Users have raised privacy concerns over the behavior of Microsoft’s EdgeHTML browser. The conversation originated from security researcher Matt Weeks, who revealed that its SmartScreen filter sends the full URL of sites to Microsoft.
As well as the URL, Weeks pointed to a piece of information he claims is the security identifier (SID) – a unique ID created when a user creates a Windows account. For the unfamiliar, SmartScreen is an Edge service that attempts to prevent users from visiting malicious sites. It does so by checking it against a list of known scam websites. It can be disabled in settings.
As pointed out by former Microsoft network, privacy, and security principle PM Eric Lawerence, the disclosure of URLs isn’t something Microsoft hides. It explained how the feature works several times, at SmartScreen’s release and beyond.
“When the user visits an Internet site, the URL of the site is compared against a list of high traffic websites that is built into SmartScreen Filter,” reads a web page. “If the URL matches a site on the list, no further checks occur. If the URL does not match a site on the list[…]SmartScreen Filter sends a query to the Microsoft SmartScreen URL reputation service.”
//twitter.com/scriptjunkie1/status/1152280517972299777
Microsoft says information may include the URL, software version information detailed URL information, downloaded file information, operating system version, and more.
How About the SID?
The sending of unhashed browsing habits to a tech giant is bound to make user’s uncomfortable, but it’s hard to argue that Microsoft hasn’t been upfront. It’s been using similar security techniques for over a decade in various forms and has disclosed it. The advantage of this method is a timely check against current information.
More concerning are the claims that this information includes a user’s SID. As well as Weeks, this information has been confirmed by BleepingComputer and CERT/CC vulnerability analyst Will Dormann.
“A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database,” explains Microsoft’s documentation.
The sending of the SID does not seem to be referenced in SmartScreen documentation. If leaked or examined by a malicious employee, the SID when tied to searches could build a comprehensive picture of a single user’s browsing even without knowing their Windows account name. For example, the user could visit the websites of businesses close to their location, about specific illnesses they have, or their own personal site.
In response to the concerns, Lawrence says “The data protection requirements around SmartScreen are… draconian, to put it mildly. I have some amusing stories in that regard someday. Suffice it to say that attempts to use this data for other purposes never go anywhere[…] It’s not at the discretion of Microsoft, there are documented data policies that regulators are very interested in”.
An investigation by BleepingComputer indicates that Microsoft’s new Chromium Edge doesn’t currently exhibit this behavior. Though it continues to send unhashed URLs, there’s no SID included.
