Microsoft admits privacy problem, plans fix

Microsoft admits that a feature of its Windows 98 operating system can be used to trace the identity of authors of electronic documents, and vows to modify the feature.

Mike Ricciuti Staff writer, CNET News
Microsoft has acknowledged that a feature in its Windows 98 operating system can be used to collect information on authors of electronic documents without their knowledge, and has vowed to fix the problem.

Microsoft software applications such as Word and Excel generate unique identification numbers that include information about users' personal computers, and those numbers are then transmitted during the Windows 98 registration process, Rob Bennett, a Windows product manager at the company, confirmed. Bennett said the transmittal of the information is a flaw and will be fixed.

The flaw, a potential privacy concern, was first reported by The New York Times.

The ID number is transmitted to Microsoft whenever a customer registers his copy of Windows 98 using the automated "registration wizard" included in Windows, Richard M. Smith, a software developer who first identified the issue, told CNET News.com.

Bennett said Microsoft discovered the flaw on Friday, after Smith contacted the company. Bennett said that Microsoft will fix the problem in the next service release of Windows 98, now in beta testing and due to ship this summer. The company will also release a utility that will allow users to delete the identification information from the Windows registry.

Smith, who is president of Phar Lap Software in Cambridge, Massachusetts, said he first noticed last week that documents created using Microsoft's popular Word and Excel programs created a 32-digit number unique to his personal computer. That number is then passed on to Microsoft through the Windows 98 registration process, Smith said.

The number, called a Globally Unique Identifier, or GUID, is at least partly based on a 12-digit number unique to a computer's Ethernet network adapter, a hardware device used to link computers to local area networks and to the Internet, Smith said.

The Microsoft applications, which are part of the company's popular Office package, still generate the ID, even without an Ethernet card installed. In that case, the applications use a fictitious network address that is the same for all such machines.
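To make the structure Smith describes concrete, the following added example (not code from the article, Smith, or Microsoft) scans text for GUIDs and reports any whose last 12 hex digits expose an adapter address. It assumes the GUIDs follow the RFC 4122 version-1 (time plus node) layout, which the article does not state; the sample GUIDs are constructed, and the node value comes from the documentation-reserved address range.

```python
import re
import uuid

# Textual 8-4-4-4-12 GUID form: 32 hex digits in total.
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def node_from_guid(text):
    """Return the adapter address embedded in a GUID, or None.

    Assumption: RFC 4122 version-1 layout, where the final 48 bits
    (12 hex digits) are the node field taken from the network adapter.
    """
    u = uuid.UUID(text)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None  # not a time+node GUID, so no adapter address inside
    octets = u.node.to_bytes(6, "big")
    if octets[0] & 0x01:
        # RFC 4122 convention: multicast bit set means the node was
        # not derived from real hardware.
        return None
    return ":".join(f"{b:02x}" for b in octets)


def audit(blob):
    """Map every GUID in the text to the adapter address it exposes."""
    findings = {}
    for match in GUID_RE.finditer(blob):
        mac = node_from_guid(match.group(0))
        if mac is not None:
            findings[match.group(0)] = mac
    return findings


# Constructed sample: one version-1 GUID carrying a node address,
# one version-4 (random) GUID, one version-1 GUID with a non-hardware node.
SAMPLE = (
    "doc-a {0a1b2c3d-4e5f-11d3-8a7b-00005e005301}\n"
    "doc-b {3f2504e0-4f89-41d3-9a0c-0305e82c3301}\n"
    "doc-c {0a1b2c3d-4e5f-11d3-8a7b-0123456789ab}\n"
)

if __name__ == "__main__":
    for guid, mac in audit(SAMPLE).items():
        print(f"{guid} exposes adapter address {mac}")
```

Two documents whose GUIDs return the same address were produced on machines reporting the same adapter, which is the linkage the privacy concern rests on.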

Bennett said the GUID is most likely not being stored in databases at Microsoft. The company is working to identify whether the information is on file, and if it is, will cease collection, Bennett said.

The controversy comes just weeks after Intel found itself embroiled in a controversy over an ID number hardwired into its Pentium III microprocessors.

Privacy advocates have protested against the inclusion of the Pentium III serial code, arguing that the feature presents an easy opportunity for marketers or those with nefarious intentions to track a user based on his or her Web behavior.

Smith said that because of the Pentium issue, he became curious as to whether common software applications also collect user information. "I decided to poke around in Windows to see if [it did] the same thing. That's when I came across the Ethernet adapter address showing up in some files," he said.

He then contacted a Microsoft engineer, who said the GUIDs were originally intended for use to track broken hyperlinks in Office applications. Microsoft never implemented a feature to track the broken links, however, Smith said.

Smith later discovered that the GUID, along with an identification number generated by each Office application, and a unique Microsoft identification number, are passed along to Microsoft by the Windows 98 registration process. "This is unprecedented in the computer business," Smith said. "We've never had a company do this."

Bennett said the GUID was collected, along with other information on users' hardware, during the Windows 98 registration process to assist with customer support issues. He claims the Windows ID was not planned to keep tabs on users' actions. "Microsoft is in no way using that identifier, or any identifier, to track user behavior or to do any marketing," Bennett said.

"If it is a bug, and it looks like it is, we'll fix it," Bennett said.

Smith said he believes the identification scheme was originated to identify pirated copies of Microsoft software. Microsoft could match the application ID against the hardware ID to determine if a single piece of software has been installed on multiple machines.

Bennett denied that the GUID is used as part of any copy protection scheme.

The flaw affects Windows 98. Bennett said he was unsure if it also pertains to Windows 95. Windows NT does not collect user information, he said.