That's not the web you're browsing, Microsoft. That's our data

Are you a Windows user? How many spoons do you own? Have you counted them lately? The reason we ask is due to the old adage, "the louder he talked of his honor, the faster we counted our spoons." When it comes to the tech giants, they like to talk about their commitment to data security a whole lot, but by Jiminy they like …

  1. Tubz Silver badge

    You don't have to do anything to Windows or Microsoft Apps, you just slap Microsoft with multiple Billions of £$€ fines for a deliberate global mass breach of data protection, decimate their profits and share value for a year for the shareholders and you can guarantee they will be coding their little backsides off to remove offending code across all their apps, even if some of the apps have yet to show dodgy doings and the upside is also the other Mega Corps start panicking and start cleaning up their houses ! Time to stop treading softly for these serial offenders, as they don't learn, it's just business to them !!!

    1. elsergiovolador Silver badge

      Who wins?

      a) you just slap Microsoft with multiple Billions of £$€ fines for a deliberate global mass breach of data protection

      b) a fat brown envelope for regulator

      1. Rafael #872397
        Devil

        Re: you just slap Microsoft with multiple Billions of £$€ fines

        It looks like you're writing a lawsuit. Would you like help? I have all the information that is required...

    2. hoola Silver badge

      I think that it is even worse than that.

      Microsoft (along with Google and other big tech outfits) are heavily investing and pushing "AI". This is all being developed with data that has been harvested over the last 10 years at the very least (maybe more). That data has mostly been collected without consent and stored for future use. We now have the compute resources available to turn that data into money.

      The entire AI thing is totally dependent on training the model on data that has been scraped from any source, with or without consent. The horse bolted long ago when the data first started being collected.

      Almost all main-stream applications now have some kind of reporting and even if they do not, the OS (Windows & Apple - yes I don't trust them either) will be collecting stuff, even if it is just keystrokes.

      AI is the bandwagon where all the money is going because it is an arms race between the big tech companies. That it adds almost no value to most people is irrelevant, it is about control.

      Whoever holds the data, controls access to the data or the decision making software that uses it is in a position of power.

      1. Michael Strorm Silver badge

        And, of course, it's been proven that LLMs can be tricked into regurgitating the data they were trained on.

        Which in this case would include business and/or personal info you thought was confidential because you weren't even aware it had been slurped.

    3. Charlie Clark Silver badge

      In theory, yes, but it will take time. And in the meantime Microsoft will continue to steal the data and hope that any processes take long enough for it not to matter any more.

      1. Anonymous Coward

        > Microsoft will continue [and] hope that any [legal] processes take long enough for it not to matter any more

        Not like drag-it-out-into-irrelevance would be a new tactic for MS or numerous other companies in a similar boat.

    4. Version 1.0 Silver badge
      Windows

      I'm a Windows User, but Microsoft hates me because I'm still using Windows 7 everywhere - using Windows 7 and Office 2010 gets everything done quickly and easily and no bloody adverts and data theft doesn't even exist. The laptop boots up fully functional in a few seconds with no half hour waits for crappy updates.

      1. K

        But that's not sustainable, even in the short term... you'll eventually run afoul of some exploit, bug, or need some feature...

      2. Ramis101

        Me too kinda

        I stuck with Office 2003. It does everything I need and the buttons/menus are where they should be and intuitive. And yea, most of my machines are still W7.

    5. Colin Miller

      justice delayed is…

      They'll get fined for this, no doubt. $1 million, in 10 years' time

  2. Pete 2 Silver badge

    If

    > If users on multiple support threads are correct ...

    A good question. But one the article fails to answer. And until someone who knows does so, this is just a long piece of suppository supposition.

    The great thing about FOSS is that it is at least possible for independent operators to answer such questions.

    1. Charlie Clark Silver badge

      Re: If

      A network-traffic observer should be able to demonstrate this fairly easily.

      1. jezza99

        Re: If

        Not if the data is transferred within the computer, and then encrypted before it hits the wire.

        1. yetanotheraoc Silver badge

          Re: If

          Ha, no wonder Windows Update takes so long.

    2. dkloke

      Re: If

      Hoping you're not a windows user, since Microsoft Edge is easily seen in the Task Manager app. By calling up Task Manager immediately on startup (Ctrl-Shift-Esc) one can see msedge.exe (Microsoft Edge) starting as a console process from explorer.exe (the Windows file manager app).

      Knowledge is developed from observations, so without looking, one will not see what there is.

    3. Rich 2 Silver badge

      Re: If

      "The great thing about FOSS is that it is at least possible for independent operators to answer such questions"

      The thing is, and this has been pointed out many times in the past, in theory FOSS code is there for anyone to scrutinise.

      ...but almost nobody bothers. Ever.

  3. Magani
    Happy

    Keeps one on Edge.

    "...every time Microsoft's flagship Edge browser starts up, it helps itself to open Chrome tab data..."

    I knew there was a reason I only opened Edge in the Sandbox (There are some sites that don't like Brave).

    1. Mage Silver badge
      Facepalm

      Re: Keeps one on Edge.

      I wonder why anyone installs Edge on Linux?

      Microsoft Edge browser is now based on the open source Chromium browser and available on Linux. Learn how to download and install it on Ubuntu, Fedora, and other Linux distributions using .deb or .rpm files, or via command line. Find out the advantages and benefits of using Edge on Linux.

      I use Chromium if Firefox doesn't work.

      1. Greybearded old scrote

        Re: Keeps one on Edge.

        And go through the preferences switching off all the 'phone home' features I can find. On both.

      2. Yankee Doodle Doofus Bronze badge

        Re: Keeps one on Edge.

        I use Edge in Linux for work, which amuses me every time I launch it (Flatpak version only, so I can sandbox it to some extent). I manage a Windows-based network and Microsoft 365 tenant, and the integration of some 365 stuff into Edge can be helpful at times. For anything personal I'm a Firefox user, or in cases where a Chromium-based browser is needed, I'll use Ungoogled Chromium. This arrangement also helps me keep work and personal stuff separate.

      3. imanidiot Silver badge

        Re: Keeps one on Edge.

        I've usually decided a site is not worth it if it doesn't work in Firefox.

      4. Ethan Strongtower

        Re: Keeps one on Edge.

        Unfortunately, I use Edge on Ubuntu due to the intersection of text to speech and shared history, favorites, etc. across devices. As far as I know, the text to speech capability of Edge is unsurpassed on mobile. On desktop, there are text to speech options in other browsers, but I would lose the shared history, favorites, etc. with my iPhone. Moreover, even though Microsoft removed Edge’s integrated TTS on its Linux version some time ago, the API is still present and accessible via extensions that produce more realistic speech than in Chrome or Firefox.

        If there is a better approach, I would be grateful to learn it because I would love to escape the thrall of Microsoft.

  4. thondwe

    Big Problems?

    Given that you've got an OS full of Apps that can do all sorts of queries of the data stored/used by the user, (see the MS 365 portal!) would think that a bit of tab sharing is the least of the problems - if you want proper isolation use a sandbox, separate machine etc.

  5. andy the pessimist

    does this only occur within the same account?

    Within the same account/directory this is probably OK. If this is global/multiple accounts then it is wrong.

    I prefer Firefox.

    1. BenDwire Silver badge

      Re: does this only occur within the same account?

      I prefer Firefox too, but more and more sites don't work correctly with it, especially banking ones (e.g. Barclaycard)

      I resort to using Brave on those sites, but have no intention of letting Edge near my Debian box ...

      1. Ayemooth

        Re: does this only occur within the same account?

        I realise I'm just a sample of just one, but the Barclaycard site works fine for me on Firefox.

        I'm not sure I'd pick Brave as my backup browser, more likely Vivaldi.

        1. BenDwire Silver badge

          Re: does this only occur within the same account?

          Interesting, thanks. I'll have to have a dig around and see what's playing up then. Most of it works, but for some reason I haven't been able to download a .csv of my transactions for months now.

          1. Sudosu Bronze badge

            Re: does this only occur within the same account?

            I use QubesOS for most of my web browsing now (though I still have a Windows box just for gaming only)

            You can fire up one disposable VM , do your Amazon , fire up another to do your banking, fire up yet another to do general surfing.

            None of them will share data with each other and when you close a VM's window, it is gone for good along with any cookies or downloads.

            It's a bit of a different mind set but once you get used to how things work it's very simple to operate.

        2. Anonymous Coward

          Re: does this only occur within the same account?

          Urgh Vivaldi. On Android no way to get rid of the bottom bar.

          As a long time Firefox user, have to agree more sites do not work, and a second browser on hand is required.

      2. Ramis101

        Re: does this only occur within the same account?

        I use Firefox and visited Barclaycard only the other day. It was fine. What is broken for you?

        I'm currently using 102.9.0esr (64-bit), as updates are so frequent and bloody annoying I disabled them & only update FF when something breaks...

      3. Rich 2 Silver badge

        Re: does this only occur within the same account?

        I don't think I ever have any issues using Firefox. And I have all sorts of anti-crap plugins running

  6. Andy The Hat Silver badge

    At what point does the license agreement for the suspected update (perpetrator of this behaviour) state that this is a valid thing to do - not only where in the agreement but at what point in time is it presented to the user? Would that be a "fair" or legitimate clause in law? After all, if I wrote a clause for a package that, half way through the "essential security update" said in paragraph 7.6 of a linked license agreement "I will take any data I want from any apps on your machine and save it to my remote server" I believe (and hope) it would be thrown out of court as "unfair terms and conditions" at the very least, a potential violation of the Computer Misuse Act, or GDPR at worst (as I wasn't clearly consenting to that behaviour).

    Be an interesting one ... do I feel a visit to an Irish Court coming on?

    1. Greybearded old scrote

      Yeah, right

      Good luck with that.

      1. Necrohamster Silver badge

        Re: Yeah, right

        Look at any industry regulator in Ireland and you'll see the same blend of incompetence and disregard (some might say contempt) for the best interests of the public.

        Criminals must be drooling at the thought of the EU Anti-Money Laundering Authority being located in Dublin.

    2. IGotOut Silver badge

      EULAs cannot override the law in any shape or form in the EU, despite what they may pretend.

      It's now different to the extended warranty scams that just cover your normal rights.

      Now the USA .....

  7. Neil Barnes Silver badge
    Big Brother

    Remind me again

    why any OS anywhere needs access to user data, be it browser history or documents or anything?

    1. theOtherJT Silver badge

      Re: Remind me again

      Well, the OS is responsible for managing that data. It opens and closes file handles if nothing else.

      Now, if what you mean is "Why is it parsing that data?" there might be legit reasons for that. Search indexes for one. The problem here is that we just don't trust Microsoft to take proper care of the data that it has visibility of. The OS is a bit like a sysadmin. You would not believe the power a sysadmin has in most places if you've never been one. Your OS can go poking through your data, it can arbitrarily move things. It can erase the logs that it ever did anything wrong.

      It's a huge amount of power and requires a great deal of trust. Once that trust is broken, you have to fire your sysadmin.

      ...or get a new OS.

    2. I could be a dog really Silver badge

      Re: Remind me again

      Did you miss the memo about us users being the product now - ripe for monetising. Everything now is about stiffing the users in order to benefit the corporate bottom line.

      The thing is, I think many people now (and more as they wake up to the reality some of us have been predicting for a loooong time) would be prepared to pay to opt out* of all this. But the corporates are abusing their market power by removing these options. On that, Adobe led the way by removing all perpetual licensing and hence forcing creatives onto the subscription treadmill. Microsoft has a de-facto monopoly on business desktops and supporting services - and has been using that power to shove everyone onto subscription. And of course, FaecesBorg has led the way in "free but we'll sell you into digital slavery" making Google look like amateurs.

      But if these outfits did offer a paid for, slurp free, option - how on earth could we trust them when we keep hearing how they say one thing, offer switches to turn stuff off but actually still do it, and generally use every trick in the book (and some more that haven't been written about yet I imagine) to slurp our private data regardless of our wishes ?

      * Not that having to opt out should be the default position.

      1. Greybearded old scrote
        Linux

        Re: Remind me again

        You don't even need to pay, except in time to relearn. Mostly that is, there are some use cases that the free world doesn't cover yet.

        1. I could be a dog really Silver badge

          Re: Remind me again

          Everything needs to be paid for somehow.

          Unless it's something that someone is happy to pay for out of a sense of public spirit*, then it needs paying for either directly or indirectly. At present, the indirect route (advertising and mining your personal information) is in fashion as too many people have fallen for the "everything is free" view of the internet.

          * I have a small website, low traffic, that I started as a source of information in a particular field when it was hard to find and guarded by the trade who wanted you to be reliant on buying services from them. It doesn't cost much, I have no advertising on it, so I pay that cost.

          1. Greybearded old scrote
            Facepalm

            Re: Remind me again

            You've not heard of any Free (both Libre and Gratis) operating systems then?

            You can find a whole bunch reviewed on a site not a million miles away.

            1. I could be a dog really Silver badge

              Re: Remind me again

              You've not heard of any Free (both Libre and Gratis) operating systems then?

              Yes, and I use some of them, and applications. But what you are missing is that they did not create themselves out of nothing - it costs people time to create them, it costs (in real money) to have the infrastructure available to get copies of the bits from them to me, and so on. Way back, user groups used to have libraries - you posted in floppy disks (with return postage), they copied stuff onto them and posted them back. It cost the volunteers time and money (e.g. in having the computer available, wear and tear on it, electricity to run it) to do that.

              As I said, there really isn't much, if anything, that is actually totally free - as in "no-one anywhere had to pay anything whatsoever". Where it is really free to the end user, it's either because someone pays for it out of a sense of public spirit, or it's being paid for in some other way (such as mining your data and selling you to advertisers).

          2. Necrohamster Silver badge
            Windows

            Re: Remind me again

            "Everything needs to be paid for somehow."

            You paid for your copy of Windows when you bought your computer (or your employer did as part of a volume licensing deal).

            As far as I'm concerned, Microsoft isn't entitled to any extra compensation in terms of data/money/firstborn child/etc after the initial purchase (or outside of your employer's licensing deal).

    3. Ken Hagan Gold badge

      Re: Remind me again

      Where does the OS come into it? The article claims that one instance of Chromium (branded Edge) is trawling the open tabs (each of which is a separate process) in another instance of Chromium (branded Chrome).

      I wouldn't be at all surprised if there was a Chromium mechanism for trawling "all open tabs" and not terribly surprised if it can't distinguish between Edge and Chrome. That would make this a legitimate trawl implemented carelessly.

      1. Necrohamster Silver badge

        Re: Remind me again

        "...I wouldn't be at all surprised if there was a Chromium mechanism for trawling "all open tabs" and not terribly surprised if it can't distinguish between Edge and Chrome. That would make this a legitimate trawl implemented carelessly."

        I know that Hanlon's Razor says we should never attribute to malice that which is explained by stupidity, but when it comes to Microsoft and Google collecting user data we should assume they're working with self-serving motives unless the opposite is proven.

  8. theOtherJT Silver badge

    "Hostile Environment"

    Do application and system designers now assume Windows is a hostile environment, like the open internet, where data security has to be the responsibility of each product and service?

    Yes. Yes they do. And they have for a while.

    1. OhForF' Silver badge

      Re: "Hostile Environment"

      As other commentards already have pointed out there is not you can do to secure data in the application if you can't trust the OS.

      The only meaningful thing to stop the OS from snooping you can do as an application developer or system designer is not asking for any data you do not absolutely need for your use cases - unfortunately even that is not happening all that much.

  9. Snake Silver badge

    Not just a Microsoft problem

    If the industry is going to address this issue then (we) need to go beyond just yelling about Microsoft and actually call it out wherever it occurs.

    For example: Edge on Android attempts to contact over 15 different websites and IP addresses upon activation and each use. Yet Brave, a browser that claims "privacy!", contacts Wikimedia, Yahoo, Amazon AND Facebook's Instagram on EVERY restart, leaking at *minimum* your IP address and therefore your rough geolocation to these people without your consent.

    So stop yelling "wolf!" just at MS and really target the topic industry-wide as it should be.

    1. Knightlie

      Re: Not just a Microsoft problem

      I'm constantly baffled as to why people use - and shill - Brave as much as they do.

      1. Snake Silver badge

        Re: Not just a Microsoft problem

        I'm trying Brave (from FF) and have the attempted contacts I listed firewalled from the app. Still, any alternative recommendations would be appreciated!

      2. 43300 Silver badge

        Re: Not just a Microsoft problem

        Probably because it's the best of the main Chromium-based browsers (often needed given that a lot of websites and SaaS services are clearly not tested in anything else).

        Which certainly doesn't mean it's perfect of course. Can anyone recommend one which is better on privacy?

  10. MtK

    Is it something more benign like behaviour within Chrome/Chromium itself? From what I remember latest Edge is based on Chromium.

  11. Bitsminer Silver badge

    Coprolitic

    A new word every day.

    1. Munehaus

      Re: Coprolitic

      It's a perfectly cromulent word.

      1. HuBo Silver badge
        Holmes

        Re: Coprolitic

        Fossilized enshitification ... a great find on the prehistoric behavior of a corporate dinosaur!

    2. Pomgolian
      Holmes

      Re: Coprolitic

      No shit!

  12. Anonymous Coward

    This is not the first, or the worst they've been caught being grabby, even recently.

    read all your email from third party services

    https://www.heise.de/en/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9608798.html

    (and a litany of others left out, but e.g. practically forcing Microsoft accounts on most users to link data, `telemetry', et al)

    Is it detestable behaviour, of course; but this is a tech site, not the Guardian, and everyone here are all capable of using today's alternatives. I've played a regrettable part in that, though I also need a paycheque and at least for now that's through a -1.0% R&D MSP barely capable of thinking anything not a default.

    But to those who can, and if you don't like it, and won't change anything for yourself, and keep enabling them (or google, s/facebook/ et al), then sorry but don't expect the Hungary of data protection commissions (Ireland) to set any protection standards for the consumer. Some things are your own responsibility, and opting out of that is a checking in of your adult card. Perhaps you think that's fine, but then, someone else gets to make the decisions for you.

    And if you don't think that's fine, I'm not saying exactly you need to think different (they're only a drop in share price from being the same), but it is time to think.

    1. I could be a dog really Silver badge

      Ah yes, SWMBO uses Windoze and it's recently "upgraded" her to Outlook - though to be fair, a slate tablet would be an upgrade from the old Mail. But one of her accounts didn't work and popped up a message - basically "allow us to slurp everything" - and if you don't agree, the account doesn't work. AFAIK, this is expressly illegal under EU and UK law. Not that I expect our ICO watchpuppy to do anything about it. And the EU regulators may well do something, but will take a decade to do anything which in the meantime means MS can carry on regardless.

  13. Bebu
    Big Brother

    Well now I know....

    Never seem to have enough teaspoons...

    Now I know who is responsible for their disappearance.

    Who would have thought MS was wall to wall koutaliakleptics.*

    *I hope this isn't a word. What a world we live in if it is!

    1. collinsl Silver badge

      Re: Well now I know....

      > koutaliakleptics

      Currently you're the only google result for this word so it looks like it isn't.

  14. DS999 Silver badge

    Imagine if this was allowed with no consequences

    What would stop them from next grabbing your tax data from Intuit or Quicken? Or the fact you are scheduled for a cancer procedure from your calendar? Your operating system is exposed to a lot of personal information.

    And Windows isn't even the biggest source. If Microsoft can get away with it, what stops Google from doing it next? Imagine the troves of data contained within your phone's social media app, your banking apps, your health related apps. I'm sure they'd love to poke around in that, and Microsoft getting a pass on this would be a big step down the path of regulators looking the other way at Google doing even worse.

    1. Benny Cemoli
      Big Brother

      Re: Imagine if this was allowed with no consequences

      ". . . what stops Google from doing it next?"

      And how do we know that Google doesn't do the same thing already but doesn't give the game away by stupidly opening your Chrome browser with updated Edge bookmarks and tabs.

  15. Rol

    MS ready! Apple set! Google go! Queue Arnold! And action!

    Remember the bit in Terminator 3 where they hunker down in a nuclear bunker that is splattered with really aged computers safe from the menacing AI that wants to kill them.

    Well, get prepping kids, 'cos the only safe computer is the one not connected to the internet, so load up on all the games and stuff you need to see yourself through to retirement and beyond now, and then pull the Lan cable out for good.

    Sure, have a kamikaze PC/ phone to keep accessing the internet, but keep that a million miles away from your treasure trove of distractions crucial to your sanity.

    1. druck Silver badge

      Re: MS ready! Apple set! Google go! Queue Arnold! And action!

      BBC Micros at the ready, sir.

  16. Ian Mason

    Anyone who needs to ask the question "is Microsoft Windows a trustworthy operating system?" clearly hasn't been paying attention. That question was answered in the negative a long time ago.

    1. Knightlie

      Microsoft have NEVER been trustworthy. Anyone who has read about or lived through their history and paid a lick of attention knows this. Gates and Ballmer were car salesmen, not tech luminaries.

  17. The Central Scrutinizer

    , it would betray a hierarchy of horror that goes well beyond browser burglary to asking fundamental questions of Windows as a trustworthy operating system.

    No shit. Since when has Windows ever been a trustworthy operating system?

  18. Innique

    I don't think anyone cares, but the amount of insider information I had on an account say an AWS or Google account was anticompetitive, I am talking way beyond Hard Hanks, Rainmakers, Star Reports. It's all about data and that data is for sale and MS can afford it even if they don't have it in house. You want to break in an account use your ownership in LinkedIn and hire the guy that has the connections. Goes way deeper on the anti competitive level that the customer has no idea about. You think that is the reason why the CEOs of Tesla and Google aren't on LinkedIn....asking for a friend.

  19. yetanotheraoc Silver badge

    Updated punctuation - FTFY

    That's not the web you're browsing. Microsoft: That's our data

  20. AlexanderHanff

    I don't use Windows but...

    If Microsoft are indeed hijacking data from other browsers this would be a breach of Articles 5(1) and 5(3) of 2002/58/EC (also Regulation 6 of the UK's PECR and Section 3 of the UK's Investigatory Powers Act). So in the UK someone should file a criminal complaint for the breach of IPA and a complaint with ICO for the breach of PECR, in the EU someone would need to complain to the competent supervisory authority for 2002/58/EC which will either be the same Regulator responsible for GDPR or the Telecoms Regulator, depending which Member State the person is in.

    Sadly, because I do not use Windows, I do not have standing to file the complaint myself.

  21. Anonymous Coward

    With so many corporations dumping their secrets onto Sharepoint, honestly, who would be surprised if MS is attempting to mine that content to play the stock market.

    After all, anything flagged as Highly Confidential immediately highlights which files are of interest.

    Integration has its place but there are reasonable limits.

    1. 43300 Silver badge

      In the M365 licensing options, a new tick box has recently appeared: 'Commercial data protection for Microsoft Copilot'.

      Whether ticking this means that they won't slurp data to train their models...

      Interestingly, this one was unticked by default, unlike most of the crap they add in the licensing options periodically - they are normally auto-enabled.

  22. HenryCrun

    Edge has been harvesting for some time

    A while ago I watched Edge using Wireshark as on loading it queried my LAN and reported home upon every device connected. Considering that the default settings includes "let edge pre-load to make your life super wonderful" (or something like that) the spying is starting the minute you boot up.

  23. Alan Mackenzie

    Inadequate snail's pace regulation.

    The problem here is that any regulatory activity to quash Microsoft et al.'s antisocial behaviour happens at a snail's pace. On some complaint being made on, say, data protection or competition law, it takes 3 years to "investigate" it, followed by another 3 years of "enforcement" attempts, by which time the original complaint has long lost relevance.

    What is needed is for the regulators to be able to issue orders for immediate cessation of the alleged breach, and THEN for the 3 year investigation to begin. If the regulator loses the case, no compensation should be due to Microsoft, etc.

    Then, I think, we'd see a lot less of what goes on today.

  24. imanidiot Silver badge

    Time to break out the 4% of revenue ruling of GDPR and start slapping Microsoft where it hurts (their bottom line). This is a very clear and unambiguous violation of EU GDPR rules

  25. Innique

    What the industry is doing essentially with the insider or access to massive amounts of data amounts to price fixing.
