Mike Patterson, founder and CEO of security analytics firm Plixer, noticed that even after disabling everything he could find to stop this data transfer, some form of metadata is still sent to Microsoft every 5 minutes.
Further research found that:
The content was encrypted in a way that made it impossible to determine what was being sent. This extra effort to encrypt indicates that Microsoft not only didn’t want non-authorised users of the machine accessing the data—they also didn’t want the end-user knowing what was being sent.
There is a group policy feature called Allow Telemetry, which is a setting that determines how many telemetry details are sent back to Microsoft.
The only way to disable this entirely, unfortunately, is to purchase an Enterprise version of Windows 10.
In addition to Microsoft Windows 10, Patterson’s research found that antivirus firm McAfee and electronics company Plantronics are doing this too:
Plantronics were sending encrypted data over HTTP port 80 every minute
McAfee would send data using a DNS look-up that in many companies bypasses security mechanisms. We are confident that this is exactly why McAfee uses this tactic.
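A defender's way to surface this kind of behaviour in network flow data, as an added example (not code from the Plixer report): it groups outbound connections by client, destination and port, and flags pairs whose inter-arrival times are nearly constant. The records are constructed to mimic the 5-minute and 1-minute intervals described above, alongside irregular DNS traffic that should not be flagged.

```python
"""Flag periodic outbound connections ("beacons") in flow records.

The FLOWS data below is constructed for this example, not taken from the
Plixer report: one client talks to a host every 5 minutes, another every
minute, and a third makes irregular DNS lookups that should not be flagged.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dst_port). Addresses
# are RFC 5737 documentation ranges, not real telemetry endpoints.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", 443) for t in range(0, 3600, 300)]   # every 5 min
    + [(t, "10.0.0.7", "198.51.100.20", 80) for t in range(0, 600, 60)]   # every 1 min
    + [(t, "10.0.0.9", "10.0.0.53", 53) for t in (3, 4, 90, 91, 92, 400, 1337, 1400, 2500)]
)


def find_beacons(flows, min_events=5, max_cv=0.1):
    """Return sorted [(src, dst, port, mean_interval_s)] for (src, dst, port)
    groups with at least min_events connections whose gaps are nearly constant,
    i.e. coefficient of variation (stdev / mean of the gaps) <= max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((*key, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, port, period in find_beacons(FLOWS):
        print(f"{src} -> {dst}:{port} every {period}s")
```

Real flow exports (NetFlow/IPFIX, proxy or DNS logs) can be mapped onto the same (timestamp, src, dst, port) tuples; the jitter threshold is what separates machine-driven check-ins from human browsing.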
The full report is attached for your information, and an accompanying blog can be found here: https://www.plixer.com/blog/general/companies-you-trust-are-stealing-from-you/.
Rahul Kashyap, EVP and chief security architect at Bromium says: "As we move to a more interconnected world with devices (IoT), data analytics is set to become a lucrative business opportunity. The low barrier to enable logging and lack of user awareness provide a window of opportunity for ‘sneaky data mining’ of user behaviour. It’s unfortunate that many reputable brands are knowingly engaging in ‘sneaky data mining’ without providing upfront details to consumers. Moreover, it is important that users should absolutely be told how long this data will be stored, the security of the data and what it will be used for. Failing to comply is a breach of consumer trust.
The impact of mining such user behaviour can lead to users getting targeted by ads, mails, phone calls etc., and if it goes in the wrong hands – it could lead to targeted attacks. The current trend is disturbing and cyber laws need to be enforced to protect unsuspecting consumers."
Andy Green, senior technical specialist at Varonis reacts: "This is actually a widespread problem; not only with software we install, but with many free web applications as well. Far too many treat your data in the same way as Plantronics and McAfee. The core issue is the Terms of Service that we robotically click on. Since few of us read the Terms of Service, we as consumers are essentially signing a contract that allows the company to access behavioural and personal data. Typically these ToS agreements say the company will not sell or share this data with third parties. That’s good. But it still means they are collecting it and there’s enough weasel language for them to get out of their claims that they restrict access. Or if you sign a ToS that allows ads, you’re now in a dark area legally—you’ve essentially given up an expectation of privacy. Consumers have some legal protections here (in the US) but often the ToS is written to get around the few relevant laws."