"Microsoft officials say the company has no intention" of tracking users' surfing habits. Of course, who says they won't change their mind?

Does anti-phishing tool angle for too much data?

August 27, 2005

By Mike Goldfein, The Dallas Morning News


Microsoft Corp. will soon release a security tool for its Internet browser that privacy advocates say could allow the company to track the surfing habits of computer users. Microsoft officials say the company has no intention of doing so.

The new feature, which Microsoft will make available as a free download within the next few weeks, is prompting some controversy, since it will tell the company what Web sites users are visiting.

The browser tool is being called a "phishing filter." It is designed to warn computer users about "phishing," an online identity theft scam.

The Federal Trade Commission estimates that about 10 million Americans were victims of identity theft in 2005, costing the economy $52.6 billion.

But privacy groups are already raising questions about how this feature will work, and some computer security experts are questioning whether it will be effective.

Phishing fraud normally begins when computer users receive e-mails appearing to be from banks, eBay, or credit card companies, requesting account updates.

Links are provided to Web sites that seem legitimate. Unwary users are duped into giving up their Social Security, credit card and banking account information.

In an effort to protect Internet users, Microsoft's anti-phishing tool is designed to verify the safety of every Web site and to issue warnings if users encounter a suspected or known phishing site. It will use a three-step process.

First, the browser will automatically check the address of every Web site a user visits against a list of sites Microsoft has verified to be legitimate.

This list will be kept on users' computers.

If no match is found, the phishing filter will send the address to Microsoft, where it will be checked against a list of known phishing sites that the company intends to update every 20 minutes. A match will trigger a warning that will pop up in the browser.

Finally, if no match is found at Microsoft, a sophisticated filter built into the browser will compare characteristics of the suspect Web site to characteristics common to phishing sites. This too could trigger an alert to appear.
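The three-step pipeline described above, as an added Python sketch that is not Microsoft's code: a local allowlist check that never touches the network, a remote lookup that sends only the host and path (the scope the article says the query is limited to), and a simple local heuristic. All domains, list contents and scoring rules are constructed for this example; the session report shows why the share of visits sent upstream depends on how much browsing the local list covers.

```python
from urllib.parse import urlsplit

# Constructed sample lists; every domain and address here is invented for this
# example. The local allowlist stands in for the Nielsen-derived "legitimate
# sites" list, the remote blocklist for the Microsoft-hosted phishing list.
LOCAL_ALLOWLIST = {"bank-example.com", "shop-example.org"}
REMOTE_BLOCKLIST = {("bank-example-verify.net", "/login"),
                    ("203.0.113.7", "/account/update")}
BAIT_WORDS = ("login", "verify", "secure", "update", "account")

def reduce_for_lookup(url):
    """Step 2 data minimisation: keep only host and path, which is all the
    article says the query contains. Scheme, port, userinfo, query string and
    fragment are dropped; those often carry session tokens or search terms."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"

def site_key(host):
    """Crude registrable-domain approximation: the last two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def heuristic_score(url, host, path):
    """Step 3: local characteristics check, deliberately simple."""
    score = 0
    if host.replace(".", "").isdigit():        # bare IPv4 address as host
        score += 2
    if host.count(".") >= 3:                    # long subdomain chains
        score += 1
    if "@" in urlsplit(url).netloc:             # userinfo used to fake a brand
        score += 2
    return score + sum(w in (host + path.lower()) for w in BAIT_WORDS)

def classify(url, remote_lookup=lambda key: key in REMOTE_BLOCKLIST):
    """Returns (verdict, what_left_the_machine); None when step 1 matched."""
    host, path = reduce_for_lookup(url)
    if site_key(host) in LOCAL_ALLOWLIST:       # step 1: local list, no network
        return "trusted", None
    key = (host, path)                          # step 2: only host+path are sent
    if remote_lookup(key):
        return "known-phishing", key
    if heuristic_score(url, host, path) >= 3:   # step 3: local heuristics
        return "suspected-phishing", key
    return "unknown", key

def session_report(urls):
    """How much of a session leaves the machine: depends on local-list coverage."""
    results = [classify(u) for u in urls]
    sent = [key for _, key in results if key is not None]
    return {"visited": len(urls), "sent": len(sent), "sent_keys": sent}
```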

Privacy advocates were surprised to learn that Microsoft would be using this method in an effort to protect its customers.

Kevin Bankston, an attorney and Internet privacy expert with the San Francisco-based Electronic Frontier Foundation, worries that this is "a wholesale handing over of one's privacy to Microsoft."

"I would say, right now, definitely don't use this. If you're careful, you don't need this," he said.

The filter is designed as an opt-in feature. The first time computer users attempt to visit a Web site that is not included on the list of "legitimate" Web sites, they will be asked whether they wish to enable the phishing filter.

Users also have the option of turning the filter off.

What happens to data?

Microsoft officials say the company has no plans to retain information contained in those queries, which they say will be encrypted and limited to the domain and path of the Web site being called.

"We don't store that information," said Greg Sullivan, Microsoft Windows group product manager. "There is no server event log, no database, no hosted event file."

But Mr. Bankston said the information may be too valuable for the company to ignore in the long run.

"There are clear financial imperatives for them to choose to make use of this information in the future and start logging it," he said. "It is not hard to imagine the gold that could be mined out of that information."

What is unclear is just how frequently Web addresses will be sent to Microsoft.

The answer appears to depend, in part, upon how often consumers surf to sites contained in the list of legitimate Web sites as opposed to sites not on that list.

Microsoft officials say the list of approved sites will number in the tens of thousands. Company officials declined to provide an exact number.

Michael Aldridge, a product planner with Microsoft's technology care and safety group, said the company would not be vetting which Web sites are contained on the list. "It is based ... purely on traffic. We make no judgments on content."

That list is being provided by Nielsen NetRatings, which measures Internet traffic. Tracy Yen, a company official, also declined to provide the number of names on the list.

ICANN, the Internet Corporation for Assigned Names and Numbers, reported in August that there are 43 million active registered domain names worldwide. Todd Bransford, vice president of marketing with Internet security firm Cyveillance, referred to the Nielsen list to be used by Microsoft as a "complete drop in the bucket."

Potential problems

Mr. Bransford said he believes that most Internet surfing will ultimately prove to be to sites not on the Microsoft list. That would mean those users who opt in will be sending a majority of their surfing locations to Microsoft.

Mr. Bransford said the Microsoft phishing filter may prove ineffective and could provide a false sense of security for many users.

"Phishers are evolving very quickly," he said, "and making sites look different. So with this approach you have a problem where the technology may not know what a phishing site looks like. It may miss a lot of stuff."

A further concern is that since the list of legitimate Web sites is limited, the filter may mistakenly identify safe sites as phishing sites. "That's definitely a worry," said Mr. Bankston.

Microsoft officials say the filter will contain a link allowing businesses and users to quickly inform the company of any errors.
