In this day, nothing is more valuable than data. Companies like Google, Facebook, Apple and even government agencies like NSA want your data. And most of these things happen under the guise of security & ‘for your own good’. Microsoft is no different in this regard.

Nadim Kobeissi, a Montreal based independent computer security researcher and hacker, has uncovered a questionable security/privacy policy in Windows 8 RTM, where a feature called Windows SmartScreen is turned on by default. As the name suggests, SmartScreen app “screens” every single application you try to install from the Internet in order to inform you whether it’s safe to proceed with installing it or not. Considering how unsafe the web has become, Internet security is of paramount importance. Windows SmartScreen tries to keep you secure by letting you know about what Microsoft calls ‘Application Reputation‘.


So what’s the issue with SmartScreen?

Letting you know about the reputation of the application you’re trying to install is indeed admirable. But where Microsoft fails is by turning on SmartScreen by default in Windows 8. Say you downloaded Tor Browser Bundle or some free VPN client, the moment you open the installer, SmartScreen gathers some identifying information and sends the data to Microsoft. This is where the problem lies. Nadim makes a great point:

This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users.

This looks like a serious privacy concern, specially considering that the users are not clearly informed of SmartScreen while installing and setting up Windows 8, even though they are given the option to disable SmartScreen. Worse still, according to Nadim, the encryption methods used to transmit the data to Microsoft and back might not be resistant to ‘man in the middle’ attacks. SmartScreen sends a hash of the app installer and its digital signature, if any. So the combination of the hash and the user’s IP address is still enough to identify that a user with “x” IP address has attempted to install “y” software.

Rafael Rivera has more details on this issue. He points out to the base64 encoded representation of the executable file name which is sent to Microsoft. But then, base64 encoding can be easily decoded. Whether Microsoft actually decodes the data or not isn’t clear yet. So those of you apprehensive about this can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings.

[via] Nadim Kobeissi

Also Read:

Raju is the founder-editor of Technology Personalized. A proud geek and an Internet freak, who is also a social networking enthusiast. You can follow him on Facebook and on Twitter. Mail Raju PP. Follow rajupp