“Here is how platforms die: first, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die. I call this enshittification.”
Cory Doctorow, "Too Big to Care: Enshittification is a Choice"
Since the release of Windows 11 in late 2021, Microsoft has made a series of increasingly unpopular changes to the Windows ecosystem, bringing into question the future of the operating system. In February 2023, Microsoft unveiled Copilot, a generative AI chatbot that served to replace Microsoft’s Cortana. While Microsoft previously claimed more than 150 million Windows users used Cortana, that estimate was probably more than a little optimistic.
Cortana’s deep integration into Windows 10 allowed users to more effectively perform tasks with voice commands, but it lacked a clear path to monetization; that is, Microsoft couldn’t figure out how to turn Cortana into a paid service. With Copilot’s introduction in early 2023, development of Cortana ended and Microsoft redirected its Cortana resources into Copilot. While Apple makes use of ChatGPT’s AI models for its own Apple Intelligence product, Copilot is developed by GitHub (a subsidiary of Microsoft) and is powered by OpenAI’s Codex AI model.
Having joined the big tech AI chorus, Microsoft is placing Copilot and generative AI front-and-center in its consumer-facing product portfolio. Surprisingly, Microsoft is also pushing its AI agenda in business and enterprise-focused products, like Windows Azure, Entra, and Microsoft 365 for Enterprise. Considering enterprise customers are traditionally more conservative and adhere to slower adoption and upgrade cycles, Microsoft’s aggressive AI push across all fronts seems a risky gambit.
As with other consumer-facing AI services, Microsoft has positioned Copilot as a “freemium” product, offering a free tier with more limited features and a paid tier with more advanced features. To bolster this agenda, Microsoft, following in Apple’s footsteps, revealed its plans to introduce ARM-powered Windows PCs with deep Copilot integration, under the Copilot+ moniker.
Perhaps the most controversial feature of Microsoft’s Copilot+ platform is Recall, a feature that Microsoft claimed would let you search everything on your PC using natural language, thereby removing traditional barriers to finding changes you’ve made to documents, edits to photos, and so on. It didn’t take long, however, for Recall to be skewered by security researchers as a cybersecurity nightmare; relying on an unencrypted database of screenshots, Recall actually wasn’t secure at all. Anyone with local access to the computer could easily exfiltrate this database of screenshots, containing untold troves of sensitive user data.
Privacy implications for individual users aside, more questions were raised about compliance and data security in corporate and government environments. There were too many unanswered questions about the technical implementation of Recall, how easy it would be to disable, whether it would stay disabled once turned off, or how system administrators would deal with managing it at scale. Microsoft said precious little about the issue of data security and user privacy until public backlash forced them to push back Recall’s release date until an unknown future date.
Microsoft’s obvious bungling of Recall’s technical implementation and its initial retrenchment when faced with public criticism speaks to more insidious, deeply-ingrained problems at the company.
While layoffs are common throughout the tech industry, Microsoft has often been at the fore when it comes to dismissing entire teams and divisions within the company. After finalizing its Activision-Blizzard deal in October 2023, Microsoft fired 2000 employees from its gaming division, or about 10% of all employees within the gaming unit.
During the first nine months of 2023, Microsoft reduced its workforce by 16,000, outstripping the 10,000 layoffs it forecast at the beginning of 2023. In reducing its gaming unit headcount, Microsoft shuttered multiple game studios, including Arkane Austin, Tango Gameworks, and Alpha Dog Games. Microsoft’s treatment of its gaming division is only a microcosm of the wider video game industry’s treatment of its own talent: in February 2024, Sony fired 900 employees from its Playstation division, and Take-Two Interactive (parent company of Rockstar Games) announced plans to cut its workforce by 5% and end development on several games.
None of this apparent dysfunction is really shocking, considering corporate acquisitions inevitably result in mass layoffs–roughly 30% of employees are deemed redundant when companies in the same industry merge. We can’t hold Microsoft to a separate standard for post-merger practices, considering the fetish for layoffs is one that’s shared throughout the Fortune 500. On the other hand, in spite of Microsoft’s massive war chest and their appetite for acquiring companies and intellectual property, its cybersecurity practices are in an apparent state of free-fall.
AJ Grotto, former White House cyber policy director, claims Microsoft is a “national security threat”, due to their monopoly position within the industry, especially within the realm of government IT. In June 2023, Chinese government-backed agents engaged in an attack on Microsoft Exchange Online, facilitated by Microsoft’s lackadaisical security policies, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to demand that “fundamental, security-focused reforms” happen immediately at Microsoft. On April 2, 2024, CISA issued an emergency directive calling for immediate remediation of a major security breach, involving Russian state actors exfiltrating data from Microsoft email systems. CISA writes in its directive:
“The Russian state-sponsored cyber actor known as Midnight Blizzard has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts. The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems. According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.”
Microsoft’s position on internal cybersecurity practices seemingly hasn’t changed, in spite of CEO Satya Nadella’s commentary on Microsoft’s broken security culture. Nadella said,
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”
Microsoft’s various commitments to improved security across its customer-facing products seem more like nebulous promises, while its position on internal security falls somewhere between “scattershot” and “completely undefined”. Microsoft’s massive size, knowledge siloing, and responsibility to maintain huge parcels of legacy code likely all contribute to the brokenness of its internal and external cybersecurity practices. An organization the size of Microsoft requires massive investments in cybersecurity, security-awareness training for teams across all units, and external audits to demonstrate security practices are actually being followed.
So far, though, Microsoft’s only incentive to improve security practices is the threat of losing market share to competitors; in government IT, which accounts for a significant portion of Microsoft’s revenue, there is no competition. Meanwhile, the U.S. government has proven itself toothless in handing down reprimands that actually hurt serial security and privacy offenders. Such fines are considered to be the cost of doing business for companies like Microsoft.
Let’s consider, then, the likelihood of the following two scenarios: (1) a serious competitor to Microsoft will appear within the next few years, and will force Microsoft to change its security and privacy practices, lower prices, and listen to customer feedback; (2) U.S. regulatory agencies will hand down multibillion-dollar fines to companies like Microsoft that serve the purpose of substantially damaging the company’s financials if they fail to comply with industry regulations. Given the direction of our political institutions, including the Supreme Court, the odds of the U.S. government holding abusive monopolies to account seem poor.
Likewise, the odds of a serious competitor to Microsoft emerging anytime soon are remote at best. It seems obvious that we, as tech consumers, are arriving at a crossroads where we have to reconsider our relationships with companies like Microsoft. As more productivity software becomes web-based and the average person’s need for processing power and storage decline, Microsoft’s Windows hegemony appears precarious.
Microsoft is cognizant of the changing dynamics of end-user computing, of course, which is why it is positioning itself as a services company, not the boxed software outfit it used to be. The longer term strategy at Microsoft may well be to convert Windows itself into a monthly or yearly subscription, if its efforts to monetize mined data from current Windows installations don’t pay the dividends it wants.
Microsoft’s whipsawing of Windows users on the issue of local user account creation in Windows 11 ties into the general enshittification of Microsoft products. Despite some changes in its stance on the matter of local accounts versus Microsoft accounts, Microsoft’s long term strategy with Windows 11 has been to discourage users from creating local user accounts when setting up Windows. While Microsoft accounts were previously optional, they are all but mandatory now; this mandate puts users who don’t have or don’t want a Microsoft account in a compromising position.
More troublingly, Microsoft’s decision to make local user accounts optional only in more expensive (or unavailable to the general public) versions of Windows raises more questions about the company’s abuse of its monopoly position in the consumer computing space.
Previously available workarounds to avoid Microsoft’s account dictate are slowly being stamped out, leaving users with fewer options to use a local Windows account. In a disturbing twist, this online account mandate means that if a user’s computer doesn’t ship with compatible networking drivers, the machine can’t connect to the Internet during setup and a local account option is unavailable, leaving the user in a sort of Purgatory until compatible drivers can be integrated into a custom Windows image, which is far outside the average user’s technical capacity.
As things stand, a confluence of poor practices, anti-consumer policies, and monopoly abuse have put Microsoft in a position where governments and enterprises increasingly question their competency, and end users question the need for Windows at all. Microsoft may not have meaningful competition in government and enterprise IT, but its behavior will hand its competitors all the rope they need to hang Microsoft.
While Microsoft may envision a future in which it can double-dip by monetizing user data and converting its entire portfolio to monthly subscriptions (see: Adobe), it fails to properly heed the rising threats of Apple’s macOS and Google’s ChromeOS. In January 2013, Microsoft Windows maintained 91% of the desktop operating system market; in November 2023, that percentage had fallen to 72%. During that same time period, Linux’s market share has grown from less than 1% to over 4%, and ChromeOS (which is based on Linux) has become a juggernaut in educational settings.
Microsoft’s insistence on ignoring the user experience, milking its government and enterprise clients for all they’re worth, and antagonizing the federal government by failing to secure its own infrastructure is leading it, and us, down the garden path to oblivion. As enshittification within the tech space accelerates, we have to reconsider what our data security and privacy are worth. A false sense of convenience has led the average user to change the way they value ownership, security, and privacy while the stakes in cybersecurity have never been higher.
Hyper-normalization of data theft, foreign espionage, and state-backed cyberattacks has led people to expect and accept piss-poor behavior from giant tech companies at a time when these companies should be held to higher standards rather than excused from any real liability.
If you do what you’ve always done, you get what you’ve always gotten. It’s time to abandon bad platforms and reject bad policies, even if it is temporarily inconvenient. Watchdog groups are toothless, and the government certainly won’t do it for you.