The new SmartScreen feature in Windows 8 supposedly tells Microsoft about the application you're installing along with your IP address.
A recent scare piece by Cryptocat developer Nadim Kobeissi over on Gizmodo alleges that Windows 8 will tell Microsoft everything the user installs into the new OS.
The reveal is based on the RTM version of Windows 8, which offers a new feature called Windows SmartScreen. This feature is turned on by default, and it is the mechanism by which Microsoft reportedly learns which programs are being installed. According to the report, Windows SmartScreen is merely supposed to "screen" every application the user installs from the Internet, and inform the user whether it's safe to proceed or too evil to install.
But there's more to it than that. Kobeissi provides an example of installing the Tor Browser Bundle. Once the installer is opened, Windows SmartScreen gathers information about the application and sends it to Microsoft. If the company responds that the installer doesn't carry a recognized certificate, the user gets a warning dialog (the Gizmodo piece includes a screenshot).
"There are a few serious problems here," Kobeissi writes. "The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations."
Even worse, it may be possible to intercept SmartScreen's communications to Microsoft and learn about every application downloaded and installed by a target. Beyond that, this information could be sold to third parties who would then send tailored spam to the targeted user. Even Microsoft's server, which receives the SmartScreen data, was reportedly found to support SSLv2, which is known to be insecure and susceptible to interception.
"I haven't checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it," he writes.
Microsoft actually revealed SmartScreen back in March 2011. The company said the service sends a hash of the app installer and its digital signature. But as Kobeissi points out, the hash combined with the user's IP address is enough to identify that a specific address tried to install a specific application. Can this be connected to the user's Windows account? It's possible. Will Microsoft track everything its Windows 8 users install? Probably not.
"Armed with file names, Microsoft could — in theory — be building a database matching IP addresses to files downloaded/run, but let's be real — it's Microsoft. This is the same company that's scared to fart in fear of litigation," writes another researcher, who has since changed his tune after the Gizmodo piece went live.
Windows 8 RTM users can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings. Users can also turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.
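For administrators who would rather script the change than click through Action Center, the setting can also be read and written in the registry. The following PowerShell is an added example and not part of the article or of Microsoft's documentation; the registry paths and value names (SmartScreenEnabled under the Explorer key, and the EnableSmartScreen policy value) come from general Windows knowledge and are assumptions here, since the article only describes the Action Center UI.

```powershell
# Added example, not from the article: inspect and change the Windows 8
# SmartScreen setting directly in the registry. Run from an elevated prompt.
# Registry locations and value names are assumptions, not stated by the article.

$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-SmartScreenState {
    # Returns 'RequireAdmin', 'Prompt', 'Off', or $null if the value is unset.
    (Get-ItemProperty -Path $ExplorerKey -Name 'SmartScreenEnabled' `
        -ErrorAction SilentlyContinue).SmartScreenEnabled
}

function Test-SmartScreenPolicyLock {
    # A domain or local Group Policy (EnableSmartScreen) overrides the user
    # setting; if it is present, changing SmartScreenEnabled will not stick.
    $p = Get-ItemProperty -Path $PolicyKey -Name 'EnableSmartScreen' `
        -ErrorAction SilentlyContinue
    return ($null -ne $p)
}

function Set-SmartScreenState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RequireAdmin', 'Prompt', 'Off')]
        [string]$State
    )
    # 'RequireAdmin' (default): unrecognized installers need admin approval.
    # 'Prompt': warn, but let a standard user continue.
    # 'Off': SmartScreen stops checking installers with Microsoft.
    if (Test-SmartScreenPolicyLock) {
        throw "SmartScreen is enforced by policy under $PolicyKey; clear that first."
    }
    Set-ItemProperty -Path $ExplorerKey -Name 'SmartScreenEnabled' `
        -Value $State -Type String
}

Write-Host "Current state: $(Get-SmartScreenState)"
Set-SmartScreenState -State 'Off'
Write-Host "New state:     $(Get-SmartScreenState)"
```

Note that switching the value to Off does not silence the Action Center nag described above; that message is controlled separately, as the article notes, via "Turn off messages about Windows SmartScreen".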
The full report is available on Gizmodo.