534 Ways that Windows 10 Tracks You – From German Cyber Intelligence

Posted on Nov 28, 2018 by Derek Zimmer

The German Federal Cyberintelligence Agency BSI has released a report (PDF warning) (sections 1.2 and later are in English) that details the myriad ways that Windows 10 tracks users, and shows that unless you have an enterprise version of Windows, the various privacy settings make almost no difference.

Only Enterprise Versions of Windows 10 Can Shut it Off

Normal versions of Windows only have three different levels of telemetry. The BSI found that the difference between Basic and Full tracking is 503 and 534 tracking processes. The only real reduction in telemetry comes from enterprise versions of Windows which can use an additional setting, “security” for their telemetry, which reduces the number of active trackers to 13.

This is the First Deep Dive Into the Processes and Windows Registry for Telemetry

The analysis is highly detailed, and maps out the Event Tracing for Windows (ETW) system, how Windows stores the telemetry data, how and when the data is uploaded to Microsoft servers, and the difference in the various levels of telemetry settings.

It also goes as far as to show where the settings to modify the individual logging components are controlled in the Windows registry, and how they initialize in Windows.

Some interesting facts from the document:

  • Windows pushes your data to Microsoft servers every 30 minutes.
  • The size of the logging equates 12KB to 16KB per hour on an idle computer. (Which, for context, is roughly a copy Ernest Hemingway’s “Old Man and the Sea” every day, in data.)
  • It sends information to seven different locations. Including Ireland, Wyoming, and the small town of Boston, Virginia (near another famous IT place).

This is the first deep-dive I’ve seen where all of the different loggers are enumerated, as well as where the traffic goes and how often. The next logical step is to find out what is inside of those 300KB per day of data. I’d also like to see how usage of Windows Media Player, Edge, and other built-in apps impacts the data footprint and the number of active logging elements.

Mitigation is Difficult

There are endless discussions on Windows Telemetry and multiple guides on methods to fully disable it in the Sysadmin and Privacy communities.

As always, the best defense is to not use Windows. The second best defense seems to be to use Windows Enterprise where you can manually disable telemetry in an official way. The third best is to try blocking it by changing settings, registry keys, and modifying your firewalls (outside of Windows, because Windows firewall will ignore filters that block Microsoft Telemetry IPs) and also consider that it all gets switched back on with every major Windows Update.

VPN Service