Your Windows Machines All Belong To Us
By Albert Fox Cahn & Jackie Singh
Is your computer truly yours? If you use Windows, the answer is increasingly “no.” This isn’t yet another warning about cybercriminals; it’s a threat from the very company you rely on to keep your computer safe: Microsoft. That’s because a series of changes have made it increasingly impossible to use your device on your own terms, something that will have implications for how we think about personal computers for years.
The most recent change from Microsoft was the quiet announcement that they would no longer let users create local accounts on new PCs. You may have never heard of a ‘local account’ before, but it’s almost certain that you’ve used one. This is because, for most of computing history, they were the only type of account we had. With a local account, you create a username and password that are set up and saved only on your computer, not somewhere online. They are your credentials, and yours alone.
However, with more of us spending more of our computer time on apps that live remotely, not on our own systems, Microsoft has increasingly integrated their own cloud-based accounts into Windows. These accounts can be used to access your Microsoft Outlook mail, shared files on OneDrive, or any number of other services. Up until recently, users had the option of how to set up Windows, using either their own local account or one of Microsoft’s. However, in the latest iteration of Windows, that choice disappeared. Sadly, we lost much more than that one choice.
Now, every new computer must be connected to the internet and a cloud account. Those without existing Microsoft account will be forced to hand over their information just to access the computers they own. Without the ability to create local accounts which aren’t at all connected to Microsoft’s computers in some faraway datacenter, we lose the ability to have secure, anonymous computers. Now, every computer, from day one, needs to be tied to a Microsoft account, a specific user, their hardware, and their identity. In more technical terms, this makes fully “air gapped” computing impossible.
Air gapped computing is when you use a device that has never been connected to the internet. These devices are relied upon by IT professionals, governments, journalists, democracy activists, and many others to protect their most sensitive documents and use their most secure applications. Particularly for those operating in authoritarian regimes, in conflict zones, and who are otherwise at greater risk of state-sponsored surveillance, no Internet-enabled computer can truly be trusted. As soon as a device is used to access the internet, it becomes impossible to know who is accessing it.
Most famously, when Edward Snowden reached out to journalists to reveal his historic information about classified US documents, he had Glenn Greenwald and Laura Poitras purchase air gapped computers from remote retailers to ensure their conversations were truly secure. Today, they wouldn’t have been able to, at least not with computers running the most popular operating system on the planet. And while there may be more privacy-protective alternatives to Windows, they remain beyond the technical capabilities of most users. Microsoft may provide more privacy options for big companies, but what about us regular folks?
When Windows migrates you to cloud accounts, they’re not only making it impossible for you to keep your computer unidentified, but they’re also trying to lock you into a growing set of services that are increasingly embedded into every aspect of Windows.
You want to save a file? Windows makes it harder and harder for you to save it locally. Want to chat with colleagues? Microsoft finds ever more ways to push you towards using their Teams product. Increasingly, we see Windows being transformed from the open platform where we can compute on our own terms into more of a “walled garden”, one in which we can only use our systems in a Microsoft-approved fashion.
As our computers transform from devices we own and control into portals to the Microsoft cloud, we lose a lot of our rights. With cloud-based services, it’s harder for us to keep our data private, whether it’s targeted by police, ICE, or even the IRS. When law enforcement demands our encrypted home hard drives, we must hand them over, but we don’t have to give up the encryption key. With cloud services, on the other hand, we can never even know when Microsoft has been asked for a copy of our data.
The only thing that we can know for certain: they’ll hand it over.
So what do we get in exchange for this erosion of security, privacy, and control? Nothing. We already had the choice to use a Microsoft account. We already had the option to embed cloud services. But now, our interests and desires have been made irrelevant.
We just hope that with enough public pushback, we can make Microsoft choose to give that choice back.
Cahn (@FoxCahn) is the founder and executive director of the Surveillance Technology Oversight Project (S.T.O.P.), a New York-based civil rights and privacy group, and a visiting fellow at Yale Law School’s Information Society Project.
Singh (@HackingButLegal) is the director of technology at S.T.O.P.