Windows 8 privacy worry overblown, says Microsoft analyst

It sounds like a privacy hole big enough for a truckload of your personal information to be leaked to the world, but experts say a recently disclosed Windows 8 privacy issue is really a non-issue.

Microsoft's Windows 8, which connects its users with networks including Facebook, Flickr, Twitter, LinkedIn, Hotmail, Gmail and Exchange, leaves a "lingering cache of automatically collected contacts [that] are stored unencrypted on a Windows 8 client," InfoWorld's Woody Leonhard reports this week.

"[Windows 8] doesn't build its Contacts list dynamically," Leonhard reports. "Instead, it keeps a cache of contacts from all of those sources stored on the machine. The cache persists even when the user logs off or the machine is turned off."

"That means anyone who can sign on to your PC with an administrator account can see all of your contacts and all of their data -- names, email addresses, pictures, telephone numbers, addresses," he writes.

Leonhard said he found out about this from a white paper by George Washington University grad student Amanda C.F. Thomson, at a blog called PropellerHeadForensics. He said while the contact information is "stored away in an appropriately obscure format, the text is in the clear and the pictures can be resurrected fairly easily. Nothing's encrypted."

Michael Cherry, lead analyst for operating systems at the analysis firm Directions on Microsoft, says he has no reason to doubt Thomson's findings. But he says this is far from a meltdown in Microsoft's decade-long effort to improve its security and privacy.

First and most important, he says, is that this is a beta version of Windows 8 -- a release preview. While it is in wide use, "the point is that this is the kind of thing they are looking for."

"My sense is that Microsoft will take some steps to remedy any issues, but in the area of privacy, the remedy may simply be to tell people that their information is shared among the services," he told CSO Online.

Cherry says it is not just Microsoft, but all Internet services -- from e-mail services to social networking sites -- that are "standing on the dividing line of what people want -- communicating with people about who they are, but at the same time wanting to be aware when they do it."

"Operating systems cache data all the time," Cherry says. "If they had to rebuild all the time, things would run much slower, and you have to remember that in the back of [users'] minds is this impression that Windows is slower than the iPad. People want instant-on."

He also notes that those who use Apple products and have their laptops, iPads and iPods synced are putting that information into iCloud. "If you're living in this world, you're probably doing that with something," he says.

Mark Baldwin, principal researcher and consultant at InfosecStuff, says he doesn't think the risk is any greater with Windows 8 than with Windows 7. While the newer version "is more tightly integrated with social media, it makes sense to cache that data to improve performance. As the author noted, one must have admin rights to view this data for a user other than yourself."

"And if an unauthorized person has admin rights on your machine, then you have more problems to worry about than your Facebook and email contact information," he says.

Both Cherry and Baldwin say any computer user should be very selective about who has administrator privileges on Windows. "[Administrator privileges] gives you powers that can be very dangerous," Cherry says. "Only somebody very trusted should ever be the administrator, and then only for limited things like maintenance, or to install a new version of something."

Cherry says that he chooses to operate his computer with a "user" account. "The reason is because if I do something stupid, I want it to have limited impact," he says.

If people are really concerned about their contact list, they can "flush all the caches" when they log off. "But it takes time to rebuild them all," Cherry says.

There are encryption tools available for those who desire a greater level of confidentiality, but Cherry says that is not foolproof either. "If you lose the key, it is gone forever. And encryption takes time -- when you create something, it has to be encrypted, and then decrypted."

He believes Microsoft will address this issue, but says that aside from making available tools like encryption and flushing the cache, the best thing is simply to let users know how their information is being shared.

"On many sites, you have to go through many pages and read long documents," Cherry says. "At the end of the day, it's too hard to understand. Part of the fix would be to make it really clear."


Stories by Taylor Armerding
