Biz & IT —

Even when told not to, Windows 10 just can’t stop talking to Microsoft

It's no wonder that privacy activists are up in arms.

Windows 10 uses the Internet a lot to support many of its features. The operating system also sports numerous knobs to twiddle that are supposed to disable most of these features and the potentially privacy-compromising connections that go with them.

Unfortunately for privacy advocates, these controls don't appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft's servers.

For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.

Shown in the Fiddler debugging Web proxy, the request that the Start menu makes every time you start typing into it or boot your machine.
Enlarge / Shown in the Fiddler debugging Web proxy, the request that the Start menu makes every time you start typing into it or boot your machine.

Some of the traffic is obviously harmless. On connecting to a new network, Windows machines try to request two URLs (www.msftncsi.com/ncsi.txt and ipv6.msftncsi.com/ncsi.txt, the former over IPv4, the latter over IPv6) to ascertain whether a given network is routed to the Internet and if there is a captive portal in the way (NCSI stands for "Network Connection Status Indicator"). These requests are very bare, with no machine IDs or other data sent. If you want to turn even these off there is a way to do so, but the privacy impact is minimal.

Some of the traffic looks harmless but feels like it shouldn't be happening. For example, even with no Live tiles pinned to Start (and hence no obvious need to poll for new tile data), Windows 10 seems to download new tile info from MSN's network from time to time, using unencrypted HTTP to do so. While again the requests contain no identifying information, it's not clear why they're occurring at all, given that they have no corresponding tile.

Other traffic looks a little more troublesome. Windows 10 will periodically send data to a Microsoft server named ssw.live.com. This server seems to be used for OneDrive and some other Microsoft services. Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn't connected to a Microsoft Account. The exact nature of the information being sent isn't clear—it appears to be referencing telemetry settings—and again, it's not clear why any data is being sent at all. We disabled telemetry on our test machine using group policies.

We have no idea what's going on here.
Enlarge / We have no idea what's going on here.

And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

We've asked Microsoft if there is any way to disable this additional communication or information about what its purpose is. We were told "As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer's chosen privacy settings. This also applies to searching offline for items such as apps, files and settings on the device." This is consistent with what we saw (there is no query or search data transmitted), but also likely to run counter to most people's expectations; if Web searching and Cortana are disabled, we suspect that the inference that most people would make is that searching the Start menu wouldn't hit the Internet at all. But it does. The traffic could be innocuous, but the inclusion of a machine ID gives it a suspicious appearance.

We've argued recently that operating systems will continue to make privacy-functionality trade-offs. For many users, perhaps even the majority, these trade-offs will be worthwhile; services such as Cortana (Siri, Google Now), cloud syncing of files, passwords, and settings, and many other modern operating system features are all valuable, and many will feel that the loss of privacy is an acceptable price to pay. But the flip side of this is that disabling these services for those who don't want to use them should really disable them. And it's not at all clear that Windows 10 is doing that right now.

Listing image by Photograph by Alan Cleaver

Channel Ars Technica