July 25, 2001 6:30 PM PDT
Privacy advocates take aim at Windows XP
The Electronic Privacy Information Center, a Washington, D.C.-based public-interest organization, and privacy group Junkbusters, as well as at least five other groups will ask the FTC to prevent the launch of Windows XP based on potential privacy threats arising from the operating system and Passport software, according to Marc Rotenberg, executive director for EPIC.
The groups will ask that the FTC open an investigation into Microsoft's data-collection practices with regard to Passport and Windows XP, which is scheduled for release in October.
The complaint will ask for relief under Section 5 of the Federal Trade Commission Act, which is a legal standard evaluating whether a practice is unfair and deceptive.
During a press conference Wednesday, Rotenberg said the complaint "concerns the privacy implications of the Windows XP system that is expected to become the primary means of access for consumers to the Internet." It will ask that the FTC investigate Microsoft's intention to "collect, track and profile millions of Internet users."
"Central to the scheme is .Net, which encompasses HailStorm, Passport and Wallet, and its design to gain personal information unfairly and deceptively," Rotenberg said.
Microsoft spokesman Jim Cullinan said the company could not respond in detail to the complaint as it had not been filed. But he said that privacy and security are essential to the design of Passport and the new system software.
"We believe we have designed an authentication system that is a model for the industry because it puts users in control of their own information and who is allowed access to that information."
The planned complaint comes as pressure against Microsoft is mounting on different fronts, with lawmakers and competitors scrutinizing the critical features in Windows XP.
The software giant has been promoting a service, dubbed HailStorm, that is part of its strategy to closely tie its software and Net services together. Through HailStorm, which relies on Microsoft's Passport authentication system, the company envisions connecting content delivery, shopping, banking and entertainment through a variety of devices, including cell phones, personal computers and handhelds.
But with its Passport service, Microsoft is entering one of the most hotly contested arenas on the Web. E-wallet services gather and store personal information from consumers, including passwords and credit card information, so they don't have to continually re-enter the crucial data.
But the promise of convenience may come at a heavy price if the stored information is maliciously breached or accidentally leaked. At the very least, it opens up chances for abuse. And privacy advocates say Microsoft's track record on security is cause for alarm.
"Microsoft wants to be a gateway to the Internet over the long haul--the company that holds all of consumers' personal information," said Richard Smith, chief technology officer of The Privacy Foundation. "That's a control, antitrust issue. It's like they are the one credit card company on the Internet."
But security breaches through software trigger fears that the company could wield too much power through Windows XP. Privacy advocates point to security breaches last year in Microsoft's free Hotmail e-mail program, which is a part of Passport, and a "Code Red" computer worm that recently affected more than 350,000 Microsoft Internet Information Servers.
"There are some problems here with the underlying infrastructure," Smith said. "By concentrating personal information in one place, there are a number of dangers that could arise and issues that need to be addressed."
Microsoft's Cullinan said the company has these issues in mind. "Security is a fundamental design point with all of our .Net services. We have a commitment to our users to protect the privacy and security of their data, and if we don't live up to that, they won't use the Web services."
Further illustrating Microsoft's push to convert consumers into Passport customers, the software giant already requires people to sign up for a Passport account to buy an e-book through its software, advocates say.
"If a major book publisher were to start demanding consumers produce a drivers license before reading a book, people would be outraged," said Jason Catlett, president of Junkbusters.
"Microsoft's strategic intent is plainly to be the monopoly broker of identity who takes a cut of each transaction," Catlett said. "They shouldn't be allowed to get there."
Cullinan said consumers are not required to sign up for Passport to use Windows XP. However, there are features in the system that require an authentication service, including Windows Messenger and Hotmail, he said.
Among other things, the complaint raises concerns about the tie-in between Windows XP and Passport registration; Microsoft's policies surrounding the sharing of information between company units and partners; and profiling of Internet users and the risk of exposure of consumers' Passport information to third parties, Rotenberg said.
The groups will seek to alter the registration process for Windows XP, Passport and Hotmail, as well as to ensure that Microsoft's data-collection and -sharing practices are in compliance with federal privacy laws, Rotenberg said.
EPIC has succeeded in taking similar measures to protect privacy on the Internet. Last year, the organization filed a complaint with the FTC regarding DoubleClick's plans to merge data from online consumers' habits with its offline data company, Abacus, causing the online ad network to renounce those plans.
"Because XP...is going to be persistently bugging people to sign up for a Passport account, that's unfairly using Microsoft's software monopoly to coerce personal information out of consumers," Catlett said.