Microsoft Defends Passport To Privacy Group
securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."
Re:security and privacy a difficult issue (Score:2, Interesting)
some sites _refuse_ passport users... (Score:3, Interesting)
Aggregation is a bigger concern (Score:5, Interesting)
As a silly example, let's say you buy rat poison. No big thing, people buy it all the time.
Let's say you buy a book about "perfect murders... and how they were caught." No big deal, people buy true crime books all the time.
Now let's say you recently bought a bunch of lingerie. And had it delivered. But not to your home address. You're having an affair, sleazy, but not unheard of.
Now finally let's toss in the fact that you just consulted a lawyer. A divorce lawyer. One who specializes in breaking prenuptial agreements.
Suddenly things are much more interesting.
Most of us aren't planning to murder our spouse, or even to look like we're thinking about it. But it's certainly possible for mindless data aggregation to cause people to jump to the wrong conclusion. E.g., you bought a couple books on alcoholism, and a few cases of wine? You obviously have a problem, don't you. (Nope, the wine is a gift to newlyweds and the book is to help me understand if my nephew needs help.) Etc and so forth.
Even with all of this information centralized with Microsoft (and make no mistake that the Passport/Hailstorm system will not collect this information), my biggest concern isn't that it will be leaked. My concern is that it will have bogus information fed into it. There's a nice market opportunity for nasty companies to put bad information into these records, then offer to clean it up for you. For a modest price, of course. All of the potential damage of a credit report, but with none of the legal safeguards.
Of course, that same problem exists today with the aggregated data provided by credit card companies, but again it isn't a *single* point of failure. Even if you crack Citibank (still the largest CC issuer?), it does nothing about the hundreds of millions of people who don't have Citibank cards. But crack Hailstorm and you'll have information on almost everyone online.
Re:security and privacy a difficult issue (Score:2, Interesting)
I already replied to your post, but I forgot to address the above sentence.
Yahoo has already done it! A "Yahoo ID" can be used in as many places as a M$ passport, if not more.
For instance, if you set up a "Yahoo Wallet" with your Yahoo ID, that info (name, credit card, and billing info) can be used on any of the thousands of independent e-stores that run their backend through store.yahoo.com. The same login/pass also works on any of the Yahoo sites (stocks, chat, mail, myYahoo portal, travel, the list goes on).
I still don't think this is a good idea, but I'd rather give my info to Yahoo than M$. And no, I'm not just saying that because I hate Bill Gates; I've dealt with Yahoo Inc quite a bit (namely from running one of said store sites) and rather like the company.
Re:One password, multiple accounts, low security (Score:3, Interesting)
The funny thing is, I don't know if it uses some kind of mnemonic algorithm like VMS's password generator does, but I find the generated passwords to be very rhythmic and easy to remember. I'd give an example of my favorite, but then I'd have to change my credit card password :P. Of course, it may just be something peculiar about how my mind works; I've always found it very easy to remember arbitrary number sequences when they are used frequently in my daily life (phone numbers, IBM PC color codes, &c)
Re:Maryland... (Score:2, Interesting)
It's explained here [newsforge.com] to some extent. That story claims it's because Maryland has a law (that Microsoft helped to pass) which is incompatible with the Passport legal B.S.
Re:Passport does NOT aggregate transactional data (Score:2, Interesting)
The problem with aggregating user transactions across multiple sites is matching up user accounts on one site with user accounts on another. DoubleClick solved this by using cookies, but cookies (at least on single user Win9x boxen) identify a machine only, not a user, i.e. they can't detect multiple users of one machine or someone who uses lots of machines.
What Passport does is make people use the same account ID at all sites (i.e. their email address).
Passport sites aren't the only sites that do this, e.g. safari.oreilly.com uses your email address as the login, as does Amazon. So if O'Reilly and Amazon wanted to match up the userbase to see what other books Safari users purchased, they could quite easily. It would be a bit harder for O'Reilly and Slashdot to match users however, since the login on Slashdot is NOT your email address. But Slashdot, like most sites, does still collect an email so matching would still be possible.
The way Passport changes things a little is that people with multiple emails are more likely to use the same address on all sites, and less likely to give bodgey email addresses. So matching will be (a little bit) more reliable.
Just a little PassPort note... (Score:1, Interesting)
Passport problems (Score:1, Interesting)
Can anyone confirm or deny these problems?
Re:Passport - Great idea, iffy implementation. (Score:2, Interesting)
It's not just a worldwide identification system... Passport is the first installment of Hailstorm [microsoft.com]. It's not just a common identification service, it's the first step towards common data storage that may be shared between web sites...
This is a good idea... all of you who contend otherwise are speaking purely out of emotion.
It's very clear that one of the biggest reasons for the success of the Windows desktop platform has been the interoperability of Windows applications.
It's very clear why this is a good thing for the user; what is not clear is how it might be implemented on the web whilst safeguarding people's very basic human rights such as liberty and privacy.
I agree that this would be a huge step forward for the web, and is a step towards its ultimate evolution. Accordingly this should not be seen as something that should be crushed at all costs... it should be seen as something that needs to be debated, fleshed out and evolved. Taking a hostile approach against this is only going to see less public input put into it than might otherwise be achieved.
[OT?]Beware of who has your info (Score:2, Interesting)
Moral to the story? Basically, watch your back. If you employ an accounting firm, and they go belly up, be sure you get your records back from them. This is just one shining example I gained from experience.
Re:Selective paranoids (Score:2, Interesting)
Is this actually true? I always assumed that liquidation of assets (which unfortunately include "customer" lists) was handled by a bankruptcy court appointed "repo-man", and that the (former) owners of the company couldn't do anything at this point to decide which assets got sold to whom.
Re:security and privacy a difficult issue (Score:2, Interesting)
Comment removed (Score:3, Interesting)
Re:Multiple passwords are *not* more secure (Score:1, Interesting)
>about passwords again and again. In particular, as soon as you start forcing users
>to remember several passwords, they immediately start using obvious and easy to
>remember passwords, or writing them down in a readily accessible location. Clearly,
>this does not improve security.
Ah yes. Usability research, the great curse of the 21st century, rears its ugly head again.
And why, pray tell, should we take anything that involves people stupid enough to dump hot coffee or tea in their laps seriously?
Re:Aggregation is a bigger concern (Score:3, Interesting)
But not on me or thee, I assume. So, why do we care? Let the Microserfs sign up and get raped, let M$ take the flak, then once the principle is in place, we develop an open source (security through transparency) alternative and (here's the good bit) lobby for a consortium of Big Businesses to get together and themselves lobby for the gubmint (any gubmint, heck, pick a sensible one that everybody likes like New Zealand) to take it and administrate it.