Rafe Hart

Thoughts on security, privacy, and building software.

Windows 10 Privacy

27 March 2017

Last week in the US the FCC privacy regulations were repealed, which, amongst other things, allows ISPs to track your internet usage and sell it to third parties. It’s a good time to think about privacy.

Windows 10 doesn’t have the best record on privacy. Most app teams need to get data about their users to improve their products, and Microsoft is no different in that respect. If you want to look deeper into the issue, you can read Microsoft’s reasoning for their data gathering, and the EFF’s criticism of it.

Improve your Windows Privacy

There are multiple tools to turn off Windows 10 telemetry, depending on what services you are prepared to go without. There is a slightly melodramatic naming convention for these tools that ever so subtly hints at what their authors might say on this topic if you got a few beers into them.

  • Destroy-Windows-10-Spying adds host entries to block telemetry servers, and shuts down a range of Windows tasks that try to report your data
  • O&OShutup10 gives you a fast way to disable all the privacy affecting settings in Windows, and provides guidance with each one. Don’t tick everything, especially the ones with red exclamation marks next to them
  • fix-windows-privacy will disable a wider range of tracking via the registry, including removing OneDrive

Remember to run these after any major Windows update, as Microsoft has turned tracking back on with some of these in the past.

If you have an NVidia card, they send telemetry home as well, but it seems to be mostly harmless so far. Instructions to turn it off are here.

Depending on where you are living, the sites you visit may also be logged by your ISP, for government use. In Australia, that metadata is held for two years, in the UK it’s 1-2 years, and if you live in the US it’s now a commercial product that can be sold to, well, anyone really.

A VPN is the only real defence against this, but it is of limited use if you still refer to your ISPs DNS for name resolution. You can lower the amount of data collected about you by selecting a DNS provider that does not keep logs, and uses the dnscrypt protocol to sign communications, making the responses harder to spoof. Note that dnscrypt does not provide privacy without a VPN.

For a simple solution, you can change your DNS servers to OpenDNS or Google DNS. Both keep logs, which isn’t ideal, but they aren’t exactly known for handing them over. A better solution is Simple DNScrypt, which gives you non-logging options, and implements the dnscrypt protocol.

Improve your browser privacy

Your browser broadcasts a lot of information. If you are signed in on Facebook, and you visit another site that has placed an link on their page, Facebook knows about it.

There is a ‘Do Not Track’ setting in most browsers these days, but the best approach is to install EFF’s Privacy Badger extension, which will detect and block sites tracking you. Privacy Badger is available for Chrome and Firefox. If you use Safari, consider installing Ghostery instead. What if you’re using IE? Stop using IE. There. I fixed it for you.

While you are there, you should install HTTPS-Everywhere and uBlock Origin (Chrome / Firefox) to remove potentially malicious ads and upgrade insecure connections where possible.

Improve your social media privacy

Make sure you are happy with the list of apps connected to each of your social media accounts, because each of them is likely to be recording as much information as possible.

And if you live in the US, I’d also recommend opting out of the various services who index information on you from publicly available records. This article eloquently explains how to do that.

The last point I’d make about privacy is that it’s something that is important to maintain, even when you have nothing to hide. If 99% of mail was postcards, envelopes would be suspicious. There plenty of people with legitimate reasons not to want their privacy invaded, and by protecting your privacy, you protect theirs.