Windows 8: SmartScreen Functionality Tracks Apps Users Install

Jonathan Charles

By default, new functionality in Windows 8 called "SmartScreen" tracks apps and programs that users install, sending data to Microsoft. While the feature can be turned off, users may feel that the data monitoring is invasive. 

When an app is installed on Windows 8, a warning may pop up, telling users not to run the app if a certificate is not signed, although users can click Run Anyway. This is possibly the first encounter with SmartScreen for less-informed Windows 8 users. Casual users may not know that the app's filename is also sent to Microsoft, along with a hash of the app installer and the user's IP address.

Microsoft checks software using a three-step process: users download the app or program and open the installer, and then SmartScreen gathers information on the downloaded software and sends it to Microsoft.

Nadim Kobeissi, a hacker, published a blog post revealing the information. In it, he came to the conclusion that Microsoft is tracking users' information. Kobeissi notes that Microsoft enables the feature by default and SmartScreen itself warns users continually to re-enable the feature if disabled. 

Despite the ability to disable SmartScreen, users receive no warning about the functionality when setting up Windows 8. With Windows 8 now released to manufacturing, that is likely to persist for now. Whether Microsoft will clarify the issues and/or make changes to the software is unknown.

This may be a worrisome feature for users. If downloads are intercepted, app filenames and potentially personal data could be stolen. Combine that risk with the insecurity of most Wi-Fi connections, and serious issues may arise. The privacy violation is exacerbated "when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations".

The servers sending data to Microsoft support SSLv3 connections, meaning that the security concerns of SSLv2 are gone (an update added to the blog post after publication established this fact). Fourteen hours after the blog post went live, the insecure SSLv2 connection references to Microsoft's servers were removed.

Windows 8 launches Oct. 26.

© Copyright 2020 Mobile & Apps, All rights reserved. Do not reproduce without permission.
