With Windows 10 finally launching this week, we’re going to see a slate of articles discussing the OS’s new features and capabilities. Some of these are significant upgrades compared with what came before, while others are potentially controversial. One new option, brought over from Windows Phone 8.1, is called WiFi Sense, but its debut on the desktop could be controversial given what the feature does.

WiFi Sense will automatically connect you to detected crowdsourced WiFi networks, acquire network information and provide “additional info” to networks that require it (it’s not clear exactly what constitutes additional info), and can be used to automatically share your WiFi password with your contacts on Facebook, Skype, and Outlook. That last feature is the potentially controversial one.

WiFi Sense is enabled by default in Build 10240 of Windows 10; if you choose “Express Settings,” Microsoft enables the option and allows your device to acquire WiFi passwords from friends and shares your password with the same group of people. If you choose to leave the function enabled (or turn it on manually, as shown below), it will request permission to connect to Outlook, Skype, and Facebook on your behalf. Other users on your friends list who also run Windows 10 will have their contact information shared with you as well, assuming they also enable the feature.

Microsoft claims that this feature improves security and reduces frustration. Now, instead of you painstakingly spelling out or writing down passwords for guests or friends, they can automatically acquire them as soon as they come in range of your home network. The company’s FAQ states: “When
you share Wi-Fi network access with Facebook friends, Outlook.com
contacts, or Skype contacts, they’ll be connected to the
password-protected Wi-Fi networks that you choose to share and get
Internet access when they’re in range of the networks (if they use Wi-Fi
Sense). Likewise, you’ll be connected to Wi-Fi networks that they share
for Internet access too. Remember, you don’t get to see Wi-Fi network
passwords, and you both get Internet access only. They won’t have access
to other computers, devices, or files stored on your home network, and
you won’t have access to these things on their network.”

In theory, Microsoft could be right, but the company is also creating a de facto database of WiFi information. Elsewhere in the FAQ, Microsoft notes that if you choose to share this information, it’s sent via an encrypted link to Microsoft, which stores the data on its own servers (again in encrypted format). This isn’t as foolproof as it might have once seemed; we’ve covered multiple bugs related to Internet encryption standards in the past nine months.

The other concern we have with WiFi Sense is that the feature has no granularity beyond the service level. I can choose to share or not share information with Facebook, Outlook, or Skype, but that’s it. If you share your network information with anyone on your Facebook friends list, you’re sharing it with everyone on your Facebook friends list. That’s something Microsoft really ought to have addressed when it brought the feature over from Windows Phone; just because I want to share this kind of data with some people doesn’t mean I want to share it with everyone.

The continued degradation of privacy

The risk of exposing your network connection to ne’er-do-wells on Facebook or Outlook.com is small, but it’s not zero. The bigger issue I want to highlight, though, is how features like this indirectly erode the concept of user privacy and the perceived need for good security practices. This is something we’ve talked about before in relation to Apple, but it’s not just an Apple or a Microsoft problem.

On the one hand, we tell people that they need to secure their data with strong passwords while research shows how passwords are trivial to hack — even many strong passwords can be cracked fairly easily. Services like LastPass promise to offer protection, only to fall prey to hacks in turn. When companies get hacked, whether it’s Target or LastPass, the consequences of these failures are often trivial. Even Lenovo, which installed one of the most appalling breaches of user security to ever ship on modern PCs, appears to have come through its Superfish debacle largely unscathed.

This tension is at the heart of all security systems, not merely the online ones. If designing secure systems is difficult, designing secure systems that are both fast and easy to use is borderline impossible. Nonetheless, online companies often encourage users to share information that proper security practices say ought not be shared, while the consequences of security breaches for the companies that suffer them are so small that it sends the message that hey — privacy and security aren’t really things you need to care about. And it just so happens that this relatively lax attitude towards privacy underwrites the business model of multi-billion dollar corporations, many of which seek ever-more lenient rules on what they can and cannot do with your personal information.

On a practical level, the risks from WiFi Sense are small. But from a best-practices security standpoint, it’s far from a great idea.