Security researcher and blogger Nadim Kobeissi has uncovered evidence
that Windows 8 doesn’t just keep a local log of installed programs — it phones home to tell Microsoft every time you install an application. This is a significant expansion of a technology Microsoft introduced in Internet Explorer 9, called SmartScreen. In IE9, SmartScreen was an optional feature that would warn users if they ran a downloaded program that wasn’t whitelisted or flagged with a positive reputation by Microsoft’s servers. It was part of a wider initiative to encourage developers to sign their code, and MS claimed that SmartScreen significantly reduced the chances of downloading and installing malware.
Redmond decided to up the ante in Windows 8. SmartScreen is now a system-wide defense technology, enabled by default, and it checks every program/application install on every PC. That check sends Microsoft a hash of the application installer together with its code signature. Your IP address travels with that request, which makes it trivial for MS to trace back which IP addresses installed which software.
If the application has a high reputation, the install proceeds normally. If not, users are greeted with a SmartScreen warning dialog instead. (The article’s two screenshots of those dialogs are not reproduced here.)
If the system is offline, SmartScreen apparently tosses you a warning that (gasp) your machine is no longer protected and that Windows can’t (clutches pearls) help you decide if a program is safe to run!
Security advocates, thinking people, and everyone who isn’t Microsoft naturally find this troubling. For one thing, MS now has a database of what every IP is installing. Even if the company takes steps to make that information anonymous, there’s no way the government will ignore a centrally maintained database of activity once it believes it can link an IP address to particular users. Second, there’s the temptation to use this information for targeted advertising. If Microsoft sees an IP address installing video games or Xbox Live content, it knows that’s probably a gamer. If you’re downloading cooking apps, you might like to see some ads for recipe websites.
This strikes at one of the problems with so-called anonymous data — it’s not actually anonymous. If I know your IP, the apps you install, and the websites you visit, I know an awful lot about you. I may not retain that data, but you can bet that governments and corporations will both want to get their hands on it. The earnings from monetizing the information, and the associated temptation, are potentially huge.
Then there’s the fact that the server Windows 8 communicates with still accepts the long-deprecated SSLv2 protocol (a server accepting SSLv2 only matters if a client can be made to negotiate it, a point Microsoft addresses in its statement below), the OS never warns users that SmartScreen is reporting on them, and the public certificate-authority model that SSL relies on has known weaknesses and has been prominently compromised in recent memory. Even if you don’t care that Microsoft has the data, the lack of transparency is deeply troubling.
How to blow your street cred in three easy steps
Step 1: Take a principled stand for user privacy, even when that stance will anger advertisers and companies like Google.
Step 2: Stick to your guns. Declare that enabling Do Not Track by default is the best way to respect users’ right to privacy. Create perception that you are doing this on behalf of users, not because you want to screw your biggest advertising competitor and market leader.
Step 3: Blatantly ignore user privacy. Send a report of every application install back to headquarters, tied to the user’s IP address, possibly over a flawed cryptographic protocol. Don’t tell users what you’re doing. Imply that if they disable this service, they’ll be making a terrible mistake.
That whoosh you hear is Microsoft’s burgeoning credibility on privacy and user rights flushing down the drain. SmartScreen can be disabled in user settings, but the default implementation raises serious concerns.
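For an administrator who wants to audit or change that default across a fleet rather than click through the Settings UI, the following PowerShell is an added example; it is not code from the article or from Microsoft. It assumes the Windows 8 setting lives in the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled (string values "RequireAdmin", "Prompt" or "Off") and that the Group Policy override, when one is configured, is the DWORD HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen; verify both locations on your own build before relying on them. Writing to HKLM requires an elevated prompt.

```powershell
# Added example, not from the article or Microsoft: audit and set the
# Windows 8 SmartScreen state from PowerShell.
# Assumptions (check them on your build):
#   user/machine setting : HKLM\...\Explorer\SmartScreenEnabled (REG_SZ)
#                          "RequireAdmin" = block unrecognised apps (default)
#                          "Prompt"       = warn, allow override
#                          "Off"          = feature disabled
#   policy override      : HKLM\SOFTWARE\Policies\...\System\EnableSmartScreen (DWORD)
#                          if present, Group Policy wins over the setting above

$SmartScreenKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$SettingName    = 'SmartScreenEnabled'
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName     = 'EnableSmartScreen'

function Get-SmartScreenState {
    # Returns an object describing the effective configuration.
    $setting = Get-ItemProperty -Path $SmartScreenKey -Name $SettingName -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Setting        = if ($null -eq $setting) { 'NotSet' } else { $setting.$SettingName }
        PolicyOverride = if ($null -eq $policy)  { 'None' }   else { $policy.$PolicyName }
        # A policy value, if one exists, takes precedence over the local setting.
        ManagedByPolicy = ($null -ne $policy)
    }
}

function Set-SmartScreenState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RequireAdmin', 'Prompt', 'Off')]
        [string]$State
    )
    $current = Get-SmartScreenState
    if ($current.ManagedByPolicy) {
        # Changing the local value would be silently overridden; say so instead.
        throw "SmartScreen is managed by Group Policy ($PolicyName=$($current.PolicyOverride)); change the policy, not the local setting."
    }
    if (-not (Test-Path $SmartScreenKey)) {
        New-Item -Path $SmartScreenKey -Force | Out-Null
    }
    Set-ItemProperty -Path $SmartScreenKey -Name $SettingName -Value $State -Type String
    return (Get-SmartScreenState).Setting
}

# Usage: report the effective state; uncomment the second line to disable the feature.
Get-SmartScreenState | Format-List
# Set-SmartScreenState -State 'Off'
```

The audit reports the policy value separately because a machine joined to a domain may show a local "Off" that never takes effect; the set function refuses to write a value that policy would override rather than leaving the administrator with a misleading registry entry.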
Microsoft has since reached out to us with the following statement: Although Windows SmartScreen is part of the Windows 8 Express Settings during the first-run experience and we recommend it be enabled, if users are concerned about sending this data to Microsoft, they can choose to not enable the feature.
We can confirm that we are not building a historical database of program and user IP data. As with all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.
With respect to the claims of SSL security and data interception risk posed by the SSL2.0 protocol, by default Windows 8 will not use this protocol with our service. Windows SmartScreen does not use the SSL2.0 protocol.
The one part of this statement we take issue with is “users can choose not to enable this feature.” At present, the W8 setup screen does not tell the user that the feature sends data to MS on every application install; the downside and privacy concerns are not presented at all. This is odd considering that MS made such a point of pushing for consumers to be notified regarding Do Not Track.