August 9, 2001 10:50 AM PDT

IE 6 central to Passport privacy boost

By Joe Wilcox and Wylie Wong
Staff Writers, CNET News

• Share
  • Digg
  • Del.icio.us
  • Reddit
  • Facebook
• Email
• Print

Microsoft executives said on Wednesday that the company's Passport authentication service will soon support an emerging privacy standard called Platform for Privacy Preferences, or P3P. The standard is advocated by the World Wide Web Consortium, a Web standards body, and was adopted by Microsoft in June for use in its software.

P3P allows Web users to define what types of information they are willing to give, as well as whether they mind sharing that information with outside parties. Internet surfers will receive a warning before visiting sites that go beyond the stated level. P3P is "a good thing, because it establishes a set of standards and guidelines vendors have to comply with" regarding privacy, said David Smith, an analyst with Gartner. "More privacy is always a good thing, and Microsoft is offering more privacy."

But the P3P features can work only if consumers have installed IE 6, said Brian Arbogast, a vice president of Microsoft's Personal Services Division. In negotiating contracts with new partners, Microsoft is requiring companies that plan to use the Passport service to support P3P, he added.

Microsoft has built P3P into its own Web sites and will support it in IE 6, said Adam Sohn, product manager for Microsoft's .Net strategy. "The W3C is evangelizing this, and we're evangelizing it," he added. "It's good for consumers to manage their privacy."

Passport is a key component of Microsoft's upcoming .Net and HailStorm Web services initiatives and is required for using some of Windows XP's newest features, such as Windows Messenger, a communications console featuring instant messaging, videoconferencing and application sharing.

IE 6 is integrated into Microsoft's forthcoming Windows XP operating system, and it will soon be available as a download from Microsoft's Web site for users of older versions of Windows and other supported operating systems.

Because Passport authentication is done using a Web browser, people using competing products, such as AOL's Netscape 6.1 or Opera, would not be able to use the enhancements unless those browsers are also made P3P-compliant. The same restriction would apply to older versions of Internet Explorer.

Microsoft and rival AOL Time Warner are battling for control of technology such as Passport that makes it easier to navigate the Web and make purchases online. AOL's recent $100 million investment in online retailer Amazon.com was seen as a deal aimed at boosting AOL's own "e-wallet" technology and as a direct means of competing against Passport, according to sources.

Restricting the use of the new security and privacy features to IE 6 users "would be a mistake," said Guernsey Research analyst Chris LeTocq. "It doesn't make sense for Microsoft to shut out the largest part of its installed base from Passport services."

Long arm of the law
Increasing Passport's reliance on Microsoft's latest Web browser, which is in turn tied to its latest operating system, could also increase the legal groundswell building around the authentication service--and Microsoft's overall product strategy--despite what Microsoft claims is a sound technological justification for the move.

In June, a federal appeals court found Microsoft guilty of anti-competitive behavior by its commingling of IE and Windows code. The IE 6 requirement with Passport is "likely to give people the message that Microsoft hasn't changed its behavior one iota on account of being found guilty by the Court of Appeals--same old full speed ahead," said Bob Lande, a professor at the University of Baltimore School of Law.

Microsoft's interest in P3P predates the antitrust case originally brought by the Justice Department and 20 states--it was one of the company's interests in its April 1998 acquisition of Firefly Network. Although Microsoft shuttered Firefly in August 1999, many developers remained onboard to work on Passport.

The Redmond, Wash.-based software giant officially launched the authentication service in March 1999, later requiring its use in MSN Messenger, Microsoft Reader e-books and access to paid Microsoft Developer Network online services, among other places.

More than 200 companies have signed on to the Passport service, including Starbucks, RadioShack, Blue Nile, 1-800-Flowers.com, Office Depot, Office Max, Victoria's Secret and Hilton.com, as well as all of Microsoft's MSN properties and its travel site, Expedia, Microsoft said. Passport facilitates some 2 billion authentications a month, Microsoft claims.

Microsoft's competitors and trustbusters started attacking Passport even before the U.S. Court of Appeals for the District of Columbia Circuit upheld eight separate antitrust violations against the company.

Passport is one of several technologies--including media-player software and instant messaging--under fire because they are integrated into Windows XP. In an interview last month, Iowa Attorney General Tom Miller said the "integration restricts what OEMs (original equipment makers) can do" in customizing Windows XP for their customers.

In another attack, a group of 10 privacy organizations in July asked that the Federal Trade Commission delay Windows XP's scheduled Oct. 25 launch. The groups argued that Passport and other technologies that are part of Microsoft's .Net software-as-a-service strategy violate individuals' privacy.

Passport has also come under fire from privacy experts. Part of the technology's allure is its single sign-on method. Passport uses one e-mail address and password to authenticate users and give them access to a variety of Web-based services--some delivered by Microsoft and others from third parties, such as American Express Blue Card.

The potential for failure
But that single point of access also has the potential to be a single point of failure. Privacy experts warn that someone obtaining a Passport user's e-mail address and password could access all of that user's services.

In an indictment of Passport's security, AT&T Labs researchers David Kormann and Aviel Rubin faulted Microsoft's decision to convert Hotmail user IDs and passwords into Passport credentials. "Any compromised account, and for that matter any future compromise of Hotmail, could result in abuse of their account at these other merchants," they wrote in their report.

Kormann and Rubin also faulted other aspects of Passport's single sign-on approach, including its use of encryption keys and the ability of bogus merchants to set up phony Web stores.

Microsoft hopes to quell some of these criticisms by offering additional security features for its partner Web sites, such as banks, whose security needs are more stringent, Arbogast said. The new security features "offer a second level of authentication," he explained. "It can prompt you for a four-digit PIN (personal information number) or ask you a set of three different questions you have to answer."

Arbogast reiterated Microsoft's contention that the company is concerned about security and privacy. Microsoft's Passport is not collecting user information, and the company's Passport partners are not sharing Passport user information with Microsoft, he said.

Microsoft is relying heavily on Passport for its forthcoming new Web services strategy called HailStorm, which has been billed as a way for subscribers to access their e-mail, personal contact list, schedule and other Web services--such as shopping, banking and entertainment--through a variety of devices, such as PCs, cell phones and handhelds, from any location.

In addition to the P3P support slated for later this year, Arbogast said Microsoft later this month will add support for Passport use on cell phones and personal digital assistants that offer Internet service through WAP (wireless application protocol), a technology used to help cell phone users view Web pages.

When HailStorm services are available, people with new cell phones will be able to upload their contact list into their new phones without having to program each name and number, said Chris Payne, also a vice president of Microsoft's Personal Services Division.

Microsoft will provide tools that will allow its Passport partners to sign on people to the Passport service, Sohn said. For example, when a service provider signs on a new cell phone user, it can now give the customer a Passport account as well, Sohn said.

Later this year, Passport users will also be allowed to change their member name, according to Microsoft's Arbogast. In the past, people who wanted to change their member name had to re-register, and all their previous information was lost. Now they can switch member names but still have their information stored, Arbogast said.

In the future, Microsoft will add Passport to smart-card technology as well as to biometrics, an emerging technology by which people are identified based on their physical characteristics or movements. It will also support digital certificates, Microsoft executives said.

Most Popular

Latest tech news headlines

• Google upgrades Gmail for IE 6 users

  Posted in Webware by Stephen Shankland

  September 7, 2008 10:07 PM PDT

• TI does energy efficiency on a chip

  Posted in Green Tech by Martin LaMonica

  September 7, 2008 9:00 PM PDT

• Intel ships low-power chips for servers

  Posted in Nanotech: The Circuits Blog by Brooke Crothers

  September 7, 2008 9:00 PM PDT