
EPIC Urges State AGs to Pursue Microsoft Passport 244

An anonymous submitter sent: "The Electronic Privacy Information Center has sent a letter to all state attorneys general urging them to pursue Microsoft Passport under state consumer protection laws."
This discussion has been archived. No new comments can be posted.

  • by jaavaaguru ( 261551 ) on Tuesday January 29, 2002 @09:28AM (#2918939) Homepage
    I think we need a law that forces companies to have a large checkbox in their sign-up forms saying "I don't mind having my personal information sold to other companies". This should be un-checked by default. I'm sure some countries probably have this already.

    Also I object to the way this Passport is being forced upon everyone. In the UK it seems to be rather unreliable. Several times this month, I have seen MSN messenger say "The .Net passport service is unavailable". Problems like this have also affected access to hotmail, although they tend to happen at 3am when the majority of hotmail users are probably not awake.

    I am not proud of having an account with them as it makes me one of those statistics showing how popular they are. If it (hotmail) had been run by MS when I signed up I would never have done it.

    I'm glad I gave completely bogus details since I really object to having my personal information being spread around the way MS (and other large companies) do.

    I would say "oh, leave them alone" if their Passport/.NET service was reliable, since I don't care if they sell my fake information.
  • by gazbo ( 517111 ) on Tuesday January 29, 2002 @09:38AM (#2918978)
    The real problem here is not that Passport is evil, but that they do not trust Microsoft to be the sole Passport providers, and to not do 'unreasonable' things with the data that they could potentially collect.

    I recently went to a seminar with MS's senior systems architect (UK) talking about Passport (mainly .net though). He first said that the Passport protocol should be implementable by any provider who wants to provide this service, so it need not be Microsoft authenticating details.

    Even if you do not believe this, he made an excellent demonstration of the problems of trust. A member of the audience (anti MS - he was heckling throughout the seminar) raised a similar concern. I paraphrase the conversation here:

    Man: 'I don't trust MS's servers to keep my data safe and not abuse it'

    MS: 'Well, whose servers do you trust'

    Man: [thinks] 'Mine'

    MS: 'Everybody raise their hands if you trust your data on this man's server'

    I thought it was a nice example anyway.
  • Re:Similarity (Score:3, Insightful)

    by ASyndicate ( 159990 ) on Tuesday January 29, 2002 @09:40AM (#2918987) Homepage
    Yes, however well-intentioned your post may be, you are comparing two different things.

    Microsoft Passport is a method of storing personal information that can potentially be used to profile your spending habits, income, lifestyle. Not to mention selling your identity by help desk personnel at Microsoft.

    Slashdot is an open forum where readers willingly express their opinion. There is no reason to cancel a Slashdot account.

    What if you don't want Microsoft to hold your information against your will because of a 'technical limitation'? That is, frankly, bullshit.

  • by Em Emalb ( 452530 ) <ememalb@@@gmail...com> on Tuesday January 29, 2002 @09:41AM (#2918993) Homepage Journal
    "We have repeatedly urged the Federal Trade Commission to investigate this matter in two separate filings, but the Commission has failed to act. We therefore urge you now to initiate an investigation under your statutory authority."

    Ok, so what they are saying is, the FCC didn't care, so we are going to attack at a lower level. While I admire their determination/wish them luck, how much will this knowledge that the FCC didn't do anything affect them? Food for thought this AM....
  • Passport Issues (Score:3, Insightful)

    by haplo21112 ( 184264 ) <haplo@epit[ ].com ['hna' in gap]> on Tuesday January 29, 2002 @09:49AM (#2919012) Homepage
    The largest problem in my mind with passport and its related .NET services is the dependence on username@hotmail.com. This service first of all has never proven itself to be reliable. Second of all, it is the source of (or at least the visible source of) at least half the spam I receive because they don't secure the thing properly. I would dearly love to block mail from hotmail on my domain, but with the dependence on hotmail for all things M$ related I would cut off a goodly number of people from being able to communicate. We have MCSEs working here and they need to send and receive on hotmail because of this dependence.
  • by CDWert ( 450988 ) on Tuesday January 29, 2002 @09:50AM (#2919015) Homepage
    I can say I will never use passport. I made that decision a long time ago. I don't trust MS with my information any more than the next yahoo. I have had a hotmail account since the day after they started their service to the public; they have no personal information that is accurate, nor does yahoo, nor for that matter ebay. I started in 96 with ebay. I fortunately have been on the web long enough to have avoided confirmations and the like. When any site I go to starts requiring passport services, I'm history.

    Staying anonymous on the web is getting tougher but not impossible, confirmed. MS cannot ENSURE privacy with the passport system, this has been proven, and as such it is vulnerable to state regulation.

    Then again I trade grocery discount cards......
  • Re:Future tense (Score:3, Insightful)

    by pixel fairy ( 898 ) on Tuesday January 29, 2002 @09:51AM (#2919021)
    Yes, but I don't think you have anywhere near Microsoft's history of lying, cheating, stealing, extortion, bribery, falsifying court evidence, flagrant disregard of the law, megalomania, etc etc.

    Also Microsoft claimed (at least according to the letter) that they want all internet users signed up. This is really scary, especially given the company's history.

    Granted, anyone reading this probably knows better, so it's up to us to warn everyone else.
  • by Alien54 ( 180860 ) on Tuesday January 29, 2002 @10:01AM (#2919049) Journal
    Much of the law seems to be based on the idea of protecting people by making things "Opt-in". An extreme practical example is that, for example, you do not have to "opt-out" of one of any number of criminal assaults for every single person that you meet coming down the road. It is assumed that you do not want to be assaulted unless you specifically "opt-in" such as in certain sexual activities.

    This is easy enough to see in the case of spammers and mailing list types who want to assume that you want to get their junk unless you "opt-out". With thousands of advertisers, this quickly becomes unworkable.

    Now we come to MS and Passport. With the fact of Monopoly, it is possible to enforce the sale and or acceptance of other "products" because they are "part of the whole package". I believe that in certain states, for certain industries, you cannot enforce the sale of product number 2 as a prerequisite to purchasing product number one. This varies by the product. Of course, you can always say "included free" but some things that are free are not worth the price.

    In the case of a monopoly, you can enforce the acceptance of items which would not otherwise be desired, and which may be a mixed blessing to the consumer at best. I am extraordinarily wary of Passport and the all in one wonderful world of Microsoft Productivity that it promises for people.

    Stepford Nation, indeed.

  • by Proaxiom ( 544639 ) on Tuesday January 29, 2002 @10:04AM (#2919062)
    While noble, this effort isn't going anywhere. The AGs probably won't take this any further than the FTC did.

    They are attacking MS because they collect personal information that could be exposed through security flaws?

    How many dozens of e-commerce sites could be shut down on that account? Think about it.

    Or are the Attorney Generals being asked to hold Microsoft accountable for their weak security? Bruce Schneier's been trying to go there for years [counterpane.com].

    Unfortunately, he could tell EPIC exactly how far this is going to go.

  • by Unfallen ( 114859 ) on Tuesday January 29, 2002 @10:06AM (#2919066) Homepage
    I have been on the receiving end of Microsoft's "Security Policy" in the past, finding myself (accidentally or deliberately, I have no idea) subscribed to several salubrious MSN forums. After several months and few non-automated replies, I finally stopped receiving the e-mails, but with neither explanation of why I got them, who had done it, nor even an acknowledgement or an apology.


    Let us now put this into the context of the passport scheme - the EPIC letter states "Microsoft has indicated that the company's goal is to have every Internet user possess a Passport account", which I deem a fair summary of the situation (although, ideally, everybody would also use a Hotmail account too). Trundle along to, say, http://www.passport.com [passport.com] and look! See how you can sign up with ease! Get it now! Calooh! Callay!


    Now let us try to pull the same trick that was pulled on me, and that I have fortunately not seen on any well-organised mailing list outside of Redmond. Enter an e-mail address, any e-mail address (excepting MS-specific ones such as Hotmail) - even make one up that obviously doesn't exist, and then... Carry On! Yes! There's still no security! At least, I guess, an e-mail gets sent to the e-mail address asking you to verify it, but this seems to be purely for service embellishment:


    Please take a moment to help us verify your e-mail address. This ensures that .NET Passport can respond to you if you contact us about a service issue. In addition, some participating .NET Passport sites may require you to verify your e-mail address to take full advantage of their own services.

    Using the new obviously-fake account, I can save settings, edit my MSN etc etc much as I may or may not want to. That is not the issue. What we have here is clearly a case of theft of privacy - without even trying, anyone is able to sign up anybody else's e-mail account for a passport. Who knows what havoc this could/will cause! Not being particularly au fait with MSN, I have only circumspection, but Microsoft have an epic journey to go before they reach "Trustworthy Computing [tm]" if they fail to understand the basics of privacy and intrusion, as highlighted here.


    To conclude, I say get out there, fight it from the other end - the end that consumers will understand. Sign up as many fake and real accounts as you like to demonstrate just how fallible the system is. I'm off to see if they prevent scripting...
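
The gap described in the comment above is an account that can save settings before the owner of the address has confirmed it; one way to close it is to keep the account inert until a token mailed to that address comes back. This is an added example, not part of the original comment and not Microsoft's code; the function names, the in-memory store and the 24-hour token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side signing key, generated for this example
TOKEN_TTL = 24 * 3600             # assumed token lifetime in seconds
accounts = {}                     # email -> {"verified": bool, "settings": dict}


def _norm(email):
    return email.strip().lower()


def _sign(email, expires):
    # The signature binds the token to one address and one expiry time.
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def register(email, now=None):
    """Create a pending account; return the token that would be mailed to `email`."""
    now = time.time() if now is None else now
    email = _norm(email)
    accounts.setdefault(email, {"verified": False, "settings": {}})
    expires = int(now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"


def confirm(email, token, now=None):
    """Mark the account verified only if the mailed token is intact and unexpired."""
    now = time.time() if now is None else now
    email = _norm(email)
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if email not in accounts or expires < now:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(email, expires).encode()):
        return False
    accounts[email]["verified"] = True
    return True


def save_settings(email, settings):
    """Refuse every state change until the address owner has confirmed."""
    acct = accounts.get(_norm(email))
    if acct is None or not acct["verified"]:
        return False
    acct["settings"].update(settings)
    return True
```
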

  • by aphor ( 99965 ) on Tuesday January 29, 2002 @10:38AM (#2919228) Journal

    Regardless of whether Microsoft has been proven to abuse the power, there are laws which make it illegal to possess the ability to abuse the power. The idea comes from a legal term: "conflict of interest."

    When a person offers a service to another person in the financial/legal/medical world they are acting as an agent on behalf of the customer. Legally, that arrangement has an implied "fiduciary responsibility" to the customer. That means if someone gives you the key to their account and you do something they wouldn't have agreed to, you are wrong and subject to criminal and civil liability. In the case of finances, there are EXTRA laws that say you are not even allowed to offer such services to people if you have an interest in ripping them off (like other competing customers).

    Bill Gates comes from a long line of lawyers: his family is a lawyer family. He knows he can flout the law wherever there is grey area because he has the money to risk. If he manages to win some small legal challenge, he has stretched the law to allow more exploitation and the windfall revenue that goes with.

    When you (the US) have a big dog, you put a pinch (or shock) collar on him, and you jerk it hard (or shock him) when he *starts* to get out of line. You can let up a little, but only when he has a compelling fear of disproportionate retribution. Corporations are less like people who deserve rights, and more like dangerous, powerful animals that must be attended to with preemptive stewardship. Emotions, values, and ethics are not present in the brains of reptiles or boardrooms.

  • Re:Oh, Come On! (Score:5, Insightful)

    by Diabolical ( 2110 ) on Tuesday January 29, 2002 @11:30AM (#2919437) Homepage
    The reason why no-one is going after AOL/TimeWarner is because they don't own 90+% of the desktop which they could use to leverage their other products.. this is all about not having a choice.. MSN is tightly integrated in XP. The browser is prominently on the desktop as is the MSN messenger software. Opening Outlook Express starts a signup session with Hotmail, etc. etc. etc... Creating a Passport account is almost done automatically if you do not know better than to use what MS prescribes.

    Now, I'm not a MS basher in the way most people do.. I am however VERY concerned about their growing stranglehold on consumer choice. Ever so slightly people are lured into a total MS dominance...

    Ah well.. I'll keep on dreaming of the old days...
  • Pandora's box (Score:2, Insightful)

    by devleopard ( 317515 ) on Tuesday January 29, 2002 @11:56AM (#2919556) Homepage
    I know that Microsoft is everyone's favorite target, but I think the claims made, while extremely valid, are widespread problems. How many websites out there maintain account and credit card information? As a web developer, I've seen numerous systems where passwords and credit cards were stored plain text in the database. So the only "gatekeeper" was the security of the database. Heck, I've even seen some sites storing information in Access databases, which were accessible below the web root! If the various attorney generals are willing to fight this fight, they should also go after all of the incompetent IT and web developers out there. Of course, to do this they would have to evaluate these various systems, to determine that they are secure or not. (I can already hear the claims of "big brother" intrusion.) Wait - the request isn't to investigate "faulty" systems - it's to investigate a system that has some potential for failure. (I know that many will be quick to point out that there have been some breaches with Passport, but I'm just addressing the claims made in the letter.) As such, that would ruin pretty much every web site out there that has a database, as they all have a potential for failure. Of course, this will never happen; they don't carry the same "trophy potential" as Microsoft does.

    Will this be a consumer protection issue, or an opportunity to gain some political karma?
  • by dpilot ( 134227 ) on Tuesday January 29, 2002 @12:40PM (#2919808) Homepage Journal
    because if I understand correctly, installing and "Activating" Windows XP requires that you have a Passport ID.

    Sounds to me as if they're using their OS monopoly (now a matter of Fact, and Law) to leverage a monopoly in the emerging Network Authentication industry. It gets all the worse, because there is no Network Authentication industry yet, and if MS has their way, it will never truly emerge because they'll own it from Day 1.
  • by HiThere ( 15173 ) <charleshixsn@LIONearthlink.net minus cat> on Tuesday January 29, 2002 @12:46PM (#2919841)
    The system as designed *is* inherently evil. It is designed to implement and maintain centralized control of the user's information. Whoever the custodian is of such a system is a central point of vulnerability. WHOEVER.

    The proper design of such a system would implement the exact same features, but store the information on the user's local hard drive, with the option of backing this up to a third-party site chosen by the user. Also, the user should have the ability to enhance the encryption, by adding a layer using their own preferred encryption program (pgp, gpg, etc.) to wrap the already encrypted data. (You are, after all, planning on backing up your personal data onto someone else's servers.)

    The service if implemented in this way would be cheaper for the software supplier to provide. And this method has many obvious superior features. So much so, that one needs to wonder as to why it was implemented in the way that it was. It wasn't for the convenience of the users. It wasn't for efficiency of operation. It wasn't for simplicity of design. It wasn't for ease of integration. Was there a legal reason? (There sure wasn't a technical reason!)
  • by lynx_user_abroad ( 323975 ) on Tuesday January 29, 2002 @03:49PM (#2920974) Homepage Journal
    MS: 'Well, whose servers do you trust'

    Man: [thinks] 'Mine'

    MS: 'Everybody raise their hands if you trust your data on this man's server'

    Here we see Microsoft conveniently ignoring a relative reference.

    There's no reason why you would trust your data on my server, of course.

    But would you trust your data on your server?

    With .NET, Microsoft has acknowledged that the money is to be made by selling services as opposed to products. Microsoft wants to be the ones who sell you that service. Of course they're not going to acknowledge that you can provide that service yourself. Their survival depends on building a business model which prevents anyone but themselves from offering this service.
