Microsoft Edge that comes preinstalled on Windows 10 sends the full URLs of the websites you visit to Microsoft, according to a security researcher.
The data sent by the Microsoft browser includes not only the information of each page you visit, but also the SID, which means security ID, according to a Publication by researcher Matt Weeks on Twitter.
Edge obviously sends the full URL of the pages you visit (except for some popular sites) to Microsoft. And, unlike the documentation, it includes your non-anonymous account ID (SID).
Microsoft is known to use a feature called SmartScreen to protect users from potentially dangerous sites each time they load into the browser.
SmartScreen works by comparing the URL to a list of links that Microsoft has, so the page you visit is submitted to a Microsoft server to determine whether or not you are allowed to access the site.
However, Weeks found that information sent without being encrypted also included the SID.
But Microsoft mentions the following about the SID in the official documentation of the operation:
The security identifier (SID) is used to uniquely identify a security authority or security group. Security authorities can represent any person who may exist in an operating system, such as a user account, a computer account, or a link or process running within the security of a user account or computer.
Theoretically, by including the SID in the report, Microsoft can tell exactly who is visiting a website when SmartScreen is enabled in Windows 10, of course.
By default, SmartScreen for Microsoft Edge uses the "Warn" setting on Windows 10 devices.
However, Microsoft states:
When you check a file, the data for that file is sent to Microsoft. The data includes the file name, the hash of the file contents, the download location, and the digital certificates of the file.
The researcher says that this system could be improved using an approach similar to that used by other browsers.
Firefox, Chrome, and Safari do not send your browsing history to the company, as Edge does. Compare hash prefixes of 4-byte URLs with built-in malicious mailing lists.
Microsoft has not yet made an official statement.