• Is FireEye getting access to all Win10 telemetry data?

    #20853

    Martin Brinkmann on gHacks is quoting a report from an Australian news magazine ARN that says: FireEye has recently struck a deal Microsoft, designed
    [See the full post at: Is FireEye getting access to all Win10 telemetry data?]

    • #20854

      This doesn’t surprise me. This is usually what telemetry data is used for. Being shared with outside organizations. The problem is that most people either don’t know how this telemetry data is being used or they just don’t care. This is why I ABSOLUTELY refuse to put Windows 10 on any of my machines unless it’s a VM. A lot of people don’t think where all this stuff will be in like 10-20 years.

    • #20855

      This is one of the few advantages of being old: I won’t be around to experience that future.

    • #20856

      Coincidentally, I was just reading that article on Ghacks.net when you posted this here.

      I’ll be glad to read what folks here think about this development — it sounds worrying to me, but I don’t know much about this area.

      By the way, Martin also linked to a Nov. 3 press release about this from FireEye. I don’t know whether it provides you technical folks with any more info or not:
      http://investors.fireeye.com/releasedetail.cfm?ReleaseID=997536

    • #20857

      @Woody,

      I am not sure, but I think in your blogpost you might have misunderstood a sentence of the ARN article.

      I don’t think that ARN was saying that the vendor has backtracked on the FireEye information,

      I think they were saying that Microsoft has backtracked on their goal to have one billion devices running Windows 10 by 2019.


      The paragraph just above the “backtracking” paragraph appears to set out the context of what the “backtracking” is about:

      “Widening the security scope further, Microsoft previously intended to have one billion devices running Windows 10 by 2019.

      While the vendor has since backtracked on this statement – stating that the process would take longer than originally predicted – the direction of travel is clear.”

      I think that they are saying that Microsoft has conceded that it will take them longer than they originally planned to have one billion devices running Windows 10.

      One reason I think this way is because the FireEye tie-up announcement didn’t have any particular predicted date attached to it, so it wouldn’t make sense for the author to say that the FireEye process would take longer than predicted.

    • #20858

      If this is true, this is just one more reason to abandon Microsoft Windows. Why are we hanging on to this nightmare?

    • #20859

      I simply can’t believe it’s true.

      Maybe I’m naive, but this is a new low in Microsoft snooping.

    • #20860

      That may well be. I have a million questions about the article, and I’ll try to get some answers shortly.

    • #20861

      It has been suggested that perhaps this was the main reason for which M$ wanted people to “upgrade” to Windows 10 for “free”. I guess now this theory is “officially” confirmed.

    • #20862

      They are bound to get dinged (at least by EU) for their monopolistic tendencies. This should add more fuel to Kaspersky’s complaint.

      Even so, I see where France has extended the deadline for MS to cease excessive data collection until Jan 2017. And they’re the only ones to take action so far. I doubt the US will even acknowledge same.

      Will anyone stop this train??!!!

    • #20863

      +1

    • #20864

      What do you think FireEye knows about me via Windows 10?

      More than Google via Chrome?

    • #20865

      @ Woody, I think that our email discussion on the article that I sent you has more merit than was thought. MS’s intentional bad updates, future involvement with the new cyber company, our own country’s super-cyber intrusion; we don’t stand a chance. That’s only my opinion.

    • #20866

      Mash it together with LinkedIn and you’ve got something.

    • #20867

      I suppose there are quite a few third parties that are buying telemetry data from MS that we do not know about. A third party is not necessarily an MS business partner, it is more likely a business customer.

      We can only assume that advertisers are included in the ‘business customer’ list.

      Companies like Intel and some OEMs are designated ‘business partners’. MS discloses the names of all their Business Partners and the MS EULA (Privacy statement) states that they ‘share’ telemetry data with them.

      The OEM hardware vendors that are designated MS business partners do their own data gathering on their devices so the ‘shared’ data must be what they can not get access to with their own spy programs. That specific MS data would be very useful to them but also possibly their ‘business customers’. Do they sell it on?

      A lot more transparency would allay many user concerns on this, but MS is as mute as a fish. We can therefore surmise that some telemetry is being used as a revenue generator for MS and that there is possibly trickle down profit mongering to boot.

    • #20868

      If true, this concerns me greatly but doesn’t surprise me in the least.

      From the very moment MS announced that Windows 10 would be free for its first year the writing was on the wall – they need revenue and have to get it from somewhere, so if it isn’t from the users (whether by initial purchase or annual licence) then it has to be from advertisers or other outside interest groups.

      Plus, all their snooping and forced upgrading these days goes far beyond any reasonable requirements for optimising product maintenance and enhancement.

    • #20869

      Incidentally, if MS were to pass any telemetry details onto a third party without obtaining a UK user’s express consent they would fall foul of the Data Protection Act and be liable to prosecution.

    • #20870

      Perhaps that’s what MS wants — to be left only with W10 users who they can exploit to the max without them caring and nobody else.

    • #20871

      No, not at all.

      But folks who bought Win7 have a right to be hopping mad right now. They didn’t sign up to have their personal data sold to a third party.

      Win10 – that’s a different discussion.

    • #20872

      I never doubted it.

    • #20873

      The scary part is what restrictions are placed on FireEye (any other 3rd party) to not share the data. This has the potential to leak data so badly it makes a sieve look water tight.

    • #20874

      It is all about the “other outside interest groups”. Microsoft and Google and Facebook and other technology companies are only the “middle men”.
      Blocking certain patches or services or Scheduled Tasks does very little in that sense.

    • #20875

      Wow, that’s a heck of an insight… Some people would rather die than have to live through the future Microsoft is wreaking.

      The thought that we’re witnessing the end of an era has crossed my mind. And I’m not sure I like the sound of the “next” era much either.

      -Noel

    • #20876

      I expect we’ll be seeing a lot of new lows from them in the months and years to come. Well, at least those of us in the home/SOHO market will, a market I’ve previously hypothesized is something MS would like to jettison (I didn’t come up with the idea, though; I think it was a post on InfoWorld that made the light bulb go on).

      Microsoft’s enterprise clients get the version that has an ‘off’ switch for the spying, for the ads, for the unwanted downloads of Candy Crush and whatever other things MS thinks you should have, and for the Windows Store. The enterprise clients also got a pass on the forced upgrades and adware.

      MS is not so dumb that they don’t know how outraged their non-enterprise customers are getting. If they wanted to keep that market, it seems they’d back off on the abuse and spying, but they have done just the opposite… almost as if they’re _trying_ to alienate us.

      Is there any other explanation that makes sense? How dumb would they have to be to think this kind of abusive behavior is going to do anything other than chase people away?

    • #20877

      Genesis 3:19 – “By the sweat of your face you shall eat bread, till you return to the ground, for out of it you were taken; for you are dust, and to dust you shall return.”
      Yeah, dust, not data.

    • #20878

      +1

      I wouldn’t say “dumb.” I would say “tone deaf.” But other than that, yeah.

    • #20879

      The last statistics on 10 usage was holding steady ~400 million. Assuming about 20 million new PCs are sold every month, mostly replacing worn out kit, 10 seems to be bleeding about 20 million users every month. I have not seen any figures that say Apple or Chromebooks have sold an extra 20 million units per month. So where are they going? Some probably back to previous versions of Windows and some probably to Linux. Even 80/20 back to a previous version means Linux is getting about 4 million new users every month. The last number, while not huge now, means that in a few years most will know a couple people (non IT types) who are regular Linux users and will have seen it in use. The danger to MS is when most users realize they have viable non Windows alternatives at a competitive price point.

    • #20880
    • #20881

      Obviously this means Win 7 & 8 too, since most unsuspecting sheep would have installed this telemetry there also.

    • #20882

      Another explanation to consider: Having run out of ideas of real value, M$ is exploiting a dying franchise.

      They are not deliberately alienating the individual customer base, but instead milking the franchise without regard for the reaction, because if the franchise is dying anyway, who cares?

    • #20883

      +1+1+1+1…..

    • #20884

      +1

    • #20885

      Please pardon my stupid question.

      Is the W7/8.1 Windows Defender (WD) safe to have its definition updated? Is there any change in the WD for W7/8.1 recently? Is there any problem for WD and MB similar to MSE and MB conflict?

      Thank you.

    • #20886

      Dying franchise is an interesting concept. OSes and general purpose applications are mature products. For many, the only reason to get a new version is no vendor support or the old hardware has died. I can not think of a compelling feature for Windows or Office that would make me need to get the latest version. This has been true for at least 10 years.

      All the features touted for 10 are meh. If 7 or 8.1 are working fine, why switch?

    • #20887

      That’s the problem (for them). So now they want to make it my problem as well.

    • #20888

      A non-techie question —
      if a computer’s Windows Defender has always been turned off because the computer uses a third-party security program, does that mean that MS wouldn’t have any Windows Defender data from that computer to pass on to FireEye and the like?

    • #20889

      A more accurate comment can not be made! Bravo!

    • #20890

      Apparent denial from Microsoft…?

      the following is from: https://winbuzzer.com/2016/11/24/microsoft-share-windows-10-telemetry-data-fireeye-security-company-xcxwbn/

      Note:
      As far as I can see, this article does not give a source for the denial from Microsoft, oddly enough.
      I have entered the Microsoft statement’s wording into a search engine but do not see any links for it.

      ——-
      “Microsoft Says It´s Not Sharing Windows 10 Telemetry Data with FireEye

      According to a report, Microsoft will offer access to Windows 10 telemetry data to cyber security firm FireEye on a subscription basis. The company has denied those claims and says the deal does not include telemetry data from Microsoft.

      By Ryan Maskell –
      November 24, 2016 2:02 pm CET
      [UPDATE 25.11.206 – 21:50 CET]

      According to a Microsoft Spokesperson, the deal with FireEye does not include telemetry data as had been reported by ARN.

      Here is their official statement:
      “The nature of the deal between Microsoft and FireEye is to license threat intelligence content from FireEye iSIGHT Intelligence. This additional layer of intelligence includes indicators and reports of past attacks collected and edited by FireEye and enhances detection capabilities of Windows Defender Advanced Threat Protection (WDATP). The deal does not include the sharing of Microsoft telemetry.”

    • #20891

      This appears to point to where that Microsoft denial originated…

      it was apparently issued by an unnamed MS spokesman who was communicating with the author (Wayne Williams) of the following article:

      “Update: Microsoft says that the deal with FireEye doesn’t involve the sharing of telemetry data.
      A Microsoft spokesman tells me:
      ‘The nature of the deal between Microsoft and FireEye is to license threat intelligence content from FireEye iSIGHT Intelligence. This additional layer of intelligence includes indicators and reports of past attacks collected and edited by FireEye and enhances detection capabilities of Windows Defender Advanced Threat Protection (WDATP). The deal does not include the sharing of Microsoft telemetry.’ ”

      from:
      http://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties/

    • #20892

      Thanks for the reference!

      So shoot me, but I think Microsoft’s right. When they issue an official statement, you have to read it very, very carefully – but it’s been vetted by both PR and legal.

    • #20893

      Good question – and I don’t know the answer.

    • #20894

      The problem is proving it.

      From memory MS claim it’s anonymised so the DPA would not apply if that’s the case. Of course no one can prove it either way as MS keep what they collect secret.

      I suspect little will happen with the DPA as there may be party political interests involved (as there is with Google) and I doubt if the ICO even has the resources to take on a corporation the size of MS.

      It’s much easier for the ICO to “look the other way” but hopefully something useful will come from the French investigation, particularly as the GDPR will become a part of UK law initially.

    • #20895

      @Woody:

      I mentioned in a previous post that the most recent updates for MSRT as well as the Definition for Windows Defender are “HUGE” compared to what they were until now.

      In October 2016 the MSRT size was 3.5 MB

      November size is: 47.4 MB
      ***********************

      The Win Defender Def Update for October was 1.6 MB

      November 2016 Defender Def Update size is 39.6 MB

      Is this not considered significant? Just wondering about the increase in size of these two. Perhaps “nothing”??

      Is there a method to disable the MSRT & Windows Defender?

      Thank you for your thoughts on this? 🙂

    • #20896

      Nothing wrong as far as I know.

      Yes, go ahead and install them.

    • #20897

      +1, MS is trying to tie new features to the OS when they should be Windows version agnostic at a minimum if not completely OS agnostic. They have a tendency to tightly couple features to the OS release when they should be loosely coupled. For example with 10 you get Cortana which is not all that useful for many on a desktop. But it is baked into 10 and not easily removed. A better solution would be to have Cortana as an optional feature that can be added and removed by the user without affecting the underlying OS. But Cortana, for all the hype, is not a feature users are salivating over and will rush out to get 10.

    • #20898

      MS is blundering by not explaining the nature of the deal. The first announcement sounded as if FireEye was getting telemetry data in some form for its analysis, not the other direction. There is no good reason why this, if true, should not have been in the original release. Then it is a yawner of a story.

    • #20899

      I didn’t see anything in the FireEye press release that said that they would be receiving telemetry from all of Microsoft’s customers.

      The ARN article seemed to be adding 2 and 2 together to get 5 (or 75!)

      The situation it described is certainly not outside of the realm of possibility though (now or in the future), so it’s not a bad thing that there’s been a scare about it which has drawn more people’s attention to this kind of telemetry and these sorts of powerful corporations that are collecting it, analyzing it, pinpointing individuals from it, and storing it forever.

    • #20900

      A large amount of spatial data analysis is outsourced by large organisations when they don’t already have the capability, or to take advantage of what dedicated geostatistical analysis organisations can offer. Microsoft may quite possibly use other services to look at different data sets.

      Geostatistical Analysis can provide an information rich map of activity around a company’s stores and its competitors’ stores. This includes where their customers and competitors’ customers might live in surrounding areas, purchasing habits, and movements in relation to local stores.

      Five I’s might also get a look in as many participating countries have vague data collection laws in effect or expanding in deployment, and are well positioned for international communications interception.

      Terms like meta-data are vague and could include a wide range of data passing between systems on a network. Meta-data contains information that can be used to further analyse user activities. Depending on security and privacy measures, much more than websites visited and how the content was accessed can be discovered. Meta-data can provide continuing automated updating of a user’s profile, with customisable key word and subject targeting.

      Even innocent data collection can be misused if not well secured. Often a simple and easy to make mistake, such as exposing databases to the web, is a result of misconfiguration.

      FireEye provides some pretty detailed information, and if combined with law enforcement and military fireeye datasets it can provide relationships and movements of entire communities.

    • #20901

      It would come under some NDA anyway. Information of previous fireeye deployment and partnerships can be found on the web.

    • #20902

      So, if a third party AV was installed at the time of the Windows 10 installation, and you were online at the time, is this particular telemetry active anyway? (And how about if you were offline during the initial Windows 10 installation?) Or is it too turned off when Windows defender is turned off?

    • #20903

      I don’t think it was a provocative headline by Woody,

      he didn’t publish it as a “journalistic” story to the general public (such as on InfoWorld or ComputerWorld) but rather as a blogpost on his personal blog that hundreds of people rather than hundreds of thousands probably had even read (that particular blogpost),

      it was a decent question to ask on his own blog,
      it was based on a report on Ghacks.net which was based on a very bold article published by IDG, which appears to be a mainstream IT publishing firm (they publish PCMag or something like that).

      Woody was only mentioning the existence of those other articles, for the general knowledge of his blog participants (who are interested in this kind of thing).

      He wasn’t fanning the flames of a false news story. He wasn’t using it to get “clicks” or further notoriety.

      Woody said it might not be true, he said that he was seeking clarification and had put some questions to whomever and would know more later.

      Woody’s original blogpost didn’t end oddly, it was a normal thing to say. His blog is a place where he writes with a conversational style.

      Ed “please kill me” Bott is being a bit over-dramatic in his piece, in my view.

      Many of the commenters on Woody’s blogpost mentioned that the story was not proven, and then some of them mentioned some ramifications of it and their likely reactions — if it might, in fact, turn out to be true, which it did not turn out to be (apparently).

      IDG isn’t a fly-by-night publishing presence on the internet, so their fact-checking and extrapolations, and their belatedness in revising the story and in responding to the furore they whipped up, CAN all be squarely criticized.

      Microsoft isn’t a lily-white adherent to both the letter and the spirit of their past user agreements, so just because something was not explicitly stated in one of their past user/customer/subject agreements is not reason enough in itself to assume that Microsoft must be completely innocent of any improprieties or overstepping of bounds.

      If I recall correctly, Martin Brinkmann of GHacks was cautious about fully believing the story, Woody was even more cautious about taking it as gospel, and most of Woody’s commenters (who are the people he was having a “conversation” with on his personal blog about the IDG claims) did not automatically assume that the IDG claims were true, but were conjecturing about “what if”.

      FireEye probably would be interested in that kind of data, it is naive to say that they would not value it or would not want it if they could get it.

      Sadly, the chances are that Microsoft IS doing unethical stuff with telemetry / customers’ personal information and behaviors, even if it’s kept and shared only amongst their own companies (such as LinkedIn, Bing, Skype, etc.)

      Sure, bad reporting, terrible fact-checking, exaggerating, misreading situations: good journalists should aim higher.
      But don’t cast aspersions on people like Martin and Woody who were just letting people know about the article (that appeared in what seems to be a legitimate source); they were not _vouching_ for the content and claims of the article, nor were they stirring up their blog readers’ reactions to those way-out claims.

    • #20904

      For those of you who missed it, Ed Bott took me to the woodshed this morning on ZDNet for “fake news.”

      I think poohsticks here is 100% correct. But then I’m a bit biased. 🙂

      Ed and I go way back…

      By the way, I wanted to clarify my “I can’t imagine that it’s true, but the report’s scary” comment.

      The reason why the report (which I debunked last week) is scary has to do with Microsoft’s contractual obligation to their customers, covering information they discern by telemetry/snooping. I’m not aware of any obligation that Microsoft has to keep data acquired by Windows to itself.

      This isn’t a tinfoil hat exercise. It’s a very real concern. Those who use Win10 should realize by now that their Win10 activities are being logged. But those who bought Win7 didn’t sign up for this scraping stuff.

    • #20905

      In any event, to the extent possible, I would now avoid Windows Defender and use third party AV. Not just because of this kerfuffle, but there are performance (detection) issues with WD which still persist, vs. other free solutions.

    • #20906

      You’ve twice mentioned Win7 in relation to this non-story. Why?

    • #20907

      Windows 10 customers should realize that they’re subject to a great deal of telemetry/snooping. Windows 7 customers have seen the game change without an opportunity to bail out, without adequate notification.

    • #20908

      Re: What does Windows 7 have to do with the public’s concerns about what Microsoft is doing with customer data?

      Windows 7/8 customers

      are experiencing increased telemetry being pushed onto their machines without having a chance to understand it or to decline it,

      have been forced to move to a new Windows-10-like Windows updating system that takes away a lot of the control they’ve always had in the past,

      and this past summer they were being strong-armed into accepting an “upgrade” to Windows 10 on their machines beyond any reasonable use of encouragement/persuasion/tricks.

    • #20909

      +1

    • #20910

      You were correct, Woody, to point to the lack of protections covering the data that M$ collects.

      Truth is, there exists no real obligation to users that we can rely on and enforce.

    • #20911

      If my above post looks kind of strange on its own, it was written in response to the Ed Bott article, which had been more apparent in an earlier iteration of the flow of the thread, but Woody had to delete a spammer’s post for site security, and he kindly moved my post so that it wouldn’t be lost in the shuffle.

    • #20912

      Yep. Sorry about that. You were replying to a “pingback” which is an automated notification from the blog software, saying a link to one of AskWoody blog posts has appeared on a different site. It’s very helpful for me, but disruptive to everybody else. I routinely delete them, but if you’re quick (or subscribe to a thread) you may see them briefly.

    • #20913

      Tonight I thought I’d look up the ARN article to see if it had been modified since the original brouhaha, and it appears to have been.

      I don’t exactly remember how it was before, but there seem to be some later insertions:

      “Sources close to ARN… claim that the terms of the deal could see FireEye gain access to telemetry from every device running Windows 10….
      a Microsoft spokesperson told ARN[,] “…The deal does not include the sharing of Microsoft telemetry.”
      Despite the flat denial from Microsoft, the agreement offers many plus points for FireEye….
      Despite denials, ARN sources believe security teams are also able to access the telemetry via a subscription billing model.”

      So they’ve toned it down, but they aren’t saying that their first report was wholly wrong.

    • #20914

      Interesting.

      I originally posed the article as a question, concluding “I can’t imagine that it’s true, but the report’s scary.”

      Three days later, I posted Microsoft’s denial.

      Two days after that, Ed’s article appeared on ZDNet.

    • #20915

      From the edits, it sounds like the journalist has sources he trusts who cannot be named but who are certain that Win 10 device telemetry will be accessible to FireEye.

    • #20916

      It was obvious that you were simply mentioning to the readers of your personal blog a surprising story that had been published by an organ of an established IT publishing company and which was already reverberating around the IT community.

      It was illogical to try to tar a straightforward, open-minded blogpost on your modestly-presented personal blog with the brush of the “fake news” phenomenon.
