August 15, 2001 5:00 PM PDT

Privacy group attacks Windows XP, Passport

WASHINGTON--A group of privacy organizations on Wednesday renewed their attacks on Microsoft's Passport authentication service and Windows XP, asking the Federal Trade Commission to mandate changes in Microsoft's new operating system.

The loose affiliation of 14 groups amended an existing complaint filed in late July with the FTC. During a media event here, Marc Rotenberg, executive director for the Electronic Privacy Information Center (EPIC), said the groups had filed a 12-page supplemental complaint "alleging that Microsoft by offering Passport (authentication) and associated services is engaging in unfair and deceptive trade practices in violation of Section 5 of the FTC act."

The amended filing focused on changes the coalition said Microsoft made to Passport in response to their original complaint and also on privacy concerns regarding Kids Passport. Based on a review conducted by the Center for Media Education (CME), the groups concluded that Kids Passport does not comply with the Children's Online Privacy Protection Act (COPPA).

Passport is Microsoft's online authentication system that is used for logging in to multiple Web sites or services.

Wednesday's amended complaint drew a skeptical response from some industry analysts, who said they are not convinced that many of the groups' complaints against Windows XP and other Microsoft technologies such as Passport are warranted or that the company's privacy policies are any worse than those implemented by other companies.

"The idea that Microsoft is any worse than any other company is simply unfair," said Directions on Microsoft analyst Matt Rosoff.

Guernsey Research analyst Chris LeTocq agreed. "In what I've seen Passport do, Microsoft is not asking for any more information than any other sites."

Brian Arbogast, vice president of Microsoft's Personal Services & Devices Group, dismissed many of the privacy allegations leveled against the software giant.

"For Microsoft to be a leader in the services world, we need to be constantly gaining the trust of our partners and customers," he said. "We are very serious about privacy."

User-friendliness vs. privacy
Part of the fear surrounding online privacy is the ease with which information could be shared. But analysts warn that the threat posed by traditional companies, particularly sharing personal information without notice, is potentially greater.

"Your credit card company has access to tons and tons of information about every single purchase you make on your credit card," Rosoff said. "Yeah, they sell your address to third-party marketers. That's one of their main businesses."

Clif Holcomb, a police operations supervisor in Nashville and a Windows XP Preview Program user, isn't unduly alarmed. "Microsoft has done a lot to ensure security on the Web," he said. "The Secure Sockets Layer they use and the 128-bit (encryption) are examples. I now do all my banking online and haven't written more than 25 checks in the last four years."

Microsoft uses the Passport technology for some of its MSN Web properties, its messaging service, e-book purchases and new features found in Windows XP. Microsoft partners, such as and Starbucks, use Passport to authenticate some of the services and goods they offer over the Web.

The system also is the authentication mechanism for HailStorm, which has been billed as a way for subscribers to access their e-mail, personal contact list, schedule and other Web services--such as shopping, banking and entertainment--through a variety of devices, such as PCs, cell phones and handhelds, from any location. HailStorm is part of Microsoft's broader, forthcoming .Net software-as-a-service initiative.

In the original complaint, the groups alleged that "Microsoft has engaged and is engaging in unfair and deceptive trade practices intended to profile, track and monitor millions of Internet users." The complaint further alleged that Microsoft's .Net software-as-a-service initiative--including HailStorm and Passport authentication--"are designed to obtain personal information from consumers in the United States, unfairly and deceptively."

Since the filing, the groups--CME, EPIC and Junkbusters, among others--added Ralph Nader's Consumer Project on Technology to their ranks.

Jason Catlett, president of Junkbusters, faulted changes he said Microsoft made to Passport last week as "completely nonresponsive." The groups allege that Microsoft's decision to reduce the amount of information it collects when people sign up for a Passport account is inadequate because an e-mail address, country, state and ZIP code are required.

But Guernsey Research's LeTocq pointed out that the collection of this kind of information, particularly e-mail addresses, is "commonplace" on the Web.

The organizations also argued in their complaint that "XP will disable certain programs that users depend upon for privacy and security, such as (Internet firewalls) Black Ice and ZoneAlarm." Although the complaint acknowledges changes made to how software drivers work in Windows XP, it fails to note that many companies will have solved compatibility issues before the new operating system's Oct. 24 release.

According to the ZoneLabs Web site, ZoneAlarm is compatible with Windows XP.

Passport and P3P
The groups also faulted Microsoft's Passport privacy policy, but Gartner analyst Michael Silver questioned the legitimacy of the policy attacks.

"It's one thing to look at their policy and say we don't believe it," he said. "You have to have some basis for saying that. If Microsoft says they have a policy they won't collect or share certain kinds of information, you have to take it at face value."

Catlett also criticized Microsoft for requiring Passport merchants to adopt Platform for Privacy Preferences, or P3P, which lets Web users define what types of information they are willing to give, as well as whether they mind sharing that information with outside parties.

"I actually think that P3P will not enhance privacy," Catlett emphasized. In fact, EPIC and Junkbusters in June wrote a scathing indictment of P3P, "Pretty Poor Privacy: An Assessment of P3P and Internet Security."

P3P is advocated by the World Wide Web Consortium, the body responsible for setting Web standards.

Gabriela Schneider, senior policy analyst for the CME, faulted "the Kids Passport system (as) not providing the same or greater protection for children as mandated by the FTC."

The CME also concluded that Microsoft's Kids Passport policy requires the collection of more personal information than is necessary for children, "like gathering their e-mail address and sometimes prompting them to sign up for a Hotmail address, when the parents' e-mail address is already collected for the registration of the Kids' Passport," Schneider added.

In Wednesday's amended filing and the original complaint, the groups alleged many other privacy abuses, such as forced Passport account sign-up through Windows XP, product activation and customer profiling.

Analysts questioned the weight given to some of these concerns, however. Product activation, for example, is largely misunderstood because people assume Microsoft collects personal data when it does not.

In the case of product activation, Microsoft "screwed up with the interface," Directions on Microsoft's Rosoff said. During the installation process, optional registration follows product activation.

"So people are saying, 'Uh-oh. They're taking my name and address to Microsoft.' But in actuality, those are two separate processes," he said.

Holcomb, the Windows XP Preview Program participant and self-described "plain user," however, said he understands "that activation and registration are two entirely separate things. The first is anonymous, while the second is not," he said. "I was, at first, concerned about how often I would be required to activate as I regularly upgrade my system's hardware. I'm not worried now."

In mid-July, about two weeks before the groups filed their original complaint, a German copy-protection company essentially backward-engineered Microsoft's activation technology, concluding that it posed no privacy threat.

Analysts say Microsoft actually has broad incentive to ensure consumers' privacy is protected. With HailStorm, Microsoft envisions abandoning the ad-driven Web, where sites have incentive to collect and profit from personal data, in favor of paid services.

Microsoft's Arbogast said the company believes this privacy assurance and delivery of data and services to any kind of device will make HailStorm successful for itself and its partners.

"What Microsoft is saying (is), 'We're going to want you to pay us money,'" Guernsey Research's LeTocq said. "In a sense, that's probably the best guarantee of privacy that you have, because if somebody violates your privacy you have the very effective weapon of turning off the money."

1 comment

my Microsoft disgust
I would greatly appreciate it if people take the time to read a response I submitted to an article relating to some of Microsoft's practices and their XP Pro activation system

------my submission
Hi, initially I must say that I think your article is very good ... and it shocked me to find the methods Microsoft are using for the activation, such as checking hardware configurations ... the minute I read this I thought OMG, what if I want to do some major upgrade on my machine, and then of course I read the next few questions and find the article author obviously realised this as well.

Now to my situation ... I am passionate about PCs and I live in my house with my 2 parents who are pensioners ... anyway I was using Windows Millennium and I decided to buy a legitimate copy of XP Pro OEM for home use for myself and also put it on my parents' machines. I assumed everything would be OK (silly me, should have read the small print) and my computer with Windows Millennium on it was running fine, so I decided to install XP Pro on my father's machine as it needed some maintenance after being running some time ... anyway I installed it on my machine today and got the activation screen, so I thought I would go through the process and it would be fine, but to my utter disgust I only have a 30-day trial ... anyway one of my parents phoned up the support line while I got my installation ID and he explained to them that there's just the 3 of us in the house and we're all home users with no business, and the person's attitude was terrible ... they basically tried to say that it was for the benefit of customers (ME and others like me :-) ) and to help prevent piracy ... hmm, kind of stupid considering we explained we have a legitimate copy ... I then took the phone and became extremely angry ... basically Microsoft's solution is for people who are in low-paid jobs or unemployed to purchase 1 copy per machine ... hence I was expected to buy 3 copies (HOW RIDICULOUS), which would total approximately £255 ... At the end of the day we are a family who are FAR from rich; as implied, we don't get lots of cash; we all chip in together to make ends meet and it is unrealistic to expect anyone other than the extreme rich or software pirates to be able to use Microsoft Windows ... the ironic thing is I have in the past said to people that Microsoft isn't that bad ... that is until they have brought out this activation crap whose only purpose is to line the pockets of the Microsoft directors.
I personally will be more motivated to port to a Linux flavour now and I also feel that it is about time users started boycotting the companies that quite frankly are treating users like thieves who are also severely dumb. One final thing ... I realise I made a mistake purchasing the OEM version, but the standard version was way out of my price range and is not worth the hefty price tag ... a more potent issue than that is the fact that Microsoft are checking a system's spec and using it against legitimate users in a way that feels like spyware to me.

------my submission end
Posted by redwingdw (1 comment )