Windows 10's 'built-in keylogger'? Ha ha, says Microsoft – no, it just monitors your typing

YOU said it was OK when you installed that Technical Preview

Don't want Microsoft tracking you online and collecting data on your computing habits? Then you probably shouldn't install the Windows 10 Technical Preview, Redmond says.

The interwebs were abuzz on Monday over concerns about the Terms of Use and Privacy Policy of Microsoft's newly released, not-even-beta-yet OS, with some sites going as far as to claim that Windows 10 comes with a "built-in keylogger" to watch users' every move.

Turns out these Chicken Littles were right – sort of – but according to Microsoft they should have known about the data collection from the get-go, because they agreed to it.

"With Windows 10, we're kicking off the largest ever open collaborative development effort that will change the way we build and deliver Windows," a Redmond spokesperson told El Reg in an emailed statement. "Users who join the Windows Insider Program and opt-in to the Windows 10 Technical Preview are choosing to provide data and feedback that will help shape the best Windows experience for our customers."

And sure enough, although Microsoft isn't providing detailed information about what it's monitoring and how, the red flags for privacy freaks are all there in the legalese everyone breezed through before downloading the preview.

According to the Windows Insider Program's Terms of Use, "The purpose of the Program is to ... provide Microsoft with feedback and detailed usage data about all activities occurring on those devices so that Microsoft and its partners can improve their products and services."

That explicitly includes "personal information," the terms go on to say, and Microsoft might even contact program members with additional information that is personalized just for them.

The program's Privacy Statement gives a few hints about what kind of stuff Microsoft is looking for. Redmond reserves the right to collect such info as, "your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

The Technical Preview also phones home with data about the files you open and "performance or usage information," including what program features you use most often and how long the system takes to respond to clicks.

And then there's this gem, which is the one that got everyone moaning about keyloggers:

[When you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spellcheck features.

Microsoft hasn't said just how many of those typed characters it might collect or how often, but this is in fact something that the Windows 10 Technical Preview might do.

Does this mean Microsoft is planning to use Windows 10 to swipe everyone's online banking passwords? The chances are slim to none – although if you do your online banking on a prerelease test version of Windows with an experimental build of Internet Explorer, you deserve what you get.

Microsoft does, however, seem to be getting more aggressive about the kind of user experience data collection it has been building into prerelease versions of its flagship products for several years now. (Remember all the user data that Redmond said went into crafting the Office Ribbon UI? Where do you suppose it came from?)

How much of this data-collection the shipping version of Windows 10 will do remains to be seen.

"As we get closer to a final product, we will continue to share information through our terms of service and privacy statement about how customer data is collected and used, as well as what choices and controls are available," Microsoft told The Reg.

For now, though, bear in mind that when you fire up the Windows 10 Technical Preview, you are definitely being watched. But you knew that. ®

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022