Microsoft anti-phishing tool sends Microsoft a list of sites visited

[David Farber <dave () farber net>]

Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: September 8, 2005 9:54:29 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Re: [IP] Microsoft anti-phishing tool sends Microsoft a list  
of sites visited



Dave,

I agree with EFF that the sending of user Web browsing data in this
manner is poor policy and that users would be wise not to enable
this feature.  The privacy implications, both now and in the future,
are quite serious.

However, to give Microsoft their due, at least they're making a
public statement that they are not logging the data, for now,
anyway.  Contrast this with Google, who has various tools that are
feeding user data back to Google HQ, with no definitive public
statements regarding Google's logging and retention policies
regarding that data.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () eepi org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
  - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com
  2005-09-07: "Lies, Damned Lies, and Politicians"

 - - -


> Begin forwarded message:
>
> From: Joshua Weinberg <joshua () theWeinbergs com>
> Date: September 8, 2005 5:54:57 PM EDT
> To: dave () farber net
> Subject: Microsoft anti-phishing tool sends Microsoft a list of sites
> visited
> Reply-To: joshua () theWeinbergs com
>
>
> Dave, for IP list if you'd like.
>
> This article says that Microsoft's new anti-phishing filter will work
> by sending Microsoft the address of every site visited that is not
> already on a safe/unsafe list.  It quotes the EFF worrying that this
> is "a wholesale handing over of one's privacy to Microsoft."
>
> I'm surprised I have not seen much else on this in the press or from
> privacy advocates.
>
> Thanks,
> -joshua
>
> Joshua Weinberg
> joshua () theWeinbergs com
>
>
>
> Does anti-phishing tool angle for too much data?
> http://www.dallasnews.com/sharedcontent/ptech/
> generalstories2/082705ccdrptechphishing.3eb9bea7.html (registration
> required)
>
> August 27, 2005
>
> By MIKE GOLDFEIN / The Dallas Morning News
>
> Microsoft Corp. will soon release a security tool for its Internet
> browser that privacy advocates say could allow the company to track
> the surfing habits of computer users. Microsoft officials say the
> company has no intention of doing so.
>
>   The new feature, which Microsoft will make available as a free
> download within the next few weeks, is prompting some controversy,
> since it will tell the company what Web sites users are visiting.
>
> The browser tool is being called a "phishing filter." It is designed
> to warn computer users about "phishing," an online identity theft  
> scam.
>
> The Federal Trade Commission estimates that about 10 million
> Americans were victims of identity theft in 2005, costing the economy
> $52.6 billion.
>
> But privacy groups are already raising questions about how this
> feature will work, and some computer security experts are questioning
> whether it will be effective.
>
> Phishing fraud normally begins when computer users receive e-mails
> appearing to be from banks, eBay, or credit card companies,
> requesting account updates.
>
> Links are provided to Web sites that seem legitimate. Unwary users
> are duped into giving up their Social Security, credit card and
> banking account information.
>
> In an effort to protect Internet users, Microsoft's anti-phishing
> tool is designed to verify the safety of every Web site and to issue
> warnings if users encounter a suspected or known phishing site. It
> will use a three-step process.
>
> First, the browser will automatically check the address of every Web
> site a user visits against a list of sites Microsoft has verified to
> be legitimate.
>
> This list will be kept on users' computers.
>
> If no match is found, the Phishing filter will send the address to
> Microsoft, where it will be checked against a list of known phishing
> sites that the company intends to update every 20 minutes. A match
> will trigger a warning that will pop up in the browser.
>
> Finally, if no match is found at Microsoft, a sophisticated filter
> built into the browser will compare characteristics of the suspect
> Web site to characteristics common to phishing sites. This too could
> trigger an alert to appear.
>
> Privacy advocates were surprised to learn that Microsoft would be
> using this method in an effort to protect its customers.
>
> Kevin Bankston, an attorney and Internet privacy expert with the San
> Francisco-based Electronic Frontier Foundation worries that this is
> "a wholesale handing over of one's privacy to Microsoft."
>
> "I would say, right now, definitely don't use this. If you're
> careful, you don't need this," he said.
>
> The filter is designed as an opt-in feature. The first time computer
> users attempt to visit a Web site that is not included on the list of
> "legitimate" Web sites, they will be asked whether they wish to
> enable the phishing filter.
>
> Users also have the option of turning the filter off.
>
> What happens to data?
>
> Microsoft officials say the company has no plans to retain
> information contained in those queries, which they say will be
> encrypted and limited to the domain and path of the Web site being
> called.
>
> "We don't store that information," said Greg Sullivan, Microsoft
> Windows group product manager. "There is no server event log, no
> database, no hosted event file."
>
> But Mr. Bankston said the information may be too valuable for the
> company to ignore in the long run.
>
> "There are clear financial imperatives for them to choose to make use
> of this information in the future and start logging it," he said. "It
> is not hard to imagine the gold that could be mined out of that
> information."
>
> What is unclear is just how frequently Web addresses will be sent to
> Microsoft.
>
> The answer appears to depend, in part, upon how often consumers surf
> to sites contained in the list of legitimate Web sites as opposed to
> sites not on that list.
>
> Microsoft officials say the list of approved sites will number in the
> tens of thousands. Company officials declined to provide an exact
> number.
>
> Michael Aldridge, a product planner with Microsoft's technology care
> and safety group, said the company would not be vetting which Web
> sites are contained on the list. "It is based ... purely on traffic.
> We make no judgments on content."
>
> That list is being provided by Nielsen NetRatings, which measures
> Internet traffic. Tracy Yen, a company official, also declined to
> provide the number of names on the list.
>
> ICANN, the Internet Corporation for Assigned Names and Numbers,
> reported in August that there are 43 million active registered domain
names worldwide. Todd Bransford, vice president of marketing with

> Internet security firm Cyveillance, referred to the Nielsen list to
> be used by Microsoft as a "complete drop in the bucket."
>
> Potential problems
>
> Mr. Bransford said he believes that most Internet surfing will
> ultimately prove to be to sites not on the Microsoft list. That would
> mean those users who opt in will be sending a majority of their
> surfing locations to Microsoft.
>
> Mr. Bransford said the Microsoft phishing filter may prove
> ineffective and could provide a false sense of security for many  
> users.
>
> "Phishers are evolving very quickly," he said, "and making sites look
> different. So with this approach you have a problem where the
> technology may not know what a phishing site looks like. It may miss
> a lot of stuff."
>
> A further concern is that since the list of legitimate Web sites is
> limited, the filter may mistakenly identify safe sites as phishing
> sites. "That's definitely a worry," said Mr. Bankston.
>
> Microsoft officials say the filter will contain a link allowing
> businesses and users to quickly inform the company of any errors.
>
>
>
> -------------------------------------
> You are subscribed as lauren () pfir org
> To manage your subscription, go to
>   http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/