Skip navigation

Microsoft Passport in Privacy Controversy

As Microsoft's latest OS, Windows XP, rolls toward completion, an interesting array of competitors and special-interest groups are attacking the company and its new product in attempts to prevent XP's October release. Also caught up in the turmoil is Microsoft .NET Passport, the core component of the company's .NET strategy, which so far hasn't been a particularly compelling consumer service. However, with XP, Microsoft has tied users' Windows logon information to Passport accounts, which makes the technology more pervasive. That change, combined with feelings that the service is too invasive and insecure, has privacy groups petitioning the government to stop Microsoft.

How can so many people loathe something so clearly designed for consumer convenience? Remember that Microsoft designed Passport to overcome an obvious limitation of e-commerce and other Web sites—users have to enter or update their personal information (e.g., name, address, phone number, credit card information) at each site they visit. For some people, entering or updating this information isn't a problem. But for people who turn to the Internet regularly to buy groceries, books, music, electronics, and other items, Passport could be a gift from above.

Let's say that you frequently visit 8 or 10 sites. When you move, replace a credit card, or change any other personal information, you need to remember to visit each Web site individually and update your personal information. At each site, you potentially have a different username and password. Although the information you're changing is largely identical for each site, you must make the changes separately each time. Passport eliminates this extra work: You can store your information in a central location; Passport-enabled sites simply use the new information the next time you visit them. Of course, Passport is key to accessing future .NET services.

The security problems inherent in the Passport plan, however, are obvious. For example, what happens if an intruder attacks the Passport user database? Microsoft says that such an attack isn't possible and can offer technical reasons for their confidence. However, the company's response to another key concern is largely a matter a trust: What if Microsoft, as the sole owner of the servers on which this information resides, decides to betray the public trust and sell users' buying habits?

To answer complaints against Passport, Microsoft has subtly changed both the service and the types of information required when a user signs up for Passport in XP. These changes include the separation of payment information from billing information on Passport servers, less user data gathering on initial signup, and requirements that Passport-enabled sites use the new secure Platform for Privacy Preferences (P3P) technology that's in Microsoft Internet Explorer (IE) 6.0. However, these changes haven't mollified privacy groups, who've asked the Federal Trade Commission (FTC) to investigate Passport and XP.

Microsoft says that these groups misunderstand how Passport works. The company says that there are three separate databases—one each for billing, user profiles, and authentication—and that information from the three can't be combined to develop aggregated customer histories. In addition, with new sign-ups, Passport requires only the users' name, email address, and password. Previously, Passport had required users' address, state, and ZIP code. With the groundswell of anti-Microsoft actions this summer, it will be interesting to see whether the FTC decides to take action against Microsoft and investigate Passport. After all, the company is faring poorly in its antitrust case, and there's a general perception that Microsoft is vulnerable.

And speaking of attempts to stop Microsoft, online giant AOL announced recently that it would fight Passport with a similar authentication service of its own code-named Magic Carpet. The company says that it will release Magic Carpet sometime in the next 6 months and will provide presence, identity, and relationship storage information for consumers visiting e-commerce sites.

You can easily imagine that Microsoft and AOL will butt heads in the online space, especially given the way these companies' strategies are beginning to overlap, but AOL's move seems more like a desire simply to copy Microsoft rather than to provide services that its customers are asking for. As Magic Carpet nears completion and more information becomes available, I'll take a closer look at this technology to understand where it stands compared to Passport and Microsoft's other plans for .NET.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.