How Microsoft uses biometric profiles to track & de-anonymize Windows 10 users with various third party services


Windows 10 includes Windows Hello and Inking & typing personalization (you’ve probably heard of the Windows 10 built-in keylogger) features. Windows Hello is a biometric framework built into Windows 10 that currently uses facial recognition, fingerprint identification, or iris scans to prove that you are who you say you are. Inking & typing personalization is a feature that will “personalize” your typing behavior. There isn’t a way to turn this off completely.

From the Windows Hello Privacy Policy (Wayback Machine Link) we can see the following data is being collected:

we collect info about how people use Windows Hello. For example, info about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product.

The following data is being collected from the typing behavior, according to the official source, the Microsoft Privacy Statement (Wayback Machine Link):

The data we collect can include the following:

Information from device sensors.

Search queries and commands when you use Microsoft products with search or related productivity functionality.

Text, inking, and typing data and related information. For example, when we collect inking data, we collect information about the placement of your inking instrument on your device.

Other inputs provided when you use our products. For example, data such as the buttons you press on an Xbox wireless controller using Xbox Live, skeletal tracking data when you use Kinect, and other sensor data, like the number of steps you take, when you use devices that have applicable sensors.

Search and artificial intelligence products connect you with information and intelligently sense, process, and act on information—learning and adapting over time.

SwiftKey Keyboard and related products (collectively, the “SwiftKey Services”) process data about how you type and write, and use this data to learn your writing style and provide personalized autocorrection and predictive text that adapts to you.

SwiftKey prediction technology learns from the way you use language to build a personalized language model. This model is an optimized view of the words and phrases that you use most often in context and reflects your unique writing style.

If you choose to do so, Microsoft will collect samples of the content you type or write to improve features such as handwriting recognition, autocompletion, next word prediction, and spelling correction in the many languages used by Windows customers.

Your typed and handwritten words are collected to provide you with: a personal dictionary, better character recognition to help you type and write on your device, and text suggestions that appear as you type or write.

We collect your searches and commands to provide, improve, and develop Cortana and other products.

So what is the deal with this collection?

Microsoft has a really close partnership with Oxford Computer Group, a company which provides enterprise mobility, cloud & identity management solutions to companies (mainly for Microsoft). The company has won many Microsoft Partner of the Year Awards, as we can see from the Oxford Computer Group’s Partners (Archive.fo Link) website:

Microsoft is our primary technology partner. We have achieved Gold Partner status in Devices and Deployment, and Silver status in Cloud Platforms. This status guarantees that our consultants are qualified in specialist technologies.

We have won the Microsoft Partner of the Year Award numerous times, most recently three years in a row: 2013, 2014 and 2015.

In addition to this, Oxford Computer Group is partnered with Crossmatch, a company which provides biometric tracking technology.

Together Oxford Computer Group and Crossmatch decided to make a strategic partnership to offer biometric identity solutions to Microsoft customers (Windows 10 Hello & Inking & typing personalization as explained above). Here is the official announcement:

https://www.crossmatch.com/press-release/oxford-computer-group-multi-factor-authentication-microsoft-customers/ (Wayback Machine Link)

To make these three partnerships (Microsoft, Oxford Computer Group and Crossmatch) work, Microsoft has begun to analyze the writing behavior of users in the background on Windows 10 and then to send the created biometric profiles (Windows 10 Hello and Inking & typing personalization data collection as explained above) to Crossmatch. So Microsoft is sharing customers’ biometric profiles with these companies (the data is either linked to an individual or it is “anonymized” data that can easily be de-anonymized by the services / companies with which Microsoft shares the profiles).

But now things are going to get even more shady:

Crossmatch has a close partnership with the BehavioSec company and they share biometrics data with each other, including Microsoft’s customers’ data. Here is an official announcement of the partnership:

https://www.behaviosec.com/news/crossmatch-integrates-behaviosec-behavioral-biometrics-digitalpersona-enterprise-authentication-solution/ (Wayback Machine Link)

BehavioSec is a company that specializes in identifying individuals based on how they write, how they move the mouse and how they move the device in their hands. They ran a study during 2012 / 2013 with Danske Bank which showed that BehavioSec could identify the user 99.7% of the time while also detecting an impostor 99.7% of the time. This is a very high level of accuracy among all types of biometrics. Here is the study:

https://www.behaviosec.com/documents/white-papers/behaviosec-in-a-real-world-e-banking-environment/ (Wayback Machine Link).

Nowadays Danske Bank implements BehavioSec’s technology on their mobile apps to verify the right customer based on how the customer types and moves the device.

More about how BehavioSec’s technology works:

https://web.archive.org/web/20151018094945/https://www.behaviosec.com/technology/

BehavioSec also cooperates with DARPA (which is one of the most prominent intelligence agencies in the world) to develop DARPA’s Active Authentication program:

https://web.archive.org/web/20160512161757/http://www.behaviosec.com/darpa-and-behaviosec-go-beyond-passwords/

https://web.archive.org/web/20170712125714/https://www.behaviosec.com/darpa-presents-continuous-mobile-authentication/

The sole purpose of this program is to identify individuals based on their unique behavior. BehavioSec also gets direct funding from DARPA.

So what does this mean for the end-user?

All four of these companies share data with each other, directly or indirectly. It’s explained in their Privacy Policies (they also create profiles about individuals):

BehavioSec’s Privacy Policy (Wayback Machine Link):

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Oxford Computer Group’s Privacy Policy (Archive.fo Link):

We will never sell, rent or otherwise disclose your personal data to any third party except where it is necessary to provide you with services you have requested, and only then for that purpose.

In this table we have set out information about how we use your personal data and the legal bases of that use:

Operating and maintaining our website, managing our relationships with customers and prospective customers.

We may disclose your personal data to our services providers and subcontractors.

We may disclose details of your event bookings to event and venue operators and to other third-party services providers.

Crossmatch’s Privacy Policy (Wayback Machine Link):

Personal Data and other aggregate information, including that from cookies, may be provided to outside vendors and service agencies that are responsible for assisting with providing our services to you.

Microsoft’s Privacy Statement (Wayback Machine Link):

These third-party sources vary over time and include:

Partners with which we offer co-branded services or engage in joint marketing activities.

With appropriate technical and organizational measures to safeguard individuals’ rights and freedoms, we use data to conduct research, including for public interest and scientific purposes.

We share your personal data with your consent or as necessary to complete any transaction or provide any product you have requested or authorized.

In addition, we share personal data among Microsoft-controlled affiliates and subsidiaries. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement.

So Windows 10 users’ biometric profiles are being shared among these companies, and they practice tracking & de-anonymization technology on individuals. So your typing behavior on Windows can be used to link back to you. This is far from anonymized data collection, and those companies can also easily de-anonymize Microsoft’s “anonymized telemetry” data.

Also BehavioSec is arguably sharing Microsoft’s customers’ (Windows 10) typing behavior & Windows Hello (biometric profiles) data with DARPA through profiles which Crossmatch has provided.

submitted by /u/LocalFigurez to r/privacy
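The post asserts that typing behavior alone is enough to link a sample back to a person. The following is an added illustration of why that is plausible and what a defender can do about it; it is not code from the post, from Microsoft, or from BehavioSec, and it does not reproduce any vendor's algorithm. It uses the scaled-Manhattan keystroke-dynamics detector from the published academic literature (Killourhy & Maxion, 2009) on constructed, synthetic inter-key latencies for two hypothetical users, "alice" and "bob", typing the hypothetical enrollment phrase "the quick brown". It then shows the usual mitigation: adding random per-key delay (the approach taken by keystroke-anonymizing browser extensions) makes the same user's sample fall outside their own profile's acceptance threshold. All names, rhythms and thresholds below are assumptions made for the example.

```python
import random
from statistics import mean, stdev

# Hypothetical phrase every user types at enrollment; 14 key-to-key transitions.
PHRASE = "the quick brown"
N_FEATURES = len(PHRASE) - 1

# Constructed "true" typing rhythms in ms between consecutive key presses.
# A real system learns these from many sessions; these values are synthetic.
TRUE_RHYTHMS = {
    "alice": [110, 130, 150, 100, 120, 140, 160, 110, 130, 150, 100, 120, 140, 160],
    "bob":   [200, 240, 180, 220, 260, 200, 190, 230, 210, 250, 180, 220, 240, 200],
}
NOISE_MS = 15.0            # natural session-to-session variation (assumed)
STD_FLOOR_MS = 10.0        # keeps a small enrollment set from producing a tiny std
ACCEPT_PER_FEATURE = 2.5   # acceptance threshold, in scaled-Manhattan units per feature


def synth_sample(rng, rhythm, noise_ms=NOISE_MS):
    """One constructed typing sample: true rhythm plus Gaussian noise, floored at 20 ms."""
    return [max(20.0, lat + rng.gauss(0.0, noise_ms)) for lat in rhythm]


def enroll(samples):
    """Profile = per-feature mean and (floored) standard deviation over enrollment samples."""
    columns = list(zip(*samples))
    return {
        "mean": [mean(col) for col in columns],
        "std": [max(stdev(col), STD_FLOOR_MS) for col in columns],
    }


def scaled_manhattan(profile, sample):
    """Sum over features of |x_i - mean_i| / std_i (the Killourhy & Maxion detector)."""
    return sum(abs(x - m) / s for x, m, s in zip(sample, profile["mean"], profile["std"]))


def identify(profiles, sample):
    """The 'who typed this?' question: nearest profile and its distance."""
    scored = {user: scaled_manhattan(p, sample) for user, p in profiles.items()}
    best = min(scored, key=scored.get)
    return best, scored[best]


def verify(profile, sample, threshold=ACCEPT_PER_FEATURE * N_FEATURES):
    """The 'is this really alice?' question: accept if the distance is under threshold."""
    return scaled_manhattan(profile, sample) <= threshold


def add_timing_jitter(rng, sample, max_delay_ms=300.0):
    """Mitigation: a random extra delay per key, as keystroke-anonymizing tools inject."""
    return [lat + rng.uniform(0.0, max_delay_ms) for lat in sample]


def build_profiles(seed=1, n_sessions=10):
    """Enroll both hypothetical users from n_sessions constructed sessions each."""
    rng = random.Random(seed)
    return {
        user: enroll([synth_sample(rng, rhythm) for _ in range(n_sessions)])
        for user, rhythm in TRUE_RHYTHMS.items()
    }


def demo(seed=2):
    """Run identification and verification on fresh clean and jittered samples."""
    rng = random.Random(seed)
    profiles = build_profiles()
    fresh_alice = synth_sample(rng, TRUE_RHYTHMS["alice"])
    fresh_bob = synth_sample(rng, TRUE_RHYTHMS["bob"])
    jittered_alice = add_timing_jitter(rng, fresh_alice)
    return {
        "alice_identified_as": identify(profiles, fresh_alice)[0],
        "bob_identified_as": identify(profiles, fresh_bob)[0],
        "alice_verified": verify(profiles["alice"], fresh_alice),
        "bob_accepted_as_alice": verify(profiles["alice"], fresh_bob),
        "jittered_alice_verified": verify(profiles["alice"], jittered_alice),
        "clean_distance": scaled_manhattan(profiles["alice"], fresh_alice),
        "jittered_distance": scaled_manhattan(profiles["alice"], jittered_alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing when running it. First, the separation between users comes entirely from timing: no text content is needed, which is why cadence data is identifying even when the typed words are stripped. Second, the jittered sample is rejected not because it looks like someone else but because it no longer looks like anyone in the enrollment set; random delay destroys the very regularity the detector relies on, which is the defender's lever if a system insists on collecting this data.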
