We're spying on you, NOT!

Every few months some clueless online rag runs a FUD article claiming that Microsoft is spying on you. I can’t speak for all of the examples they commonly quote, but I can talk about a few of the ones I know how work, and I can say that if the rest are like these then this is total FUD.

This morning I ran across one of these articles on SoftPedia (Forget about the WGA! 20+ Windows Vista Features and Services Harvest User Data for Microsoft). Let’s walk through some of the “features” in Windows they say are “Harvesting User Data”:

Windows Update, Web Content, Digital Certificates, Auto Root Update, Windows Media Digital Rights Management, Windows Media Player, Malicious Software Removal/Clean On Upgrade, Network Connectivity Status Icon, Windows Time Service, and the IPv6 Network Address Translation (NAT) Traversal service (Teredo) are the features and services that collect and deliver data to Microsoft from Windows Vista. By using any of these items, you agree to share your information with the Redmond Company. Microsoft says that users have the possibility to disable or not use the features and services altogether. But at the same time Windows update is crucial to the security of Windows Vista, so turning it off is not really an option, is it?

OK, let’s start at the top with Windows Update. First, you must opt into this, but what does it really do? Well, if you choose this option what you’re saying is that you want Windows to determine which patches are appropriate for your machine, download them, and possibly install them to keep your PC “up to date and healthy”. What this means is that catalogs will be downloaded to your PC that are used to determine which files to download. One can infer (with poor resolution) what’s on your machine from this activity, duh; no one is sending “User Data”, at least not under any definition that a user would use.

How about Web Content and Media Player? When you go to www.unmitigatedrisk.com dozens of files are downloaded: the CSS, images, possibly some JavaScript, cookies, amongst other things. But your browser only did an HTTP GET of /, which returned a document that referred to all of these other things, and the browser presumes that your goal in doing that GET was to get a page that displays as the author intended, so it fetches the content the author specified. You can turn these settings off discretely, but you end up with a crummy web experience (essentially the same description holds true of Media Player; think of playlists as the corollary). There are other examples here too. For example, when you go to https://www.verisign.com, before you download the document at / you actually establish an SSL/TLS session, but that web server might only send you its certificate and not the other material (revocation information, intermediate certificates, etc.) that is necessary to validate the server’s certificate, so the browser must work with the OS to “discover” this information or you can’t tell whether someone is pretending to be VeriSign or not. Once again, no "User Data" here; the best one can do is infer affiliation based on what content is being downloaded, but this isn’t a Microsoft thing, it’s a web thing.

What is Auto Root Update? Well, this is more certificate stuff. The way X.509 certificates work is that credentials are issued by credential issuers, and these credential issuers can delegate the right to issue credentials; validating a credential requires the “discovery” (as discussed previously) of all elements involved in the issuance of the end credential, and all of this must be rooted in a “root certificate authority”. The thing is that there are a fair number of these root certificate authorities out there. The common example is VeriSign, but the real issue is that there are over 177 sovereign nations out there, each with their own ideas of who should be issuing credentials for their communities, so you don’t just get to say “oh, it’s this entity for the world”. This is why Microsoft has the Microsoft Root Certificate Program, for which a fixed set of requirements has been published (Microsoft Root Certificate Program Requirements) telling these issuers what the requirements are for participating (BTW, MSFT uses the strictest requirements in the industry), and it publishes the current membership of the program (Microsoft Root Certificate Program Members). To complicate things more, this list of issuers is not static, which means there is a need to manage that list of issuers, and that’s the Auto Root Update feature. Again, this can be disabled, but if you do so you won’t be able to browse the web securely unless you decide to evaluate each and every issuer and its practices and manually provision these root certificates to your machines. Once more, no "User Data" here, just the potential to infer affiliation, but practically the data is so abstract here that no data of use could really be found.
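To make the “discovery” step in the two preceding paragraphs concrete, here is an added, constructed model (not code from the original post or from Windows) of what a client has to do when a server hands over only its own certificate: follow issuer links, fetch any missing intermediate from its AIA “CA Issuers” URL, fetch the revocation lists, and stop only when the chain lands on an issuer that is in the local root store. The CA names and URLs are placeholders, signature checking is deliberately left out, and the only thing recorded is the list of URLs that would leave the machine, which is exactly the information an observer could use to infer “affiliation” and nothing more.

```python
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia_ca_issuers: Optional[str] = None  # AIA "CA Issuers": where the issuer's cert is published
    crl_dp: Optional[str] = None          # CRL distribution point for this cert's revocation status

# Constructed PKI for the demo; the names and URLs are placeholders, not real CAs.
ROOT = Cert("Example Root CA", "Example Root CA")
ISSUING = Cert("Example Issuing CA 1", "Example Root CA",
               aia_ca_issuers="http://aia.example.test/root.cer",
               crl_dp="http://crl.example.test/root.crl")
LEAF = Cert("www.example.test", "Example Issuing CA 1",
            aia_ca_issuers="http://aia.example.test/issuing1.cer",
            crl_dp="http://crl.example.test/issuing1.crl")
HANDSHAKE = [LEAF]  # all the server sent in the TLS handshake: its own certificate
# Offline stand-in for the CA's web repository: URL -> certificate it would return.
REPOSITORY = {"http://aia.example.test/issuing1.cer": ISSUING,
              "http://aia.example.test/root.cer": ROOT}

def build_path(presented: List[Cert], root_store: Dict[str, Cert],
               repository: Dict[str, Cert], max_depth: int = 6) -> Tuple[List[Cert], List[str]]:
    """Walk issuer links from the leaf until the issuer is found in the local root store.
    Returns (path, urls_fetched); raises ValueError when no trusted root is reached.
    Signature and validity-period checks are omitted: the point is what must be fetched."""
    by_subject = {c.subject: c for c in presented}
    path, fetched = [presented[0]], []
    while len(path) <= max_depth:
        current = path[-1]
        if current.issuer in root_store:              # anchored in a trusted root: done
            path.append(root_store[current.issuer])
            fetched += [c.crl_dp for c in path if c.crl_dp]  # revocation data is fetched too
            return path, fetched
        if current.issuer == current.subject:         # self-signed, but not in the store
            raise ValueError(f"chain ends at untrusted root {current.subject!r}")
        issuer = by_subject.get(current.issuer)
        if issuer is None:                            # not presented: discover it via AIA
            if current.aia_ca_issuers is None:
                raise ValueError(f"no AIA URL to locate issuer {current.issuer!r}")
            fetched.append(current.aia_ca_issuers)
            issuer = repository.get(current.aia_ca_issuers)
            if issuer is None:
                raise ValueError(f"AIA fetch failed for {current.aia_ca_issuers}")
        path.append(issuer)
    raise ValueError("path exceeds max_depth")
```

Running `build_path(HANDSHAKE, {ROOT.subject: ROOT}, REPOSITORY)` yields the three-certificate path and the fetched URLs; running it with an empty root store fails even though the root certificate itself can be downloaded, which is the point of keeping the root list current.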

How about the Network Connectivity Status Icon? Who doesn’t want to be able to figure out if they have connectivity to the internet? Well, that’s all this does: it connects to a known address on the internet to see if there is a network connection. Again, this can be turned off if you don’t want it, but I personally find it invaluable when trying to connect to a wireless network. Where is the privacy implication here? I see no "User Data" being exposed in a transaction like this, and I don’t even see the ability to infer affiliation, since this is the moral equivalent of a ping.

Maybe my favorite is the Windows Time service. Since many protocols require time to be within some tolerance to facilitate secure communication (Kerberos, for example), in today’s world having a means to synchronize your clock automatically is a requirement. Again, you can turn this off, but why would you? All that happens is your PC does an NTP request for the current time. What good is a $1000 PC that can’t even tell you what time it is? What "User Data" is exposed in this transaction, that you care about having an accurate clock?

I only talked about a few of these items; there are simply too many to comment on right now, but I do think the ones I picked all represent the spirit of these “connect back” cases. Although the uber geek might be willing and/or happy to deal with these problems on their own, “normal” users would not, nor would they have sufficient understanding of the purpose of the security-related ones to understand the implications of their actions.

It’s also important to understand that EVERY OS and application with similar functionality has similar connect-back capabilities for the very same reasons; the thing is that they do not go out of their way to write down all of the connect back cases, so unless you’re an uber geek inspecting network traffic you don’t even know that these things are going on.

This, in my humble opinion, is yet another example of Microsoft being vilified for doing what’s right, when it should instead be held up as an example of how things should be done. Now don’t get me wrong, I am not suggesting that we “do no evil” as Google suggests they do (to be clear, I am not saying we do evil either), but I am just tired of uninformed FUD.

posted on Monday, July 02, 2007 9:50 AM
