Educause Security Discussion mailing list archives

Re: Windows 10 Privacy Settings and "Regulated" data


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Fri, 7 Aug 2015 13:21:54 -0400

An additional resource I just came across is Lifehacker's guide to exactly
what each of the settings does:
http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229

I think we most likely have a case of slight overreaction to the new and
unknown, mixed with a healthy dose of sensational headlines to generate
clicks. I will admit on my Windows 10 machines most of these settings are
set to off, but mostly because I don't see the benefit of them. I'm
guessing it will be an easy process for domain admins to manage as well.

I do like the ZDNet article mentioning that data collection is nothing new
in general - Google and Apple have been doing it for years:

Still not private enough for you? Then don't use Windows 10, Chrome OS,
iOS, Android, or any other system that's tied closely into the cloud.
Instead, use Linux as your desktop operating system. By default, Linux is
the only mainstream operating system that still relies primarily on true
desktop apps.


Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720


From:   randy <marchany () VT EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   08/07/2015 12:37 PM
Subject:        [SECURITY] Windows 10 Privacy Settings and "Regulated" data
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



The Windows 10 privacy settings have generated a lot of discussion on
various threads lately. I'm concerned about the implications of these
settings with respect to some of the regulations that govern EDU "data" such
as FERPA, HIPAA, ITAR, PCI, etc.

Does Educause have any working groups on this topic? Any thoughts on this?
While I don't expect one on Windows 10 specifically, have there been any
discussions on regulated (FERPA, HIPAA, ITAR, etc.) to cloud providers?

BTW, a good resource for a privacy lockdown guide is at
http://www.zdnet.com/article/how-to-secure-windows-10-the-paranoids-guide/.
There's an interesting quote in this article:

--------------
"Steve Hoffenberg, VDC Research's Director of IoT & Embedded Technology
worries, for instance, that these Windows 10's "features" violate Health
Insurance Portability and Accountability Act (HIPAA) privacy requirements.
If his fears are valid, this means medical offices and health insurance
companies should turn off this Windows 10 setting.


I doubt he's right, but I'm no lawyer. Even so, were I working with
transactions that fall under Sarbanes-Oxley (SOX), Gramm-Leach-Bliley
(GLB), or HIPAA, I'd turn off this feature, and its related setting,
"Windows 10 Input Personalization." Better safe than sorry."


---------------


This quote is why I'm asking the list about this topic.


Thanks.


Randy Marchany


VA Tech IT Security Office & Lab



