Researcher claims Windows 8 SmartScreen leaves user data exposed

Most of the attention being paid to Windows 8 has been on its jazzy new interface, but security researcher Nadim Kobeissi says that Microsoft should focus more on the operating system’s security holes.

The core of his concern is SmartScreen, the name for the software Microsoft uses to ensure that Windows users don’t install malicious software. While the functionality is a big help, Kobeissi alleges that it could also allow Microsoft to know the names of all the applications users install on their systems. The bigger problem, he says, is that this could also allow law enforcement to subpoena Microsoft for any of the data that it collects.

Perhaps more worrying, Kobeissi alleges that Microsoft’s use of a vulnerable security protocol could allow bad guys to intercept connections to Microsoft servers, allowing them to know exactly what Windows 8 users have been downloading as well. Some may say this sounds innocuous, but Kobeissi disagrees. “This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits,” he claims.

We’ve reached out to Microsoft on the claims and will update when the company responds.

Kobeissi’s claims have two issues, though.

One, it’s likely that Microsoft strips any traces of users’ IP addresses from data it might collect, making it useless for law enforcement. And two, the bad-guy-data-interception situation Kobeissi proposes is as unlikely a scenario as they come, and this sounds more like fear-mongering than the reflection of any real danger.

And then there’s this: While SmartScreen is turned on by default, Microsoft does give Windows 8 users the straightforward option of turning it off. While this may not fix any of the alleged security holes, it should assuage the fears of those who are highly worried about them.