There was a time when Microsoft had a monopoly, with Internet Explorer aggressively precluding any competition in the web browser market. Fast forward to today, and there’s hardly anyone who prefers to use Internet Explorer for surfing the web anymore.
Having been knocked out of the competition by superior web browsers like Firefox, Chrome, and Opera, the latest reincarnation of Internet Explorer, Microsoft Edge, has significantly improved in all departments. One might argue it even gave users better privacy controls through tracker blocking.
Almost. But not quite.
Cybersecurity researcher Matt Weeks recently discovered that Microsoft Edge sends full, unaltered, naked, URLs of webpages users visit to Microsoft. There is absolutely no reason why it should be this way, opening up questions about the commitment that the multi-billion tech company has towards user privacy.
How Microsoft Edge Tracks Browsing History
Researcher Weeks pointed out on Twitter that “Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID).”
It turns out that Edge is not only guilty of relaying your URLs to Microsoft, but also your unique SID (security identifier) which is created for every individual Windows user, and thus can be used to identify a person.
Although Microsoft has been quite clear about its privacy policies since the 2015 launch of Windows 10, the inclusion of SIDs in the information being sent to Microsoft isn’t something explicitly mentioned in the documentation.
To be fair, the sending of URLs is just a necessary part of how the SmartScreen feature (which is enabled by default in Edge) works, which is something like this:
SmartScreen checks the websites you visit through Edge against a list of suspicious URLs maintained by Microsoft. If there is a match, then SmartScreen can protect users from visiting the harmful page by denying access.
That much has been disclosed by Microsoft in their official SmartScreen related documentation. But the contentious issue is the undocumented sending of user SIDs, which can reveal a lot about a user’s online activities such as their browsing habits.
At the same time, it is unclear why in the availability of better techniques that do not require the disclosure of complete URLs, Edge still persists with sending unencrypted information back to Microsoft.
In a subtweet, Weeks also explained that “Firefox, Chrome, and Safari do not send your browsing history to their cloud overlords like Edge does.”
The upcoming Chromium-based Edge doesn’t have the problem of sending user SIDs, but the URLs will continue being sent unencrypted, which still makes zero sense.
Privacy Implications
The problem with the way Edge’s SmartScreen behaves is twofold: first, it completely disregards the use of hashed prefixes (which encrypts information) before sending the URLs to Microsoft; and second, the data being sent include users’ SIDs.
Other than the obvious fact that Microsoft can track every individual Edge user’s browsing activities if they wanted to, the poor handling of URLs this way also exposes our information to a security risk from cybercrime groups.
Even though Microsoft relays all this information over a secure network, hackers could still deploy a man-in-the-middle attack to intercept this data. With our browsing activities lying revealed along with our SIDs in the wrong hands, we are entirely at the mercy of the extent of ill-intent harbored by cybercriminals.
Although tools such as VPNs can help enhance your privacy on the web, there is little that you can do if your private information is already in the hands of some malicious agency along with your SID (which is what Edge currently seems to be doing).
Nonetheless, if you are careful and take some simple measures to protect your privacy online, VPNs can be quite valuable. If you are Windows user, these VPNs are some of the widely used tools that many privacy-conscious users are turning to for better online privacy.
Again, these measures are part of a broader strategy to strengthen your online privacy. As far as the problem of naked URLs being collected and sent over to Microsoft via Edge is concerned, the only real solution available right now is to shift to more secure browsers that ensure user privacy in a better way.
Microsoft and Privacy Policies
Microsoft has generally been quite upfront about their terms of use and privacy policy. That, in itself, is commendable in an era where repeated scandals such as Facebook’s make rounds in the news in a new form every year.
But where Facebook has ironically tried to present itself as a privacy-conscious company, Microsoft has always shown better transparency when it comes to their terms of services.
For instance, here’s a statement from Windows 10’s mammoth-sized 45-page privacy policy:
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”
Uhhh, what?
Good faith belief can mean any number of things. Things that many of us probably will never willingly consent to being accessed, disclosed, or preserved by any party other than us.
If Microsoft deserves praise for the transparency in their privacy, they also deserve criticism for why the company is forgoing the use of techniques that obviate direct access to personal user information.
Matt Week’s revelation about the sending of unencrypted URLs by Edge, something that Firefox, Chrome, and Safari avoid, gives Microsoft the impression of a perverse convict who owns up to his sins but shows no intent for making amends by adopting more privacy-sensitive solutions.
And that is a problem that Microsoft shouldn’t continue to ignore, especially in a time when the average user is much more aware and sensitive about their online privacy.