Microsoft: Windows 8 SmartScreen Does Not Breach User Privacy

Microsoft has responded to our inquiry regarding the research made by Nadim Kobeissi – the developer of Cryptocat – on the Windows 8 SmartScreen Application Reputation service and the potential privacy risks that come with it.

“Windows SmartScreen Application Reputation is a file-reputation service that helps users make safer decisions about the programs they download and run. In order to deliver file reputation, information about the files is sent to our reputation services,” a Microsoft spokesperson told Softpedia via email.

“This feature has been extremely successful in helping users make better trust decisions and protect their privacy by helping to prevent inadvertent installation of malware. We are committed to protecting users’ privacy while also helping protect them from online threats,” they added.

“Although Windows SmartScreen is part of the Windows 8 Express Settings during the first-run experience and we recommend it be enabled, if users are concerned about sending this data to Microsoft, they can choose to not enable the feature.”

Kobeissi claimed that SmartScreen could pose a serious privacy breach because the service sends back details of the installed applications back to Microsoft’s servers. The Redmond company’s representatives state that the information that’s sent back to them is not utilized to build a historical database of program and user IP data.

“Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users, and we don’t share it with third parties,” the spokesperson explained.

Another aspect highlighted by the security expert is the fact that the SSL2.0 protocol might be utilized, possibly exposing the data to malicious third parties. As it turns out, the known-to-be-vulnerable SSL2.0 protocol is not used in this case.

Microsoft said, “With respect to the claims of SSL security and data interception risk posed by the SSL2.0 protocol, by default Windows 8 will not use this protocol with our service. Windows SmartScreen does not support the SSL2.0 protocol.”

Add me on Google+

Via: Microsoft: Windows 8 SmartScreen Does Not Breach User Privacy