
Security researcher details Windows 8 SmartScreen privacy concerns

A security researcher has detailed what he claims are "very serious privacy" problems with Windows 8's SmartScreen feature.

Windows 8 SmartScreen

Nadim Kobeissi, a Canadian security researcher, has outlined some privacy concerns with Microsoft's Windows 8 SmartScreen technology this week. Kobeissi claims that Microsoft's filter technology, designed to prevent users from downloading or installing malicious software, sends data to Microsoft about each application that is installed within Windows 8. Microsoft's latest operating system is configured, by default, to send information about every app that is downloaded and installed — something that Kobeissi claims is a "big problem."

"This is a very serious privacy problem," he adds, detailing how Microsoft is the central point for data collection and retention. While the data is covered by Microsoft's privacy policy, and many users would trust the software maker to safeguard such data, Kobeissi says that "it may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target." Such interception, which could exploit weaknesses in the SSLv2 protocol used on Microsoft's SmartScreen servers, may allow a third party to target a Windows 8 installation and discover which applications are being used.

SmartScreen is enabled by default in Windows 8, and turning it off results in prompts to re-enable it from Microsoft's Security Center application. Windows 8 users are given an option to disable SmartScreen during setup, but Kobeissi claims they are not informed of the privacy implications. "This puts Microsoft in a compromising, omniscient situation where they are capable of retaining information on the application usage of all Windows 8 users, thus posing a serious privacy concern."

We have reached out to Microsoft for comment on the claims and we'll update you accordingly.

Update: Rafael Rivera, known for reverse engineering Microsoft software, has offered his own thoughts on the potential privacy concerns. "So can Microsoft track everything you download and use? No," he says. However, the data transmitted includes an FName element that is Base64-encoded rather than encrypted — something that's easily decodable using online tools.