UPDATE (Nov 19th, 12pm EST): Ed Bott emailed me to clarify a few points. First, PINs for BitLocker are not required and will not be backed up to OneDrive. I knew that PINs were not required, but I was trying to say "would there be a way that a user could use BitLocker without giving all the necessary bits to OneDrive". Apparently, using PINs is one of those ways. He also claims that you can manage your own keys by changing them and storing them locally.

He also commented on the HIPAA remark. He claims that Windows 10 is HIPAA compliant, and the reason why it was not included in the statement is because the question wasn't asked. Again, if applicable, check with your vendors and other support.

Okay, so one of the major concerns with Windows 10 is how it handles your private data. I gave my thoughts on the topic a couple of weeks ago, and they were a bit critical of Microsoft. I said that there are definite concerns that should be disclosed, but that they are not enough of a concern to stop using it and switch to Linux or something. At least, not yet.

Image Credit: Wikipedia

Since then, Ed Bott of ZDNet discussed Microsoft's new privacy policy, which clarifies a few points. It looks like he ran the two versions of the EULA through a text-difference tool to highlight all changes, and took a few screenshots of the key passages.

The foremost change is that Microsoft now specifies that only OneDrive, Outlook, and Skype files and content, private or public, are subject to disclosure to law enforcement. The previous wording looked like it applied to all files on Windows 10. Full access to all files sounds like something law enforcement would want, but Windows 10 does not provide it.

Another change involves BitLocker. Recovery keys are synchronized to OneDrive “to allow recovery on personal devices”. I am not sure if this also includes PINs, for devices configured to use those, but it would be crappy if it did. Regardless, the privacy statement now says “Microsoft doesn't use your individual recovery keys for any purpose.” This raises two concerns: why did they specify “Microsoft”, and why did they qualify “recovery keys” with “individual”? My assumption is that this is just an awkward trait of the English language, but as written it could exempt sending batches of keys to third parties, such as governments, especially if a key counts as a OneDrive personal file. Again, it is probably just awkward wording.
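The update at the top says you can manage your own keys by changing them and storing them locally, and the paragraph above is about the copy that lands in OneDrive. The following is an added PowerShell example of doing exactly that, written for this post and not taken from Ed Bott or from Microsoft's documentation; it assumes an elevated session on Windows 10 with the built-in BitLocker module, the C: volume already protected, and an offline drive at the D:\ path shown where the new key is kept.

```powershell
# Added example: rotate the BitLocker recovery password on C: so that the key
# previously synchronized to OneDrive no longer unlocks the volume, and keep
# the replacement key on local, non-synced storage instead.
#Requires -RunAsAdministrator
$MountPoint   = 'C:'
$LocalKeyFile = 'D:\BitLocker-C-recovery.txt'   # assumption: a removable drive kept offline

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
}

# 1. Record the current recovery-password protectors; these are the ones OneDrive may hold.
$old = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$old | ForEach-Object { "Existing recovery protector: $($_.KeyProtectorId)" }

# 2. Add a fresh, randomly generated recovery password BEFORE removing anything,
#    so the volume is never left without a recovery protector if a later step fails.
$new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }

# 3. Store the new key locally, outside any cloud-synced folder.
"Volume: $MountPoint`nProtector ID: $($new.KeyProtectorId)`nRecovery password: $($new.RecoveryPassword)" |
    Set-Content -Path $LocalKeyFile -Encoding ASCII

# 4. Remove the old recovery protectors; any copy of them held elsewhere now unlocks nothing.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Verify that exactly one recovery-password protector remains and that it is the new one.
$check = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
         Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ($check.Count -ne 1 -or $check.KeyProtectorId -ne $new.KeyProtectorId) {
    throw "Rotation did not leave only the new recovery protector; inspect with: manage-bde -protectors -get $MountPoint"
}
"Rotated. New recovery protector $($new.KeyProtectorId) saved to $LocalKeyFile"
```

Rotation invalidates the old key but does not delete the copy already uploaded; remove it from the recovery-key page of your Microsoft account separately, and keep the new key file off the machine it protects.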

A final point for me is that Telemetry, when set to “Basic”, satisfies FINRA, SEC, and FTC regulations. Oddly, they don't mention HIPAA, but you probably shouldn't be listening to tech reporters (yes, including me) for advice about securing health insurance and patient data. You should have more reliable channels for that sort of inquiry.