For the three of you out there running Microsoft's Edge browser (kidding!), some debatable privacy concerns have been raised about what information the SmartScreen feature is sharing (not kidding). In certain situations, Edge sends out URLs users have visited, and also their unique SIDs (Security Identifiers).
Security researcher Matt Weeks brought the issue to attention over the weekend in a Twitter post, noting the transmission of "your very non-anonymous" SID. In addition, a screenshot he posted shows a URL he visited in plain text, as opposed to being hashed.
"Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID)," Weeks wrote.
The security-minded folks at Bleeping Computer followed up on this and found the same thing. What happens with SmartScreen (which is designed to protect users from malware) is that Edge sends a JSON encoded POST request to a Microsoft URL that includes information about the URL that is being checked.
Sending the URL in plain text is a privacy concern, as it could allow Microsoft to see a user's browsing history. However, it should be noted that Microsoft has been upfront about this in various documentation, outlining that a bunch of file information gets sent over a secure connection. It's disappointing that Microsoft is not hashing the data like Chrome does, but it's not a nefarious discovery, if you even want to call it that.
Sending SID information is a little different, though. I have not sifted through all of Microsoft's documentation, but according to Bleeping Computer, the sending of the SID does not seem to be referenced anywhere.
The good news going forward is that this behavior will change in the revamped version of Edge that Microsoft is developing. Edge is getting an overhaul to a Chromium-based browser, which is available to preview, and it does not send the SID during a SmartScreen request.