A very interesting find by a researcher called Nadim Kobeissi.
He found that a Microsoft application called Smartscreen will by default, inform Microsoft of every app downloaded and installed by every user.
He claims that users are not informed about this even though they are given the option to disable SmartScreen (which is enabled by default.)
Smartscreen (to recap) is Microsoft’s application that proactively monitors your downloads to verify that they are not malicious before they get to your desktop. This is a good thing.
From Kobeissi:
Windows 8 appears to send this information to Microsoft to a server that relies on Certificate Authorities for authentication and supports an outdated and insecure method of encrypted communication.
It is possible that these insecurities could allow a malicious third party to target a Windows 8 user and learn which applications they are using. This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits.
I find Microsoft’s decision to design SmartScreen in such a privacy-free fashion to be a very bad choice, and I really hope that these concerns regarding SmartScreen will be addressed in near-future updates.
He attached an image:
Smartscreen encryption
I have no doubt that Microsoft is analyzing how serious this is and if necessary will roll out a patch or update to fix.
I can’t imagine that this will be too hard to take care of.
As Rafael Rivera says:
But look, you have the power of choice. You can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings, and subsequently turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.