Privacy groups turn up heat on Windows XP, Passport
Published: 16 Aug 2001 08:50 BST
A group of privacy organisations on Wednesday renewed their attacks on Microsoft's Passport authentication service and Windows XP, asking the Federal Trade Commission to mandate changes in Microsoft's new operating system.
The loose affiliation of 14 groups amended an existing complaint filed in late July with the FTC. During a media event here, Marc Rotenberg, executive director for the Electronic Privacy Information Center (EPIC), said the groups had filed a 12-page supplemental complaint "alleging that Microsoft by offering Passport (authentication) and associated services is engaging in unfair and deceptive trade practices in violation of Section 5 of the FTC act."
The amended filing focused on changes the coalition said Microsoft made to Passport in response to their original complaint and also on privacy concerns regarding Kids Passport. Based on a review conducted by the Center for Media Education (CME), the groups concluded that Kids Passport does not comply with the Children's Online Privacy Protection Act (COPPA).
Passport is Microsoft's online authentication system that is used for logging in to multiple Web sites or services.
Bran Arbogast, vice president of Microsoft's Personal Services & Devices Group, dismissed many of the privacy allegations levelled against the software giant. "For Microsoft to be a leader in the services world, we need to be constantly gaining the trust of our partners and customers," he said. "We are very serious about privacy."
Wednesday's amended complaint drew a sceptical response from some industry analysts, as well, who said they are not convinced that many of the groups' complaints against Windows XP and other Microsoft technologies such as Passport are warranted or that the company's privacy policies are any worse than those implemented by other companies.
"The idea that Microsoft is any worse than any other company is simply unfair," said Directions on Microsoft analyst Matt Rosoff.
Guernsey Research analyst Chris LeTocq agreed. "In what I've seen Passport do, Microsoft is not asking for any more information than any other sites."
Part of the fear surrounding online privacy is the ease with which information could be shared. But analysts warn that the threat posed by traditional companies, particularly sharing personal information without notice, is potentially greater.
"Your credit card company has access to tons and tons of information about every single purchase you make on your credit card," Rosoff said. "Yeah, they sell your address to third-party marketers. That's one of their main businesses."
Microsoft uses the Passport technology for some of its MSN Web properties, its messaging service, e-book purchases and new features found in Windows XP. Microsoft partners, such as McAfee.com and Starbucks, use Passport to authenticate some of the services and goods they offer over the Web.
The system also is the authentication mechanism for HailStorm, which has been billed as a way for subscribers to access their email, personal contact list, schedule and other Web services--such as shopping, banking and entertainment--through a variety of devices, such as PCs, cell phones and handhelds, from any location. HailStorm is part of Microsoft's broader, forthcoming .Net software-as-a-service initiative.
In the original complaint the groups alleged "Microsoft has engaged and is engaging in unfair and deceptive trade practices intended to profile, track and monitor millions of Internet users." The complaint further alleged that Microsoft's .Net software-as-a-service initiative--including HailStorm and Passport authentication--"are designed to obtain personal information from consumers in the United States, unfairly and deceptively."
Since the filing, the groups--CME, EPIC and Junkbusters, among others--added Ralph Nader's Consumer Project on Technology to their ranks.
Jason Catlett, president of Junkbusters, faulted changes he said Microsoft made to Passport last week as "completely nonresponsive". The groups allege that Microsoft's decision to reduce the amount of information it collects when people sign up for a Passport account is inadequate because an email address, country, state and ZIP code are required.
But Guernsey Research's LeTocq pointed out that the collection of this kind of information, particularly email addresses, is "commonplace" on the Web.
The organisations also argued in their complaint that "XP will disable certain programs that users depend upon for privacy and security, such as (Internet firewalls) Black Ice and ZoneAlarm." Although the complaint acknowledges changes made to how software drivers work in Windows XP, it fails to note that many companies will have solved compatibility issues before the new operating system's 24 October release.
According to the ZoneLabs Web site, ZoneAlarm is compatible with Windows XP.
The groups also faulted Microsoft's Passport privacy policy, but Gartner analyst Michael Silver questioned the legitimacy of the policy attacks. "It's one thing to look at their policy and say we don't believe it," he said. "You have to have some basis for saying that. If Microsoft says they have a policy they won't collect or share certain kinds of information, you have to take it at face value."
Catlett also faulted Microsoft for requiring Passport merchants to adopt Platform for Privacy Preferences, or P3P , which lets Web users define what types of information they are willing to give, as well as whether they mind sharing that information with outside parties.
"I actually think that P3P will not enhance privacy," Catlett emphasised. In fact, EPIC and Junkbusters in June wrote a scathing indictment of P3P, "Pretty Poor Privacy: An Assessment of P3P and Internet Security."
P3P is advocated by the World Wide Web Consortium, the body responsible for setting Web standards.
Gabriela Schneider, senior policy analyst for the CME, faulted "the Kids Passport system (as) not providing the same or greater protection for children as mandated by the FTC."
The CME also concluded that Microsoft's Kids Passport policy requires the collection of more personal information than is necessary for children, "like gathering their email address and sometimes prompting them to sign up for a Hotmail address, when the parents' email address is already collected for the registration of the Kids' Passport," Schneider added.
In Wednesday's amended filing and the original complaint, the groups alleged many other privacy abuses, such as forced Passport account sign-up through Windows XP, product activation and customer profiling.
Analysts questioned the weight given to some of these concerns, however. Product activation, for example, is largely misunderstood because people assume Microsoft collects personal data when it does not.
In the case of product activation, Microsoft "screwed up with the interface," Directions on Microsoft's Rosoff said. During the installation process, optional registration follows product activation.
"So people are saying, 'Uh-oh. They're taking my name and address to Microsoft.' But in actuality, those are two separate processes," he said.
In mid-July, about two weeks before the groups filed their original complaint, a German copy-protection company essentially backward-engineered Microsoft's activation technology, concluding that it posed no privacy threat.
Analysts say Microsoft actually has broad incentive to ensure consumers' privacy is protected. With HailStorm, Microsoft envisions abandoning the ad-driven Web, where sites have incentive to collect and profit from personal data, in favour of paid services.
Microsoft's Arbogast said the company believes this privacy assurance and delivery of data and services to any kind of device will make HailStorm successful for itself and its partners.
"What Microsoft is saying (is), 'We're going to want you to pay us money,'" Guernsey Research's LeTocq said. "In a sense, that's probably the best guarantee of privacy that you have, because if somebody violates your privacy you have the very effective weapon of turning off the money."
See the Surveillance News Section for the latest headlines.
See the Software News Section for full coverage.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forums.
Let the editors know what you think in the Mailroom. And read other letters.
Did you find this article useful?
26 out of 55 people found this useful
- Share this article:
