Is Microsoft Stealing Your Data? What You Need to Know
Reddit users think Microsoft may be recording their activities without their permission. But the explanation may be far less sinister.
UPDATED 11:20 a.m. EST Thursday, Dec. 13, with comment from Microsoft. This story was originally published at 11:00 a.m. EST Wednesday, Dec. 12, 2018
Is Microsoft spying on Windows 10 users who don't want to be spied on? Some Reddit users think so, but there may be an innocent, if confusing, explanation.
The April 2018 build of Windows 10 introduced the Timeline, a feature that lets you pick up where you left off when switching from one Windows device to another. You can browse websites and work on documents on one machine, then move to another machine and have the same stuff cued up for you when you log in. (MacOS has has a similar feature for a few years.)
To do this, Windows 10 sends a ton of data about what you're doing to up to Microsoft's servers so that those servers can sent that "Activity History" back down to you when you log into a different Windows machine.
MORE: The Best Free Antivirus Software for Windows 7, 8 and 10 PCs
Naturally, some people find this intrusive, and they make sure that the box marked "Let Windows sync my activities from this PC to the cloud" is unchecked under Settings > Privacy > Activity History. To seal the deal, they can also uncheck the neighboring box marked "Let Windows collect my activity from this PC", which seems to be checked on by default.
Yet this past weekend, Reddit user "a_potato_is_missing" noticed that even though he (or possibly she) had unchecked both boxes on his machine's settings, he could still sign into his Microsoft account online, navigate to the Privacy Dashboard, click the tab marked, yep, "Activity History," and see that he'd been running Microsoft Office, Forza Horizon 4 and Counter-Strike Global Offensive.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Mr. Missing Potato wrote that he was only able to stop this by using online tools to edit a Windows Registry key. That's not something we recommend your average Windows user do.
Over at our sister site TechRadar, Darren Allan was able to reproduce this issue. He noted that his Activity History remained in the online Privacy Dashboard even after he pressed the "Clear Activity History" button in his machine's Settings.
So what's going on? We don't know for sure, but Chris Hoffman at How-To Geek thinks the answer is both simple and stupid: The Windows 10 Settings Activity History isn't the same as the online Privacy Dashboard Activity History.
MORE: Windows 10 Will Show You Everything Microsoft Has on You
Hoffman points out that Windows 10 still sends Microsoft's servers telemetry data about your machine whether or not you've disabled Activity History collection in Settings. The telemetry data — how your machine is running, and so forth — is controlled by a different Settings menu, Settings > Privacy > Diagnostics and Feedback.
There are two telemetry settings. "Basic" sends Microsoft "only info about your device, its settings and capabilities, and whether it is performing properly." "Full" sends all that plus "info about the websites you browse and how you use apps and features" — which sound a lot like Activity History cloud syncing.
But it's probably not the same thing. Microsoft has a rich history of building overlapping, parallel and contradictory settings, as anyone who's tried to get a wireless headset working on a Windows conference call, or tried to get a child's Xbox Live account working properly, can testify.
Hoffman's theory is that the Activity History you're seeing in the online Privacy Dashboard is collated from the telemetry data gathered by Windows diagnostics, not from the Activity History in Settings. Anyone who's got the diagnostics set to "Full" is also sending their application usage history, which then shows up on the Privacy Dashboard.
Over at TechRadar, Darren Allan countered that his machine had diagnostics collection set to Basic, "which doesn't allow for sending info about the apps used, websites visited and so on." He implied that he was still able to see "apps used, websites visited and so on."
Is Allan right about that? In the Diagnostics menu, the explanation next to the Full option does say that information sent upstream includes "how you use apps," while Basic is supposed to "send only info about your device." But "how you use apps" may not be the same thing as "which apps you use."
From our somewhat limited experience, basic telemetry data usually includes a list of which processes are active on a device. After all, you'd want a snapshot of exactly what was running if a machine were to crash or freeze up. Those processes would naturally include applications, especially system-taxing ones like Forza Horizon 4.
That would explain why both we (using a personal Microsoft account not linked to our office work machine) and a_potato_is_missing could see a list of applications used in the online Activity History.
However, browsing history is in a different tab, the Overview, along with Search History and Location History — and, perhaps contrary to Allan's experience, there was nothing listed in any of those categories on our own account.
On an explainer page, Microsoft says that browsing history in the Overview "only appears if you enable Cortana in Windows, turn on browsing history in Cortana [and/or] enable Cortana in Microsoft Edge." We've done none of those.
It's possible Cortana (though unlikely) that is gathering Allan's browsing history without his knowledge. It's also possible that Microsoft really is hoovering up all this data without your permission.
But it's more likely that this is a typical Microsoft duplicate-settings mess, with the using accompanying explanatory language that doesn't explain enough. That would make sense — if you're Microsoft.
UPDATE: "The same term 'Activity History' is used in both Windows 10 and the Microsoft Privacy Dashboard," Microsoft said in a statement provided to Tom's Guide. "Windows 10 Activity History data is only a subset of the data displayed in the Microsoft Privacy Dashboard. We are working to address this naming issue in a future update."
The company confirmed that users concerned about privacy should not select the "Let Windows sync my activities from this PC to the cloud" option in the Activity History area in Settings>Privacy, and should make sure that diagnostic telemetry is set to Basic in Settings > Privacy > Diagnostics & Feedback.
In Activity History, you can disable both options so that both "Let Windows sync my activities from this PC to the cloud" and "Let Windows collect my activities on this PC" are simultaneously unchecked. In Windows 10 build 1809, the October 2018 update, these two options are relabeled as "Send my activity history to Microsoft" and "Store my activity history on this device".
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.