[ISN] Microsoft to track internet use

InfoSec News isn at c4i.org
Mon Sep 12 02:22:42 EDT 2005


September 9, 2005

Microsoft Corp will soon release a security tool for its internet
browser that privacy advocates say could allow the company to track
the surfing habits of computer users. Microsoft officials say the
company has no intention of doing so.

The new feature, which Microsoft will make available as a free
download within the next few weeks, is prompting some controversy, as
it will inform the company of websites that users are visiting.

The browser tool is being called a Phishing Filter. It is designed to
warn computer users about "phishing," an online identity theft scam.  
The Federal Trade Commission estimates that about 10 million Americans
were victims of identity theft in 2005, costing the economy $US52.6
billion ($A69.11 billion).

But privacy groups are already raising questions about how this
feature will work, and some computer security experts are questioning
whether it will be effective.

Phishing fraud normally begins when computer users receive emails
appearing to be from banks, eBay or credit card companies requesting
account updates. Links are provided to websites that seem legitimate.  
Unwary users are then duped into giving up their Social Security,
credit card and banking account information.

In an effort to protect internet users, Microsoft's anti-phishing tool
is designed to verify the safety of every website, and to issue
warnings if users encounter a suspected or known phishing site.

It will use a three-step process. First, the browser will
automatically compare the address of every website a user visits to a
list of sites Microsoft has verified to be legitimate. This list will
be kept on users' computers.

If no match is found, the Phishing Filter will send the address to
Microsoft where it will be compared to a list of known phishing sites
that the company intends to update every 20 minutes. A match will
trigger a warning that will pop up within the browser.

Finally, if no match is found at Microsoft, a sophisticated filter
built into the browser will compare characteristics of the suspect
website to characteristics common to phishing sites. Under some
circumstances, this too could trigger an alert to appear.

Privacy advocates were surprised to learn that Microsoft would be
using this method in an effort to protect its customers. Kevin
Bankston, a lawyer and internet privacy expert with the San
Francisco-based Electronic Frontier Foundation, worries that this is
potentially "a wholesale handing over of one's privacy to Microsoft. I
would say, right now, definitely don't use this. If you're careful,
you don't need this."

The filter is designed as an opt-in feature. The first time computer
users attempt to visit a website that is not included on the list of
"legitimate" websites, they will be asked whether they wish to enable
the Phishing Filter.

Users will also be presented with the following on-screen notice,
"website addresses will be sent to Microsoft to be checked against a
list of reported phishing web sites. Information received will not be
used to personally identify you." Users also have the option of
turning the filter off.

What happens to data? Microsoft officials say the company has no plans
to retain information contained in those queries, which company
officials say will be encrypted and limited to the domain and path of
the website being called.

"We don't store that information," said Greg Sullivan, Microsoft
Windows group product manager. "There is no server event log, no data
base, no hosted event file."

But Bankston said the information may be too valuable for the company
to ignore in the long run. "There are clear financial imperatives for
them to choose to make use of this information in the future and start
logging it," he said. "It is not hard to imagine the gold that could
be mined out of that information."

What is unclear is just how frequently website addresses will be sent
to Microsoft. The answer appears to depend, in part, upon how often
consumers surf to sites contained in the list of legitimate websites
as opposed to sites not on that list.

Microsoft officials say the list of approved sites, which they are
referring to as "the list of highly trafficked legitimate websites,"  
will number in the "tens of thousands." Company officials declined to
provide an exact number.

Michael Aldridge, a product planner with Microsoft's technology care
and safety group, said the company would not be vetting which websites
are contained on the list. "It is based ... purely on traffic. We make
no judgments on content."

That list is being provided by Nielsen NetRatings, which measures
internet traffic. Tracy Yen, a company official, also declined to
provide the number of names on the list. ICANN, the internet
Corporation for Assigned Names And Numbers, reported in August that
there are 43 million active registered domain names worldwide.

Todd Bransford, vice-president of marketing with internet security
firm Cyveillance, referred to the Nielsen list to be used by Microsoft
as a "complete drop in the bucket."

Bransford said he believes that most internet surfing will ultimately
prove to be to sites not on the Microsoft list. That would mean those
users who opt in will be sending a majority of their surfing locations
to Microsoft.

He said the Microsoft Phishing Filter may prove ineffective and could
provide a false sense of security for many users.

"Phishers are evolving very quickly," he said, "and making sites look
different. So with this approach you have a problem where the
technology may not know what a phishing site looks like. It may miss a
lot of stuff."

A further concern is that since the list of legitimate websites is
limited, the Phishing Filter may mistakenly identify numerous safe
sites as phishing sites.

"That's definitely a worry," according to Bankston. Microsoft
officials say the Phishing Filter will contain an error reporting
link, allowing business and users to quickly inform the company of any

More information about the ISN mailing list