A lot has been made of Win10’s supposed privacy issues. On one extreme you’ve got folks claiming Microsoft is outright spying on you and even making claims it is a government spy tool. On the other extreme you have the Microsoft fanbois claiming everything is above-board, harmless, and for your own good. Me. I’m somewhere in between.
Before we get into this, I don’t care if Google, or Apple, or Ubuntu, or anyone else is doing it. It’s irrelevant to the argument.
I don’t like Windows Update being forced on us (without a hack). I don’t like the idea of my computers becoming part of Microsoft’s botnet, or torrent network, or whatever you want to call it. I don’t like that almost everything in the Privacy settings is on by default. I don’t like even the idea of Cortana. There is something, well, creepy about a machine watching, listening, learning about me. Oh, and to the naysayers who claim that the Speech, inking, & typing Privacy setting isn’t a keylogger, see here. Fortunately this is off by default.
This week Microsoft finally entered the discussion. Their two main points:
1 – Windows 10 collects information so the product will work better for you.
2 – You are in control with the ability to determine what information is collected.
In addition they claim all data sent is anonymous, “doesn’t include any of your content or files” and “neither Windows 10 nor any other Microsoft software scans the content of your email or other communications, or your files, in order to deliver targeted advertising to you.”
At the same time they state that they need “Personalization Data” to “deliver a delightful and personalized Windows experience to you, which benefits from knowing some things about you to customize your experience.” Think Cortana, News app, Weather app, etc.
I’ll accept point one. I get it.
As for point 2 and beyond…
Microsoft, you burned up any chance of me trusting you with the GWX stunt you pulled. It was beyond arrogant. You had a chance to save face. You could have apologized and pulled the offending updates but nooooooo.
So, it’s time for a little examination. Let’s break out Wireshark.
***Fair warning. I am NOT a security or Wireshark expert.
***Also, sorry for the lack of screen shots but I’m not showing my network data to the internet.
I only ran Wireshark for about an hour on each rig. I may let it run overnight at some point.
Since I’ve seen multiple forum posts on what networks Win10 is accused of secretly connecting to, I combined a couple of lists and then modified them. After my test I edited out the Windows Update connections (see below). Here is my filter list:
host cs1.wpc.v0cdn.net or host df.telemetry.microsoft.com or host i1.services.social.microsoft.com or host oca.telemetry.microsoft.com or host oca.telemetry.microsoft.com.nsatc.net or host pre.footprintpredict.com or host reports.wes.df.telemetry.microsoft.com or host sqm.telemetry.microsoft.com or host sqm.telemetry.microsoft.com.nsatc.net or host statsfe1.ws.microsoft.com or host telecommand.telemetry.microsoft.com or host telecommand.telemetry.microsoft.com.nsatc.net or host telemetry.appex.bing.net or host telemetry.urs.microsoft.com or host vortex-sandbox.data.microsoft.com or host vortex-win.data.microsoft.com or host vortex.data.microsoft.com
or host watson.telemetry.microsoft.com or host redir.metaservices.microsoft.com or host choice.microsoft.com or host reports.wes.df.telemetry.microsoft.com or host wes.df.telemetry.microsoft.com or host services.wes.df.telemetry.microsoft.com or host sqm.df.telemetry.microsoft.com or host telemetry.microsoft.com or host watson.ppe.telemetry.microsoft.com or host telemetry.appex.bing.net or host telemetry.urs.microsoft.com or host settings-sandbox.data.microsoft.com or host survey.watson.microsoft.com or host watson.live.com or host watson.microsoft.com or host statsfe2.ws.microsoft.com or host corpext.msitadfs.glbdns2.microsoft.com or host compatexchange.cloudapp.net or host cs1.wpc.v0cdn.net or host a-0001.a-msedge.net or host diagnostics.support.microsoft.com or host corp.sts.microsoft.com or host feedback.windows.com or host feedback.microsoft-hohm.com or host feedback.search.microsoft.com or host rad.msn.com or host preview.msn.com or host dart.l.doubleclick.net or host ads.msn.com or host a.ads1.msn.com or host global.msads.net.c.footprint.net or host az361816.vo.msecnd.net or host reports.wes.df.telemetry.microsoft.com or host df.telemetry.microsoft.com or host i1.services.social.microsoft.com or host ssw.live.com or host statsfe1.ws.microsoft.com or host msnbot-65-55-108-23.search.msn.com or host a23-218-212-69.deploy.static.akamaitechnologies.com
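A way to build a filter like this from several merged lists, as an added example (not the author's code): it drops duplicates and malformed entries, leaves out the Windows Update hosts, and also checks DNS query names against the list, which helps because libpcap resolves each `host <name>` to addresses once, when the filter is compiled. The two input lists are constructed samples using hostnames from this page, and all function names are hypothetical.

```python
import re

# Constructed sample: two overlapping host lists of the kind merged in the post.
LIST_A = ["vortex.data.microsoft.com", "sqm.telemetry.microsoft.com",
          "telemetry.appex.bing.net", "fe2.update.microsoft.com"]
LIST_B = ["SQM.telemetry.microsoft.com.", "telemetry.appex.bing.net",
          "watson.telemetry.microsoft.com", "bad host!"]
# Hosts deliberately left out of the filter (Windows Update, as in the post).
EXCLUDE = {"fe1.update.microsoft.com", "fe2.update.microsoft.com"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case, strip the trailing root dot; None if not a valid hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return name

def merge_lists(*lists, exclude=()):
    """Merge in order, dropping duplicates, invalid names and excluded hosts."""
    seen, hosts, rejected = set(), [], []
    for raw in (n for lst in lists for n in lst):
        host = normalize(raw)
        if host is None:
            rejected.append(raw)
        elif host not in seen and host not in exclude:
            seen.add(host)
            hosts.append(host)
    return hosts, rejected

def capture_filter(hosts):
    """Build a libpcap capture filter of the form 'host a or host b'."""
    return " or ".join(f"host {h}" for h in hosts)

def on_watchlist(qname, hosts):
    """True if a DNS query name is a watched host, a subdomain of one, or a
    chained alias of one (e.g. sqm.telemetry.microsoft.com.nsatc.net)."""
    q = normalize(qname) or ""
    return any(q == h or q.startswith(h + ".") or q.endswith("." + h) for h in hosts)
```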
Laptop
I’ve got Win10 Insider build 10547 running at default settings with a Microsoft account. This means most Privacy settings are at minimum and telemetry is WFO. This will be my baseline. I loaded the filters and fired up Wireshark immediately after boot. Holy…wow… you wouldn’t believe the number of connections, the amount of data being sent, and how often.
My Machine
Local login. All privacy options turned off. I rarely use IE or Edge (and did not before or during this capture). I do not use, nor has this machine ever used, the Microsoft Store. All uninstallable Metro/Windows apps have been uninstalled. Cortana is disabled.
Hmmmm…
In this test Win10 only made one connection. It was to 2606:2800:11f:179a:1972:2405:35b:459 (93.184.215.200) mscrl.microsoft.com. Near as I can tell it was for SSL keys?
So…
Since the machine had already checked for updates today I manually ran Windows Update. It connected to:
2a01:111:f307:1794::a01
ip whois:
fe2.update.microsoft.com.akadns.net
fe1.update.microsoft.com.akadns.net
fe2.update.microsoft.com
fe1.update.microsoft.com
Manually ran Windows Defender Update. It connected to 2a01:111:f307:1794::a01
ip whois:
fe2.update.microsoft.com.akadns.net
fe1.update.microsoft.com.akadns.net
fe2.update.microsoft.com
fe1.update.microsoft.com
Opened Windows Media Player. It connected to 191.238.35.163:
IP Lookup Result for 191.238.35.163
IP Address: 191.238.35.163
Organization: Microsoft Azure
ISP: Microsoft Corporation
I’ve no idea why WMP needed to connect to anything.
Manually launched Windows Feedback. It connected to 131.253.61.98, 23.13.171.27, and 23.13.168.70
I did not proceed and did not log in.
IP Lookup Result for 131.253.61.98
IP Address: 131.253.61.98
Organization: Microsoft Corp
ISP: Microsoft Corp
IP Lookup Result for 23.13.171.27
IP Address: 23.13.171.27
Host of this IP: a23-13-171-27.deploy.static.akamaitechnologies.com
Organization: Akamai Technologies
ISP: Akamai Technologies
IP Lookup Result for 23.13.168.70
IP Address: 23.13.168.70
Host of this IP: a23-13-168-70.deploy.static.akamaitechnologies.com
Organization: Akamai Technologies
ISP: Akamai Technologies
Windows Feedback also made DNS queries for: login.live.com.nsatc.net, login.live.com, ocsp.ws.symantec.com.edgekey.net, e8218.ce.akamaiedge.net, ocsp.verisign.com, evsecure-ocsp.verisign.com
*UPDATE 0612hrs 30SEP2015
Overnight my computer exchanged 43550 bytes of info with:
65.52.108.29 (sqm.telemetry.microsoft.com) ipwhois = bingbot
65.55.252.93 (sqm.telemetry.microsoft.com) ipwhois = bingbot
2606:2800:11f:179a:1972:2405:35b:459 (cs1.wpc.v0cdn.net) ssl keys?
Conclusion
From the points above:
– Right now it looks as if Microsoft’s point 2 from above “You are in control with the ability to determine what information is collected” is mostly correct.
– We have no idea if Microsoft actually anonymizes our data and AFAIK no proof to the contrary.
– At default settings we have no idea if Microsoft “scans the content of your email or other communications, or your files” and AFAIK no proof that it does. I’ve seen no evidence that it is with all my Privacy settings locked down.
The aim of this post was not to convince anyone of anything but to pass on my observations.
As far as I can see the level of privacy you have with Win10 is on you. If you trust Microsoft…
SW says
Excellent post.
Have you tried running TCPView as well? I locked my Windows 10 machine down as I value my privacy and when I run TCPView I see virtually no connections to Microsoft. I have disabled Cortana and don’t use Edge or OneDrive.
I am keen to give Wireshark a whirl!
Eric (a.k.a. TweakHound) says
Haven’t used it in years. I need to give it a go. Thanks!
SW says
No problemo! I usually close all my apps and close some system tray apps like Skype. I am pretty much seeing no traffic to MS. Now on a test VM with the defaults it’s scary! I would still like to try Wireshark on my locked down machine.
I would imagine/assume that when Threshold 2 comes in November that it’ll reset MANY of my locked down settings……