Earlier this week, Nadim Kobeissi posted a report that claimed the SmartScreen feature in Windows 8 allows Microsoft to see every application that is installed by a user and that Microsoft could be collecting that information into one large database. Furthermore, Kobeissi said that SmartScreen uses an “outdated and insecure” security system that could allow a hacker to intercept that data.
Microsoft has now responded to Kobeissi’s allegations and, as you might expect, claims that his findings are inaccurate. The Register reports Microsoft’s statement as follows:
We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.
As for the security issue, Kobeissi said that the SmartScreen communications to Microsoft are using a server based on SSLv2.0, which he said is “known to be insecure and susceptible to interception.” Microsoft told The Register that it does not in fact use SSLv2.0, and Kobeissi’s blog has now been updated to state that Microsoft’s servers have now been changed to support the SSLv3 protocol.
Even with this change, Kobeissi still seems to be concerned about Windows 8 and its SmartScreen security features. In a post on his Twitter page, he states, “Dear Microsoft: If you don’t want someone to seriously, seriously exploit your SmartScreen security, please contact me right now.”