D

Windows Defender

Serious concerns
Microsoft · 🇺🇸 United States
Technical details
Manufacturer: Microsoft

The bottom line

Defender sends every website and download to Microsoft -- the first company in the NSA's PRISM program, with 801 advertising partners. Microsoft lets you flip a switch to stop collection, then quietly flips it back. Try harder and your computer might crash.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying
1/4 LOW
Is someone spying on me?
Data Sharing
2/4 MODERATE
Who gets my data?
Security
1/4 LOW
Is it actually secure?
Honesty
3/4 HIGH
Can I trust what they say?
CONFIGURE High-risk areas that can be partially mitigated with settings changes.
5 Contradictions
0 Critical
3 High
2 Medium
2 Sources
Findings by concern
Spying 1/4 LOW 1 finding
⚫ medium · firmware analysis vs policy claims
Windows Defender's Enhanced Phishing Protection monitors your keystrokes at every password field — watching what you type to check if you're entering credentials on a suspicious site. Microsoft's security software is reading your passwords as you type them. The data supposedly stays on-device, but Defender reports telemetry to Microsoft that includes which websites triggered phishing alerts. Microsoft knows which sites you entered passwords on.

What they claim: Enhanced Phishing Protection keeps passwords safe.

What we found: Monitors password entry across the system -- watches keystrokes at password fields. Enabled by default. Sends phishing data to Microsoft.

Data Sharing 2/4 MODERATE 2 findings
⚡ high · firmware analysis vs policy claims
Defender sends every website and download to Microsoft -- the first company in the NSA's PRISM program, with 801 advertising partners.

What they claim: SmartScreen protects users by checking files and URLs.

What we found: Every URL and file hash sent to Microsoft. PRISM participant since 2007. 801 ad partners (Outlook). URLs can contain personal info. Different collection in EU vs elsewhere.

⚫ medium · policy claims vs regulatory findings
Windows Defender works well and costs nothing extra — genuinely one of the best free security products. The catch: it cannot be fully removed from Windows, and all telemetry feeds into Microsoft's broader data ecosystem (the same one connected to 801 advertising partners). An entire industry of third-party tools like O&O ShutUp10 exists specifically to disable the data collection that Microsoft builds into its "free" security product.

What they claim: Free, effective security for all Windows users.

What we found: Good detection rates, no upselling, no crypto miners, no data selling. But: can't remove, feeds into telemetry infrastructure, different privacy by jurisdiction, part of extensive data monetization company.

Honesty 3/4 HIGH 2 findings
⚡ high · firmware analysis vs regulatory findings
Microsoft lets you flip a switch to stop collection, then quietly flips it back. Try harder and your computer might crash.

What they claim: Users can control Defender's data collection.

What we found: AllowTelemetry=0 silently overridden to 1 on Home/Pro. Aggressive disabling triggers BSODs, breaks signatures. Telemetry 'deeply interwoven' with updates. EU gets different defaults. Cannot uninstall.

⚡ high · policy claims vs firmware analysis
Microsoft says Defender data is for security only, but it flows into the same systems powering their ads and AI. No wall between security data and everything else.

What they claim: Defender data collection is strictly for security.

What we found: Same infrastructure processes Defender data, DiagTrack, Outlook ads, Recall screenshots, Copilot AI. No technical separation demonstrated. One privacy statement covers all.

What happened to real people
Documented incidents involving Microsoft products and user data.
First PRISM participant (2007). 31% of US legal demands come with secrecy orders — 1,974 gag orders in H1 2025 alone. Users never told their data was demanded. [source]
Storm-0558: Chinese hackers used a stolen Microsoft signing key to access US government officials' email accounts. Microsoft's own infrastructure was the attack vector. [source]
What your data is worth to governments
Microsoft complied with 6,288 government data requests in H1 2025. 31% of demands include secrecy orders. Microsoft has been a confirmed PRISM participant since 2007. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).
Sources