In the past year, regulators and privacy advocates have taken potshots at Microsoft over its data collection policies. Today, Microsoft announced some new privacy-related initiatives, including a significant change to the way Windows 10 collects telemetry data.
To address criticism from regulators and public policy groups, Microsoft is making some changes in its privacy practices.
Of all the body blows Microsoft has absorbed in the past 18 months over Windows 10, the criticisms of its privacy policies have to sting the most.
Last summer, the French National Data Protection Commission (CNIL) issued a formal notice against Microsoft, ordering that the company "stop collecting excessive data and tracking browsing by users without their consent."
The CNIL found Microsoft's collection of diagnostic information (so-called telemetry) acceptable but said that the default settings for Windows 10 go too far. The complaint singled out Microsoft's practice of collecting information about app usage as "excessive."
A month later, the Electronic Freedom Foundation took aim at Windows 10 with a signed editorial criticizing the company for "disregarding user choice" and sending "an unprecedented amount of usage data back to Microsoft...." As I noted at the time, EFF was especially critical of Microsoft's telemetry collection policies.
After months of explaining and defending its policies, publicly and in meetings with regulators, the company today announced that it's making a series of privacy-related moves. Terry Myerson, who runs the Windows and Devices Group, made the announcement in a blog post:
Many of you have asked for more control over your data, a greater understanding of how data is collected, and the benefits this brings for a more personalized experience. Based on your feedback, we are launching two new experiences to help ensure you are in control of your privacy.
First, today we're launching a new web-based privacy dashboard so you can see and control your activity data from Microsoft including location, search, browsing and Cortana Notebook data across multiple Microsoft services. Second, we're introducing in Windows 10 a new privacy set up experience, simplifying Diagnostic data levels and further reducing the data collected at the Basic level.
The changes to Windows 10 will roll out initially in an upcoming Windows Insider preview build, perhaps as soon as this week, and will reach the general public with the release of the Windows 10 Creators Update this spring.
I haven't seen these features in operation yet. The descriptions in the remainder of this post are based on what Microsoft says it plans to deliver. The broad outlines shouldn't change, but you can expect the user experience to evolve before the final release, based on feedback from Windows Insider Program participants and third parties.
Unlike its predecessors, the Creators Update will not arrive silently in the background. Instead, Microsoft plans to notify Windows 10 users that the update is available and allow them to schedule its installation. As part of the process of scheduling that upgrade, users will have the opportunity to make "explicit choices" about privacy settings in five categories.
This is the new privacy settings setup experience that will arrive soon in a Windows Insider preview build, according to Myerson:
via Microsoft
This setup screen replaces the Express Settings in current Windows 10 public releases, which requires multiple extra steps to adjust default settings in a clean installation and offers no control over privacy options during upgrades. (To make matters worse, some users have reported that Windows 10 upgrades occasionally reset custom privacy options to their default settings after an upgrade.)
The new interface for setting privacy options also includes an explanation of what happens if you turn any of those settings off or, in the case of the Diagnostics setting, adjust it from Full to Basic.
via Microsoft
All of those settings, along with more granular controls (such as setting location permissions on a per-app basis) will also be available after installation, under the Privacy heading in Settings.
The changes to telemetry settings start with the renaming of the category itself, from Diagnostic and Usage Data to just Diagnostics.
In all public releases of Windows 10 so far, non-Enterprise editions allow users and administrators to choose one of three levels to control telemetry collection: Full, Enhanced, and Basic. The changes in the Creators Update will eliminate the Enhanced level and also reduce the amount of information collected when you slide that switch to Basic.
(In Enterprise settings, administrators will continue to have an additional Security option, which eliminates virtually all telemetry collection but requires the deployment of an alternative update mechanism.)
In an interview, Microsoft Corporate Vice President Michael Fortin told me that the Enhanced level was "confusing," and "only a relatively modest number of Windows 10 users were choosing it." Most people either leave the default setting at Full or signal their preference for privacy by switching to the lowest available telemetry option, Basic, he noted.
Effective with this spring's Windows 10 feature update, telemetry information collected at the Basic level will no longer include information about app installation or usage. Instead, Myerson says, information collected at that level will focus strictly on security and reliability, with basic error reporting. That change should assuage some of the concerns of the CNIL and other regulators as well as privacy critics like the EFF.
The new Windows 10 settings are available in all installations, regardless of what type os account the user has signed in with.
The privacy dashboard is a separate feature, designed to give users of Microsoft services the opportunity to see and edit information that is collected and stored in the cloud when they are signed in with a Microsoft account.
According to Myerson, the new privacy dashboard (which will be available at https://account.microsoft.com/privacy will allow Microsoft customers, regardless of hardware platform or operating system, to review and clear data such as browsing history, search history, location activity, and Cortana's Notebook. (Note that this data is associated with a Microsoft account and is not saved in the cloud when the user browses without signing in.)
via MicrosoftBecause this dashboard is web-based, it's likely to evolve significantly over time. In an interview, Myerson told me he expects his team to iterate on that user experience in response to feedback. "What we're learning," he said, "is that people don't always understand why something is being collected and what are the implications of clearing it out. We will continuously be improving."
On paper, Redmond can make a strong case that it has an economic incentive to protect its users' privacy. As I noted last summer, privacy should be a competitive advantage for Microsoft, especially when comparing its policies and practices to those of Google, whose entire business is built on collecting data from its users and turning it into advertising profiles.
Most of Microsoft's revenue comes from selling software licenses, cloud services, and hardware. A significant share of that business is with enterprise customers and government agencies that have a profound interest in privacy and security. Indeed, Microsoft has earned generally high marks for its handling of security and privacy issues in cloud services such as Office 365 and Microsoft Azure.
Where things get somewhat murkier is with products and services aimed at consumers and small businesses. Without transparency over exactly what information is collected and how it's used, the company remains vulnerable to accusations that it's spying on customers.
As Google and Facebook have proven, the most effective way to monetize personal information is through online advertising. Microsoft once had dreams of being an advertising powerhouse, which occasionally led to struggles between product designers and ad sellers.
But the company abandoned that strategic goal five years ago when it wrote off the acquisition of aQuantive and scaled back its advertising ambitions after five years of struggling. Today, the company's advertising business is healthy but relatively small and mostly intended to monetize strategic assets such as its Bing and Cortana search tools.
In Microsoft's most recent quarter, search advertising and other forms of online ads accounted for only about 5 percent of total revenue. Contrast that with Google, which earns roughly 90 percent of its revenue from advertising and depends on collecting massive amounts of data to power the ads that pay for Google Search, Gmail, and other free products
Without Microsoft's investments in those technologies, Google's dominance in search would arguably be a monopoly.
Still, even that small-by-Redmond-standards online search advertising business brought in about $1.4 billion in revenue in its recent quarter, up 40 percent over the previous year. Microsoft's ad business might be tiny compared to its rivals, but it's big enough for regulators and privacy advocates to worry about whether the company's data collection is being driven by its ad business.
Myerson tells me that they've shared details about its data collection practices with large enterprise customers and regulators. "That dialog is taking place in every country where we do business," he said. "We believe users have a right to privacy and users should have control over their data."
For consumers and small businesses, the new privacy dashboard offers more control over online data, but you'll have to take Microsoft assurances on faith when it comes to telemetry.
I asked Myerson whether Microsoft would consider contracting with an outside group, such as the EFF, to audit its data collection policies and offer an independent report.
"That's an interesting idea," he replied. "But various countries are going farther than hiring an audit firm. They're passing laws. We're making sure we're fully compliant with laws that affect Windows users."
At the International CES mega show in Las Vegas, virtual reality hardware makers moved the needle on both consumption and creation devices for formats like VR and 360-degree video. Specifically in the area of 360 video creation technology, we saw some impressive cameras at CES.
Insta360 Pro debuted an 8K camera that can also shoot 4K video at 100 frames per second. Slow mo, high res VR, anyone? The Insta360 also employs new H.265 encoding, which can deliver better video quality at the same bitrate versus H.264 compression. The camera is priced at $3,000, which is steep, but much more competitive than the $60,000 Nokia Ozo.
Ricoh added to its lineup of cameras with the Theta R, which can livestream in 2K resolution at 30 frames per second for up to 24 hours.
At $800 the Vuze Camera will finally begin to ship in March. Its compact size and price point will be good for brands and businesses that want to dip their toes into new content
VR and 360 content can be a powerful tool for companies. For example, Delta used a 360 image to show off its new Delta Premium offering. It drove 2,700 shares and 16,000 engagements. Click on the post below to see it in 360.
The hardware for VR and 360 video is one piece, but the technical and production component is equally as important. When it comes to producing 360 video, remember:
Resolution matters. Here's how you need to think of 360 video. Imagine standing inside of a globe and looking straight ahead. You're only consuming about a quarter of what is happening all around you. If the camera produces video at full HD, then what you're seeing is below standard definition (SD). The higher the native resolution, the higher the fidelity of the 360 experience. That's why cameras that produce in 2K, 4K, and 8K will be so important.
Editing content requires new templates. When you edit 360 video, you edit the equirectangular format of it, which is analogous to the Mercator projection of a globe. That means the size and placement of text will be very important. If you put text at the top of the screen, then it will wrap around the "north pole" when it becomes 360. Experiment with text size and placement and then save it as a template to return to for future projects.
Don't obsess over VR headsets for delivery. Both Facebook and YouTube support 360-degree video and a variety of online video platforms do as well. The equirectangular video is simply injected with a bit of code that allows the video player to interpret the video as 360-degree content. We know that VR headsets are poised to grow and cheaper options will democratize them, but in the meantime, you have options available through Facebook, YouTube, and enterprise OVPs
Did any of the CES announcements entice you to explore VR and 360-degree video?
After Consumer Reports found wild variations in the new MacBook Pro's battery life, Apple blamed the problem on a Safari bug.
Apple has issued a fix to a Safari bug that it blames for problems with the new MacBook Pro's battery life.
Consumer Reports has refused to recommend the laptop to consumers after its tests showed the battery life on the machines would last anywhere from 19.5 hours to 3.75 hours.
Apple said the findings did not match the results of its own tests.
Working with CR to understand their battery tests. Results do not match our extensive lab tests or field data. https://t.co/IWtfsmBwpO
-- Philip Schiller (@pschiller) December 24, 2016
Now, after reviewing Consumer Reports' diagnostic data, the Cupertino company says the problem can be attributed to a Safari bug that was triggered by the settings Consumer Reports used.
"We appreciate the opportunity to work with Consumer Reports over the holidays to understand their battery test results," said Apple in a statement to Consumer Reports. "We learned that when testing battery life on Mac notebooks, Consumer Reports uses a hidden Safari setting for developing web sites which turns off the browser cache... We have also fixed the bug uncovered in this test."
The fix for the Safari bug is currently only available to those who sign up for the Apple Beta Software program, but it will be a part of a broader software update available in a few weeks.
Luckily for Apple, Consumer Reports says it's re-running its battery tests after downloading the software fix and will give the MacBook Pros a recommended rating if the problem is resolved.
These models were the first MacBooks to not receive recommended ratings from Consumer Reports -- and they were the only laptops out of 140 tested that demonstrated such inconsistent battery life.
Apple made it easy to pair AirPods across all of its devices in a matter of seconds. But just because AirPods are made by Apple and integrated with Apple products, that doesn't mean you can't use them as Bluetooth earbuds with non-Apple devices.
You can pair AirPods to an Android phone, a PC, or your Apple TV with the same Bluetooth pairing method we've grown accustomed to -- and grown to loathe, for that matter.
Open the Bluetooth settings screen on the device you're going to use your AirPods with.
With the AirPods in the charging case, open the lid.
On the back of the case is a small button, press and hold it for a few seconds.
Once the indicator light between the earbuds begins blinking white, let go.
The AirPods will show up in the pairing menu on your device, select them and follow any prompts.
Naturally, if you aren't using an Apple product you'll lose out on some features. You won't have the simplicity of switching between devices or a battery indicator. But they'll still do the job. When I briefly connected a pair of AirPods to an S7 Edge, a double-tap on either earbud paused and restarted the music.
Repeat this process on each device you want to use the AirPods with. If you run into issues during the pairing process, Apple suggests opening the lid and holding in the button on the back until the indicator light blinks amber. Let go of the button, close the lid, and try again.
These are the first six apps I installed on my new MacBook Pro, from a text expander to a word processor, with four useful apps in between. All are free except the first, which costs only $5 and offers a free trial. Let's take them in alphabetical order.
aText
aText is a simple, text-expansion app that lets you create abbreviations for commonly typed words and phrases. With it, for example, I can type "@@" instead of my email address. Or "ty" instead of "thank you." It offers other features but it's worth the cost simply for a handful of keyboard shortcuts that saves me time each day.
aText costs $4.99 (£4.18 in the UK and AU$7.05 in Australia) and is available from Tran Ky Nam Software. You can try aText free for 14 days.
Making your own keyboard shortcuts in aText can save so much time.Photo by Matt Elliott/CNET
Chrome
It hogs more system resources than Safari, but I need Chrome because of its little favicons that let me -- at a quick glance -- make sense out of the dozens of tabs I have open at any given moment during the day. Until Safari adds favicons to its boring and uselessly gray tabs, I'm stuck with Chrome on my Mac.
Chrome is free and available from Google.
Dropbox
Apple is making strides with iCloud Drive, but I still can't quit my Dropbox habit. It remains my preferred method for moving files between my iPhone and Mac along with sharing files from my Mac to others. The Dropbox app integrates itself into Finder and adds a helpful menu bar icon for quick access.
Dropbox is free and available from Dropbox.com.
Dropbox is still a great way to upload files to the cloud and share them with others.
Photo by Matt Elliott/CNET
Flux
If you are enjoying Night Shift on your iPhone, then you'll like Flux for your Mac. It adjusts the color temperature of your Mac's display according to the time of day. So, cooler temperatures during the day when the sun is up, then warmer colors at sunset and even warmer at bedtime.
Flux is free and available from Download.com.
Itsycal
There are more powerful calendar apps than Itsycal, but I prefer Itsycal for its simplicity. It installs an icon in the menu bar that displays the current date. You can click on the Itsycal icon to see the full month. Itsycal also lets you link to the MacOS stock Calendar app and will display upcoming appointments, but you can't schedule appointments with Itsycal. That's fine by me since I like it just to be able to glance at my menu bar to see today's date.
Itsycal is free and available direct from developer Mowglii.
Itsycal is a very simple way to see your calendar.
Photo by Matt Elliott/CNET
LibreOffice
I need to work with Microsoft Word docs on occasion, and I think LibreOffice does a better job in approximating Word than Apple's Pages app. I don't use Word enough that I need to shell out forOffice for Mac, and the free LibreOffice is a suitable stand-in for Word if you don't need it on a daily basis (that's why God invented Google Docs).
LibreOffice is free as well as open-source, and available from The Document Foundation.
The critical vulnerability left Android devices open to denial of service and privilege escalation attacks.
Symantec
Google has resolved a dangerous Android vulnerability which allowed attackers to reboot Nexus devices into custom boot modes, leading to spying and remote attacks.
Patched as part of Google's January Android security bulletin, the flaw, CVE-2016-8467, grants cyberattackers the ability to use PC malware or malicious chargers to reboot a Nexus 6 or 6P device and implement a special boot configuration, or boot mode, which instructs Android to turn on various extra USB interfaces.
According to IBM X-Force Application Security Research Team researchers Roee Hay and Michael Goberman, who revealed further details of the vulnerability in a blog post, the flaw gives attackers access to interfaces which offer additional control over a compromised device.
In particular, the Nexus 6 the modem diagnostics interface is of concern as accessing this platform gives attackers access to the modem, which compromises "confidentiality and integrity," the team says.
Once an attacker has gained access to the modem they can intercept phone calls, for example. It would also be possible to sniff mobile data packets and grab information including GPS coordinates of the device for tracking, place phone calls, steal call information and either access or change nonvolatile (NV) items or the EFS partition of a device.
IBM says that if Android Debug Bridge (ADB) is enabled on the device, PC malware or a malicious charger can boot the target device with the special boot mode configuration. Once connected, the user is forced to accept the PC or charger permanently, a few commands are issued, and the device is rebooted.
"Every future boot from this point forward will have the boot mode configuration enabled," IBM says. This means the attack is persistent and no longer requires ADB to run, although it still requires USB access."
"Therefore, the attacker only needs the victim to enable ADB once," the researchers added. "Moreover, a lucky attacker might wait for the device to be in fastboot mode, which requires no authorization from the victim. This, however, is less likely."
If attackers have physical access to the device, they can also reboot it into the custom boot mode manually.
These issues are less severe on the Nexus 6P due to firmware protections, however, a quirk in the device type means attackers can open ADB sessions even if the mode has been disabled.
In addition, due to the inclusion of additional USB interfaces in both device types, attackers can also access other interfaces to send or on SMS messages and potentially bypass two-factor authentication, escalate privileges, change radio settings and access a wide range of mobile device features.
Google has now patched the flaw by forbidding a locked bootloader to boot with the dangerous boot modes.
In December, researchers revealed that a new variant of Android malware called Gooligan was exploiting unpatched vulnerabilities to steal sensitive user data.
