Windows 10: Telemetry and Data Protection (1)
Every time you use Windows 10, it sends a large amount of usage and telemetry data out of the machine. There is no official way to stop this transfer to Microsoft and third parties completely.
This has been discussed since Windows 10 was released. Microsoft put a lot of effort into functions in its new operating system that collect usage and telemetry data about the user. As a result, very large quantities of data are transferred, already at start-up but particularly at shut-down, to various servers at Microsoft and at third parties. Microsoft's explanation is that it wants to understand user behaviour in order to improve the usability of the whole system.
Since the turn of the millennium we have supported companies in the installation and operation of large operating system environments. From Windows 2000 through Windows Vista (see the Heidelberger Druckmaschinen video on YouTube) and Windows 7 to Windows 8 and Windows 10, we have dealt closely with the respective framework conditions in order to advise and assist our clients as well as possible.
We have therefore run a few tests to take a closer look at the telemetry aspect of Windows 10: which data are transferred, when, and to where?
To be able to read the Windows 10 data traffic we chose an analysis approach that resembles a so-called "man-in-the-middle" attack: the attacker, or in our case the analyst, sits between the two communicating parties and can see and read everything that passes between them. Each party is made to believe that the analyst is its intended communication partner. For HTTPS traffic this requires the client to trust the analyst's certificate, so that the intercepting proxy can terminate the TLS connection from the client and open a new one to the real server.
A quick look at the data stream already reveals interesting results. We first looked at the traffic Windows 10 generates at start-up, on opening the Start menu, on plugging in USB devices and on opening Windows Explorer. The reference PC was installed with the default settings:
- During start-up and shut-down, around 22 MByte of data are transferred.
- In total, connections are established to approximately 21 different servers; the number varies from start to start. Only 3 of the DNS targets are registered to Microsoft, while 11 servers are registered to American market research companies.
- Selecting any drive in Windows Explorer generates about 80 KByte of data that is transferred immediately.
- Most transfers use HTTPS. How well these data are actually protected by that encryption is still under examination. It is striking, however, that the degree of protection varies between connections and that some of the data can be intercepted by a third party directly in the company network, even without the man-in-the-middle setup described above.
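The figures above are the kind of summary that falls out of a per-connection export from the intercepting proxy. The following script is an added example and not the tooling used for the measurements in this article: it totals the bytes sent per phase, groups the destination servers by their registrant, and lists the connections that carry no TLS at all, which is the point of the last bullet. The log lines, the byte counts, the third-party hostnames, the IP addresses (RFC 5737 documentation ranges) and the owner table keyed by DNS suffix are all constructed for illustration; in a real analysis the owner table is built from WHOIS lookups of every target seen.

```python
"""Summarise a per-connection export from a TLS-intercepting proxy.

Added example; this is not the article's own tooling. Real input would be
exported from the proxy (or from a packet capture); the sample below is
constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log, one line per connection seen from the reference PC.
# Columns: phase, destination host, destination IP, port, transport, TLS?, bytes.
# The microsoft.com hostnames are real endpoint names used for illustration;
# the third-party names, all IPs (RFC 5737 documentation ranges) and all byte
# counts are made up and are not measurements from the article.
SAMPLE_LOG = """\
# phase,host,ip,port,proto,tls,bytes
startup,settings-win.data.microsoft.com,203.0.113.10,443,tcp,yes,184320
startup,vortex-win.data.microsoft.com,203.0.113.11,443,tcp,yes,2211840
startup,tracker.example.net,198.51.100.20,443,tcp,yes,40960
startup,stats.example.org,198.51.100.21,80,tcp,no,8192
startup,beacon.example-ads.com,198.51.100.22,443,udp,no,12288
explorer,settings-win.data.microsoft.com,203.0.113.10,443,tcp,yes,81920
shutdown,vortex-win.data.microsoft.com,203.0.113.11,443,tcp,yes,19922944
shutdown,stats.example.org,198.51.100.21,80,tcp,no,4096
"""

# Assumed ownership table keyed by DNS suffix. In practice this is built from
# WHOIS / registration lookups of every target seen in the capture.
OWNER_BY_SUFFIX = {
    "microsoft.com": "Microsoft",
    "example.net": "market research",
    "example.org": "market research",
    "example-ads.com": "advertising",
}


@dataclass(frozen=True)
class Conn:
    phase: str
    host: str
    ip: str
    port: int
    proto: str
    tls: bool
    nbytes: int


def parse_log(text):
    """Parse the CSV-like export; comment and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        phase, host, ip, port, proto, tls, nbytes = line.split(",")
        conns.append(Conn(phase, host, ip, int(port), proto, tls == "yes", int(nbytes)))
    return conns


def owner_of(host):
    """Map a hostname to its registrant via longest-suffix match."""
    best, best_len = "unknown", -1
    for suffix, owner in OWNER_BY_SUFFIX.items():
        if (host == suffix or host.endswith("." + suffix)) and len(suffix) > best_len:
            best, best_len = owner, len(suffix)
    return best


def bytes_per_phase(conns):
    """Total bytes sent per phase (startup, explorer, shutdown, ...)."""
    totals = Counter()
    for c in conns:
        totals[c.phase] += c.nbytes
    return dict(totals)


def servers_by_owner(conns):
    """Distinct destination hosts grouped by registrant."""
    hosts = defaultdict(set)
    for c in conns:
        hosts[owner_of(c.host)].add(c.host)
    return {owner: sorted(h) for owner, h in hosts.items()}


def unprotected(conns):
    """Connections without TLS: readable by anyone on the LAN path, no MITM needed."""
    return [c for c in conns if not c.tls]


def report(text):
    """Print the summary the article's bullet points are drawn from."""
    conns = parse_log(text)
    per_phase = bytes_per_phase(conns)
    total_mb = sum(per_phase.values()) / 1024 / 1024
    print(f"{len({c.host for c in conns})} distinct servers, {total_mb:.1f} MByte in total")
    for phase, n in sorted(per_phase.items()):
        print(f"  {phase:<9} {n / 1024:8.0f} KByte")
    for owner, hosts in sorted(servers_by_owner(conns).items()):
        print(f"  {owner}: {len(hosts)} server(s)")
    for c in unprotected(conns):
        print(f"  PLAINTEXT {c.proto}/{c.port} -> {c.host} ({c.nbytes} bytes, {c.phase})")
    return conns


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

The plaintext list is the check worth automating: anything it reports can be read by a passive observer on the company network without any certificate trickery, so those targets deserve the closest look. Note that a suffix table only tells you who registered the name, not who operates the server behind it; a CDN or hosting provider in the WHOIS record needs a second pass.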
Frankly, these results have alarmed us somewhat, in particular because the transfer of telemetry data cannot be switched off completely. Under Windows 10 Home and Pro, the data collection can only be reduced to the "Basic" level. Only Windows 10 Enterprise allows it to be disabled almost entirely (the level Microsoft calls "Security"), except for a small HTTPS/UDP data stream that still needs closer examination. On domain-managed machines the level is set by the "Allow Telemetry" group policy under Data Collection and Preview Builds; the value 0 is honoured only on Enterprise editions, while Home and Pro treat it as Basic.
We will continue our investigation, analyse the results in detail and take comparative measurements on Windows 7 and Mac OS X as well as on the different releases of Windows 10.
Links to further information