In this day and age, nothing is more valuable than data. Companies like Google, Facebook and Apple, and even government agencies like the NSA, want your data. And most of this happens under the guise of security and ‘for your own good’. Microsoft is no different in this regard.
So what’s the issue with SmartScreen?
Letting you know about the reputation of the application you’re trying to install is indeed admirable. Where Microsoft fails is in turning SmartScreen on by default in Windows 8. Say you downloaded the Tor Browser Bundle or some free VPN client: the moment you open the installer, SmartScreen gathers some identifying information and sends it to Microsoft. This is where the problem lies. Nadim makes a great point:
This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users.
This looks like a serious privacy concern, especially considering that users are not clearly informed about SmartScreen while installing and setting up Windows 8, even though they are given the option to disable it. Worse still, according to Nadim, the encryption methods used to transmit the data to Microsoft and back might not be resistant to ‘man in the middle’ attacks. SmartScreen sends a hash of the app installer and its digital signature, if any. A hash hides nothing about an installer that anyone can download and hash themselves, so the combination of the hash and the user’s IP address is still enough to identify that a user with IP address “x” has attempted to install software “y”.
Rafael Rivera has more details on this issue. He points to the Base64-encoded representation of the executable file name that is sent to Microsoft. Base64 is an encoding, not encryption, and is easily decoded. Whether Microsoft actually decodes the data isn’t clear yet. Those of you apprehensive about this can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings.
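To make the point about hashes and Base64 concrete, here is an added sketch (not from the original post, and not SmartScreen's actual wire format) of a report carrying a Base64 file name and a file hash, and of how a receiver with a catalogue of public installers turns it back into "IP x ran product y". SHA-256, UTF-8 file names, the field names and all sample data are assumptions constructed for the illustration.

```python
import base64
import hashlib

# Constructed stand-ins for publicly downloadable installers (not real files).
KNOWN_INSTALLERS = {
    "Tor Browser Bundle": b"constructed bytes standing in for a Tor Browser installer",
    "Example VPN client": b"constructed bytes standing in for a VPN installer",
}


def build_report(file_name: str, file_bytes: bytes) -> dict:
    """Client side: a hypothetical report with an encoded name and a file hash."""
    return {
        "name_b64": base64.b64encode(file_name.encode("utf-8")).decode("ascii"),
        "sha256": hashlib.sha256(file_bytes).hexdigest(),
    }


def build_catalogue(installers: dict) -> dict:
    """Receiver side: hash every public installer once, keyed by digest."""
    return {hashlib.sha256(data).hexdigest(): name for name, data in installers.items()}


def identify(report: dict, source_ip: str, catalogue: dict) -> dict:
    """Receiver side: combine the report with the connection's source IP."""
    return {
        "ip": source_ip,  # visible to any server the client connects to
        "file_name": base64.b64decode(report["name_b64"]).decode("utf-8"),
        "product": catalogue.get(report["sha256"], "unknown"),
    }


def demo() -> dict:
    """Run one constructed report through the receiver-side lookup."""
    report = build_report("torbrowser-install.exe", KNOWN_INSTALLERS["Tor Browser Bundle"])
    # 203.0.113.7 is from the documentation-only address range (RFC 5737).
    return identify(report, "203.0.113.7", build_catalogue(KNOWN_INSTALLERS))


if __name__ == "__main__":
    print(demo())
```

A file the receiver has never catalogued comes back as "unknown", but its decoded file name and the source IP are still readable.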
[via] Nadim Kobeissi