Monday, 9 May 2016

Windows 10 Telemetry: What we do and don't know


Since Windows 10 rolled out many people have been shouting at the top of their voices about how Windows 10 is somehow stealing not only our data but probably our soul at the same time. The Privacy settings in Windows 10 tell Microsoft information about you specifically, so that your Windows 10 experience improves as it learns about you and can make things even more intuitive and magical for you as time ticks on. For example, they let you control what access apps get to your data and can help Cortana learn more about you. Telemetry, on the other hand, isn’t so dynamic in terms of it leaving your computer and later magically changing your Windows 10 personality overnight. It’s largely a one-way stream of information departing your computer and heading to Microsoft HQ for them to analyse. They use it to discover issues people are having with Windows 10 that they can then either fix or enhance in future updates.

It’s worth remembering that there is other software on your computer other than the actual OS collecting telemetry of varying sorts all the time. Microsoft Office has its own telemetry settings, so does Windows Update and Defender. Most 3rd party apps will send various statistics and diagnostics back to their respective HQ, although usually these apps have a setting to turn telemetry on or off.

Disclaimer: I'm only human and also dyslexic. I try my best to read and write accurately but I make mistakes and my enthusiasm can sometimes cloud fact. This is also a hobby, not a job. Please do check official documentation yourself to be sure I've got things right.

What do we know about telemetry?


  • In its documentation, Microsoft refers to a “Connected User Experience & Telemetry Component” (hereafter referred to as just the telemetry client) as the mechanism that’s used in Windows 10 to supply them with information about your device. This suggests, as one might expect, that there is a kind of client running in Windows 10 that controls all aspects of telemetry.
  • This telemetry client updates it’s settings from Microsoft. This suggests that what the client is set to do can be dynamically changed by Microsoft.
  • Reassuringly, all Telemetry data is encrypted during transfer to Microsoft.
  • There are 3 telemetry levels you can set your device to; Full, Enhanced and Basic. If you are running Windows 10 Enterprise, Education or IoT OS versions there’s also a security level, but for us consumers it’s just the three. If you’re using an insider build you are automatically locked in to the full level.
  • The telemetry client service name is called DiagTrack (Display Name = Connected User Experiences and Telemetry), so assumingly one could just turn this service off to stop telemetry?
  • The telemetry client process name is utcsvc. So if you want to monitor what goes on, this is the process to follow.
  • The telemetry client stores its data in folders under C:\ProgramData\Microsoft\Diagnosis
  • Data sent by the telemetry client is claimed by Microsoft to be about 1.2k in size.
  • On a PC running at the basic telemetry level, tests by Ed Bott suggest that data transmissions occurred 32 times in an eight hour period.
  • There’s no official off switch for the telemetry client (aside from disabling the service) but you can control the level of telemetry sent back to Microsoft by toning down the level. The telemetry level at its lowest level is “Basic”.
  • At the lowest level of “Basic” you’re still sending a lot of information about your device to Microsoft. The word “Basic” has a considerably higher baseline than it might appear. The documentation says “device info” is sent to Microsoft at this level, listing Internet Explorer/battery/networking/processor/storage attributes as examples. On top of that, info about all the applications (apps and win32 software) installed, performance and reliability data, hardware attached to your computer and information about your network and connection is sent to Microsoft. It’s highly likely that, at the very least, the sort of information you find in “System Information” (msinfo) Reliability Monitor, Resource Monitor and Performance Monitor is heading to Microsoft at this “Basic” level. 
  • In its documentation about the telemetry client Microsoft frequently makes use of the words “including”, “such as” and “some examples”, which all implies that the specific information they’ve listed as being collected by the telemetry client isn’t comprehensive or complete. There’s highly likely to be considerably more information being sent to Microsoft than what they’ve outlined.
  • At the “Enhanced” level, everything in “Basic” is sent to Microsoft as well as extra information about how you interact with the OS and apps. The wording in the documentation suggests that only specific events related to problems regarding apps, the OS and certain devices are sent to Microsoft. However, they aren’t clear on what “events” really means. They could be the frequency or the length of time you use a certain feature or app but it’s all somewhat ambiguous.
  • If the telemetry client detects a problem with an app or OS feature on your device it’s possible that the information sent to Microsoft might happen just the once at the time of the specific event, or for up to 2 weeks.
  • It’s possible that at any of the three telemetry levels, although specifically enhanced and full, that personal information might be sent to Microsoft. I.e. if the app or OS crashed whilst you had a file open or was surfing a webpage, then the telemetry client would send some of that information to Microsoft. However, any personal information will not be used to identify or contact you.
  • At the Enhanced level, insider devices will send back specific information about pre-release binary and features so Microsoft know how well those new build features are performing.
  • At the Enhanced Level, Microsoft Engineers can ask the telemetry client to run further diagnostics on your device, including gathering personal content and registry keys related to the specific problem your device reported, so they can investigate the issue.
  • All information gathered by the telemetry client has to comply with their security and privacy policies as well as laws and regulations. Only a limited number of employees at Microsoft are allowed access to telemetry info.
  • If you have set your Wi-Fi connection as a metered network then not all telemetry data will be sent to Microsoft. Diagnostic Data, Crash data and “Normal” events are specifically stated as not being sent on metered networks.
  • The telemetry client (on non-metered networks) will send real-time event information immediately but other information is normally uploaded to Microsoft every 15 minutes if you’re connected to A/C power or every 4 hours if on battery.
  • Some telemetry information is only kept by Microsoft for 30 days but there is other data that is kept longer if it’s needed to provide a service and future analysis.
  • It’s possible that telemetry data will be shared with Microsoft vendors & agents but they must abide by privacy and security policies and are not allowed to use personal data for any purposes.



What don’t we know about telemetry?

  •  How often does the telemetry client update its settings from Microsoft?
  • What information is in the settings data that the telemetry client obtains from Microsoft?
  • When and why are the settings the telemetry client is updated with changed by Microsoft?
  • How do we know when our device is sending telemetry data back to Microsoft?
  • When the telemetry client detects a problem with the OS or an app, what are the metrics used to determine how frequently the client will continue to send data to Microsoft related to that issue?
  • What’s the full list of information sent to Microsoft at each of the telemetry levels via the telemetry client?
  • What kind of the data does Microsoft retain from the telemetry client beyond 30 days?
  • What exactly does the data look like that Microsoft passes on to vendors and agents?
  • How do we know when a Microsoft Engineer is accessing our devices via the telemetry client and what they did?
  • How many employees at Microsoft can view our telemetry data? How many is a ‘limited number’?
  • Why can’t we turn off the telemetry client when most third-party applications allow you to do so? Sure, we could disable the service but there should be an official option to turn off the telemetry, plus, it's unclear what effect turning off telemetry might have on a system.

No comments:

Post a Comment