Microsoft Edge Privacy Whitepaper

Topic

New Reply

Microsoft has published a very detailed whitepaper on Microsoft Edge data collection. It is very long and detailed. It explains what data is collected
[See the full post at: Microsoft Edge Privacy Whitepaper]

--Joe

4 users thanked author for this post.

abbodi86, Elly, Pepsiboy, woody

Reply | Quote

Replies

joep517 wrote:

No doubt this is a response to the article that surfaced a couple of weeks ago concerning tracking in browsers.

That Microsoft Edge Privacy Whitepaper actually predates the Trinity College Dublin Web Browser Privacy study published on 24th Feb 2020 (and updated twice during March) as it’s been there since 01/14/2020: https://web.archive.org/web/20200118181945/https://docs.microsoft.com/en-us/microsoft-edge/privacy-whitepaper

4 users thanked author for this post.

warrenrumak, Elly, Kirsty, woody

Reply | Quote

The current version was published on April 16, 2020. It contains many revisions to the original. Some of the changes are trivial others not. Thus my contention of being published in response to the other.

--Joe

Reply | Quote

What are the non-trivial changes?

Reply | Quote

[warrenrumak]

There aren’t any. 

Almost all the differences to this document since it was originally published are purely grammatical in nature — changing “doesn’t” to “does not”, “can” to “may”, and “we” to “Microsoft Edge team”.  Stuff like that.

They did add a section titled “Import Browser Data”, which describes that feature… and they removed some text about data collection related to pinned apps (you’d have to ask them why), and that that’s about it.

You don’t even need to look at the Wayback Machine to verify this… the privacy whitepaper, like all Edge documentation, is Creative Commons (CC BY 4.0 to be precise) and available on GitHub.  Its full history of changes may be observed by anyone.

• This reply was modified 5 years ago by warrenrumak.

1 user thanked author for this post.

b

Reply | Quote

The ChrEdge browser is missing one switch – Telemetry OFF. Setting this switch should automatically erase any data collected and block any data collection, forward.

Reply | Quote

On Windows, Edge uses the same telemetry settings as the rest of the OS.  Thereby, if you want it off, turn it off using the usual methods.  Yes, it honours the “Security only” diagnostic level that is available in Education/Enterprise editions… I checked this one myself.

And, like all other web browsers, there is a switch to disable the default behaviour of sending text typed in the URL bar to a search engine.

Reply | Quote

I think it is important that when Microsoft addresses ‘privacy’, especially in a detailed ‘Whitepaper’, that people realize that they spend a lot of time on everything, except an actual off-switch to continuing data collection… and that is true of the OS, Microsoft Apps, and Edge.

Microsoft seems to think that blanketing us with all sorts of reassurance about how private and secure they are, and including assurances that they are committed to data minimization, is the same as providing an off-switch. It isn’t.

The term ‘data minimization’ used with assurances about Microsoft’s commitment is now being used, since privacy advocates and people like me continue to find their data collection objectionable.

At the beginning of the paper:

Our browser privacy promise is to provide you with the protection, transparency, control and respect you deserve.

At the end of the paper:

Microsoft Edge is committed to protecting and respecting your privacy, while giving the transparency and control you deserve.

Although they detail all the ways that you can control aspects of your privacy, apparently end users do not deserve actual privacy, and the ability to opt out of data collection.

I deserve more. My family and friends deserve more. Thing is, since I like to support the people who provide products I use, if Microsoft hadn’t been so determined to use dark methods to impose W10, and marketing-speak to confuse security and privacy, while gutting the desk top operating system of end user controls that matter, in this particular area, I’d be happily using W10 and allowing data collection for the ‘improvement of their services’.

The details that matter to me, from this white paper:

– Although the Edge browser has a re-settable ID number, your W10 operating system does not. Data collection from browser use is combined with the permanent, unchanging, operating system ID.

Some diagnostic data is attached with an identifier unique to your device. Otherwise the diagnostic data is associated with a resettable identifier unique to your browser. These identifiers do not contain your personal information.

If the data being collected contains personal information, then the identifiers do not have to contain it… they are simply a ‘name’ for it. This is another example of muddying the waters. Having a unique or re-settable identifier is the issue. People wanting certain services that require an identifier could be assigned one, for the limits of a particular service. A unique identifier is not necessary to the function of an operating system, for an end user. It is only seen as necessary for a business that is determined to track and violate the privacy of its customers. Transparency, and a lot of choices, is not the same as providing actual privacy.

– The diagnostic data collection and transference that cannot be stopped by the end user is encrypted in transit, and then stored on Microsoft services in its raw form, for 30 days.

Because this diagnostic data is not collected from or stored with your Microsoft account, this diagnostic data may not be viewed or deleted from your Microsoft privacy dashboard.

BUT IT IS ASSOCIATED WITH YOUR HARDWARE THROUGH A UNIQUE IDENTIFIER…

– Part of their data minimization is reassuring us that after 30 days, it is deleted from their server. Now, think about it. How fast can a computer compute and translate things? My computer is performing what would have been miraculous processes back in the day of my slide rule use, faster than I can type. How much time the data is laying around, well, I suppose that would limit the damage from potential hacking and misuse, but give the speed of transfer, and the many ways it can be processed in a very short amount of time, the actual time is inconsequential. My issue has always been that a company committed to using dark mode techniques to prosper is not worthy of trust in the first place.

I keep up with W10, because that is what is being served up with the hardware that my friends and family buy… Microsoft and its ‘partners’ have invested a tremendous amount of time and energy trying to convince us that its data collection is acceptable, and that we should trust them… advertising, white papers, apps and app settings… everything except a way to turn it off. All those resources aren’t being utilized for no reason, when it would be a simple tech fix to have an off switch, under the control of the end user. So… why would it be so important that millions of dollars, and years of PR be spent getting people to accept data collection, transmission, and use by Microsoft.

Microsoft wants us to trust it… so provide a way to turn off data collection and transmission… something simple and end user controlled, and that is open source, so that it can be confirmed by those with the technical know how.

Simple, elegant, effective… and so much cheaper and less time consuming. Those kind of controls need to be part of every operating system and app and service that we use. I’d trust that. At this point it would take more than just that option, for me to trust Microsoft.

PS- Microsoft’s W10 whitepaper on HIPPA privacy details that there is data leakage, even using Enterprise level OS, which the normal end users, here, do not have access to. If the very best level achievable for Enterprise, with a very long list of applicable settings (no risk of making an error, given the very long list of things that must be altered?), is continued data leaks, what hope is there for the rest of us?

Non-techy Win 10 Pro and Linux Mint experimenter

6 users thanked author for this post.

Bill C., Cybertooth, Tom-R, samak, Alex5723, Bengalensis

Reply | Quote

Elly wrote:

My issue has always been that a company committed to using dark mode techniques to prosper is not worthy of trust in the first place.

And then there were the most determined conspiracy theorists of all, who were convinced that Microsoft designed the Windows 10 telemetry subsystem to Hoover all your personal information into the Azure cloud for … some nefarious purpose. Over the past five years, Microsoft has published extensive documentation of exactly what data it collects, and even rolled out a Diagnostic Data Viewer utility that lets you inspect the data for yourself.

There have been some privacy issues with Windows and Office over the past few years, most of them centered on data handling requirements related to the EU’s General Data Protection Regulation (GDPR). But on this topic, I’ll simply repeat what I said last year:

As any Sherlock Holmes fan will appreciate, the most persuasive piece of evidence here is the dog that didn’t bark. Privacy researchers have had four [make that five now – Ed] years to dig into telemetry transmissions from Windows 10, using their own tools as well as the official data viewer. So far, no privacy advocates or government agencies have come forward with any discoveries that contradict Microsoft’s insistence that telemetry data is used only for product improvement.

Windows 10 turns five

Reply | Quote

warrenrumak wrote:

On Windows, Edge uses the same telemetry settings as the rest of the OS.  Thereby, if you want it off, turn it off using the usual methods.

Not good enough. OFF is OFF not a partial “OFF”.

3 users thanked author for this post.

Cybertooth, Bengalensis, samak

Reply | Quote

I feel like if you have to have a big privacy disclaimer on your product, then you have already failed. This goes for Mozilla too, it’s the first thing they show when you start Firefox for the first time.

On the playground we used to have a saying: This is an A and B conversation, so you can C your way out. When I go to [questionable link removed], my conversation is with them, and no one else. I don’t want Facebook stalking me. I don’t need the maker of my OS or web browser stalking me, either. They have no business knowing where I am going or what I am doing, the same way the TV manufacturer has no business knowing what I am viewing.

That said, “big tech” is winning this war. Their biggest success was when they redefined “spyware” as “telemetry” in the press. Telemetry doesn’t sound anywhere near as nasty or unwelcome as “spyware”, but it’s just as bad, they still collect unique “fingerprints” from your PC and a record of every website you visit; exactly the things the public is fearful of. But, like that time you put your dog’s medicine in peanut butter in order to get him to take it, “telemetry” is the new smokescreen for “spyware”!

Moderator note Edit: for content

2 users thanked author for this post.

Bengalensis, samak

Reply | Quote

b wrote:

So far, no privacy advocates or government agencies have come forward with any discoveries that contradict Microsoft’s insistence that telemetry data is used only for product improvement.

I’m not trying to contradict that the data collection is only for product improvement. I’m saying that product improvement is not an acceptable reason for mandatory data collection, and it is morally reprehensible that Microsoft doesn’t provide a simple, total, ‘telemetry off’ choice.

Stop trying to equate me to a conspiracy theorist, as I’m not. I spent my professional life having professional boundaries when dealing with the people I cared for, especially when they were unable and/or incompetent to maintain those boundaries themselves. Boundaries are important in personal and business relationships. Healthy boundaries are important to healthy relationships… exploitation is a violation of trust, especially given the imbalance of power between a billion dollar world-wide corporation, and a non-techy end user on a limited income. I expect, and will continue to demand, that the businesses and services I frequent will not take advantage of me, or my ignorance, or my inability to provide such protections for myself… and will continue to point out their failure to do so. It isn’t as a conspiracy theorist that I remark on Microsoft’s failure. It is a simple fact of their business model, that they continue to refuse to provide such a simple and fundamental choice for their customers.

Non-techy Win 10 Pro and Linux Mint experimenter

3 users thanked author for this post.

Cybertooth, Tom-R, Bengalensis

Reply | Quote