The PC Security Channel (TPSC) analyzed Windows 11 and found it sends massive amounts of user data to Microsoft, as well as third-party ad companies.
TPSC is a YouTube channel dedicated to cybersecurity and privacy. The channel took a brand-new laptop that had never been used and used Wireshark to monitor the computer’s traffic, starting from the moment it was booted up.
Unsurprisingly, the computer immediately connected to a number of Microsoft services, including Bing, MSN, and the Windows Update service. While it’s not surprising a Windows machine would connect to Microsoft, it is surprising that the Bing traffic was happening without the web browser ever being opened or used.
Even more surprising, Windows 11 also connected to McAfee, Steam, and Comscore’s ScorecardResearch.com, to name just a few. The last one is particularly alarming, as it is an ad-tech company. In fact, when TPSC first tried going to the website to see what ScorecardResearch.com was, the channel’s browser adblocker would not even load the page since it is a known ad and tracking domain.
To make matters worse, Microsoft connects and sends data to these servers without expressly asking the user’s permission. Instead, the company relies on a vague clause in the Microsoft License Terms to constitute permission.
Privacy; Consent to Use of Data. Your privacy is important to us. Some of the software features send or receive information when using those features. Many of these features can be switched off in the user interface, or you can choose not to use them. By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features.
Tom’s Hardware reached out to Microsoft and was given the following statement:
“As with any modern operating system, users can expect to see data flowing to help them remain secure, up to date, and keep the system working as anticipated,” a Microsoft spokesperson said. “We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy.”
A legitimate case can be made for Windows 11 connecting to Microsoft services, but there is absolutely no valid justification for connecting to and sending telemetry to an ad-tech company.
Interestingly, TPSC ran the same test with Windows XP and found that it only connected to Microsoft update servers, greatly undermining Microsoft’s claim that Windows 11’s connections to third parties were necessary to “remain secure, up to date, and keep the system working as anticipated.”
As we have stated at WPN many times, there is NO EXCUSE for a company that charges handsomely for a product to then turn around and try to monetize its customers’ data, let alone try to do so without express and explicit permission. And no, a couple of sentences buried in a long, legalese licensing document that few people will ever read does not count as express and explicit permission.
Microsoft should be ashamed of itself for this behavior, and one can only hope this revelation will put the companies in the crosshairs of the EU’s GDPR.
In the meantime, TPSC’s question, “Has Windows become spyware?” is one that deserves an answer.