Windows 8 to Tell Microsoft About Everything You Install?

A recent scare piece by Cryptocat developer Nadim Kobeissi over on Gizmodo alleges that Windows 8 will tell Microsoft everything the user installs into the new OS.

The reveal is based on the RTM version of Windows 8, which offers a new feature called Windows SmartScreen. This feature is turned on by default and is the culprit behind what Microsoft reportedly knows about the installed programs. According to the report, Windows SmartScreen is merely supposed to "screen" every application the user installs from the Internet, and inform the user if it's safe to proceed, or too evil to install.

But there's more to it than that. Kobeissi provides an example of installing the Tor Browser Bundle. Once the installer is opened, Windows SmartScreen gathers information about the application and sends it to Microsoft. If the company responds saying that the application doesn't have the proper certificate, then the user gets an error.

"There are a few serious problems here," Kobeissi writes. "The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations."

Even worse, it may be possible to intercept SmartScreen's communications to Microsoft and learn about every application downloaded and installed by a target. Adding to that, this information could be sold to third parties who would then send tailored spam to the targeted user. Even Microsoft's server, which receives the SmartScreen data, was reportedly found to support SSL v2, which is known to be insecure and susceptible to interception.

"I haven't checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it," he writes.

Microsoft actually revealed SmartScreen back in March 2011. The company claimed the service sends a hash of the app installer and its digital signature. But as Kobeissi points out, the hash and the user's IP address combined are enough to identify that a specific address tried to install a specific application. Can this be connected to the user's Windows account? It's possible. Will Microsoft track everything its Windows 8 users install? Probably not.

"Armed with file names, Microsoft could — in theory — be building a database matching IP addresses to files downloaded/run, but let’s be real — it’s Microsoft. This is the same company that’s scared to fart in fear of litigation," writes another researcher who has thus changed his tune since the Gizmodo piece went live.

Windows 8 RTM users can turn off Windows SmartScreen via Action Center -> "Change Windows SmartScreen settings". Users can also turn off annoying Action Center warnings by clicking "Turn off messages about Windows SmartScreen" in the same window.

    Top Comments
  • Over my dead body those fockers will know what I install... it's incredible the amount of violations against our privacy that some companies commit
    38
  • Oh F*UNK. That's it, Micro$oft. You're done if you'll do that. You're done. Yes. YOU'RE DONE.

    A Bad Day: I do recall there is an open source software that uses other computers to assist in encrypting and transferring messages. The more computers that are connected to the encryption network, the harder it is to trace the origin or the receiver of the message. However, the key feature is that it allows the computers to be anonymous.


    TOR? :\
    19
  • master_chen: You forgot one major thing: NO. ONE. USES. IE. NOBODY. NEVER. EVER. Guess why, huh?


    It's not because of SmartScreen. FYI, I myself use Chrome.
    17
    Other Comments
  • I do recall there is an open source software that uses other computers to assist in encrypting and transferring messages. The more computers that are connected to the encryption network, the harder it is to trace the origin or the receiver of the message. However, the key feature is that it allows the computers to be anonymous.

    Windows 8 would be a huge threat to that encrypting software.
    -7
  • Time to put that tin foil hat on, eh, Kobeissi? Windows 8 is evil!
    -5