Privacy group attacks Windows XP, Passport

Will Passport inject risk into XP? Avi Rubin, researcher, AT&T Labs

The loose affiliation of 14 groups amended an existing complaint filed in late July with the FTC. During a media event here, Marc Rotenberg, executive director for the Electronic Privacy Information Center (EPIC), said the groups had filed a 12-page supplemental complaint "alleging that Microsoft by offering Passport (authentication) and associated services is engaging in unfair and deceptive trade practices in violation of Section 5 of the FTC act."

The amended filing focused on changes the coalition said Microsoft made to Passport in response to their original complaint and also on privacy concerns regarding Kids Passport. Based on a review conducted by the Center for Media Education (CME), the groups concluded that Kids Passport does not comply with the Children's Online Privacy Protection Act (COPPA).

Passport is Microsoft's online authentication system that is used for logging in to multiple Web sites or services.

Wednesday's amended complaint drew a skeptical response from some industry analysts, who said they are not convinced that many of the groups' complaints against Windows XP and other Microsoft technologies such as Passport are warranted or that the company's privacy policies are any worse than those implemented by other companies.

"The idea that Microsoft is any worse than any other company is simply unfair," said Directions on Microsoft analyst Matt Rosoff.

Guernsey Research analyst Chris LeTocq agreed. "In what I've seen Passport do, Microsoft is not asking for any more information than any other sites."

Brian Arbogast, vice president of Microsoft's Personal Services & Devices Group, dismissed many of the privacy allegations leveled against the software giant.

"For Microsoft to be a leader in the services world, we need to be constantly gaining the trust of our partners and customers," he said. "We are very serious about privacy."

User-friendliness vs. privacy
Part of the fear surrounding online privacy is the ease with which information could be shared. But analysts warn that the threat posed by traditional companies, particularly sharing personal information without notice, is potentially greater.

"Your credit card company has access to tons and tons of information about every single purchase you make on your credit card," Rosoff said. "Yeah, they sell your address to third-party marketers. That's one of their main businesses."

Clif Holcomb, a police operations supervisor in Nashville and a Windows XP Preview Program user, isn't unduly alarmed. "Microsoft has done a lot to ensure security on the Web," he said. "The Secure Sockets Layer they use and the 128-bit (encryption) are examples. I now do all my banking online and haven't written more than 25 checks in the last four years."

Microsoft uses the Passport technology for some of its MSN Web properties, its messaging service, e-book purchases and new features found in Windows XP. Microsoft partners, such as McAfee.com and Starbucks, use Passport to authenticate some of the services and goods they offer over the Web.

The system also is the authentication mechanism for HailStorm, which has been billed as a way for subscribers to access their e-mail, personal contact list, schedule and other Web services--such as shopping, banking and entertainment--through a variety of devices, such as PCs, cell phones and handhelds, from any location. HailStorm is part of Microsoft's broader, forthcoming .Net software-as-a-service initiative.

In the original complaint, the groups alleged that "Microsoft has engaged and is engaging in unfair and deceptive trade practices intended to profile, track and monitor millions of Internet users." The complaint further alleged that Microsoft's .Net software-as-a-service initiative--including HailStorm and Passport authentication--"are designed to obtain personal information from consumers in the United States, unfairly and deceptively."

Since the filing, the groups--CME, EPIC and Junkbusters, among others--added Ralph Nader's Consumer Project on Technology to their ranks.

Jason Catlett, president of Junkbusters, faulted changes he said Microsoft made to Passport last week as "completely nonresponsive." The groups allege that Microsoft's decision to reduce the amount of information it collects when people sign up for a Passport account is inadequate because an e-mail address, country, state and ZIP code are required.

But Guernsey Research's LeTocq pointed out that the collection of this kind of information, particularly e-mail addresses, is "commonplace" on the Web.

The organizations also argued in their complaint that "XP will disable certain programs that users depend upon for privacy and security, such as (Internet firewalls) Black Ice and ZoneAlarm." Although the complaint acknowledges changes made to how software drivers work in Windows XP, it fails to note that many companies will have solved compatibility issues before the new operating system's Oct. 24 release.

According to the ZoneLabs Web site, ZoneAlarm is compatible with Windows XP.

Passport and P3P
The groups also faulted Microsoft's Passport privacy policy, but Gartner analyst Michael Silver questioned the legitimacy of the policy attacks.

"It's one thing to look at their policy and say we don't believe it," he said. "You have to have some basis for saying that. If Microsoft says they have a policy they won't collect or share certain kinds of information, you have to take it at face value."

Catlett also criticized Microsoft for requiring Passport merchants to adopt Platform for Privacy Preferences, or P3P, which lets Web users define what types of information they are willing to give, as well as whether they mind sharing that information with outside parties.

"I actually think that P3P will not enhance privacy," Catlett emphasized. In fact, EPIC and Junkbusters in June wrote a scathing indictment of P3P, "Pretty Poor Privacy: An Assessment of P3P and Internet Security."

P3P is advocated by the World Wide Web Consortium, the body responsible for setting Web standards.

Gabriela Schneider, senior policy analyst for the CME, faulted "the Kids Passport system (as) not providing the same or greater protection for children as mandated by the FTC."

The CME also concluded that Microsoft's Kids Passport policy requires the collection of more personal information than is necessary for children, "like gathering their e-mail address and sometimes prompting them to sign up for a Hotmail address, when the parents' e-mail address is already collected for the registration of the Kids' Passport," Schneider added.

In Wednesday's amended filing and the original complaint, the groups alleged many other privacy abuses, such as forced Passport account sign-up through Windows XP, product activation and customer profiling.

Analysts questioned the weight given to some of these concerns, however. Product activation, for example, is largely misunderstood because people assume Microsoft collects personal data when it does not.

In the case of product activation, Microsoft "screwed up with the interface," Directions on Microsoft's Rosoff said. During the installation process, optional registration follows product activation.

"So people are saying, 'Uh-oh. They're taking my name and address to Microsoft.' But in actuality, those are two separate processes," he said.

Holcomb, the Windows XP Preview Program participant and self-described "plain user," however, said he understands "that activation and registration are two entirely separate things. The first is anonymous, while the second is not," he said. "I was, at first, concerned about how often I would be required to activate as I regularly upgrade my system's hardware. I'm not worried now."

In mid-July, about two weeks before the groups filed their original complaint, a German copy-protection company essentially backward-engineered Microsoft's activation technology, concluding that it posed no privacy threat.

Analysts say Microsoft actually has broad incentive to ensure consumers' privacy is protected. With HailStorm, Microsoft envisions abandoning the ad-driven Web, where sites have incentive to collect and profit from personal data, in favor of paid services.

Microsoft's Arbogast said the company believes this privacy assurance and delivery of data and services to any kind of device will make HailStorm successful for itself and its partners.

"What Microsoft is saying (is), 'We're going to want you to pay us money,'" Guernsey Research's LeTocq said. "In a sense, that's probably the best guarantee of privacy that you have, because if somebody violates your privacy you have the very effective weapon of turning off the money."