This is only true if you enable extended spell checks, which makes some sense. By default, no form data is sent to Microsoft AFAIK. Note that the same holds for Google Chrome.
Reminds me to a video I saw on YouTube from the "PC Security Channel", who was utterly flabbergasted that the Start Menu would send all keypresses inputted into its search bar to MS.
They had searching on the web enabled... Pretty hard to search the web using Bing without sending along a search term.
Stuff like that and the one you replied to are why I stopped caring. The outrage is so often complete and utter nonsense that my default response is disbelief.
It came enabled by default. It is not as if this setting was searched for, then enabled, then had some unintended consequence - taskbar searches used to not search the internet, then they did.
Which would be a perfectly fine thing to take issue with. It just also wouldn't be quite as eye-catching as misleadingly portraying the thing as now being a keylogger.
I disagree. Being covert and having access to user input are necessary criteria for a keylogger, but not sufficient. They also have to, well, log. And since keyloggers are a kind of malware, using these logs for malicious purposes is also implied, and so is that the data would be tied to your identity. They also tend to operate all the time, rather than just in specific contexts.
But the criterion of "having access to user input" is also necessary for goofy unneeded features like showing web search results in the Start Menu though, which they shove down people's throat like they do with every other feature their product team thinks is a great idea (explaining the "being covert" bit), at which point you have a complete, non-malicious explanation for the entire thing.
The reasonable thing to do then is to apply Hanlon's razor, at which point no, it's no longer reasonable to believe or portray it to be a keylogger anymore. Not essentially, not otherwise. Not only that, but the YouTuber in question made this portrayal knowing full well that it's impossible for them to actually properly demonstrate this feature doubling as a keylogger, as they have no access to the server side. They relied on people being gullible enough to simply not grasp this, and leveraged people's preexisting privacy concerns to farm views.
Having the capability to engage in crime doesn't make a criminal. Imagine if I portrayed 107M (!) of the 340M residents of the U.S. as a criminal because they own a gun, despite knowing full well that gun ownership sensibilities are just fundamentally different over there.
“if you use the windows taskbar, by default Microsoft sees your keystrokes now. Here’s how to disable it” is a completely reasonable take. Every week there’s a new announcement of a some-million-count leak of personal information. People’s privacy fears are well-founded.
Is appealing to those fears to deliver misinformation ethical? Does it help this issue or worsen it? Cause I'd say poisioning the well is not a good thing. The road to hell being paved with good intentions and all. See the effect lies like this had on the person in this very thread above us: https://news.ycombinator.com/item?id=44552625 I share in their disbelief at decent amounts by this point, too.
It's like making up a bunch of rubbish when there's a hate train going on against something or somebody just to participate. Then having all of that backfire disproportionately when the tides turn. Why make things up when reality has plenty bad enough stuff going on already that one can report on? Rhetorical question of course.
> The road to hell being paved with good intentions and all.
Why are we assuming good intentions from a company who for years has increased places and amounts of data it collects and tracks, and removed more and more ways to opt-out of this?
The intention of "search web first before searching local computer even if the user never asked for it" didn't appear from the intent of "let's create a keylogger", but it never came from a good innocent intention either.
In what world does holding the user's private data for 30 days make sense for a spell checker? Even sending the data at all is sad. We've had offline spell checking for decades.
This is often (though not always) blanket statement.
Logs are always generated, and logs include some amount of data about the user, if only environmental.
It's quite plausible that the spellchecker does not store your actual user data, but information about the request, or error logging includes more UGC than intended.
Note: I don't have any insider knowledge about their spellcheck API, but I've worked on similar systems which have similar language for little more than basic request logging.
> dear HN user who decided to silently downvote - you could do better by actually voicing your opinion
Sure, I'll bite. Let's address the obvious issue first: what you're saying is speculation. I can only provide my own speculation in return, and then you might or might not find it agreeable, or at least claim either way. And there will be nothing I can do about it. I generally don't find this valuable or productive, and I did disagree with yours, hence my silent downvote.
But since you're explicitly asking for other people's speculation, here I go. Advanced "spellchecking" necessitates the usage of AI, as natural languages cannot ever be fully processed using just hard coded logic. This is not an opinion, you learn this when taking formal languages class at university. It arises from formal logic only being able to wrangle formal logic abiding things, which natural languages aren't (else they'd be called formal languages).
What the opinion is, and the speculation is, is that this is what the feature kicks off when it sends over input data to MS's servers for advanced "spellchecking", much like what I speculate Grammarly does too. Either that, or these services have some proprietary language engine that they'd rather keep on their own premises, because why put your moat out there if you don't strictly have to.
Technologically speaking, at this point it might be possible to do this locally, on-device now. This further didn't use to be the case I believe (although I do not have sources on this), and so this would be another reason why you'd send people's inputs to the shadow realm.
It's further pretty hard to write like this, but I still prefer it over getting trivially checkmated by ill meaning people, and over being misinterpreted silently and that causing issues downstream. It's at this point an instinctual defense mechanism, that I've grown to organically develop in the low-trust environments that are forums like this.
I 100% agree with the principle, but (regrettably) in practice you can't do this in a lot of places where the community is critical (which isn't a bad thing by itself) but doesn't call out/downvote/moderate bad criticism (which is bad).
I can't count the number of times on HN that I've seen responses to posts that took advantage of the poster not writing defensively to emotionally attack them in ways that absolutely break the HN guidelines, and weren't flagged or downvoted. And on other sites, like Reddit, it's just the norm.
The defensive writing will continue until morals improve.
> By default, Microsoft Edge provides spelling and grammar checking using Microsoft Editor. When using Microsoft Editor, Microsoft Edge sends your typed text and a service token to a Microsoft cloud service over a secure HTTPS connection. The service token doesn't contain any user-identifiable information. A Microsoft cloud service then processes the text to detect spelling and grammar errors in your text. All your typed text that's sent to Microsoft is deleted immediately after processing occurs. No data is stored for any period of time.
