Should You Enable Error Reporting in Windows?
Error reporting is a feature used by Microsoft in Windows operating systems and is enabled by default. Some people like to turn on error reporting to do Microsoft a favor, while others prefer not to enable error reporting. I have been telling my students for years that they should disable error reporting on every computer they ever use. I say that not just to avoid annoyance, but from security perspective. Error reporting sends Microsoft computer and program errors. Microsoft can use this information to track and fix the errors with the operating system or applications. According to Microsoft “all error reports are confidential and anonymous”, as mentioned in the Microsoft Knowledge Base Article 310414.
However, I have several major problems with error reporting feature from the security perspective. I also believe that Microsoft cannot guarantee that the information you provide will stay “confidential” and “anonymous”, as the Knowledge Base article 310414 claims.
1. The Microsoft Online Crash Analysis privacy statement clearly states that “If you use automatic reporting, you are not prompted to review the information in a report before it is sent.” That is not very comforting.
2. If you send the report automatically then your personal information may be sent without your knowledge so Microsoft warns you that “If you are concerned that a report might contain personal or confidential information, you should not send the report.”
3. Microsoft can share the information they collect from you with lots of other people. According to Microsoft “Microsoft employees, contractors, vendors, and partners may be provided access to information collected by the reporting service.” In addition “The vendor may provide the information to sub-vendors and partners.” I don’t know about you but I trust Microsoft. I don’t believe that they would have any reason to violate anyone’s privacy intentionally. However, I am not so sure that all the vendors and sub-contractors around the world in different countries will be as committed to safeguarding people’s privacy when they don’t have stringent privacy laws as we do in United States. It’s not that they are dishonest, it’s because their concept of privacy may be different.
4. Microsoft may store the information it collects from you in other countries where they may not have strict privacy laws. According to Microsoft “Information that is collected by or sent to Microsoft may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities.”
5. Microsoft assures us “For example, reports are sent to Microsoft from your computer using encryption technology. The information is then stored on computer servers with controlled access.” I was personally told by one of the top security experts at Microsoft a few years ago at the MVP Global Summit in Seattle (and definitely after the privacy policy was published in 2005) that the information sent by error reporting is NOT ENCRYPTED and that for security reasons one should not enable error reporting.
I stated earlier that I don’t believe that Microsoft can guarantee that the information you provide will be “confidential” or “anonymous.” Guess what I discovered one day while looking closely to the description of a Microsoft update. I found out that Error Reporting may have been sending some information about application errors to Microsoft without your knowledge so Microsoft issued a patch to fix the bug. Keep in mind that the reports may have included confidential information. Yet another reason why I am not a big fan of Error Reporting.
According to Microsoft Online Crash Analysis privacy policy, Microsoft may collect the following information from you.
- Files that help describe the problem.
- Basic software and hardware information (such as operating system version and language, device models and manufacturers, or memory and hard disk size)
- Your Internet Protocol (IP) address is also collected because you are connecting to an online service (web service) to send error reports.
- Reports might unintentionally contain personal information.
- A report that contains a snapshot of memory might include your name and part of a document you were working on.
- Data that you recently submitted to a website.
[I think I’ll let you imagine what this might include…..ZA]
By now it should be obvious to you what I think about enabling error reporting.
You Should Never Enable Error Reporting in Windows.
In Windows XP and Windows Server 2003, it is relatively easy to disable Error Reporting through Control Panel, System, Advanced tab, Error Reporting. Microsoft knows that. In the newer operating systems Microsoft developers have placed the option to disable error reporting in a much hidden place so most people won’t be able to easily find it. In fact, it’s far too obvious that they have cleverly (or deceptively, you make the call) place the options in places where consumers would get tricked in enabling the feature. For example, after you install Windows 7, you are given the option to help improve windows automatically. While you may think that you are improving performance, actually that means that you are agreeing to send Microsoft information so they can improve Windows operating system using your error reports. The information is cleverly disguised and the words “error report” are never used. However, if you use the “Use recommended settings” option you are not only enabling Automatic Updates you are also enabling error reporting.
To turn off the option in Windows 7 you have to go to Control Panel, System and Security, Change Action Center Settings, Problem Reporting Settings. The title is cleverly disguised as “Choose when to check for solutions to problem reports.” All four options that you can select give you the impression that you are looking for solutions. Well, technically you are but depending on the option you select, you may also be reporting information to Microsoft, which is the equivalent of error reporting. Here’s what the screen looks like.
It is rare that you will ever find a solution if you check for solutions. I prefer to use either third or fourth option.I also recommend that on the Change Action Center Settings page you should ensure that the Customer Experience Improvement Program is set to disabled. In other words, select the option “I don’t want to participate in the program”, as shown below.
Copyright ©2009 Zubair Alexander. All rights reserved.
Zubair, I went to your Blog, its very helpful. Keep up the good work.
Thanks Mahmoud. I am glad you find my blog useful.
Where exactly within Vista and Windows 7 is the error reporting option? It’s unclear in your last paragraph where MS has hidden this stuff.
Thank you, Tom
Tom,
I no longer have a Vista on any of my computers but I have updated the article to show you where exactly you have to go in Windows 7.