http://www.theage.com.au/news/technology/microsoft-to-track-internet-use/2005/09/08/1125772633503.html

Washington
September 9, 2005

Microsoft Corp will soon release a security tool for its internet browser that privacy advocates say could allow the company to track the surfing habits of computer users. Microsoft officials say the company has no intention of doing so.

The new feature, which Microsoft will make available as a free download within the next few weeks, is prompting some controversy, as it will inform the company of websites that users are visiting.

The browser tool is being called a Phishing Filter. It is designed to warn computer users about "phishing," an online identity theft scam. The Federal Trade Commission estimates that about 10 million Americans were victims of identity theft in 2005, costing the economy $US52.6 billion ($A69.11 billion).

But privacy groups are already raising questions about how this feature will work, and some computer security experts are questioning whether it will be effective.

Phishing fraud normally begins when computer users receive emails appearing to be from banks, eBay or credit card companies requesting account updates. Links are provided to websites that seem legitimate. Unwary users are then duped into giving up their Social Security, credit card and banking account information.

In an effort to protect internet users, Microsoft's anti-phishing tool is designed to verify the safety of every website, and to issue warnings if users encounter a suspected or known phishing site. It will use a three-step process.

First, the browser will automatically compare the address of every website a user visits to a list of sites Microsoft has verified to be legitimate. This list will be kept on users' computers.

If no match is found, the Phishing Filter will send the address to Microsoft where it will be compared to a list of known phishing sites that the company intends to update every 20 minutes. A match will trigger a warning that will pop up within the browser.

Finally, if no match is found at Microsoft, a sophisticated filter built into the browser will compare characteristics of the suspect website to characteristics common to phishing sites. Under some circumstances, this too could trigger an alert to appear.

Privacy advocates were surprised to learn that Microsoft would be using this method in an effort to protect its customers.

Kevin Bankston, a lawyer and internet privacy expert with the San Francisco-based Electronic Frontier Foundation, worries that this is potentially "a wholesale handing over of one's privacy to Microsoft. I would say, right now, definitely don't use this. If you're careful, you don't need this."

The filter is designed as an opt-in feature. The first time computer users attempt to visit a website that is not included on the list of "legitimate" websites, they will be asked whether they wish to enable the Phishing Filter.

Users will also be presented with the following on-screen notice, "website addresses will be sent to Microsoft to be checked against a list of reported phishing web sites. Information received will not be used to personally identify you." Users also have the option of turning the filter off.

What happens to data?

Microsoft officials say the company has no plans to retain information contained in those queries, which company officials say will be encrypted and limited to the domain and path of the website being called.

"We don't store that information," said Greg Sullivan, Microsoft Windows group product manager. "There is no server event log, no data base, no hosted event file."

But Bankston said the information may be too valuable for the company to ignore in the long run. "There are clear financial imperatives for them to choose to make use of this information in the future and start logging it," he said. "It is not hard to imagine the gold that could be mined out of that information."

What is unclear is just how frequently website addresses will be sent to Microsoft. The answer appears to depend, in part, upon how often consumers surf to sites contained in the list of legitimate websites as opposed to sites not on that list.

Microsoft officials say the list of approved sites, which they are referring to as "the list of highly trafficked legitimate websites," will number in the "tens of thousands." Company officials declined to provide an exact number.

Michael Aldridge, a product planner with Microsoft's technology care and safety group, said the company would not be vetting which websites are contained on the list. "It is based ... purely on traffic. We make no judgments on content."

That list is being provided by Nielsen NetRatings, which measures internet traffic. Tracy Yen, a company official, also declined to provide the number of names on the list.

ICANN, the Internet Corporation for Assigned Names and Numbers, reported in August that there are 43 million active registered domain names worldwide.

Todd Bransford, vice-president of marketing with internet security firm Cyveillance, referred to the Nielsen list to be used by Microsoft as a "complete drop in the bucket."

Bransford said he believes that most internet surfing will ultimately prove to be to sites not on the Microsoft list. That would mean those users who opt in will be sending a majority of their surfing locations to Microsoft.

He said the Microsoft Phishing Filter may prove ineffective and could provide a false sense of security for many users. "Phishers are evolving very quickly," he said, "and making sites look different. So with this approach you have a problem where the technology may not know what a phishing site looks like. It may miss a lot of stuff."

A further concern is that since the list of legitimate websites is limited, the Phishing Filter may mistakenly identify numerous safe sites as phishing sites. "That's definitely a worry," according to Bankston.

Microsoft officials say the Phishing Filter will contain an error reporting link, allowing business and users to quickly inform the company of any errors.
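
The three-step check described in the article, as an added illustration that is not part of the original report and is not Microsoft's code. It records which addresses would leave the user's machine, reduced to domain and path as the article states. The list contents, the heuristic traits and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not Microsoft's or Nielsen's lists).
LOCAL_LEGIT = {"bank.example", "news.example"}      # step 1: list kept on the PC
REMOTE_PHISH = {("login-bank.example", "/verify")}  # step 2: list held by the server

SAMPLE_URLS = [
    "https://bank.example/accounts",
    "http://login-bank.example/verify?id=7",
    "http://192.0.2.7/update",
    "https://shop.example/cart?session=abc123",
]

def domain_and_path(url):
    """Reduce a URL to what the article says a query carries: domain and path."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"

def heuristic_score(url):
    """Step 3 stand-in: count hypothetical traits common to phishing pages."""
    host, _ = domain_and_path(url)
    traits = [
        host.replace(".", "").isdigit(),  # bare IP address instead of a name
        "@" in urlsplit(url).netloc,      # userinfo placed before the real host
        host.count(".") >= 4,             # unusually deep subdomain nesting
    ]
    return sum(traits)

def check(url, sent_log):
    """Run the three steps in order; sent_log collects what leaves the machine."""
    host, path = domain_and_path(url)
    if host in LOCAL_LEGIT:
        return "legitimate (local list)"
    sent_log.append((host, path))  # every miss on the local list is reported
    if (host, path) in REMOTE_PHISH:
        return "warning (known phishing site)"
    if heuristic_score(url) >= 1:
        return "warning (suspicious characteristics)"
    return "no warning"

def simulate(urls):
    """Return the verdict per URL and the list of (domain, path) pairs sent."""
    sent = []
    verdicts = {u: check(u, sent) for u in urls}
    return verdicts, sent

if __name__ == "__main__":
    verdicts, sent = simulate(SAMPLE_URLS)
    for url, verdict in verdicts.items():
        print(f"{verdict:38} {url}")
    print(f"sent to server: {len(sent)} of {len(SAMPLE_URLS)} -> {sent}")
```

Three of the four constructed addresses miss the local list and are reported, including the harmless shop page, which is the exposure the privacy advocates in the article are pointing at.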