Microsoft defends Passport in Washington

WASHINGTON--Microsoft on Wednesday descended on the nation's capital, trying to quell concerns its Passport authentication service poses a threat to consumers' privacy or security.

The Redmond, Wash.-based company is here at the behest of the Center for Democracy & Technology (CDT), a consumer advocacy group that wishes to hear directly from the software maker on its plans, said Adam Sohn, Microsoft's manager for U.S.-.Net platform strategy. The software giant may use the opportunity to talk with other groups or even some legislators. But Sohn, who spoke with CNET News.com late Tuesday, said he did not know the day's itinerary.

Microsoft may have a lot of ground to cover. Last week, nearly 15 privacy and consumer groups amended a July 26 complaint filed with the Federal Trade Commission charging that Microsoft, by offering Passport and associated services, is engaging in unfair and deceptive trade practices in violation of Section 5 of the FTC act.

Passport is Microsoft's online authentication system, which uses a single sign-in to access multiple Web services. The idea behind Passport is simple: one secure ID and password rather than the many needed to access the wide range of Web sites and services consumers use every day. Microsoft uses Passport authentication for its MSN Messenger and Hotmail e-mail services, Microsoft Developer Network online access, and Microsoft Reader e-book purchases, among other product and service offerings.

Passport also is the authentication for HailStorm, which has been billed as a way for subscribers to access their e-mail, personal contact list, schedule and other Web services--such as shopping, banking and entertainment--through a variety of devices, such as PCs, cell phones and handhelds, from any location. HailStorm is part of Microsoft's forthcoming .Net software-as-a-service strategy.

But the privacy groups have questioned whether Passport collects too much information and lacks the basic security features required to protect basic information. Some industry analysts, however, question the validity of those claims.

"There's nothing I've seen in how Passport collects information that's any different from other Web sites," said Guernsey Research analyst Chris LeTocq.

The groups, which include the Electronic Privacy Information Center (EPIC) and Junkbusters, faulted Microsoft for collecting, among other things, e-mail addresses during the Passport sign-up process.

Gartner analyst Arabella Hallawell says Microsoft's requirement that all Web sites using Passport subscribe to the P3P privacy standard is a short-term fix with no real benefit to consumers. see commentary

But this collecting of e-mail addresses is "commonplace" on the Web, LeTocq said.

For its part, the CDT wants to get information directly from Microsoft, rather than third parties.

"There is a lot of discussion among security experts and privacy groups about Passport, HailStorm, Windows XP and where it's headed," said Ari Schwartz, senior policy analyst at the CDT. "We just wanted to get a briefing on the practical side and ask some of the questions directly to Microsoft. That's the way we work. We like to talk to the company whenever an issue like this arises, work on some of the details and see where they're headed."

The CDT has gathered a number of local privacy and security experts for the Microsoft meeting. Schwartz said that at least in the CDT's briefing, no legislators would be present, nor representatives from the groups that filed the FTC complaints.

The CDT's stated mission "is to develop and implement public policies to protect and advance individual liberty and democratic values in new digital media," according to the organization's Web site.

Sohn said Microsoft's objectives for the Passport briefings are clear: "To set the record on stuff that is out there and is misrepresenting our intent. We want to give the future of where we're going, both in the near term with technologies like Passport and longer term with stuff like .Net and HailStorm."

Sohn emphasized that Microsoft is "very concerned about privacy. And we want to have a dialogue on where we're at and where we are going forward."

Still, controversy over Passport could hound Microsoft, despite recent changes designed to beef up privacy.

Several key features of Windows XP require a Passport account, causing some privacy groups, competitors and even trustbusters to cry foul. Windows Messenger--Microsoft's communications console delivering instant messaging and videoconferencing, among other features--uses Passport authentication. This has raised concerns from privacy groups and others that Microsoft plans to use Windows XP as a mechanism to drive new Passport sign-ups.

But Brian Arbogast, vice president of Microsoft's personal services and devices group, dismisses this. "In no way is Passport required to use Windows XP," he said.

Only communications features such as instant messaging and videoconferencing require Passport, Arbogast said. "Those systems only work if you have the concept of an authentication system. There needs to be a way to know users are who they say they are."

One of Passport's greatest security weaknesses may be the single sign-on process, analysts said. The single point of entry could also be a single point of failure. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so.

"There is plenty of good password-cracking software out there," LeTocq said.

Microsoft is addressing this by offering additional security features for partner Web sites, such as banks, asking for additional information or a four-digit PIN (personal identification number) as a second level of authentication.

News.com's Joe Wilcox reported from Washington, and Stefanie Olsen reported from San Francisco.