"First of all, 602 connection attempts were to 192.168.1.255, using UDP port 137. That's the broadcast address where Windows computers on a local network announce their presence and look for other network computers using the NetBIOS Name Service. It's perfectly normal traffic.
Another 630 of those connection attempts were Domain Name System lookups to the router itself, 192.168.1.1, using UDP port 53. That address is the router itself.
Why is Windows performing those DNS lookups? One big reason is that's how Windows checks whether you have access to the Internet. If there's a problem with your Internet connection, you get a yellow overlay on the network icon down at the right side of the taskbar.
To do that test, Windows first performs a DNS lookup of www.msftncsi.com. It then makes an HTTP request to retrieve the page ncsi.txt from that site. This file is a plain-text file and contains only the text "Microsoft NCSI." (NCSI stands for Network Connection Status Icon.) Finally, it performs a DNS query for dns.msftncsi.com.
The whole procedure is extensively documented .
DNS queries aren't "spying." Neither are NetBIOS name broadcasts on your local network. So far, that's 22.3 percent of the so-called traffic that's easily accounted for as "not spying," unless you think there's something sinister about a two-word text file that has been downloaded trillions of times from that poor Microsoft server.
Next up is a staggering 1,619 connection attempts using UDP port 3544 to the address 126.96.36.199, which Mr. Crust was unable to identify, along with another five attempts using the same port to other servers.
That address does indeed belong to Microsoft. It's a Teredo server, teredo.ipv6.microsoft.com. Teredo is an Internet standard that is used to supply an IPv6 address to a PC that speaks only IPv4, making it easier to perform secure and reliable communication between two endpoints without having to worry about network translation. It's also well documented and doesn't involve any exchange of information other than IP addresses.
In short, Windows keeps trying to make a simple connection using its IPv6 capabilities, but the router keeps dropping those connection attempts. So it keeps trying again and again.
That's another 1,624 entries we can add to the "not spying" list. So far, by my tally, more than 52 percent of the connection attempts are completely harmless and involve no data collection at all.
Another three connection attempts are using port 123. That's the Network Time Protocol, which devices use to retrieve the current time from authoritative servers on the Internet. Setting the clock on your computer is not "spying."
Mr. Crust's list has another 549 connection attempts on port 80, which is plain old HTTP. Windows doesn't have a web server installed by default, so those are all incoming connections, with Windows trying to retrieve data from Microsoft's servers. They're not sending it the other direction.
Many of the addresses on the list belong to content delivery networks (CDNs) like Akamai Technologies and CloudFlare. Some of those downloads are possibly trying to refresh live tiles in the provisioned MSN apps (News, Sports, Weather, Money, and so on). There are perhaps some updates to the Windows Store in there too.
We might know more if Mr. Crust had allowed his machine to complete some of those connections so he could perform some actual traffic analysis. But he didn't, so we can't.
We can, however, safely conclude that none of those connections would involve any "spying."
Which leaves us with 2,100 connection attempts in eight hours over port 443. Those are secure (HTTPS) connections designed to exchange data so that it can't be intercepted in transit.
We have no idea how many secure connections that machine would have made in eight hours had Mr. Crust actually allowed them to complete. The number would almost certainly have been smaller, perhaps by an order of magnitude or even two.
And of course, those connections are not all about telemetry.
The most important one is the Software Licensing Service, which checks the state of Windows activation periodically. By dropping those connections, Mr. Crust is not allowing those activation and validation checks to complete. Windows gets very cranky when that happens, which could explain why there were more than 1,700 connection attempts to a handful of addresses in a single range of IP addresses managed by Microsoft.
Other content that gets delivered securely over port 443 includes Windows updates, Windows Defender updates, and updates from the Windows Store for apps that are provisioned on every Windows 10 machine. Windows 10 attempts to contact OneDrive, also securely, to see if there are any saved settings for the current user. There are lists of known malicious websites that get delivered to the SmartScreen service in a hashed and encrypted format.
And yes, there is certainly some telemetry data in there. We have no idea whether Mr. Crust changed the default Diagnostic and Usage settings to Basic. If he had, there would probably be a single ping to Microsoft's servers when the machine starts up, which would disclose what that setting was, whether Windows Defender was up to date, and whether his installation had experienced any failures in software or driver installation.
If he had kept the Enhanced or Full settings, Windows would periodically deliver a batch of anonymized usage data to Microsoft. (Of course, since he wasn't actually using the machine, there would be no data to exchange.) But we don't know, because Mr. Crust didn't actually do any traffic analysis."
Windows 10 sends questionable information to MS, which is mainly used to create marketing profile for user, but Forbes' article is just plainly wrongly and write somebody that don't seem to know what they are talking about, and in my opinion it does more damage than good as it is so easy to show that it is just hogwash.