Microsoft tracks Windows 7 and 8 users, harvesting more data

Security researchers have discovered that four recent updates to the Windows 7 and 8 operating systems allow Microsoft to collect a variety of usage information.

Microsoft has already come under fire for Windows 10, whose telemetry feature by default collects usage information from basic error reporting to more enhanced data - including the frequency with which certain apps are used, the memory state of a device if and when a crash occurs, and memory snapshots.

Indeed, some users have been so concerned about privacy on Windows 10 that they have deliberately held off upgrading.

Now Martin Brinkmann of technology blog Ghacks.net has found that four "upgrade preparation" updates for Windows 7 and Windows 8 have activated data collection processes similar to those of Windows 10, probably in the belief that users on these systems will eventually migrate to the newer version of the OS.

The four updates are as follows:

  • 3022345: Update for customer experience and diagnostic telemetry - This update introduces the Diagnostics and Telemetry tracking service to in-market devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.
  • 3068708: (Replaced update 3022345.) Update for customer experience and diagnostic telemetry - This update introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.
  • 3075249: Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 - This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels.
  • 3080149: Update for customer experience and diagnostic telemetry - This package updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.
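
To see which of these four updates are present on a Windows 7 or 8.1 machine, a check along the following lines can be run in PowerShell. It is an added example, not part of the original article; the variable names are illustrative, and the KB numbers and summaries are the ones listed above.

```powershell
# The four "upgrade preparation" updates named in the article.
$telemetryUpdates = @(
    @{ Id = 'KB3022345'; Summary = 'Diagnostics and Telemetry tracking service (replaced by 3068708)' },
    @{ Id = 'KB3068708'; Summary = 'Diagnostics and Telemetry tracking service (replaces 3022345)' },
    @{ Id = 'KB3075249'; Summary = 'Telemetry points in consent.exe (UAC elevations)' },
    @{ Id = 'KB3080149'; Summary = 'Update to the Diagnostics and Telemetry tracking service' }
)

# Read the installed-update inventory once. Get-HotFix -Id raises an error
# for a KB that is not installed, so build a lookup table instead.
$installed = @{}
Get-HotFix |
    Where-Object { $_.HotFixID } |
    ForEach-Object { $installed[$_.HotFixID] = $_ }

# One row per update: present or not, and when it was installed.
$report = foreach ($u in $telemetryUpdates) {
    $hit = $installed[$u.Id]
    New-Object PSObject -Property @{
        Update      = $u.Id
        Installed   = [bool]$hit
        InstalledOn = $(if ($hit) { $hit.InstalledOn })
        Summary     = $u.Summary
    }
}

$report | Select-Object Update, Installed, InstalledOn, Summary | Format-Table -AutoSize
```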

According to The Hacker News, the telemetry services created by these updates interact with the domains vortex-win.data.microsoft.com and settings-win.data.microsoft.com.

Originally, it was believed that these domains were hardcoded, meaning that the Hosts file was automatically bypassed. However, it has since been revealed that these new connections can be blocked via the use of software firewalls.

In order to remove these updates, the best advice is for users to choose not to install them in the first place!

If they have already been installed, users can refer to this guide here.

Clearly there are advantages to sharing information with your operating system. Regularly sharing crash reports and app usage can optimize a user's desktop experience and make interacting with their device all the more personal and fluid.

However, if a user should want to opt out of this type of arrangement, it shouldn't take a registry change to do it.

Hopefully Microsoft and other tech giants will realize this fact as privacy continues to shape users' expectations with regard to what their technology should and shouldn't do.

2 Responses

  1. M. Sirell

    September 3, 2015 at 12:59 pm #

    A memory dump from my machine will quite likely contain a lot of PII, and as such this process falls under the UK Data Protection Act. Where is the mandatory clear request for consent that is required before any PII is collected? Surely Microsoft don't just assume that US law applies everywhere in the world? If so, I hope the EU Privacy Commissioner throws the book at them.

  2. Anonymous

    September 3, 2015 at 1:58 pm #

    I'm done with Microsoft.

    Thanks for including that link to undo the updates they've forced upon users.