[IP] Microsoft anti-phishing tool sends Microsoft a list of sites visited
Begin forwarded message:
From: Lauren Weinstein <lauren@xxxxxxxxxx>
Date: September 8, 2005 9:54:29 PM EDT
To: dave@xxxxxxxxxx
Cc: lauren@xxxxxxxxxx
Subject: Re: [IP] Microsoft anti-phishing tool sends Microsoft a list
of sites visited
Dave,
I agree with EFF that the sending of user Web browsing data in this
manner is poor policy and that users would be wise not to enable
this feature. The privacy implications, both now and in the future,
are quite serious.
However, to give Microsoft their due, at least they're making a
public statement that they are not logging the data, for now,
anyway. Contrast this with Google, who has various tools that are
feeding user data back to Google HQ, with no definitive public
statements regarding Google's logging and retention policies
regarding that data.
--Lauren--
Lauren Weinstein
lauren@xxxxxxxx or lauren@xxxxxxxxxx or lauren@xxxxxxxx
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
- Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com
2005-09-07: "Lies, Damned Lies, and Politicians"
- - -
Begin forwarded message:
From: Joshua Weinberg <joshua@xxxxxxxxxxxxxxxx>
Date: September 8, 2005 5:54:57 PM EDT
To: dave@xxxxxxxxxx
Subject: Microsoft anti-phishing tool sends Microsoft a list of sites
visited
Reply-To: joshua@xxxxxxxxxxxxxxxx
Dave, for IP list if you'd like.
This article says that Microsoft's new anti-phishing filter will work
by sending Microsoft the address of every site visited that is not
already on a safe/unsafe list. It quotes the EFF worrying that this
is "a wholesale handing over of one's privacy to Microsoft."
I'm surprised I have not seen much else on this in the press or from
privacy advocates.
Thanks,
-joshua
Joshua Weinberg
joshua@xxxxxxxxxxxxxxxx
Does anti-phishing tool angle for too much data?
http://www.dallasnews.com/sharedcontent/ptech/
generalstories2/082705ccdrptechphishing.3eb9bea7.html (registration
required)
August 27, 2005
By MIKE GOLDFEIN / The Dallas Morning News
Microsoft Corp. will soon release a security tool for its Internet
browser that privacy advocates say could allow the company to track
the surfing habits of computer users. Microsoft officials say the
company has no intention of doing so.
The new feature, which Microsoft will make available as a free
download within the next few weeks, is prompting some controversy,
since it will tell the company what Web sites users are visiting.
The browser tool is being called a "phishing filter." It is designed
to warn computer users about "phishing," an online identity theft
scam.
The Federal Trade Commission estimates that about 10 million
Americans were victims of identity theft in 2005, costing the economy
$52.6 billion.
But privacy groups are already raising questions about how this
feature will work, and some computer security experts are questioning
whether it will be effective.
Phishing fraud normally begins when computer users receive e-mails
appearing to be from banks, eBay, or credit card companies,
requesting account updates.
Links are provided to Web sites that seem legitimate. Unwary users
are duped into giving up their Social Security, credit card and
banking account information.
In an effort to protect Internet users, Microsoft's anti-phishing
tool is designed to verify the safety of every Web site and to issue
warnings if users encounter a suspected or known phishing site. It
will use a three-step process.
First, the browser will automatically check the address of every Web
site a user visits against a list of sites Microsoft has verified to
be legitimate.
This list will be kept on users' computers.
If no match is found, the Phishing filter will send the address to
Microsoft, where it will be checked against a list of known phishing
sites that the company intends to update every 20 minutes. A match
will trigger a warning that will pop up in the browser.
Finally, if no match is found at Microsoft, a sophisticated filter
built into the browser will compare characteristics of the suspect
Web site to characteristics common to phishing sites. This too could
trigger an alert to appear.
Privacy advocates were surprised to learn that Microsoft would be
using this method in an effort to protect its customers.
Kevin Bankston, an attorney and Internet privacy expert with the San
Francisco-based Electronic Frontier Foundation worries that this is
"a wholesale handing over of one's privacy to Microsoft."
"I would say, right now, definitely don't use this. If you're
careful, you don't need this," he said.
The filter is designed as an opt-in feature. The first time computer
users attempt to visit a Web site that is not included on the list of
"legitimate" Web sites, they will be asked whether they wish to
enable the phishing filter.
Users also have the option of turning the filter off.
What happens to data?
Microsoft officials say the company has no plans to retain
information contained in those queries, which they say will be
encrypted and limited to the domain and path of the Web site being
called.
"We don't store that information," said Greg Sullivan, Microsoft
Windows group product manager. "There is no server event log, no
database, no hosted event file."
But Mr. Bankston said the information may be too valuable for the
company to ignore in the long run.
"There are clear financial imperatives for them to choose to make use
of this information in the future and start logging it," he said. "It
is not hard to imagine the gold that could be mined out of that
information."
What is unclear is just how frequently Web addresses will be sent to
Microsoft.
The answer appears to depend, in part, upon how often consumers surf
to sites contained in the list of legitimate Web sites as opposed to
sites not on that list.
Microsoft officials say the list of approved sites will number in the
tens of thousands. Company officials declined to provide an exact
number.
Michael Aldridge, a product planner with Microsoft's technology care
and safety group, said the company would not be vetting which Web
sites are contained on the list. "It is based ... purely on traffic.
We make no judgments on content."
That list is being provided by Nielsen NetRatings, which measures
Internet traffic. Tracy Yen, a company official, also declined to
provide the number of names on the list.
ICANN, the Internet Corporation for Assigned Names and Numbers,
reported in August that there are 43 million active registered domain
names worldwide. Todd Bransford, vice president of marketing with
Internet security firm Cyveillance, referred to the Nielsen list to
be used by Microsoft as a "complete drop in the bucket."
Potential problems
Mr. Bransford said he believes that most Internet surfing will
ultimately prove to be to sites not on the Microsoft list. That would
mean those users who opt in will be sending a majority of their
surfing locations to Microsoft.
Mr. Bransford said the Microsoft phishing filter may prove
ineffective and could provide a false sense of security for many
users.
"Phishers are evolving very quickly," he said, "and making sites look
different. So with this approach you have a problem where the
technology may not know what a phishing site looks like. It may miss
a lot of stuff."
A further concern is that since the list of legitimate Web sites is
limited, the filter may mistakenly identify safe sites as phishing
sites. "That's definitely a worry," said Mr. Bankston.
Microsoft officials say the filter will contain a link allowing
businesses and users to quickly inform the company of any errors.
-------------------------------------
You are subscribed as lauren@xxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-
people/
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/