Commentary: Passport needs better privacy

Microsoft's requirement that all Web sites using Passport subscribe to the P3P privacy standard is a short-term fix with no real benefit to consumers.

By Arabella Hallawell, Gartner Analyst

Microsoft is clearly eager to assuage public concerns over privacy and security issues connected with its Passport service.

That's because Microsoft's planned shift to software-as-a-service has made Passport a core part of the company's strategy. Microsoft has repositioned Passport from a server "wallet" service--one not widely adopted by consumers--to the core authentication service for Hailstorm and .Net. With Passport's integration into Windows XP, concern that Microsoft will build a huge repository of consumer data has attracted lots of public attention.

In a partial response to those concerns, Microsoft recently announced that it would require all Web sites using Passport to subscribe to the Platform for Privacy Preferences (P3P) standard. However, Gartner believes that is a short-term solution that offers no real benefit to consumers. It is, in a sense, preaching to the choir, since Web server vendors and consumer Web site operators have largely driven the inclusion of the P3P specification in Internet Explorer 6 in an attempt to stave off privacy regulations.

Furthermore, for P3P to benefit consumers, third parties must develop tools so that consumers can create their own privacy settings and understand the privacy policies of servers. Until that happens, the complexity of setting P3P preferences in browsers will mean only a fraction of consumers will likely do so.

Even then, if merchant privacy policies don't align with consumers' preferences, consumers can accept only the lower privacy standards or go elsewhere. This is a wasted opportunity, since machine-readable privacy policies and preference settings would be more effective than today's legalistic privacy policies, with their hard-to-find opt-out clauses.
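The mechanism the two preceding paragraphs describe, a browser holding the consumer's preferences and checking a site's machine-readable policy against them, is shown below as an added example written for this commentary; it is not code from Gartner, Microsoft or any P3P implementation. It parses the compact-policy form of P3P (the `CP="..."` value a site sends in its `P3P` response header) and accepts a site only when every practice the user has disallowed is marked opt-in, so that an opt-out clause of the kind the author criticises counts as a rejection. The token subset is assumed from the P3P 1.0 compact-policy vocabulary, and the sample headers and preference set are constructed for illustration.

```python
"""Toy P3P compact-policy evaluator: does a site's policy meet the user's preferences?"""
import re

# A token is three upper-case letters, optionally followed by a qualifier:
#   a = always, i = opt-in, o = opt-out (assumed subset of the P3P 1.0 vocabulary).
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

# Constructed user preferences: practices the consumer refuses unless opt-in,
# plus a requirement that the site offer a dispute-resolution mechanism (DSP).
USER_PREFS = {
    "require_dispute": True,
    "disallowed_purposes": {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP"},
    "disallowed_recipients": {"SAM", "UNR", "PUB", "OTR"},
    "disallowed_retention": {"IND"},
}

# Constructed sample P3P header values from three hypothetical merchants.
SAMPLE_HEADERS = {
    "site-a": 'CP="NOI DSP COR CURa ADMa DEVa OUR NOR"',
    "site-b": 'CP="NOI DSP COR CURa ADMa DEVa TAIo PSAo IVAo CONo OUR SAMo BUS"',
    "site-c": 'CP="CURa ADMa TAIi OUR STP"',
}


def parse_compact_policy(header_value):
    """Parse a P3P header value such as 'CP="NOI DSP CURa OUR"'.

    Returns a dict mapping each token to its qualifier ('a', 'i', 'o' or None).
    Raises ValueError when the CP="..." part is missing or a token is malformed,
    so a garbled header is never silently treated as a permissive policy.
    """
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not match:
        raise ValueError('no CP="..." compact policy in header')
    policy = {}
    for raw in match.group(1).split():
        token_match = TOKEN_RE.match(raw)
        if not token_match:
            raise ValueError(f"malformed compact-policy token {raw!r}")
        token, qualifier = token_match.groups()
        policy[token] = qualifier
    return policy


def evaluate(policy, prefs):
    """Compare a parsed policy with the user's preferences.

    Returns (accept, reasons). A disallowed practice is tolerated only when the
    site marks it opt-in ('i'); 'a' (always), 'o' (opt-out) and unqualified
    tokens are rejected, because the consumer is not in control by default.
    """
    reasons = []
    if prefs.get("require_dispute") and "DSP" not in policy:
        reasons.append("policy offers no dispute-resolution mechanism (no DSP)")
    groups = (
        ("purpose", prefs.get("disallowed_purposes", set())),
        ("recipient", prefs.get("disallowed_recipients", set())),
        ("retention", prefs.get("disallowed_retention", set())),
    )
    for group, disallowed in groups:
        for token in sorted(disallowed):
            if token in policy and policy[token] != "i":
                qualifier = policy[token] or "unqualified"
                reasons.append(f"{group} {token} is {qualifier}, not opt-in")
    return (not reasons, reasons)


def decide(header_value, prefs=USER_PREFS):
    """Convenience wrapper: 'accept' or 'reject' for a raw P3P header value."""
    accept, _ = evaluate(parse_compact_policy(header_value), prefs)
    return "accept" if accept else "reject"


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        accept, reasons = evaluate(parse_compact_policy(header), USER_PREFS)
        print(name, "accept" if accept else "reject", reasons)
```

Running the block rejects site-b (several practices are only opt-out, and it shares data with a recipient the user disallowed) and site-c (no dispute mechanism, although its tailoring purpose is opt-in and therefore tolerated), while site-a is accepted. The decision is binary by design, which is exactly the limitation the commentary points out: the browser can only accept or walk away, and nothing in the exchange lets the consumer negotiate narrower terms.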

Gartner believes that Microsoft's ambitious plans for Passport will require more sophisticated security and privacy techniques than the company has used to date or required of Web sites. Hailstorm will facilitate information exchanges between Hailstorm customers and consumers. Consumers specify what information they would like shared with Hailstorm customers, rather than electing what information can be used or shared with Passport Web sites. The granular, opt-in privacy model required for Hailstorm is a far cry from what P3P has to offer today. Microsoft must also make sure that Hailstorm customers adhere to the consumer's privacy preferences and have implemented proper security measures.

Web sites should not assume that P3P will form the basis for Hailstorm's privacy requirements. Instead, Web site operators and services vendors should focus on how to provide more meaningful choices to consumers concerning how their information is used--for example, by providing them with different privacy policies and information-use options according to the type of service, transaction or business unit involved.

(For a related commentary on Microsoft's Passport and privacy issues, see Gartner.com.)

Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.