Microsoft gives third-parties access to Windows 10 Telemetry data

Microsoft struck a deal with security company FireEye recently according to a report on Australian news magazin Arn which gives FireEye access to all Windows 10 Telemetry data.

The report states that FireEye in return will provide Microsoft with the company's iSIGHT Intelligence software for Windows Defender Advanced Threat Protection on Windows 10 devices.

FireEye iSIGHT Intelligence is a proactive, forward-looking means of qualifying threats poised to disrupt business based on the intents, tools and tactics of the attacker.

Windows Defender is built-in to Windows 10 and enabled by default unless other security software is recognized by the operating system.

Pro and Enterprise customers may upgrade to Windows Defender Advanced Threat Protection featuring endpoint behavioral sensors, cloud security analysis and threat intelligence.

The news article suggests that the partnership benefits Microsoft, and specifically the reputation and credibility of the commercial version of Windows Defender.

A press release by FireEye on November 3, 2016 provides additional details on the deal. The company's iSIGHT Intelligence software is available through Windows Defender Advanced Threat Protection (WDATP) but not the free version of Windows Defender.

WDATP customers gain access to several technical indicators that are provided by the software. These include the main motivation of the attacker, related tools, information about target sectors and geographies, and a description of the actor and operation.

According to the report on ARN, security teams may also get their hands on Windows 10 Telemetry data via subscription billing models.

Third-parties will get access to telemetry data of all Windows 10 devices. An overview of what that may include is provided on this Technet page.

Neither FireEye, Microsoft or ARN reveal details on the range of Telemetry data that FireEye gains access to.

Windows 10 Telemetry data is loosely sorted into the four groups security, basic, enhanced and full.

Tip: you can check the Telemetry level on any Windows 10 device by using Windows-I to open the Settings app, and checking the "Diagnostics and usage data" value under Privacy > Feedback & Diagnostics.

Security level

The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates.

Data gathered at this level includes the Malicious Software Removal Tool reports, information that Windows Defender and Endpoint Protection require to function.

This includes anti-malware signatures, diagnostic information, User Account Control settings, UEFI settings, and IP address.

No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID

Basic Level

The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the Security level data.

Basic device data such as attributes, Internet Explorer version, hardware information, operating system information, network attributes and more are collected at this level.

Collected data includes app usage data, Internet Explorer add-ons, driver data, system data, Windows Store activity and more on top of that.

Enhanced Level

The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the Basic and Security levels.

Operating system events, app events, device specific events and "some" crash dump types are included at this level.

Full Level

The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.

Microsoft may pull additional information from a device if the diagnostics request is approved by Microsoft’s privacy governance team, including privacy and other subject matter experts.

Closing Words

Terms of the deal are not known so that we don't know whether FireEye gets access to all Telemetry data or only to a snapshot.

That Telemetry data is offered to third-parties is quite problematic however if true. While it seems unlikely that Microsoft would provide third-parties with all data, it would be reassuring to Windows 10 users if Microsoft would reveal the data that it shares with third-parties.

Now You: What's your take on this?