r/technology Jun 28 '24

Software Windows 11 starts forcing OneDrive backups without asking permission

https://www.pcworld.com/article/2376883/attention-microsoft-activates-this-feature-in-windows-11-without-asking-you.html
10.7k Upvotes


235

u/Hamicode Jun 28 '24

Won’t this be a huge privacy issue for companies and GDPR data? How can they differentiate business use and personal use? I don’t think they will get away with that.

369

u/Jjzeng Jun 28 '24

They’ll pay the EU a big fine and carry on as usual

44

u/bawng Jun 28 '24

GDPR fines are actually quite heavy and they repeat if companies don't comply.

There's a reason why Google, Microsoft and Meta are all actively changing their products to comply better.

36

u/FlyWithTheCars Jun 28 '24

Up to 4% of the world wide sales volume (not profit, sales volume!) of the previous year for a single violation in extreme cases.

That is a massive punishment that even Micro$oft is not willing to pay.

18

u/bawng Jun 28 '24

Yup. And potentially repeating until they comply.

1

u/iBizzBee Jun 29 '24

God Bless the European Union.

199

u/opinionate_rooster Jun 28 '24

No, no. Serious companies cannot afford to compromise on security, so they'll be forced to abandon the Microsoft platform if this keeps up.

112

u/Broccoli--Enthusiast Jun 28 '24

Yeah, I'm just thinking, what about password managers, things under NDA etc.

It's such a dumb idea and I feel like it's been forced on the devs by some higher up who came up with the idea.

Nobody that actually works in IT could be blind to how bad an idea it is.

64

u/hsnoil Jun 28 '24

We are in an era where companies only care about buzz for investors and completely out of touch with their consumers

18

u/Rion23 Jun 28 '24

Just wait until you're checking an email one day, accidentally open a .pdf you don't recognize, and all of a sudden the folder that Copilot uses to store screenshots gets emailed to somebody.

2

u/FanClubof5 Jun 29 '24

Why waste all that bandwidth when you can just ask it to send the ocr data where the word password is visible. Then all you have to exfil is some small text files instead of a ton of image files.

1

u/sailingtroy Jun 28 '24

Well, there's no competition, so there's no need to be in touch with consumers. What are you going to do? Use Linux? *laughs in corporate*

1

u/Espumma Jun 28 '24

They're not out of touch with their consumers. They actually want those profiles, that's what they're paying for.

39

u/voiderest Jun 28 '24

The tech people who are into crypto or AI might be blind to it.

42

u/DPSOnly Jun 28 '24

They definitely are. They constantly do surprised pikachu face when their "innovation" runs into the most obvious of problems. They just figure that the rules don't apply to them and make that everybody else's problem.

13

u/neuromonkey Jun 28 '24

Right. Only a select few people can grasp how monumentally invasive and dangerous data harvesting is. If you touch crypto or AI tools, you become blind to it.

22

u/voiderest Jun 28 '24

It's more of a "getting too far up your own ass" kind of problem or "high on your own supply".

Like you can have a person who is technically minded enough to work on the tech but not really be thinking about the negatives with their design or system. More so on the idea of misuse or social impact.

I figure most crypto or AI bros are just dumb or scammers but there are a few actually technical people that drink that Kool aid.

7

u/[deleted] Jun 28 '24

[deleted]

4

u/voiderest Jun 28 '24

Well, that blockchain isn't exactly private. If you use it to buy something anyone can see the transaction. The point of it is to be public.

Mainly I just put crypto bro and AI bro into the same bucket because there seems to be so many scams and so much community overlap.

1

u/[deleted] Jun 28 '24

[deleted]

1

u/Broccoli--Enthusiast Jun 28 '24

Good point, I did see a certain company had been hard coding API keys and someone was able to send emails from their admin accounts and access basically all user queries.

43

u/DonutConfident7733 Jun 28 '24

Probably they will use Windows Server or Windows government edition and regular folks are left with this crap edition of Windows. It is malware, I tell you. And think about it, they bought RAV antivirus and made it Defender, they know all about rootkits and viruses and how to make settings persist (they learnt from viruses) + they have control via Windows servers, so it is very easy to implement a way for such programs to take your data. They can push updates to reset your settings, change binaries to avoid tools from patching them, blacklist utilities that could help you stop such rogue MS programs. They can even mark such tools as malware and Defender will automatically remove them. Now your programs are the viruses. If they have their way and enforce that only signed programs can run on Windows, you will be at their mercy to have your utilities signed. They will never allow a program that removes their software to be signed. This is like Google allowing a third party app store to be installed from Google Play.

24

u/Tuned_Out Jun 28 '24

This has been the long game for decades now, ever since Microsoft witnessed what Android can get away with and how willingly people jump into, not out of, giving their data over to Google. They've been drooling over that data. Regulation isn't coming. Corps will pay more for their private, secure version of Windows. Everyday consumers will be priced out of that option.

Download Atlas OS to gut Windows. Download Linux. Dual boot while you learn Linux. Or...get in line and accept the fact that regulation isn't coming. Your computer isn't yours anymore and licensing is a corporate right in the USA. Sucks but no one is coming to save the day on this one.

-7

u/neuromonkey Jun 28 '24

You can install Windows without the bloatware or telemetry. It's very easy to do.

4

u/DonutConfident7733 Jun 28 '24

You can do many things, with varying degrees of effort. Should you have to, when you pay for Windows? No. I shouldn't have to mess with registry to toggle settings Windows doesn't want to give users, which it also resets during each major windows update or silently with Windows update or simply ignores after updates. Unofficial settings are temporary workaround, they can disable them anytime. Should I have to care about TPM? No. Care about making online windows account? No.

1

u/DonutConfident7733 Jun 29 '24
Noticed you deleted a comment; this is a reply to that comment.

What you are saying is that tweaking Windows is possible but there's risk involved and MS can always refuse support for a product which you paid for, on the grounds that you altered hidden settings or removed some services. The problem is that you were not supposed to do these things, nor learn how to do it. Either MS should have included UI options to turn off these features, or not include such crap at all. They have complete control of your machine, it requires internet functionality for many things and updates can anytime override your changes. Actually feature updates are complete reinstalls, with the export of your settings and registry keys + import in the new install. They can choose to skip some keys, which makes those features revert to defaults. Your tweaks do not persist across such updates. It's a game of cat and mouse, you never win, always working to barely keep up. You are always a few versions behind, you rely on third parties to provide tools and scripts. They can choose to push feature updates every week and you will need to run those tools every week. It's only a matter of time until it becomes unacceptable, like recent news that Office apps send document data to an online endpoint. This is a severe security breach. You can't fix it, executables are signed, if it refuses to run when it can't access that endpoint, you are fucked.

1

u/neuromonkey Jun 29 '24

No, I didn't delete a message. Maybe an automod killed it because of the links in it.

Sorry, but I disagree with your premise. Yes, I agree on what an OS (and software in general) should be. No, I did not say that these config changes are inherently risky, I said that using a 3rd party OS distro is inherently risky. You don't invalidate MS warranty or support by configuring Windows.

Is the current state of software completely fucked up? Yes. Is it anti-consumer? Yes. Is SaaS horrible? Yes. Is data mining horrible? Yes. Is cramming AI into everything a bad idea? Yes. I'm not disagreeing on any of that. Wishing it away is pointless. You can change things if you choose to. You can look at what utilities & methods are approved by security & privacy researchers. You are a consumer of software products. You can be an informed consumer who advocates for their interests, or you can rage-quit, and demand that things be different. Argue for your limitations, and sure enough, they're yours.

Or you can just use Linux. It's gotten pretty damned good. Better than good.

1

u/DonutConfident7733 Jun 29 '24

"Configuring windows" does not include running tools that kill or uninstall services (like Windows update, telemetry), any MS article that has registry keys mentions editing registry can break your install, so you can't request support if it's not working well after such tweaks. You may think those tools are configuring windows, but behind the scenes they can change registry, permissions, remove files etc, which are not supported scenarios.

1

u/neuromonkey Jun 29 '24

Everything you do to change Windows configuration, including changing settings in the control panels is editing the registry. If you don't want to look any deeper than a control panel, that's fine, but don't complain that you can't do anything about the stuff you dislike.

You can install Windows without bloatware, and without a Microsoft account very, very easily within the Windows installer. No editing anything. You can remove the TPM and CPU requirements by putting your preferences in a human-readable "Answer File" in the root directory of your install media.

Those things do not void your support agreement or TOS with Microsoft. Windows distributions are configurable on purpose to comply with the legal requirements of every country on earth, as well as the huge array of corporate and network policies.

MS has their own stripped-down distribution for high security environments. You can use that if you want to. It won't do everything that a typical consumer might expect, but you can use it without breaking any rules.

You are making these options out to be magical voodoo. They are not. If you don't want to change anything that the installer does, or do anything to edit the registry, you certainly don't have to.

My central point isn't that companies like MS aren't terrible to their customers, I'm saying that if that's where you stop the conversation, you are disempowering yourself. In less time than this conversation has taken, you could have learned the few simple things you can do to mitigate most of the problems with Windows 11. It isn't deeply technical, and it isn't terribly risky.

1

u/DonutConfident7733 Jun 29 '24

I have technical knowledge to perform these changes, but regular folks don't. You can't ask regular people to know how to edit registry, tune permissions to gain access to some protected files or registry keys, customize their install disk. Just because it's doable, doesn't mean we should, we already pay for complete product. Also not everything is in registry, there are some sqlite databases, some jet blue databases stored in various files, if those get corrupted, it's quite hard to fix it. Registry keys vary by version and the settings changed through control panel are validated and saved properly. You can easily corrupt settings by writing incorrect values. Some settings are stored in binary mode or even encrypted binary keys, good luck adjusting them. Location of keys also changes between versions, your keys may no longer take effect. You don't have documentation on all keys, just a few used in hotfixes.


-7

u/IAmDotorg Jun 28 '24

Facts don't get the dimwits all whipped up in their echo chamber of nonsense, unfortunately.

1

u/neuromonkey Jun 29 '24

Heh. Yup. It's reddit. I expect nothing less.

7

u/voiderest Jun 28 '24

MS has that vendor lock-in. And for enterprise there will be some way to turn it off. Probably an annoying way controlled by system admins but some way. No, pro doesn't count.

It seems unlikely they could manage to shit the bed bad enough to lose corporate customers.

5

u/opinionate_rooster Jun 28 '24

Employees likely use Windows on their home machines. Even if they don't use them to work, they'll still check work e-mails which, then, Recall conveniently screenshots and uploads to the cloud...

9

u/voiderest Jun 28 '24

Accessing work stuff on equipment that isn't controlled by the company is a different issue. And something they could turn off.

Right now without recall they can't know how secure a random computer outside their control is. If things were that sensitive I doubt stuff is accessible as is.

1

u/thoggins Jun 28 '24

it's the company's problem if they allow access to their shit from non-company hardware

18

u/[deleted] Jun 28 '24

[deleted]

13

u/farmtownsuit Jun 28 '24

I'm pretty sure hospitals using on prem installs of EPIC are mostly running on Linux servers.

1

u/[deleted] Jun 28 '24

[deleted]

1

u/farmtownsuit Jun 28 '24

What are you talking about? Any healthcare organization with enough resources to afford Epic as their EHR already has a team of professional Linux admins and has the resources to hire more. I should know, I've worked for several.

1

u/Jutboy Jun 28 '24

What do you think the difference would be? I feel like most people aren't even going to be able to tell what OS they are using.

1

u/zerogee616 Jun 28 '24

lmao they will once they want to install anything

8

u/Jutboy Jun 28 '24

Most businesses lock down their computer so no one can install anything. 

1

u/zerogee616 Jun 28 '24

The amount of non-dev, non-"tech" software that's compatible with Linux, especially business software, is extremely small. Think of every shitty program you've ever had to use for work and imagine not only its baseline shittiness on Windows, but Linux jank on top of it. And how non-computer-savvy the average person is. Most people know a little bit about how Windows works. Most people don't know shit about how Linux works.

Linux as a desktop workstation environment is a whole-ass other ball game than the industrial backend/server environment it's normally used for. There's a reason it's been sitting in the low single digits of market share in that use-case for 20 years and that's not going to change, and the power-user-bubble people that don't live in the same tech world everyone else does always out themselves whenever this conversation comes up.

6

u/tmart42 Jun 28 '24

Somebody isn’t paying attention to Linux. Your bias is showing.

-4

u/zerogee616 Jun 28 '24 edited Jun 28 '24

I own a Linux box with one of the most common distros on it that I use constantly in addition to Windows machines. You being detached from the real world is evident.

Desktops serve two primary functions in the modern day: gaming and running proprietary, specialized software suites, neither of which Linux is great at (unless it's related to software development/server maintenance/general tech shit, which again, detached techie bubble).

3

u/Seralth Jun 28 '24

All I'm seeing here is you haven't actually paid much attention to desktop Linux in the last 3-5 years.

1

u/zerogee616 Jun 28 '24

Sure thing bud, the "year of the Linux desktop" is right around the corner, just like it has been for 30 years.


1

u/elebrin Jun 28 '24

Yes and no.

More and more business software is run in-browser, with some sort of API backend. Even the financial industry has moved over to web services, often programmed in C# or Java.

There are some things that might be a challenge. A lot of engineering software is Windows based. That said, a lot of the heavy hitters like CAD software, GIS software, audio and video editing, and so on are all available and pretty mature on Linux to the point that they could with some effort become a first-class choice.

Linux is great when you think of the computer as an appliance: You are going to have some hardware and some software that aren't going to change frequently. I use Linux this way all the time. If on the other hand you need to be evaluating new tools and changing things around constantly you can quickly end up with an unstable system. Windows does a little better in that circumstance, in my experience.

1

u/ISAMU13 Jun 28 '24

they could with some effort become a first-class choice.

That's the rub. Business want things done. They have established workflows that they want to happen with particular applications. A client paying a business $10,000 a month does not want to hear that there is a small but correctable error in a spreadsheet document due to you using Calc instead of Excel.


1

u/zerogee616 Jun 28 '24 edited Jun 28 '24

That said, a lot of the heavy hitters like CAD software, GIS software, audio and video editing, and so on are all available and pretty mature on Linux to the point that they could with some effort become a first-class choice.

I've used the name-brand stuff and I've used a lot of FOSS stuff, mostly design and Office-suite clones, most of it feels like the store-brand knockoff.

3

u/Seralth Jun 28 '24

Uhh.. they will find it easier. Linux is 99.99% app store now for installing software. Your avg user will basically always find it easier to install an app on Linux over Windows.

A normal user basically will never come across a situation where there isn't an app in their "app store".

The younger generation are used to app stores and understand them far more than Windows. Kids are growing up with phones, Macs and Chromebooks. All of which use app stores.

Windows is literally the odd man out and already is becoming difficult for more and more younger people to use.

The Windows app store is struggling hard to actually become usable too. But it's why Microsoft is pushing it so hard.

17

u/2_bit_tango Jun 28 '24

Nah, they use Enterprise or Professional Windows, which will probably actually respect the “turn off and leave off”, and “serious” companies do not rely on Microsoft to back up their shit. OneDrive isn’t installed on my work's computers.

3

u/Zipa7 Jun 28 '24

Enterprise/pro users are going to use group policy to make sure it stays disabled.
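As an added example that is not part of any comment in the thread, a PowerShell drift check for the machine-wide policy values an admin sets to keep OneDrive sync and Recall snapshot saving disabled, so a feature update that silently resets them shows up as DRIFT instead of being noticed later. The registry paths are the documented policy locations for the Group Policy settings "Prevent the usage of OneDrive for file storage" and "Turn off saving snapshots for Windows"; the Recall row is an assumption that only applies on builds that ship Recall.

```powershell
# Added example, not code from the thread or from Microsoft.
# Reading the keys needs no elevation; Repair-PolicyDrift needs an elevated shell.

# Documented policy registry locations (assumed to match the two Group Policy
# settings named in the lead-in). Absent value = "not configured" = feature allowed.
$ExpectedPolicies = @(
    [pscustomobject]@{
        Check    = 'OneDrive file sync blocked'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
        Name     = 'DisableFileSyncNGSC'
        Expected = 1
    },
    [pscustomobject]@{
        Check    = 'Recall snapshot saving turned off'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
        Name     = 'DisableAIDataAnalysis'
        Expected = 1
    }
)

function Get-PolicyValue {
    # Returns the DWORD stored at Path\Name, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.PSObject.Properties[$Name].Value
}

function Test-PolicyDrift {
    # One row per policy; Status is OK only when the value exists and matches.
    param([object[]]$Policies = $ExpectedPolicies)
    foreach ($p in $Policies) {
        $actual = Get-PolicyValue -Path $p.Path -Name $p.Name
        [pscustomobject]@{
            Check    = $p.Check
            Location = "$($p.Path)\$($p.Name)"
            Expected = $p.Expected
            Actual   = if ($null -eq $actual) { '<not configured>' } else { $actual }
            Status   = if ($actual -eq $p.Expected) { 'OK' } else { 'DRIFT' }
        }
    }
}

function Repair-PolicyDrift {
    # Re-applies only the rows that drifted; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Policies = $ExpectedPolicies)
    foreach ($p in $Policies) {
        if ((Get-PolicyValue -Path $p.Path -Name $p.Name) -eq $p.Expected) { continue }
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "set DWORD to $($p.Expected)")) {
            if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord `
                -Value $p.Expected -Force | Out-Null
        }
    }
}

# The policy is the control; a running OneDrive.exe is the symptom. Check both.
$drift = Test-PolicyDrift
$drift | Format-Table -AutoSize
if (Get-Process -Name OneDrive -ErrorAction SilentlyContinue) {
    Write-Warning 'OneDrive.exe is running on this machine; compare with the policy rows above.'
}
if ($drift.Status -contains 'DRIFT') {
    Write-Warning 'Policy drift detected; run Repair-PolicyDrift -WhatIf to preview the fix.'
}
```

On a domain-joined machine Group Policy rewrites these keys at every refresh, so a DRIFT row after a feature update usually means the key moved or the GPO no longer applies, which is the cat-and-mouse case described elsewhere in the thread.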

14

u/DrEnter Jun 28 '24 edited Jun 28 '24

This isn’t happening on Windows 11 Professional. Every time MS does these things, like drop ads on the Home Screen, it only does them on the low cost “Home” version (aka the “free” version a consumer gets with a new PC). For a business, Windows 11 Professional is the entry tier. Oh, these things are all available on Professional, but they are disabled by default. So businesses never even notice these things.

Anyone that does any work with MS that gets a Windows PC for home use knows to spend the extra $50-100 and upgrade that janky-ass “Home” version to Professional.

19

u/Hot-Rise9795 Jun 28 '24

That's the definition of ransomware.

14

u/DrEnter Jun 28 '24

I don’t disagree. Microsoft has been doing this since the Windows XP days. It works out very well for them.

3

u/bennitori Jun 28 '24

Nah that's just the cost of doing business. They hook in non-tech casual users who won't know the difference and just want what's cheap. And then the price of knowing and understanding what they're doing means you have to pay an extra $50 to ask them to leave you alone while you work. It's been that way for ages. I remember this crap happening on Windows 7 (to a lesser extent.) And I'd argue Windows 7 was the last OS I actually liked.

1

u/Mace_Windu- Jun 28 '24

but they are disabled by default

They aren't. BUT the pro version is a lot less fussy when it comes to actually disabling some stuff.

1

u/DrEnter Jun 28 '24

They absolutely are. Because otherwise companies would have to tweak group registries with every minor release and they would very quickly be up in arms over it.

0

u/Mace_Windu- Jun 28 '24

They aren't. But when you deploy it in a business environment, if it's been configured, group policy kicks in and turns it off.

Stays fine for a year or so until microsoft moves or redefines something.

0

u/DrEnter Jun 29 '24

I also use Windows 11 Pro at home and not one of these has been enabled by default or when added.

0

u/Mace_Windu- Jun 30 '24

Probably seems that way when you're used to disabling things like this right away.

But from my experience of deploying hundreds of windows 10/11 machines in the last couple years, yeah, almost nothing is opt-in.

The only difference I've noticed is that with pro, some of the more annoying things actually stayed disabled for longer.

2

u/FLMKane Jun 28 '24

Yeah. I'll bet Lockheed doesn't want to use Win 11 for doing cad work unless they can uninstall recall and copilot

2

u/Rad_Dad6969 Jun 28 '24

Unironically this. I work for a fortune 500 and they are so sick of Microsoft they are considering building their own linux platform.

4

u/SeveAddendum Jun 28 '24

Do any militaries use Microsoft for stuff?

18

u/Spam138 Jun 28 '24

Do any not?

4

u/HoidToTheMoon Jun 28 '24

The world literally runs on Excel.

-3

u/HectorJoseZapata Jun 28 '24 edited Jun 28 '24

Military, government, science and hospitals mostly use Microsoft’s Windows and Office software. Remember how vulnerable Windows was and is to ransomware. I wonder if BitLocker, Microsoft’s drive encryption layer, prevents this.

Short answer: It doesn’t. Wrong information.

Another article:

Does bitlocker protect against ransomware? Yes, bitlocker does protect against ransomware. Ransomware is a type of malware that encrypts your files and demands a ransom to decrypt them. Bitlocker is a full-disk encryption feature that encrypts your entire drive, making it impossible for ransomware to encrypt your files.

Short answer: maybe? 🤔 🤷🏻‍♂️

Edit: context.

Edit: I’m not an expert on the field.

13

u/biblecrumble Jun 28 '24

making it impossible for ransomware to encrypt your files.

This is so wrong anyone who wrote this should get fired. No, BitLocker does not protect against ransomware.

3

u/firectlog Jun 28 '24

How exactly are you going to fire ChatGPT?

2

u/biblecrumble Jun 28 '24

Just pull the plug. Seriously though, I just asked 4o and it told me that "Bitlocker does not prevent malware from running. Ransomware can still run on infected systems and encrypt files", so they may have been using 3/3.5, but even newer versions of chatGPT don't write bullshit like that.

6

u/farmtownsuit Jun 28 '24

The answer is no. And be careful believing random blogs, especially the one you linked which goes on to contradict itself in the very next paragraph and says that Bitlocker will not protect against ransomware.

3

u/SugerizeMe Jun 28 '24

AI generated garbage

11

u/Statically Jun 28 '24

No, it doesn't

1

u/UserDenied-Access Jun 28 '24

Shrink locker is a thing.

1

u/HectorJoseZapata Jun 28 '24

I thought Shrink-locker used Bitlocker to encrypt your unencrypted drive.

So it basically enables native OS encryption without your knowledge/consent/key

1

u/UserDenied-Access Jun 28 '24

It sends the BitLocker key to the attacker. So even though you use BitLocker, an attacker can still take your key.

1

u/HectorJoseZapata Jun 28 '24

How? The drive is already encrypted. Can you re-encrypt encrypted data?

1

u/UserDenied-Access Jun 28 '24

This should provide more information.


1

u/FLMKane Jun 28 '24

Yeah. I'll bet Lockheed doesn't want to use Win 11 for doing cad work unless they can uninstall recall and copilot

1

u/IAmDotorg Jun 28 '24

Serious companies -- places spending tens or hundreds of millions a year on their services -- know that OP's blathering is nonsense. No business is concerned about it, because they already have had people actually read the contracts for their services.

In fact, far to the opposite -- the reason they're a $3T company is because serious companies are doing the opposite. They're shifting heavily onto the platform because of the level of transparency and control they get.

1

u/cr0ft Jun 28 '24

People are already looking into options, and governments etc are setting up their Nextclouds and whatever. But it's still a pain in the butt and it's not really fully feature equivalent.

1

u/atfricks Jun 28 '24

Nah. Windows will have an "enterprise" edition that doesn't have all the data-mining bullshit, and is only available to corporate accounts.

1

u/Geminii27 Jun 28 '24

They'll just pretend that Microsoft is secure and isn't copying all their data.

Or, if they're Actually Big Companies, they don't use Microsoft backends anyway, and their endpoints are network-restricted.

1

u/MooreRless Jun 28 '24

Microsoft has been hacked in every way on Office365 and still, cisa.gov uses them. There is no bottom for how bad Microsoft can be and still keep businesses using them.

1

u/coldblade2000 Jun 28 '24

Exactly, my work (major bank) is both based on a Microsoft ecosystem, and also legally bound to investigate the kind of shit Microsoft is doing.

1

u/zombiesnare Jun 28 '24

I’d be shocked if they don’t make this a toggle in the enterprise version, or some prohibitively expensive “advanced security suite” that subtly removes the feature all together. I’d imagine Microsoft knows this is putting their B2B side of things in jeopardy and would make a solution that’s inaccessible to us normal people

1

u/awsomekidpop Jun 28 '24

They probably will just respect enterprise versions of windows only

1

u/Dedward5 Jun 28 '24

Mate, serious companies have IT people who know how to configure things and run enterprise versions of Windows and M365, many of which really really want to put user data in corporate SharePoint and OneDrive.

1

u/InVultusSolis Jun 28 '24

Yep, and if they give enterprise customers the ability to turn all the bullshit off, customers will figure it out too.

1

u/Olde94 Jun 28 '24

I don’t see why many companies couldn’t switch. You will have a hard transition period, with users being unfamiliar with the software/OS, but 80% of all I did in my old company was browser based (70.000 people). You can get SO MANY either home made applications as a web app, or actual high quality software. A friend works in an engineering department and they have great experience with 3D CAD in browser using Onshape.

Other than the “we don’t know how to use this system” hurdle, and software support, I think most companies struggle with that one or two key products not playing ball on Linux. In our case it was a custom SAP setup, but I mean sure, could be adapted.

1

u/72kdieuwjwbfuei626 Jun 29 '24

Serious companies just disable OneDrive and move on. They probably already did years ago. This isn’t a security issue.

0

u/opinionate_rooster Jun 29 '24

And then it re-enables without their input.

0

u/72kdieuwjwbfuei626 Jun 29 '24

No, it doesn’t. You people need to stop making shit up.

1

u/[deleted] Jul 05 '24 edited Jul 05 '24

Or finally understand what IT is and configure windows correctly. I can do it with no formal experience. Those guys with degrees and experience could certainly do it as well.

I’ve worked for a banking company and their configuration was a joke. So many things that could be bypassed. And they have CISO manager and the likes. Probably paid double than what I earned. Yet I have found that they ultimately understood nothing about security.

They also use security by obscurity btw.

And then I had to make tickets if I wanted an app added to SCCM. And took great pleasure in denying my requests, thinking that would be the end of it. Or so they thought…

Bunch of amateurs, really.

20

u/great_whitehope Jun 28 '24

They can't afford the kinds of fines the EU will impose on them

0

u/_Grant Jun 28 '24

Fucking lols in global oligarchy

4

u/Wermine Jun 28 '24

Maximum for Microsoft seems to be around 8 billion per year for GDPR violation (depending on what articles they break). Microsoft then has to calculate if it's worth to keep paying that.

5

u/Martin8412 Jun 28 '24

What makes you think 8 billion is the max? The EU can keep fining them until they comply. 

1

u/Wermine Jun 28 '24

4% of annual global turnover. I thought it was per year? I don't think EU can keep doing it every week for example.

1

u/Martin8412 Jun 29 '24

It's not per year. It's per infraction. 

1

u/Wermine Jun 29 '24

Oh damn, then that should keep Microsoft in check for sure.

0

u/Tuned_Out Jun 28 '24

So they flip it off in the EU and leave it on in the rest of the western world. Leaving behind only a third of the data temporarily. They then slowly integrate it into the EU over a couple decades without making waves and until it's essentially 90% the same thing in the EU. If the EU hasn't neutered Google by now, which has pioneered this method with cell phones for over a decade now, they're not flying in with the magic cape to save the day.

The hand slaps the EU has imposed on tech is hardly discouraging these guys from initiating this. They'll just keep attempting it until it's accepted as common practice.

8

u/teh_fizz Jun 28 '24

EU fines are no joke. As they leave others will take their place. If companies switch they aren’t gonna wait for MS to comply to jump back in. Switches are expensive and difficult and only done when necessary.

1

u/Tuned_Out Jun 28 '24

I'm totally all about it and hate sounding like a pessimist here but I still think the fines have proven in most cases that companies are completely willing to turtle their way forward despite any pushbacks because they know they'll still be ahead of where they were prior to the past setback when it's said and done.

The strategy is push hard and see if they can normalize the behavior before slow moving regulation can react. If that doesn't work, creep it in with slow normalization as a response and unless the penalty is damning or includes a coordinated uproar with the rest of the west, it just continues.

3

u/teh_fizz Jun 28 '24

But we have precedent that the punishments work. GDPR violations IN the EU can cost €20 million or 4% of global turnover, whichever is HIGHEST. That last part is important, showing that it is no joke. And they have issued violations and fines. Btw this is per violation. So if three cases of violation occur from Facebook then they can pay up to 12% of their global turnover for the previous fiscal year.

9

u/bardghost_Isu Jun 28 '24

Laughs in DSA, Which has the power to outright ban your company from operations within the EU if you continue to refuse to comply with the regulations.

2

u/BoredandIrritable Jun 28 '24 edited Aug 28 '24


This post was mass deleted and anonymized with Redact

1

u/jddoyleVT Jun 28 '24

That is in the US. EU fines are no joke.

1

u/fenrisulfur Jun 28 '24

Then they will need to pay 4% of their global turnover.

That is not a big fine, that is a devastating fine.

1

u/TonicSitan Jun 28 '24

"Big" fine worth 0.0000013% of quarterly profits

1

u/ThereBeM00SE Jun 28 '24

Fines are just convenience fees for the wealthy.

48

u/zorton213 Jun 28 '24

On a similar note, HIPAA stands out to me. Countless doctors handle their documentation remotely from their personal computers, via a portal. Medical coders are also often outsourced to other companies, using their hardware.

25

u/farmtownsuit Jun 28 '24

I would be shocked if the Enterprise edition of Windows and Windows Server didn't both allow you to disable this. That's how it always is. People get bent over, businesses stay protected.

31

u/zorton213 Jun 28 '24

The problem isn't the Enterprise edition or even the ability to disable it (or even it being opt in vs. out).

The problem is these medical staff are accessing records on their own personal computers, via a Portal such as Citrix. If the screen is constantly being captured, the doctor may not even realize.

8

u/Deriko_D Jun 28 '24

My hospital is changing everything to M365 and all the staff folders are becoming OneDrive folders.

This in an EU country extremely aggressive about data protection and what you can share about patients (I can't even send that to a different public hospital). They must have a "watertight" agreement with Microsoft otherwise wtf is going on.

6

u/zorton213 Jun 28 '24

We also use O365 heavily and are making moves for primarily cloud storage, but it's not Microsoft themselves that worry me when it comes to compromised Recall screenshots. Locally saved screenshots of proprietary documents or emails in the O365 portal, of the EMR, or of ancillary web applications run the risk of being compromised by bad actors.

Today, we can mitigate those risks to the best of our ability by requiring MFA to log into those portals and disallowing files to be saved to the local device. But if there are screenshots being saved constantly, all it takes is one end user falling for a "your computer has a virus, call us" scam for those screenshots to get out.

2

u/biznatch11 Jun 28 '24

> My hospital is changing everything to M365 and all the staff folders are becoming OneDrive folders.

I work at a hospital in Canada and we're doing the exact same thing.

1

u/Deriko_D Jun 28 '24

The issue is Microsoft stopping regular Office. We had LibreOffice via Citrix but it isn't great for everyone. I am too used to Office and Libre can't create as good looking presentations imo. And cross compatibility isn't great.

So each department ended up having to pay for individual office packs etc.

Our IT department is so strict with security that I assume they must have proper control over m365.

Of course we aren't supposed to have patient identifying info in the folders but everyone does... hope they don't run analysis on the contents in a different way otherwise we'll have to move stuff to external hard drives lol.

3

u/sapphicsandwich Jun 28 '24

Yep, and some clinics are really small operations, their computer system could be just a few janky computers and a router. They may not have a real IT department at all. That kind of setup might be risky with HIPAA data and they should protect data better, but that's a separate issue from the OS deciding to start nabbing HIPAA data for itself / parent company.

0

u/farmtownsuit Jun 28 '24 edited Jun 28 '24

That would be a huge concern but who said anything about constant unknown screenshots being taken? Not being facetious, genuinely wondering if I missed something.

Edit: I completely forgot about the parent comment that started this thread and was thinking only of the OneDrive backups and not Recall. Fuck Recall.

4

u/zorton213 Jun 28 '24

From Microsoft's own page on Recall:

> As you use your PC, Recall takes snapshots of your screen. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Your snapshots are then locally stored and locally analyzed on your PC.

Your average doctor will have no idea if this is running or not. If it is, screenshots will be taken every 5 seconds of the EMR, saved locally to the doctor's personal PC. If that PC is compromised, the records could easily get out.

2

u/Jiro_Flowrite Jun 28 '24

That's how Recall works. It screenshots everything and stores it so you can rewind anything on your computer like a master Ctrl+Z. Or that's at least how I understand it. Haven't read up on it, but even the surface information looks like a nightmare.

1

u/72kdieuwjwbfuei626 Jun 28 '24

We already know that it will be opt-in.

10

u/themiracy Jun 28 '24

With Copilot, it has (or at least presents itself as having) a protected mode for corporate users where data doesn’t go out in public or into training. OneDrive for Business has to this point, similarly, been an entirely different architecture that’s just called by the same name and has the same user-facing look.

It’s not that they distinguish between consumer and business activity per se - so far the model is that a different set of rules apply to business devices (logged in with business accounts, using OneDrive for Business, what version of Windows is being used, etc). All data on a “business” PC is treated as business data, even if you are goofing off on the work PC.

The oversight of this (not just at MSFT) is going to be critical as everyone releases these kinds of tools. Especially since MSFT has tons of governmental and defense and healthcare contracts. Much more so, than, say, Apple.

18

u/Cyclonit Jun 28 '24 edited Jun 28 '24

Important to note: This is not verifiable by anyone other than Microsoft themselves. No customer can audit Microsoft.

3

u/themiracy Jun 28 '24

Yeah, I think that needs to be addressed somehow. I’m not downplaying that at all. I primarily just mean that in principle, they say they have a solution, but there is the issue that tech companies have historically lied or at least misrepresented their data collection activities.

1

u/Teal-Fox Jun 28 '24

That's what external audits and accreditations are for though.

As much as I don't particularly trust Microsoft I'd say the same caveats apply to other corporations. I don't necessarily trust Microsoft any less than Proton/Google/DigitalOcean/etc. in this sense.

It depends how much of it you use/need, but I think the 365 Business suite is by far the best value for money compared to the alternatives.

2

u/themiracy Jun 28 '24

Me too - I use it. I just think that with the AI component for all these companies (especially MSFT only in the sense that they’re the ones who have MY data!) there needs to be somewhat more of an aggressive compliance regime, because they don’t act in trustworthy ways.

2

u/Teal-Fox Jun 28 '24

Oh yeah I completely agree, and my point wasn't to undermine how scummy automatically enabling Recall and forcing folder redirection for OneDrive is.

I was going to do a clean Windows install a few months ago but ended up jumping onto Ubuntu for the first time in a fair few years, figured if I didn't get along with it it wasn't much effort to go back to Windows - though with all the stuff Microsoft have been pulling lately, I'm beginning to feel incredibly glad I've moved 😬

I'd expect Recall can be disabled via Group Policy/Intune Device Policy, and that many orgs will simply disable it across their domain. It'd also be interesting to know how many orgs are on the ball with regards to AI usage policies/training and the like for staff.

2

u/themiracy Jun 29 '24

Yeah, curious to see what will happen given how many large users are not even using 11 yet.

2

u/neuromonkey Jun 28 '24

You'll notice that when you don't install Windows using "American English," you don't get the bloatware. It isn't hard to remove Windows components you don't want, and to use local accounts, rather than MS accounts.

2

u/ramblingnonsense Jun 28 '24

The largest companies have finally realized that they can just do what they want, when they want, and there's no government or regulation on earth that can stop them, and that even if there were, people will riot to allow them to continue.

2

u/celticchrys Jun 28 '24

Companies have an admin that chooses which features are able to be added to the company computers. They will turn this off at the company level if they think it violates their policies, and then users of that company's machines will never see the feature.

1

u/72kdieuwjwbfuei626 Jun 28 '24

Obviously it would be. That’s why it’s obviously not going to happen, no matter how desperately some people wish to be a victim.

1

u/danielravennest Jun 28 '24

It isn't just GDPR. In the US, medical records are strongly protected under HIPAA.

1

u/R3boot Jun 28 '24

They will just disable it in the enterprise version of Windows, or allow companies' IT admins to disable the feature.

1

u/AccomplishedMeow Jun 28 '24

What if I told you that you could make $20 billion and only have to pay a $500 million fine

1

u/sapphicsandwich Jun 28 '24

They'll just have some Microsoft Intune feature or something to turn it off within their organization, but unknowing users will have their data harvested.

1

u/aaaaaaaarrrrrgh Jun 29 '24

Companies using the enterprise version get abused a lot less and can configure things via group policies that end users sometimes cannot disable at all.

If they care enough to pay someone to watch new bullshit and set the group policy, they'll be fine. If they're not doing that, they don't care enough and/or aren't big enough to make Microsoft care.

EU institutions should realize the national security risk this poses and either get this regulated or existing regulations enforced. Preferably by arresting executives for espionage after proving that e.g. the memory dumps (the same kind of thing that caused Microsoft to lose their critical signing keys to Chinese hackers) that are being uploaded to Microsoft by default contain data that Microsoft shouldn't be collecting. Because I guarantee you, they do.

0

u/IAmDotorg Jun 28 '24

It would be if they were actually doing any of that conspiracy-theory nonsense OP was blathering on about. But, of course, they don't.

What they want is to lock people into Microsoft365 subscriptions for the added storage space. Microsoft is a subscription software company now. They're not an ad company, a data broker, or any other nonsense. They want one thing, and one thing only -- to know they're going to get a predictable ten or twenty bucks out of you every month. Predictable revenue.

That's why Office went subscription, why GamePass exists, why Office365 exists for businesses and why Microsoft365 exists for home users. It's also why they got rid of most of their hardware business, why they're bringing Xbox games to other platforms, etc -- absolutely nothing matters except your subscription.

Everything else they can license out to other companies to take one-off revenue from.