Windows 8 Tells Microsoft About Everything You Install 489
musicon writes "According to Nadim Kobeissi, Windows 8 is configured by default (using a new featured called Windows SmartScreen) to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations."
While SmartScreen is enabled by default, it's possible for users to turn it off. Also, it's worth noting that Microsoft is hardly alone in this regard, given the rise of app stores over the past several year. (Not that it exculpates this behavior.)
Re:Does Windows 8 have an opt-out feature? (Score:5, Informative)
At the rate Microsoft is going, they might as well add a "Windows 8 opt-out feature."
I know this is a joke, but yes, they do, It's called "downgrade rights"
Don't use IE (Score:3, Informative)
It seems from the MSDN link this can be avoided by simply not using Internet Explorer, as if you needed another reason not to
The actual tracking... (Score:5, Informative)
There's no indication that Microsoft themselves keeps track of which individuals downloaded/installed which programs.
The issue this article seems to propose is that somebody could sniff the network traffic between yourself and Microsoft to grab the SmartScreen data and see what you'd installed when Windows contacts MS to see if the file is marked as safe/unsafe/unknown.
If they're in a position to do that, wouldn't they theoretically be in a position to have potentially snooped on the download of the software which is triggering the SmartScreen traffic? (Depending of course, on where in the network their sniffer is at.)
The only valid complaint seems to be that Microsoft is using a known-insecure version of SSL for the website all this data is sent to. If they fix that, I'm not sure what reasonable issue would be there.
I would argue that for the average user, SmartScreen is a useful feature and having it turned on by default (assuming MS is tracking individual user downloads of software for some nefarious purpose) is a good thing.
Re:Wow... (Score:5, Informative)
Did you check if it doesn't run with wine? You'd be surprised how much it has improved recently.
Re:So? (Score:2, Informative)
The first one is a poor comparison. Outside is not a private space in the same way that your computing hardware should be.
Re:Wait... (Score:5, Informative)
How do you people thing virus scanners work?
Erm, by checking against a local signature database of known viruses or running local heuristic checks?
Re:Wow... (Score:3, Informative)
Steam is configured to report back to Valve about every app you download+install on it, and every time you launch an app, and there's NO way to opt out. (Well, you can switch it to offline mode, but that will prevent multiplayer and updates).
Re:Don't use IE (Score:4, Informative)
It seems from the MSDN link this can be avoided by simply not using Internet Explorer, as if you needed another reason not to
This was IE only in Windows 7 with IE9, but it's built into Windows 8 now [msdn.com]
and applies to all applications marked as downloads.
So, if you download something from Firefox, then attempt to run it, data about it is sent to Microsoft.
Re:So? (Score:2, Informative)
Hello Mr. Strawman.
Don't want to use a product that invades your privacy in some way? Don't use a product that does that, or use it but turn off that "feature", or firewall it.
No need to go from there to 'Don't go to a doctor'.
Re:Not Windows 8, Internet Explorer 9+ (Score:4, Informative)
Um, check the date on that blog post. March 22nd, 2011.
This was a feature added, by default, to Internet Explorer 9.0. It is a part of the browser. If you are running Windows 7 and have updated to Internet Explorer 9.0 then it is already doing this. All Windows 8 does is have Internet Explorer 10 installed by default.
Yes, this article [msdn.com] is the one they should have linked to.
Scroll down to the part labeled "Microsoft SmartScreen for Internet Explorer and now for Windows too."
Total Bullshit Article. (Score:4, Informative)
This is an IE9 feature, which would not be a huge surprise to find is still there in IE10. TFS links to an 18-month-old article talking about it in IE9. Not Windows 8. There is nothing to back up the wording used in TFS or TFA. It's a good feature I have enabled on my parent's machines for their protection, as it's one more layer against malware downloads.
The ONLY things this feature touches is executables which are downloaded from the Internet using IE. Install from a DVD? Download using Chrome/Firefox? USB drive? Copied from another disk? Compiled yourself? None of those things gets "sent to Microsoft".
Just someone (successfully) using a combination of inflammatory wording and gullible/lazy
Re:Opt-in vs opt-out (Score:5, Informative)
No, it's that it's opt-out and they don't tell you what they're sending.
I take this back. I just checked the windows install process, and on the page where you choose "Use Express Settings" or "Customize" there are two options to "Learn more about express settings" and "Privacy Statement" where Microsoft details each feature, what data they collect, and how they use that data.
For Smartscreen the text reads:
What this feature does
Windows SmartScreen helps keep your PC safe by checking files and apps with Microsoft to help protect you from potentially unsafe files and apps. Windows will ask you what you want to do if the file or app is unknown or potentially unsafe before it's opened"
Information collected, processed, or transmitted
If you choose to use this feature, information about some of the apps you use and some of hte files you download from the Internet will be sent to Microsoft. This information may include a file name, file ID ("hash"), and digital certificate information along with standard PC information and the Windows SmartScreen filter version number. To help protect your privacy, the information sent to Microsoft is encrypted.
Windows SmartScreen randomly generates a number called a GUID that is sent to Microsoft with your SmartScreen usage data. The GUID lets us determine which data is sent from a particular PC over time. The GUID does not contain any personal information.
Use of Information
Microsoft uses the information described above to provide warnings to you about potentially unsafe files and apps. We also use the information to analyze performance of the feature to improve the quality of our products and services. We use the GUID to determine how widespread the feedback we receive is and how to prioritize it. For example, the GUID allows Microsoft to distinguish between one computer experiencing a problem one hundred times and one hundred customers experiencing the same problem once. Microsoft doesn't use the information to identify, contact, or target advertising to you.
Choice and control
If you choose express settings while setting up Windows, you can turn on Windows SmartScreen. If you choose to customize settings, you can control Windows SmartScreen by selecting Use Windows Smartscreen Filter to Check Files and Apps with Microsoft under Help protect your privacy and your PC. After setting up windows, you can change this setting in Action Center in the Control Panel.
Re:Wow... (Score:3, Informative)
The major difference it the "start screen" takes up the whole screen instead of 1/8 of the screen. You can still hit start and then start typing, etc... And you can use Tablet apps on your desktop if you like them. Some of the apps from the App Store are games, etc... SoulCraft actually lets you use the 360 gamepad, etc...
Watch: http://www.youtube.com/watch?v=t4ooYKE4F-c&feature=player_embedded [youtube.com]
Re:Does Windows 8 have an opt-out feature? (Score:4, Informative)
I hope so, but it's ready today and has been so for at least two or three years.
Re:Does Windows 8 have an opt-out feature? (Score:5, Informative)
I don't see why you don't just get a system built by newegg, or ncix, or whoever. Choose some quality components (or have them choose some for you), and don't buy and OS. It's not like it's hard.
Re:Does Windows 8 have an opt-out feature? (Score:5, Informative)
The 'warnings' and 'lies' you describe have yet to be seen by me..
Here, let me Google that for you [google.com]. Amusingly Google autocompleted that for me from "app is d," so it's not exactly an uncommon error. Generally speaking, the app is not damaged when you get that error - it just isn't Apple-blessed. If you try and run it through the command line, it'll run just fine.
Which kind of disproves the idea that Gatekeeper is about security, if all it takes to bypass it is fork() and exec().
Re:Does Windows 8 have an opt-out feature? (Score:5, Informative)
Re:Does Windows 8 have an opt-out feature? (Score:5, Informative)
Congratulations on focusing on half the post. The other half is about the "usage and diagnostic data" that Mac OS X sends to Apple - which does contain information about what applications you have installed, and has since whenever they added that feature.
Exactly what data does Apple get? Well, according to Apple themselves, they collect "[u]sage information (for example, data about how you use Apple and third-party software, hardware, and services)." What does that mean? Who knows.
The bottom line is that if you don't want some company to know what third-party software you're using on "their" computer, you don't want to go Apple.
And congratulations to you for ignoring the summary. Windows 8 has this on BY DEFAULT and you have to turn it off. Mac OS asks you if you want usage data sent before it ever does it.