219

How Microsoft uses biometric profiles to track & de-anonymize Windows 10 users with various third party services

Windows 10 includes Windows Hello and Inking & typing personalization (you've probably heard of the Windows 10 built-in keylogger) features. Windows Hello is a biometric framework built into Windows 10 that currently uses facial recognition, fingerprint identification, or iris scans to prove that you are who you say you are. Inking & typing personalization is a feature that will "personalize" your typing behavior. There isn't a way to turn this off easily because the data is collected through multiple services.

From the Windows Hello Privacy Policy (Wayback Machine Link) we can see the following data is being collected:

we collect info about how people use Windows Hello. For example, info about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product.

The following data is being collected from the typing behavior, according to the official source, the Microsoft Privacy Statement (Wayback Machine Link):

The data we collect can include the following:

Information from device sensors.

Search queries and commands when you use Microsoft products with search or related productivity functionality.

Text, inking, and typing data and related information. For example, when we collect inking data, we collect information about the placement of your inking instrument on your device.

Other inputs provided when you use our products. For example, data such as the buttons you press on an Xbox wireless controller using Xbox Live, skeletal tracking data when you use Kinect, and other sensor data, like the number of steps you take, when you use devices that have applicable sensors.

Search and artificial intelligence products connect you with information and intelligently sense, process, and act on information—learning and adapting over time.

SwiftKey Keyboard and related products (collectively, the “SwiftKey Services”) process data about how you type and write, and use this data to learn your writing style and provide personalized autocorrection and predictive text that adapts to you.

SwiftKey prediction technology learns from the way you use language to build a personalized language model. This model is an optimized view of the words and phrases that you use most often in context and reflects your unique writing style.

If you choose to do so, Microsoft will collect samples of the content you type or write to improve features such as handwriting recognition, autocompletion, next word prediction, and spelling correction in the many languages used by Windows customers.

Your typed and handwritten words are collected to provide you with: a personal dictionary, better character recognition to help you type and write on your device, and text suggestions that appear as you type or write.

We collect your searches and commands to provide, improve, and develop Cortana and other products.

So what is the deal with this collection?

Microsoft has a really close partnership with the Oxford Computer Group company, which provides enterprise mobility, cloud & identity management solutions to companies (mainly for Microsoft). The company has won many Microsoft Partner of the Year Awards, as we can see from the Oxford Computer Group's Partners (Archive.fo Link) website:

Microsoft is our primary technology partner. We have achieved Gold Partner status in Devices and Deployment, and Silver status in Cloud Platforms. This status guarantees that our consultants are qualified in specialist technologies.

We have won the Microsoft Partner of the Year Award numerous times, most recently three years in a row: 2013, 2014 and 2015.

In addition to this, Oxford Computer Group is partnered with the Crossmatch company, which provides biometric tracking technology.

Together Oxford Computer Group and Crossmatch decided to make a strategic partnership to offer biometric identity solutions to Microsoft customers (Windows 10 Hello & Inking & typing personalization as explained above). Here is the official announcement:

https://www.crossmatch.com/press-release/oxford-computer-group-multi-factor-authentication-microsoft-customers/ (Wayback Machine Link)

To make these three partnerships (Microsoft, Oxford Computer Group and Crossmatch) work, Microsoft has begun to analyze the writing behavior of users in the background on Windows 10 and then to send the created biometric profiles (Windows 10 Hello and Inking & typing personalization data collection as explained above) to the Crossmatch company. So Microsoft is sharing customers' biometric profiles with these companies (the data is either linked to an individual, or it is "anonymized" data that can be easily de-anonymized by the services / companies with which Microsoft shares the profiles).

But now things are going to get even more shady:

Crossmatch has a close partnership with the BehavioSec company and they share biometrics data with each other, including Microsoft's customers' data. Here is an official announcement of the partnership:

https://www.behaviosec.com/news/crossmatch-integrates-behaviosec-behavioral-biometrics-digitalpersona-enterprise-authentication-solution/ (Wayback Machine Link)

BehavioSec is a company which specializes in identifying individuals based on how they write, how they move the mouse and how they move the device in their hands. They ran a study during 2012 / 2013 with Danske Bank which showed that BehavioSec could identify the user 99.7% of the time while also detecting an impostor 99.7% of the time. This is a very high level of accuracy among all types of biometrics. Here is the study:

https://www.behaviosec.com/documents/white-papers/behaviosec-in-a-real-world-e-banking-environment/ (Wayback Machine Link)

Nowadays Danske Bank implements BehavioSec's technology on their mobile apps to verify the right customer based on how the customer types and moves the device.

More about how BehavioSec's technology works:

https://web.archive.org/web/20151018094945/https://www.behaviosec.com/technology/

BehavioSec also cooperates with DARPA (which is one of the best-known intelligence agencies in the world) to develop DARPA's Active Authentication program:

https://web.archive.org/web/20160512161757/http://www.behaviosec.com/darpa-and-behaviosec-go-beyond-passwords/

https://web.archive.org/web/20170712125714/https://www.behaviosec.com/darpa-presents-continuous-mobile-authentication/

The sole purpose of this program is to identify individuals based on their unique behavior. BehavioSec also gets direct funding from DARPA.

So what does this mean for the end-user?

All four of these companies share data with each other, directly or indirectly. It's explained in their Privacy Policies (they also create profiles about individuals):

BehavioSec's Privacy Policy (Wayback Machine Link):

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Oxford Computer Group's Privacy Policy (Archive.fo Link):

We will never sell, rent or otherwise disclose your personal data to any third party except where it is necessary to provide you with services you have requested, and only then for that purpose.

In this table we have set out information about how we use your personal data and the legal bases of that use:

Operating and maintaining our website, managing our relationships with customers and prospective customers.

We may disclose your personal data to our services providers and subcontractors.

We may disclose details of your event bookings to event and venue operators and to other third-party services providers.

Crossmatch's Privacy Policy (Wayback Machine Link):

Personal Data and other aggregate information, including that from cookies, may be provided to outside vendors and service agencies that are responsible for assisting with providing our services to you.

Microsoft's Privacy Statement (Wayback Machine Link):

These third-party sources vary over time and include:

Partners with which we offer co-branded services or engage in joint marketing activities.

With appropriate technical and organizational measures to safeguard individuals’ rights and freedoms, we use data to conduct research, including for public interest and scientific purposes.

We share your personal data with your consent or as necessary to complete any transaction or provide any product you have requested or authorized.

In addition, we share personal data among Microsoft-controlled affiliates and subsidiaries. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement.

So Windows 10 users' biometric profiles are being shared among these companies, and they employ tracking & de-anonymization technology on individuals. So your typing behavior & Windows Hello data on Windows 10 can be used to link back to you. This is far from anonymized data collection, and those companies can also easily de-anonymize Microsoft's "anonymized telemetry" data.

Also BehavioSec is arguably sharing Microsoft's customers' (Windows 10) typing behavior & Windows Hello (biometric profiles) data with DARPA through profiles which Crossmatch has provided.

62 comments
98% Upvoted
level 1
35 points · 5 days ago

I’ve been toying with Linux lately and considering switching. This just adds more reason to. Now if only I could run the adobe suite and ms office on Linux since I need them for work.

level 2

You could use Windows in a virtual machine in Linux. Only use Windows for those programs

level 3
3 points · 5 days ago

Forgive me if this is a silly question, but can I access and edit my linux files from windows in the VM (and vice-versa)?

level 4

Depends on your configuration, but you can definitely share directories and files between the OS and the virtual machine. IIRC this is limited to predefined paths. Don't forget that the way your drive is formatted needs to be taken into account.

level 4
2 points · 5 days ago

Yes. You can configure folders or drives through the VM manager to mount in the virtual OS as drives.

level 4

This can be configured with many major virtualization products, but general behavior is to isolate the Windows Guest VM (or any guest for that matter) from the host it runs on.

As they're both computers, there's no reason you can't set up any number of access methods between the two (networked CIFS drives, SSH SCP/SFTP and many more).

That being said, what I think you're driving at is using the virtualization program to expose filesystems from the Host to the Guest, and vice versa. KVM/qemu/libvirt (linux based virtualisation software) does allow for this, but it must be configured.

Here's an example from virt-manager, a GUI front end for libvirtd.

level 4
-9 points · 5 days ago (3 children)
level 5
1 point · 5 days ago

If you install Guest Additions, you can drag and drop folders and files between host and guest.

I prefer to just have one computer with a dual boot option to windows. I have W7 and W10 options, that I can boot into on rare occasions.

level 6

My problem is that I have UEFI with old BIOS compatibility disabled to be able (it's a requirement) to use Secure Boot, TPM 2.0, BitLocker... I have tried everything and it seems that I can't use Ubuntu even with the correct UEFI keys... maybe because my BIOS UEFI is set to Windows instead of "other OS", but it breaks Windows when switching to the other OS setting... any idea?

level 7
1 point · 4 days ago

I can't answer your specific situation; maybe consider using VeraCrypt instead of BitLocker. I had an issue setting up dual boot because of the partitioning present. I used a bootable USB stick with Ubuntu, booted into that and installed "boot repair"; it analyzed my machine and fixed it like magic, lol. Good luck, and it's worth the effort. I enjoy using Linux so much more in comparison to Windows. Ubuntu is a good OS to start with and for the long term. When I use Windows, I try to stay with W7; W10 makes me ill. I boot into Windows maybe once in 6 months and do some updates.

level 3

I've been thinking about getting a decent bit of RAM for my next computer so I can run both of them comfortably.

Would you still have to worry about security issues when Windows is in a VM? There are things like the Windows skeleton project that strips out all the Windows crap using the official toolkit. It seems like a bad idea for a regular Windows computer since you have to reinstall every 6 months to get the security updates, but maybe in a VM it might not be an issue if you're only using it to run software or games?

level 4

It is very real and happens. https://www.zdnet.com/article/virtualbox-zero-day-published-by-disgruntled-researcher/

I would stick with VMware instead of VirtualBox, just because of preference. I use VMware Workstation Pro; you can find keys online. It makes it easy to manage multiple VMs. It can run on Linux and Windows.

level 5

yikes, ok!

level 4

It would be very rare and unlikely. The malware would have to test if it is in a virtual environment, then use a vulnerability in the VM, then attack the specific Linux distro. Probably the most likely is through the local network (worm). If the network was well secured it would be very unlikely I think.

I haven't heard of the skeleton project. It's difficult enough to get infected unless using cracks maybe. With a VM, you can save an image of the OS and reload that state if it gets infected.

level 2

Well it's a pretty hefty 'if only'. It's been the only[1] obstacle for many professionals for two decades now and by the looks of it nothing is really changing, so don't hold your breath just yet.

-----------

[1] And no, running old versions of Photoshop or Office doesn't cut it.

level 3

What about using VM's or dual boot?

level 4

Yeah, but you'd still need to pay for a Windows licence then. Dual boot is cumbersome because when you have to use PS or Office several times a day you really don't want to reboot in between just to enjoy some quality freedom time in Linux, just to reboot again to a different environment 15 minutes later when your job calls for it. VMs are never native speed and require additional hw resources, mainly extra RAM, to be effective. All that is additional cost or lost productivity. I mean, you still want to google stuff, read your emails, chat with friends or coworkers while having your Office files open, and you'll be doing that in Windows, so why not use it full time anyway?


I'm all for Linux for special cases, like developers and such, but most Office drones and creative types are still tied to Windows or OSX

level 2
7 points · 4 days ago

LibreOffice on Linux can read/edit/create MS Office files. I use LibreOffice exclusively, but my needs are simple. LibreOffice also runs on Windows so you can try it out without installing Linux.

level 3

I've been using LibreOffice at work for years and nobody has noticed. They won't buy me an MS Office license and I won't ask for one.

level 2

Manjaro ships with web apps to microsoft office suite I am pretty sure. And you mean photoshop and the like from adobe? Would gimp and inkscape fill that need?

level 2
4 points · 4 days ago

Office365 in Firefox browser. Fuck everything Adobe.

Libre Office - learn it, use it, it's powerful/free
Gimp - photoshop
Kdenlive - amazing video editing flatpak
Blender - 3d/video editing
Audacity - edit audio
Handbrake - video encoder
virt-manager - use kvm, it's native vms

Have a look at flatpak and flathub for access to some software you will miss.

level 3
2 points · 4 days ago

I feel this needs to be reiterated at the top of a mountain for the unwashed masses to finally take heed:

Fuck everything Adobe.

level 3
1 point · 4 days ago

These alternatives are excellent for personal use, but simply could not replace what I need for work where I wanna work with others and share specific file types?

level 2

Both could be used via virtual machines if you want to avoid dual booting.

But isn't the web version of their Office suite (360?) good enough?

level 2

I would switch to Linux but a lot of my games only work on Windows

level 3
3 points · 5 days ago

It’s hard to say if dual booting is worth the hassle of switching between operating system when doing different tasks.

level 4

Idk what dual booting is, is that just running a virtual machine or something else? I’m only opposed to running a virtual machine because I’m running a windows vm inside of windows. I don’t know if I’m just dumb but the screen resolution is locked at 1024x768 and I don’t care enough to change it to 1440p

level 5
3 points · 5 days ago

Dual booting means installing two operating systems directly on your computer. You select which one to load when you turn on your computer, and to switch to the other you need to reboot.

The advantage is that, since the systems are running directly on your hardware, they're as fast as can be. Obviously it's less convenient.

With a VM, you can run Windows from within Linux without rebooting, but at a performance hit.

The screen resolution shouldn't be an issue if, (assuming a VirtualBox setup), you install the guest additions.

Hope that helps!

level 6

I’ll look around in my bios for dual boot and might try it out. We’ll see.

level 7

You won't find it in the bios. Just google how it's done.

level 8

👍

level 9

It's pretty easy man...you should know how to dual boot if you own a computer. These things are meant to entertain us masses after all.

level 5

Dual booting is when you have 2 operating systems installed on the same machine, and can choose which system you boot into. Right now, that's what I have: Manjaro Linux on an external drive plugged in with Windows 7 installed on the internal drive, though I'm planning to make a full switch eventually.

level 3

That's getting better. Between Lutris and SteamPlay, I'm getting a lot of my games to run on Linux (Manjaro). There are some that still need help, but I'd estimate about half will run with Wine via Lutris and/or SteamPlay (Proton).

level 3

Games can't be the only reason. And if it were, then you are in great luck, as you don't have to find alternatives to things on Windows as much. If your only argument for Windows is games, then either keep it at that or find alternative games and game producers that produce games you like on Linux. Find a distribution you like by searching online or use a common one like Ubuntu, Debian, Fedora, Arch, Mint, .... Just think of yourself in 5 years. Is 5 years of privacy data worth playing a few games? Are you then using Linux? Have you bought new games that are at least compatible with Linux and Windows? Have you signaled to game developers that future games should be on Linux? Steam, for example, sends telemetry data to game developers so they can know which platform you use. If you use Windows, they think they have to develop games for Windows. Don't be a sheep! Just do it.

https://www.reddit.com/r/linuxmasterrace/

https://www.reddit.com/r/linux4noobs/

https://www.gamingonlinux.com/ or https://www.reddit.com/r/linux_gaming/

level 2

Yeah, I just need to finish a few games that I have installed, and then I will move to Linux, and will use Windows for gaming only, and will cut the internet for Windows.

level 2

MacOS is an option for Adobe Suite and Office. Linux for everything else. That's what I do. Linux my daily driver (Ubuntu) and MacOS when I need those suites. Hackintosh is pretty straightforward these days so you don't need to pay big $ to Apple for hardware.

level 3
1 point · 3 days ago

I didn’t have the best of luck when setting up a hackintosh.

level 4

So long as you buy hardware that's suitable (certain motherboards don't work, for e.g.) then it's actually pretty easy so long as you follow directions carefully. It's possible your hardware wasn't fully compatible when you tried. I made mine out of a 2nd hand HP Elite 8300 machine, cost me a few hundred bucks all up including a used NVIDIA GPU and runs just fine for my non-demanding workflow.

tonymacx86.com has excellent step-by-step instructions.

level 2

https://www.codeweavers.com/ 's CrossOver is the commercial product that resulted from Wine. It can run Office. Should be worth your privacy, but using Windows applications at all makes it more reasonable to run an isolated / sandboxed environment like a virtual machine.

level 2
0 points · 4 days ago

Not exactly what you’re looking for, but macOS is a decent compromise between both worlds.

level 1
13 points · 5 days ago

What about ‚O&O Shut Up 10‘?

„Some services protocol your entire keyboard entries, share your WLAN access data with your facebook contacts or connect your computer without asking permission to a public – and potentially unprotected – network.“ Reference: O&O Shut Up10

„Using a very simple interface, you decide how Windows 10 should respect your privacy by deciding which unwanted functions should be deactivated.“ Reference: O&O Shut Up 10

As far as I know, it is using group policy settings to disable those things you mentioned.

level 2
Original Poster10 points · 5 days ago · edited 4 days ago

The real answer is that we can never be sure how these tools work.

Microsoft could provide an update (which they have done before) which will revert some privacy settings. Also, when we are talking about a closed source OS, we can't verify what those options will do. At worst they might do nothing. Of course we could monitor the network, but it's quite a complex thing to do. Microsoft could modify which requests send your data (and what data), and they also frequently set up new "telemetry" domains to circumvent domain blocks. Also, almost every Windows 10 "feature" update modifies telemetry service names to circumvent those privacy tools.

If you really want to be sure that Windows 10 isn't phoning home, you should set up an external firewall program to block all the connections and then only allow connections which you trust. The reason why I highlighted the word external is because Microsoft could modify Windows Firewall in a way that it will not block some specific domains, like they are already doing with the HOSTS file. Although firewall circumvention will probably not be the case, because it would weaken security, since some security software relies on it.

Also I would recommend W10Privacy instead of O&O Shut Up 10. I have found it to be more efficient in my tests.

And you should read these articles about how Windows 10 still sends your data to Microsoft after changing privacy settings:

https://thehackernews.com/2016/02/microsoft-windows10-privacy.html

https://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
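A worked illustration of the default-deny approach described in the comment above: an added example, not code from the thread or from any tool named in it. The log format, the guest address and every domain name below are constructed placeholders; the point is that a blocklist silently misses a destination it has never seen, while an allowlist surfaces it for review.

```python
# Added example (not from the thread): audit outbound connections from a Windows
# guest against a default-deny allowlist, and contrast with a domain blocklist.
# All log lines and domain names are constructed for this example.
from dataclasses import dataclass
import re

# Constructed sample of outbound-connection log lines from a host firewall that
# resolves destinations to names (this format is an assumption of the example).
SAMPLE_LOG = """\
2019-01-10T09:00:01Z OUT 10.0.2.15 -> updates.corp-allowed.example:443 proto=tcp
2019-01-10T09:00:02Z OUT 10.0.2.15 -> telemetry-a.vendor.example:443 proto=tcp
2019-01-10T09:00:05Z OUT 10.0.2.15 -> mail.corp-allowed.example:993 proto=tcp
2019-01-10T09:00:09Z OUT 10.0.2.15 -> telemetry-b.vendor.example:443 proto=tcp
2019-01-10T09:00:12Z OUT 10.0.2.15 -> 203.0.113.7:443 proto=tcp
"""

# Destinations the operator has explicitly reviewed and trusts (constructed).
ALLOWLIST = {"updates.corp-allowed.example", "mail.corp-allowed.example"}
# A blocklist is only as good as its last update: here only one telemetry host
# is known, so a newly introduced one and a bare IP are not covered.
BLOCKLIST = {"telemetry-a.vendor.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_log(text):
    """Parse the constructed log format into Conn records; reject unknown lines."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        conns.append(Conn(m["ts"], m["src"], m["dst"], int(m["port"]), m["proto"]))
    return conns


def blocklist_verdicts(conns, blocklist):
    """Deny-list policy: anything not explicitly blocked gets through."""
    return {c.dst: ("blocked" if c.dst in blocklist else "allowed") for c in conns}


def allowlist_verdicts(conns, allowlist):
    """Default-deny policy: only explicitly trusted destinations get through."""
    return {c.dst: ("allowed" if c.dst in allowlist else "blocked") for c in conns}


def unexpected_egress(conns, allowlist):
    """Destinations a default-deny firewall would drop: the operator's review queue."""
    return sorted({c.dst for c in conns if c.dst not in allowlist})


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for dst, verdict in blocklist_verdicts(conns, BLOCKLIST).items():
        print(f"blocklist  {verdict:8s} {dst}")
    for dst, verdict in allowlist_verdicts(conns, ALLOWLIST).items():
        print(f"allowlist  {verdict:8s} {dst}")
    print("needs review:", unexpected_egress(conns, ALLOWLIST))
```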

level 1
18 points · 5 days ago

Well that's not good. Wouldn't this be a GDPR violation?

level 1
3 points · 4 days ago

Consider Destroy Windows 10 Spying to help eliminate this madness.

https://github.com/Nummer/Destroy-Windows-10-Spying/releases

Honestly, just install Manjaro and stop using spyware os.

level 1

Very thorough report, thank you!

level 1

When I originally looked at Win 10 telemetry in August of 2015 I made the decision to move my daily use computing to Linux.

I chose Ubuntu for simplicity.

For my main productivity programs I use open office / libreoffice.

For photo editing I use Gimp.

Calibre is an amazing manager for my ebooks.

Browsers are well supported.

For torrents I use Tixati which has some nice security features.

For increased privacy I boot to a USB with TAILS if I am browsing the dark net or on public wifi.

For gaming I use a Windows 7 box that has a hard wired Net connection. This has worked well for me but I am not so much of a gamer that I know what games will work. Mine all work on Win 7.

For me it takes 2 PCs so I can do gaming on a win platform and then have a level of privacy and security.

level 2
4 points · 5 days ago

For me it takes 2 PCs so I can do gaming on a win platform and then have a level of privacy and security.

You might be able to get rid of the second PC with what /r/VFIO offers. In short: Have a Linux host with an additional gfx card dedicated to a Windows VM you boot on-demand for gaming.

I'm very pleased with my Ryzen 7 with a RX 550 for the host and a RX 580 for the (atm) Windows 7 Gaming VM. Really enjoyed The Witcher 3 on that when I finally decided to play it like a month ago.

level 3

since I have 20 or so old PCs laying around, it is better to use each PC separately and have simple setups.

level 1

Is macOS sharing data with third parties too? Is it any better for privacy than Win 10?

level 2
Original Poster4 points · 4 days ago

Is macOS sharing data with third parties too?

From Apple Privacy Policy:

We may collect, use, transfer, and disclose non-personal information for any purpose

At times Apple may make certain personal information available to strategic partners that work with Apple to provide products and services, or that help Apple market to customers

Personal information will only be shared by Apple to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes.

Apple shares personal information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. 

So yes, they share your data with third parties.

Is it any better for privacy than Win 10?

Yes. The difference is like night and day. Apple still respects your privacy unlike Microsoft.

level 3

Thanks!

level 1

LibreOffice can save in Office docx etc. I use it daily to collaborate with others.

level 1

Using Biometrics for authentication is such a dumb thing to do. You leave your fingerprints everywhere, they're not protected by the fourth amendment, if their digital representation gets compromised then there's no way to change them, etc.

But using them to uniquely identify and track you is great! Nobody wants to steal or mimic your prints in that scenario. And they know that it is you every single time.

level 1
-3 points · 5 days ago

Where are now those people who keep complaining that too often people suggest using GNU/Linux (or any other FOSS OS for that matter, like RedoxOS, BSD etc...) instead of Windows? Hmm....

level 2
3 points · 5 days ago

Now that you mention it:

level 2

Yeah I would like you to show me a linux OS that lets me run my DAW and use my VSTi/VST please, and one which can run any game that uses EAC. Thanks.

level 3
6 points · 5 days ago

This is r/privacy and not r/convenience. Some privacy tools may offer you some convenient features, but those have to be regarded as bonuses and we should feel happy about them. Don't you know that in life we can't get everything we want packed all in one? This is why we have priorities and this is why we have to choose what's most important for us.

level 4

So not only can you not provide any answer to that simple question, you just downvote.

No, this is no longer r/privacy, this is r/linux and it's been that way for a while now. Linux the OS is fine, it serves a purpose. The users are the worst, they infect everything they can and they continually lie about whatever flavor they are currently on and downvote anyone who doesn't cream over Linux.

Still not seeing anyone want to actually point out which Linux OS can do those things, just downvote and avoid having to say "Yeah Linux is really lacking in many of the features other OS's are able to provide..."

level 5
3 points · 4 days ago

So not only can you not provide any answer to that simple question, just downvote.

You think I downvoted you 5 times? hmm...

Linux the OS is fine, it serves a purpose. The users are the worst, they infect everything they can and they continually lie about whatever flavor they are currently on

Partially agree here with you.

Still not seeing anyone want to actually point out which Linux OS can do those things, just downvote and avoid having to say "Yeah linux is really lacking in many of the features other OS's are able to provide..."

Yeah, Linux is still lacking some of the features other OS's are able to provide. I said it. Done. I think this is true, at least temporarily, at least for now. Regarding which OS to choose, 90% of the time it doesn't matter. It will matter if you are looking for some specific apps which aren't compiled and/or don't offer you clear and easy instructions on how to install them on the distro you are using. Regarding DAW, have you tried searching online? https://duckduckgo.com/?q=DAW+app+linux&t=ffab&ia=web This is what I could find:
