Acer refreshes laptops and 2-in-1s with fingerprint readers

[HEXUS]

These new Windows 10 devices are priced from just $199, will be on show at Computex.

Read more.

[Saracen]

My only reservation about this (apart from, personally, refusing to use Win10) is that MS are a bit coy about exactly what data they send to themselves.

Does any of the data Windows Hello collects ever leave my device, and if so, how is it transmitted?

Your identification data – the representation of your face, iris or fingerprint that's created when you enrol – never leaves your device. To help us keep things working properly, to help detect and prevent fraud, and to continue to make improvements, Microsoft collects usage data such as which method you used to sign in (face, iris, fingerprint or PIN), the number of times you signed in, and whether or not each sign-in was successful. This data is stripped of any information that could be used to specifically identify you, and it's encrypted before it's transmitted to Microsoft.

Okay, so breaking that down ....

- actual biometric ID data, like iris scan, fingerprint or facial photos, are NEVER stored, anywhere. That's good.

- when you enrol, a "representation" of this data is stored, on the device, encrypted.

- the original biometric data cannot be recreated from the "representation". This is analagous to our password pricess here. Your password is not stored but a 'hash' of it is, and the password (with a very specific exception, sort-of) cannot be recreated from the hash. So, that's good too.

- MS do transmit and store a sort-of metadata about your sign-on activity. They specify examples of that, by the use of "such as" but do not provide an exhaustive list of what they store. Hmmm, not so good. Not necessarily bad, but .... suspicious.

- MS strip such data of anything that can be used to "specifically" identify you. Hmmm. More evasive wording. This sounds a bit like differentiating between personal information that, on it's own, identifies you and data that, when combined with other data (which, perhaps, they happen to own) can be used. That is, identifiable, rather than identifying.

- There appears to be no way to disable the transmission of such data, should you wish to.


That whole explanation of what data is sent seems to me to be deliberately vague to the point of being suspicious. It reminds me of what an estate agent (before laws changed) meant when he advertised a property as 'compact' (tiny beyond belief) or 'DIY opportunity' (falling down, so don't sneeze until after sale completion). It reeks of being very carefully written to convey one impression on a casual reading, while being capable of being interpreted very differently if anyone ever hauls it before a judge.

So really, it comes down to how much you trust MS. In my case, about as much as I'd trust an unreconstructed and unrepentent serially-convicted burglar with my house keys, alarm codes and holiday dates. Actually, I take that back. Less than I trust the burglar.


This, by the way, is a mistrust of MS, not Acer.

[miniyazz]

Windows Hello is not that secure. Particularly the way it forces you to set up a pin before you can use biometrics to log in. Ok great, now all someone needs to do is brute force a 'password' comprised of entirely numbers..