Opinion Are you a Windows user? How many spoons do you own? Have you counted them lately? The reason we ask is due to the old adage, "the louder he talked of his honor, the faster we counted our spoons." When it comes to the tech giants, they like to talk about their commitment to data security a whole lot, but by Jiminy they like rifling through your cutlery drawer while they're doing it.

With regard to the Edge browser's potential kleptomania, if true, it would reveal a lot more than spoon-lifting, it would betray a hierarchy of horror that goes well beyond browser burglary to asking fundamental questions of Windows as a trustworthy operating system.

The basic story is bad enough. If users on multiple support threads are correct, every time Microsoft's flagship Edge browser starts up, it helps itself to open Chrome tab data and more besides. This goes well beyond the normal "Do you want to import bookmarks, history, etc?" that all browsers like to ask when you first install them on a system where another already lives. It also reportedly doesn't care what you answered to that question: this is a Microsoft package on a Microsoft operating system, and it's gonna Microsoft like it's 1999.

The data in your browser is very sensitive, be it personal, work or both, you need the freedom to move it to a competing browser, or into some useful analytic package or whatever you deem fit. You also need the freedom to keep that data safe just where it is. Without both freedoms, you are open to exploitation through lock-in or data abuse. Heck, it is data abuse, even if it never leaves the computer on which the heist is happening.

Take a step back and ask what such an action - whether deliberate or inadvertent - would tell you about Microsoft's attitude to your data on Windows. We already know that Redmond sees Windows at least in part as a vehicle to insert advertising into daily tasks and push behavioral patterns to its own advantage. Now it would appear that personal data in non-MS products might also be open to exploitation, and there's no reason to think that Edge is going to be the only time this happens. Will any Microsoft code exercise its right to exfiltrate whatever data lives from any non-MS software that's running under Windows?

There's no reason to think that a kleptomaniac caught pillaging the dining room - if that's indeed what's happening - wouldn't also take advantage of other opportunities. What makes this even worse in this instance is that the light-fingered house guest is also the person who built the house, including all the furniture, cupboards and doors, and has the keys to everything.

One of the fundamental principles of baseline security on modern systems is that processes do not have default access to the workspace of others: it's a principle that has been a long time in the making, with advances in OS design, processor architecture and application engineering all working towards the ideal. If these reports are true, Microsoft would be throwing that away for commercial advantage.

What reaction is appropriate? Do application and system designers now assume Windows is a hostile environment, like the open internet, where data security has to be the responsibility of each product and service? There are limits to how much you can do on a per-app basis; data encryption at rest and in flight makes sense, but where do you draw the line if you have to use the OS to move data between CPU and local peripherals like screen and keyboard? That may seem extreme - it is extreme - but if the OS maker appears prepared to continuously abstract information from the user, there's not much to be done.

There are enough worries and hard risk calculations to make daily data security decisions without having to assume this extra piece of coprolitic corporate behavior is taking place.

It's not as if Microsoft is engineering Windows as a window into all our data; it's that the internal structure of the company is such that it can behave this badly and seemingly not notice. At the very least, such behavior could indicate a lack of governance and focus on core principles.

In the end, it's a very poor show if a key piece of software with a major role in maintaining online security starts behaving like the malware it's supposed to guard against. Sure, don't use Edge, but what does that actually guarantee? If you want your spoons to be safe, it's not enough to buy a new kitchen cabinet. ®

https://www.theregister.com//2024/02/05/opinion_column/