choose a recent version of Proton.
You only need to do this once and then try the game as normal. It's not guaranteed to work with everything but it's worth a shot.
kgwxd [3 hidden]5 mins ago
I was super pissed when epic announced dropping Linux support for Rocket League. Once it was done, I fell in love with Proton, it ran better than both the native Linux version, and the Windows version on Windows.
butz [3 hidden]5 mins ago
They will probably use collected telemetry data to build a third "control panel" to go along with already existing "control panels".
userbinator [3 hidden]5 mins ago
I saw this happening in 11 too, not surprisingly. It's become increasingly difficult to get Windows to stay quiet on the network, although a lot of other software is also guilty of this background noise.
red_admiral [3 hidden]5 mins ago
This sounds like standard telemetry to me, probably only ever studied on aggregate and so fairly anonymised data.
I'm not saying this is good, and I hope the EU mandates an effective OFF switch. But I don't see how Microsoft cares that you personally adjusted your screen brightness out of all the billions or so of data points they collect each day.
Maybe the NSA's permanent record programme has some use for this?
nmeofthestate [3 hidden]5 mins ago
There's a potentially interesting article here where the content of the network requests and responses is investigated to find out what's happening, but this article isn't that - it just knee-jerks into cranky allegations of sPyiNg.
alkonaut [3 hidden]5 mins ago
Apart from the reason of ”if they spy on this, who knows what else” and ”I don’t want to waste resources on telemetry” what is the reason to not allow a vendor to see which settings page you visit?
Obviously if you opt out (or rather, didn’t opt in) you shouldn’t be sending telemetry. But the line between a necessary network call and an optional one is often blurry.
triska [3 hidden]5 mins ago
As to other reasons apart from the violation of privacy: Every network call adds additional latency and slows down interactions with the OS. Every data gathering feature adds additional complexity to the implementation, takes attention away from other implementation work that could be done instead, and increases the risk of adding further mistakes to the implementation. Personally, I would like OS and application vendors to work on improving security and correctness of their programs and reducing latency instead of adding data gathering features.
> But the line between a necessary network call and an optional one is often blurry.
What would be an example of a necessary network call that an ideal OS (i.e., one that cannot be easily compromised and does not require updates around the clock to correct programming mistakes) has to perform on its own?
If a company is interested in how users use their applications and desperately need our data for it, they may be interested in funding dedicated studies and appropriately compensating users that send their data, if it is so valuable for the company.
jstanley [3 hidden]5 mins ago
> What would be an example of a necessary network call that an ideal OS [...] has to perform on its own?
Syncing the clock with NTP?
hulitu [3 hidden]5 mins ago
> Syncing the clock with NTP?
So every app, instead of querying the OS, shall make a network call, to get the time from an NTP server?
jstanley [3 hidden]5 mins ago
I don't understand how you got that. The question was about network calls that an OS would perform on its own.
alkonaut [3 hidden]5 mins ago
Have you developed large applications with/without anonymous usage data?
You need a good volume of data and you aren’t going to want to pay for it for one simple reason: you can get it for free and only a tiny group of users are going to be upset enough by this.
Not sure what the reference to “ideal OS” is about. I thought this was about windows in particular.
Necessary network calls would be related to updates, licensing etc. But the thing is: they would be going “home” to the exact same servers as telemetry AND they would easily contain the same payload.
hulitu [3 hidden]5 mins ago
> You need a good volume of data
it is called testing. _Testing_. But of course, testing sucks and it's expensive.
alkonaut [3 hidden]5 mins ago
Testing?
You can’t say how your users use your software through testing. Not by surveys/panels/interviews either.
But yes: alternatives are also more expensive (which means it’s expensive for the end user). Users pay one way or another.
zbentley [3 hidden]5 mins ago
No, sorry. Testing answers “does the feature work?”. Usage telemetry answers questions like “was the feature a good idea?” and “are enough users successfully using the feature to justify the cost of creating/maintaining it?”.
Those are not questions for which pre-release testing can provide answers.
I’m not weighing in on opt-in vs opt-out, or on anonymization. Just saying that testing doesn’t cover this niche.
(Separately, I think you’re largely wrong about testing as well: crash dump collection is about finding issues that pre-release testing wouldn’t find at any price. For things like OSes especially, the permutation space of hardware * software * user behavior is too large. While I’m sure a few companies use crash reporting as a crutch to support anemic QA programs, I do not think that many do.)
AllegedAlec [3 hidden]5 mins ago
> What would be an example of a necessary network call that an ideal OS
DHCP
defrost [3 hidden]5 mins ago
Not strictly necessary though.
I grew up sans DHCP with static IP assignments per device .. and still practice that on modern home networks and production networks.
The only DHCP calls here are made by foreign devices wanting an assigned address, which gets them on a narrow range on a side net.
AllegedAlec [3 hidden]5 mins ago
In that case sure maybe not. However, most systems aren't run by deep experts but by regular users which expect a device to be plugged into a network and then have the capability to use the internet without user interference. That more or less necessitates DHCP.
defrost [3 hidden]5 mins ago
> However, most systems aren't run by deep experts ...
Luckily static IP addresses can be set up by the majority of teenagers that just want to play Doom, etc.
At least that was the case decades ago .. is this now "deep knowledge" that necessitates that OS's have to use DHCP with no other option ?
Perhaps we have different understandings of the words "necessary" and "sufficient", etc.
bboygravity [3 hidden]5 mins ago
This and also it's pretty obvious that the main goal of both Microsoft and Google is NOT to make the OS better for its users.
So the claim that telemetry is used to improve products is simply a lie IMO.
The fact that telemetry is sent at all for no apparent reason and deliberately without clear consent is an ironic example of this. The fact that it's been happening more and more over the past decades as the OS'es evolved is another confirmation of it.
danieldk [3 hidden]5 mins ago
I generally agree, though for system settings specifically, I wonder what kind of ad targeting would you get out of that?
Still think it shouldn't be there by default - it reduces privacy and is a lame excuse not to do (paid) user studies.
triska [3 hidden]5 mins ago
> for system settings specifically, I wonder what kind of ad targeting would you get out of that?
You get sensitive data out of system settings, such as for instance health data: Does the user have a vision or hearing impairment, use assistive technologies etc.?
zbentley [3 hidden]5 mins ago
> (paid) user studies
Would it count as a paid user study if enabling telemetry for Windows knocked $10 off of the price of your computer?
I can’t decide if that’s a neat idea or dystopic. Which, historically, probably means it’s dystopic and that plenty of people are already doing it.
I think “traditional” paid user studies often suffer from the same sampling problems that make political polls and behavioral paid medical studies less useful (you’re not surveying the average voter; you’re surveying the average voter who likes to answer polls). But maybe the “$10 off” idea would capture a broad enough demographic as to be more useful.
jjav [3 hidden]5 mins ago
The best way to think of it is the software must serve me, the owner of the computer, and nobody else.
Years ago when spyware was not the norm, there would be outrage if anyone caught some software sending as much as a single packet of data that was not legitimately initiated by the needs of the user/owner. We need to return to that mindset.
alkonaut [3 hidden]5 mins ago
I think this is really simple: telemetry should be opt in, anonymous, and _in_ the interest of the user in the long term by the improvement of the software. Because it’s _not_ possible to get this information any other way through user studies etc.
If it’s hard to disable, contains any PII or sensitive info (urls, file names) then it’s not OK.
userbinator [3 hidden]5 mins ago
> what is the reason to not allow a vendor to see which settings page you visit?
It's all about privacy; and by privacy, I don't mean the "privacy" that often gets thrown around by Big Tech to mean "only we can see what you do". What I do on my computer is none of their business.
alkonaut [3 hidden]5 mins ago
Anonymous usage statistics means no one stores what _you_ do though. Obviously sending a url you visit or a file you open is way over the line. That’s about what you do. I think there is a difference between that and feature usage as counters only.
userbinator [3 hidden]5 mins ago
If it can be correlated (e.g. via TLS fingerprinting or other identifying information such as IP address), it's not anonymous.
alkonaut [3 hidden]5 mins ago
Yes if it can be deanonymized then it’s not anonymous. Almost a tautology that.
You can’t send the telemetry over http without revealing an ip, but obviously that ip can’t be stored as part of the telemetry data. That’s PII and not anonymous at all.
Important: if I collect anonymous telemetry you better trust me that it’s anonymous when I say it is. Because if you don’t trust me on that then you can’t run the software at all (if it’s a piece of software that relies on web requests in some form at least). Otherwise why would you even trust that my opt in is respected?
You have to trust software vendors of software that makes http requests. It’s as simple as that. You can use open source or try to inspect packets. Or firewall the software. But if it does (for example) one update check on startup which is common, then it’s almost impossible to tell whether it contains telemetry data. Because even the bare minimum request “this is FooApp 2.9.1 are there any updates” contains important usage stats: it’s +1 for the use counter and +1 for the v2.9 use counter!
pacifika [3 hidden]5 mins ago
I had written down many reasons but the onus should not be on people explaining why they don’t want to be tracked, in a society I’m happy to live in. Software is part of society.
alkonaut [3 hidden]5 mins ago
But should developers not be allowed to have it in their software? So long as it has a label “this software sends usage stats, if you don’t like it don’t use it, or don’t opt in” should that be banned? Or is that acceptable?
timeon [3 hidden]5 mins ago
> in their software?
I made a mistake thinking it was user's software.
alkonaut [3 hidden]5 mins ago
If the user develops something they can do it however they want. It’s not “theirs” because it’s installed on their machine. They can’t even control how it runs on their machine short of sandboxing it. They can choose to run it as the developer wanted or not at all.
You didn’t answer the question: should it be somehow banned?
qmr [3 hidden]5 mins ago
> what is the reason to not allow a vendor to see which settings page you visit?
Because it's not their fucking computer!
Nothing about this is necessary.
Nothing here is "blurry".
alkonaut [3 hidden]5 mins ago
The shitty thing isn’t phoning home, the shitty thing is doing what’s not described on the label.
If a piece of software says “this will do X if you run it” and then it does X then I don’t see the complaint (yes I realize lots of software uses dark patterns or doesn’t say what it does, especially windows, but _in principle_ I don’t think anonymous telemetry with good clear opt out/in is evil).
AllegedAlec [3 hidden]5 mins ago
Hey, while you're not at home I'm actually using your house as a bachelor pad. Since you're not in, it doesn't affect you, so why complain about it?
alkonaut [3 hidden]5 mins ago
I think I’m going to opt out
kotaKat [3 hidden]5 mins ago
Sorry, we didn't give you those options. You get to choose "yes" or "maybe later", but we're 100% going to be using your property. Love, Microsoft, Google, and every other tech company who thinks this is the proper form of consent <3
alkonaut [3 hidden]5 mins ago
For the sake of argument, the only interesting discussion about telemetry is about whether it’s ok when done right.
I don’t think anyone thinks it’s ok when it’s not done right (not anonymous, dark patterns for opt in/out, etc).
So it’s not a very interesting discussion to have since there is no one arguing for it.
Instead my argument is: when done right, anonymous telemetry isn’t “evil”. To be fair I don’t know if many argue it is either.
There are a few absolutists that think not even opt-in telemetry is acceptable and that developers should do more expensive studies to find how their software is used. It’s really only those I disagree with.
barrkel [3 hidden]5 mins ago
The usual reason for this kind of telemetry is to figure out which features users are using and which they aren't. That guides decisions about what to invest in, what can more or less safely be deprecated, and can even help with promotions.
axitanull [3 hidden]5 mins ago
And with all kinds of telemetry they collected, they managed to create the pinnacle of UI/UX redesign, as shown in the Settings Panels in Windows 11, right?
superjan [3 hidden]5 mins ago
No, that statement was not about Windows, but about the argument for telemetry in general.
mindok [3 hidden]5 mins ago
Is it still like the archeological dig that was Windows 10 settings?
tonyhart7 [3 hidden]5 mins ago
settings panel is great, it's modern and easy to use
pathartl [3 hidden]5 mins ago
People are weirdly attached to Control Panel. What's better: Control Panel -> Network and Internet -> Network and Sharing Center -> Change Adapter Settings -> Properties on selected NIC -> IPv4 -> Properties to set a static IP or Settings -> Network and Internet -> Ethernet -> IP Assignment
People got used to where things were. That does not indicate good UX/UI.
keyringlight [3 hidden]5 mins ago
I'm not sure that's directly on control panel so much as which windows version you pick to look at, over the years it's changed as they try to make it friendly to different audiences. In win2k it's not very deep to get at, by default there's network places on the desktop you can right click to skip a few steps. Similarly they could improve the win8+ settings app but presumably they think win11's version is the best they can offer.
tonyhart7 [3 hidden]5 mins ago
out of touch from reality
people that use windows want simplicity (kids, old people, office workers that want to get the job done etc)
Yeah the new settings is not advanced but that's the point
bboygravity [3 hidden]5 mins ago
So you're saying that decades of telemetry have shown to Microsoft that users increasingly want MORE and more telemetry and no way to turn it off?
I find that hard to believe.
And that users would like the start button to move to the center, the settings config GUI to change completely on every OS release and settings to be in 4 different places and that users don't want more than 1 taskbar row (win 11)? lol, yeah nahhh...
hulitu [3 hidden]5 mins ago
> to figure out which features users are using and which they aren't
Like resizing windows ? Scrollbars ? Title bars ?
A big window telling you that office needs to update when you have work to do (it cannot wait till end of the day).
They rounded the buttons and the windows' corners some months ago, so it must be some use to this "telemetry".
NitpickLawyer [3 hidden]5 mins ago
I have a similar anecdote about android. I was trying to change some setting, but my android phone has like 3 different places where settings can hide (the settings app, google settings app and vendor settings app). So anyway, I open one, search, open the other and so on. I must have opened and switched about 4 times, went through lots of menus, back and forth until I eventually found what I was looking for and changed the setting.
After finishing, like ~10-15 seconds later a "feedback gathering ..." alert popped up, and it was gone in like 5 more seconds. My complete guess is that the constant going back and forth between settings menus and apps triggered something and something got sent to goog. I don't know how I feel about it, but I think I'm mostly fine with that? It sounds like the kind of thing I'd want my products to improve on. In an ideal world I'd get a quick report about what was gathered, and have an option to accept/deny but... Dunno.
qwertox [3 hidden]5 mins ago
I wouldn't be surprised if they periodically collect a list of all the window titles.
Devasta [3 hidden]5 mins ago
Just like with IE, Microsoft will lose domination in the OS space for no other reason than it just gave up.
It's maddening that there is a really capable OS sitting right underneath the layers of crap we have to deal with.
keyringlight [3 hidden]5 mins ago
I'd love to have the inside insight on how MS see WINE and related products and how that compares to how they saw chromium versus Trident/EdgeHTML. I really wonder if windows by itself is a loss leader to other areas where they do make money and would love to stabilize the desktop side and outsource/"contribute" that to others to maintain, just so long as they could keep money coming in from office, user administration, support contracts, alongside the services side.
On a tangent I wonder a similar thing about nvidia/AMD carrying around decades worth of tweaks and fixes for old games within their GPU drivers (and matching that is a cost for entry for intel), could they shed a burden by opening that to projects like DXVK.
CommanderData [3 hidden]5 mins ago
I wish there was a law which mandated update, service and telemetry servers were on different cidrs.
There are frequently updated lists of Windows telemetry IPs you can block using ipsets. But Microsoft always seems to mix these IPs with legitimate services.
djfivyvusn [3 hidden]5 mins ago
How to tell if Microsoft has changed their ways or if they're just playing a long game of embrace extend extinguish.
davydm [3 hidden]5 mins ago
Considering the domains this is likely a network test, though it may be reporting the results of the connection to bing.com to cxcs, which apparently collects telemetry.
On one hand, I get it - a lot of us ping google.com to quickly check the network - doesn't mean we're sending spy data to Google. On the other hand, it would be nice if this was more transparent, perhaps asking if it can perform the test.
charcircuit [3 hidden]5 mins ago
It's normal for programs to reach out to the internet for purposes other than spying on the user. Microsoft is a trustworthy company that wouldn't deploy spyware within an app included in the OS.
eps [3 hidden]5 mins ago
That's sarcasm, HN. That's what sarcasm looks like.
Wobbles42 [3 hidden]5 mins ago
This is true. It can't be considered spyware as long as the beneficiary is publicly traded.
ndsipa_pomu [3 hidden]5 mins ago
You must not be aware of the long history of Microsoft being very untrustworthy and lying about how their software behaves.
Is this intentional devils advocacy for the sake of balancing an expected narrative? Outside of the rarely normative definition threshold as to what constitutes spyware or not, on what data / references (if any) do you base your impression on?
And how does a perception of company trustworthiness correlate with telemetry ethics that don't infringe in some way on 'basic digital human rights' (as defined by GDPR et al, say)?
charcircuit [3 hidden]5 mins ago
>for the sake of balancing an expected narrative?
Yes, because there are many people on this site who also believe a packet being sent to microsoft = spying. A lot of these people grew up with or were influenced by people who grew up before the prevalence of the internet when software engineering was still immature when programs typically didn't communicate with the internet on their own.
>do you base your impression on?
My impression is based off the employees who work there who I would trust wouldn't add things like taking webcam screenshots and sending them back to Microsoft to look at.
>how does a perception of company trustworthiness correlate with telemetry ethics
Consumers and businesses will lose trust in a business if the telemetry data is not anonymized properly and put under strict privacy controls.
userbinator [3 hidden]5 mins ago
> Consumers and businesses will lose trust in a business
I think you're really taking the piss now. Guess how much people trust MS (and the rest of Big Tech) these days.
kekebo [3 hidden]5 mins ago
Overton window calculation usually starts at a minimum of two inputs without proximity requirements (except technical requirements like linguistics/ functional semantics)*
[ * Only because an opinion may appear too far removed from a given perceived spectrum-threshold for 'reasonable reasoning'.. should not necessitate collapsing the contrasting input to some purely sarcastic/humorous telos, especially when this stochastically undermines one's own chances for being afforded the inversely congruent gesture]
lurk2 [3 hidden]5 mins ago
I’m not asking this rhetorically: Are you being sarcastic?
charcircuit [3 hidden]5 mins ago
No. Deploying spyware would break the trust that consumers and businesses have with Microsoft.
notrealyme123 [3 hidden]5 mins ago
I am not sure if this is sarcasm.
But personal information leaving my private computer without my knowledge would be very close to spyware.
Edit: Maybe I am too blind for sarcasm.
k4rli [3 hidden]5 mins ago
Tbf you installed it so you've consented to it. It's like installing a security camera in your own bathroom and then complaining about privacy.
fuzzfactor [3 hidden]5 mins ago
More like a plumber tasked with "modernizing" your bathroom, who as part of the process installs the camera surreptitiously precisely so you won't complain about compromised privacy.
In any event it looks like that bridge is no longer for sale whole-hog. There were some fairly high bidders. A whole lot more people can enjoy the opportunity to participate through timesharing now though than ever before :)
[0] https://www.reddit.com/r/Windows10/comments/8zk1yy/a_simple_...
That requires facial detection.
I use it, my family uses it, my friends use it. Anecdotal data to be sure. But I think if barely anyone used it you wouldn’t see it as a base feature in almost every photo sharing app.
That looks like a version number...
Would like to see more of the captured data, because a simple "about" dialog would also need to call some server to check if the software is the latest version. To display the "you have the latest version" label.
I've seen something similar occur for some popular Youtube videos, too. A video author will fire up some arbitrary Windows setup, which can come bundled with third-party software and use Bing for various things including weather in the taskbar and queries in the search bar, then open Wireshark to scaremonger with DNS queries, accusing Microsoft of spying just for requests made by the services/programs/features they have enabled in their install.
When often cursory lookups of the domains in search engines show what their purpose is and are contrary to such videos' alleged (and worse, guessed) purpose.
It's a problem as there are legitimate concerns with certain aspects of Windows software with non-privacy respecting defaults but for an average user it gets muddled with irrelevant/incomplete info that doesn't lead to high quality actionable results.
I will put a big disclaimer here that I don't play online games really and some are just fecked due to certain anti cheats.
Praise be to Valve / Steam for their massive (and ongoing) push to make gaming viable on Linux for a wider audience outside the "nerd" crowd runnin' WINE from commandline, and various "retro" / classic console emulators (and of course "indie" games). Love bein' able to click "Play" and most games these days just run (despite my bein' one of those "nerds" who ran games in WINE long before Valve ever did). :)
I love that Arch is a better gaming platform than Xbox these days.
The standard for holding a belief isn't "can you prove it is not so?", but "on the balance of evidence, is it likely to be so?".
If you believe everything you can't disprove, you'll hold an awful lot of bizarre and contradictory beliefs.
In the past I have spent some time believing some things simply because I couldn't disprove them, it is not good for the soul.
How could you disprove that the Ubuntu ISO doesn’t do the same thing?
Does Ubuntu provide reproducible builds? How do you disprove that the source code isn’t for the thing that you’re downloading?
The (not so) revealing thing here is that this isn’t a technical problem, but that Microsoft has just completely lost the trust of people.
You can't even look at the Windows source code, so your question about reproducible builds seems to be moving the goalposts somewhat.
Also, is there something like "strace" on Windows?
Mine too, but I'll let you in on a secret:
https://www.protondb.com/
> Proton is a new tool released by Valve Software that has been integrated with Steam to make playing Windows games on Linux as simple as hitting the Play button within Steam.
I don't remember when I last encountered a game that didn't run. I'm sure those exist, mind. Perhaps I've just been lucky.
Then click Compatibility and tick "Force the use of a specific Steam Play compatibility tool". Choose a recent version of Proton.
You only need to do this once and then try the game as normal. It's not guaranteed to work with everything but it's worth a shot.
I'm not saying this is good, and I hope the EU mandates an effective OFF switch. But I don't see how Microsoft cares that you personally adjusted your screen brightness out of all the billions or so of data points they collect each day.
Maybe the NSA's permanent record programme has some use for this?
Obviously if you opt out (or rather, didn’t opt in) you shouldn’t be sending telemetry. But the line between a necessary network call and an optional one is often blurry.
> But the line between a necessary network call and an optional one is often blurry.
What would be an example of a necessary network call that an ideal OS (i.e., one that cannot be easily compromised and does not require updates around the clock to correct programming mistakes) has to perform on its own?
If a company is interested in how users use their applications and desperately need our data for it, they may be interested in funding dedicated studies and appropriately compensating users that send their data, if it is so valuable for the company.
Syncing the clock with NTP?
So every app, instead of querying the OS, shall make a network call, to get the time from an NTP server ?
You need a good volume of data and you aren’t going to want to pay for it for one simple reason: you can get it for free and only a tiny group of users are going to be upset enough by this.
Not sure what the reference to “ideal OS” is about. I thought this was about windows in particular.
Necessary network calls would be related to updates, licensing etc. But the thing is: they would be going “home” to the exact same servers as telemetry AND they would easily contain the same payload.
It is called testing. _Testing_. But of course, testing sucks and it's expensive.
You can’t say how your users use your software through testing. Not by surveys/panels/interviews either.
But yes: alternatives are also more expensive (which means it’s expensive for the end user). Users pay one way or another.
Those are not questions for which pre-release testing can provide answers.
I’m not weighing in on opt-in vs opt-out, or on anonymization. Just saying that testing doesn’t cover this niche.
(Separately, I think you’re largely wrong about testing as well: crash dump collection is about finding issues that pre-release testing wouldn’t find at any price. For things like OSes especially, the permutation space of hardware * software * user behavior is too large. While I’m sure a few companies use crash reporting as a crutch to support anemic QA programs, I do not think that many do.)
DHCP
I grew up sans DHCP with static IP assignments per device .. and still practice that on modern home networks and production networks.
The only DHCP calls here are made by foreign devices wanting an assigned address, which gets them on a narrow range on a side net.
Luckily static IP addresses can be set up by the majority of teenagers that just want to play Doom, etc.
At least that was the case decades ago .. is this now "deep knowledge" that necessitates that OS's have to use DHCP with no other option ?
Perhaps we have different understandings of the words "necessary" and "sufficient", etc.
So the claim that telemetry is used to improve products is simply a lie IMO.
The fact that telemetry is sent at all for no apparent reason and deliberately without clear consent is an ironic example of this. The fact that it's been happening more and more over the past decades as the OSes evolved is another confirmation of it.
Still think it shouldn't be there by default - it reduces privacy and is a lame excuse not to do (paid) user studies.
You get sensitive data out of system settings, such as for instance health data: Does the user have a vision or hearing impairment, use assistive technologies etc.?
Would it count as a paid user study if enabling telemetry for Windows knocked $10 off of the price of your computer?
I can’t decide if that’s a neat idea or dystopic. Which, historically, probably means it’s dystopic and that plenty of people are already doing it.
I think “traditional” paid user studies often suffer from the same sampling problems that make political polls and behavioral paid medical studies less useful (you’re not surveying the average voter; you’re surveying the average voter who likes to answer polls). But maybe the “$10 off” idea would capture a broad enough demographic as to be more useful.
Years ago when spyware was not the norm, there would be outrage if anyone caught some software sending as much as a single packet of data that was not legitimately initiated by the needs of the user/owner. We need to return to that mindset.
If it’s hard to disable, contains any PII or sensitive info (urls, file names) then it’s not OK.
It's all about privacy; and by privacy, I don't mean the "privacy" that often gets thrown around by Big Tech to mean "only we can see what you do". What I do on my computer is none of their business.
You can’t send the telemetry over http without revealing an ip, but obviously that ip can’t be stored as part of the telemetry data. That’s PII and not anonymous at all.
Important: if I collect anonymous telemetry you better trust me that it’s anonymous when I say it is. Because if you don’t trust me on that then you can’t run the software at all (if it’s a piece of software that relies on web requests in some form at least). Otherwise why would you even trust that my opt in is respected? You have to trust software vendors of software that makes http requests. It’s as simple as that. You can use open source or try to inspect packets. Or firewall the software. But if it does (for example) one update check on startup which is common, then it’s almost impossible to tell whether it contains telemetry data. Because even the bare minimum request “this is FooApp 2.9.1 are there any updates” contains important usage stats: it’s +1 for the use counter and +1 for the v2.9 use counter!
I made the mistake of thinking it was the user's software.
You didn’t answer the question: should it be somehow banned?
Because it's not their fucking computer!
Nothing about this is necessary.
Nothing here is "blurry".
If a piece of software says “this will do X if you run it” and then it does X then I don’t see the complaint (yes I realize lots of software uses dark patterns or doesn’t say what it does, especially windows, but _in principle_ I don’t think anonymous telemetry with good clear opt out/in is evil).
I don’t think anyone thinks it’s ok when it’s not done right (not anonymous, dark patterns for opt in/out, etc).
So it’s not a very interesting discussion to have since there is no one arguing for it.
Instead my argument is: when done right, anonymous telemetry isn’t “evil”. To be fair I don’t know if many argue it is either. There are a few absolutists that think not even opt-in telemetry is acceptable and that developers should do more expensive studies to find how their software is used. It’s really only those I disagree with.
People got used to where things were. That does not indicate good UX/UI.
People that use Windows want simplicity (kids, old people, office workers that want to get the job done, etc.)
Yeah, the new settings is not advanced, but that's the point.
I find that hard to believe.
And that users would like the start button to move to the center, the settings config GUI to change completely on every OS release and settings to be in 4 different places and that users don't want more than 1 taskbar row (win 11)? lol, yeah nahhh...
Like resizing windows ? Scrollbars ? Title bars ?
A big window telling you that office needs to update when you have work to do (it cannot wait till end of the day).
They rounded the buttons and the windows' corners some months ago, so there must be some use to this "telemetry".
After finishing, like ~10-15 seconds later a "feedback gathering ..." alert popped up, and it was gone in like 5 more seconds. My complete guess is that the constant going back and forth between settings menus and apps triggered something and something got sent to goog. I don't know how I feel about it, but I think I'm mostly fine with that? It sounds like the kind of thing I'd want my products to improve on. In an ideal world I'd get a quick report about what was gathered, and have an option to accept/deny but... Dunno.
It's maddening that there is a really capable OS sitting right underneath the layers of crap we have to deal with.
On a tangent I wonder a similar thing about nvidia/AMD carrying around decades worth of tweaks and fixes for old games within their GPU drivers (and matching that is a cost for entry for intel), could they shed a burden by opening that to projects like DXVK.
There are frequently updated lists of Windows telemetry IPs you can block using ipsets. But Microsoft always seems to mix these IPs with legitimate services.
e.g. funding SCO to pursue a campaign against Linux users and threatening to take them to court for using Linux: https://www.cnet.com/tech/tech-industry/fact-and-fiction-in-...
e.g. DOS ain't done til Lotus won't run: https://www.proudlyserving.com/archives/2005/08/dos_aint_don...
and many, many more: https://en.wikipedia.org/wiki/Criticism_of_Microsoft