EPIC Urges State AGs to Pursue Microsoft Passport
An anonymous submitter sent: "The Electronic Privacy Information Center has sent a letter to all state attorneys general urging them to pursue Microsoft Passport under state consumer protection laws."
Straw Poll (Score:3, Interesting)
Which state attorneys general do you think will go for M$?
and which won't
Education and awareness (Score:3, Interesting)
Holy cow (Score:4, Interesting)
Hopefully most of those accounts aren't tied to active users, because of this. But if they do really already have 200 million users, all of whom are active, then that really is scary. That's around 3% of the world's population. (If I knew what percentage of the world's population used computers on the internet regularly, this would be more meaningful, but I'll take a guess and say 33%. Then 10% of users online would have active Passport accounts!)
Similarity (Score:5, Interesting)
that Passport gives users control of their personal information. However, the most basic aspect of control--the right to take back one's
personal information--is not accommodated by the Passport system.
Note that one can't delete his Slashdot account either, which could actually be the source of some trouble: if he suddenly changes his mind about whichever opinion or way to express it he has, there'd be a way to track his former behaviour if the account he opened was named like him, and we know for sure how much we change over time (maybe from pro-patent to anti-patent or from extremist to moderate).
Though I dislike adding such a disclaimer to my Slashdot post, I'd like to point out that I don't want this comment to be considered a troll, nor is it off-topic.
This is just a way to point out that we should ensure that no one may reproach us with the same things that Microsoft or whoever else is being reproached with.
Back to the article, now: what sort of effect does such a letter have?
Passport Roach Motel (Score:5, Interesting)
Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.
Go to the Passport site (http://www.passport.com [passport.com]) and look; there's no FAQ or other document that tells you how to cancel your account. Nor is there any e-mail address of anyone who might be able to help you do it manually.
So, when you hear Passport adoption statistics, subtract at least one. I've never used my Passport a second time, but can't get rid of it, after trying for weeks.
Future tense (Score:4, Interesting)
I'm on EPIC's side and I agree with most of the points about the *potential* problems with Passport, but if M$ haven't done anything wrong yet or EPIC offers no proof except the potential for harm, then this isn't going to get much notice.
Kids Passport? *shiver*.
Re:Holy cow (Score:3, Interesting)
At least three of those passports are (were) mine. I signed up for some mailing lists, got a passport and I have no idea what random crap I pasted into the password field, deleted the crap it dumped to my hard drive and moved on. Ditto when I realised I'd missed a mailing list off the subscriptions. Plus my first attempt that barfed because my IE security settings had been customised from one of the preset defaults.
They might have 200m registrations, but how many of those became permanently dormant the same day they were created?
Re:Passport Roach Motel (Score:4, Interesting)
Sure, just wait for a quantum event, like this one (from their agreement):
But you're correct that the agreement doesn't open for you, the consumer, to end the contract. Surely that must be against some contract law somewhere?
Re:Passport Roach Motel (Score:3, Interesting)
I've never been back, and I certainly don't plan to go back if I can avoid it. I hope the credit card number I used has expired by now. I wonder how many millions more Passport "users" are really just people like us, who couldn't pass up a "free" 20% gift. It's classic Microsoft, using deep pockets to buy a market.
That's the great little gotcha for Passport, once it becomes entrenched as an effective monopoly. MS can begin charging a "nominal annual fee" to maintain our Passport accounts.
All your dollars/Euros are belong to us.
EPIC Letter needs a proof reader (Score:2, Interesting)
Re:Customer's Information (Score:4, Interesting)
Well, this is not correct. In at least one country (Italy), the law acts in a way that you have TWO separate agreements: one for the service, and one for spreading out your personal data. Both have the "no" option checked by default.
You have to check on the first "yes" to have the service activated, and nothing else. Checking the second "yes" will grant permission to the service provider to use your data for ads, statistics etc. Using your data without this specific agreement can cause big penalties for the companies.
Everything is explained on every form, and it's so common that everyone knows that they must check only the first answer.
Re:Holy cow (Score:4, Interesting)
IIRC, the expected techie cities followed, but the percentages quickly dropped below 30%. Outside those areas, the percentage of adults who have internet access was much lower than that.
In industrialized nations with relatively strong economies, the average internet access rate is probably below 20%. China and India each have populations around 1 billion, but what minuscule fraction of a percentage of their citizens have internet access? Most of the world's population doesn't even have electricity.
I think the percentage of people who (1) have electricity, (2) can afford a computer, (3) have the training to use a computer, (4) and have access to the Internet is probably less than 5%. In fact, I suspect it's closer to 1%.
Still, I think Microsoft's 200 million figure is exaggerated... the result of convenient accounting. Personally, I have at least a dozen Passport accounts that MS automatically gave me when I signed up for Hotmail accounts I only used once. I have never given MS my credit card number or even my real zip code, and I never will, yet I am over a dozen Passport users. Heck, my imaginary dog has two Hotmail accounts (he complained that the first one was full of spam, so I signed him up for a second account).
Aside from users like me (and my imaginary dog), I had a friend who wrote a commercial script to log into Hotmail. To test it, he wrote another script that created thousands of Hotmail (and Passport) accounts. He did the same thing with Yahoo, and apparently this phenomenon is common enough that Yahoo now requires new users to use "Word Verification" [yahoo.com] to "prevent automated registrations."
remember: When giving private info (Score:5, Interesting)
You are born in 1998, your zip code is 82312, your gender is none of their business (and if they insist, use a coin to decide). Nor is your race, religion, or the type of car you drive their business.
Reasons for the above: In the US only minors have privacy protection, so by putting down a birthdate of 1998 you are under those laws as far as they know. Your physical address is none of their business, unless you are buying something from them (and so far I've never had a problem with the vendors who I buy from, though there are bad apples out there). Your gender, race, religion, etc. is none of their business; on the net nobody knows you are a dog! Refuse to answer, or answer randomly. Randomly means sometimes you give the right answer, because if you always gave the wrong answer that in itself would be a clue.
Remember, invalid data that they have is less valuable than not having data at all in many cases.
Re:Customer's Information (Score:4, Interesting)
If a site that got my data under the license gives it out to someone else, it isn't a regrettable incident that might possibly get a brief mention on Wired or C:net, it's a legally actionable event under the same draconian IP laws that all those media companies have spent millions of dollars lobbying for. Selling a database won't just get you a bunch of angry emails from
Oh, and for the folks that would want to stick a "Gnu" in the name of the license - sorry. The whole point is that my data remains proprietary, with myself as the owner. Not all data wants to be free, my personal info likes its dark little box just fine, thank you.
-reemul
Re:Privacy for dummies. Chapter 1. (Score:2, Interesting)
This is great if someone just signs you up and leaves it at that. However, the same e-mail verification process (get the sign-up statistics first, ask for validation later...) is used if you want to change your e-mail. So by the time they confirm the password reset, they're told that the account is not registered at all! If they then don't register with passport.com, there is nothing AFAICS to stop the account being pointed back at that e-mail, starting the fun and games from scratch again.
I also assume (subject to further tests) that the same mechanism is still in place for subscribing to e-mail lists and the like. We shall see...
Oh, Come On! (Score:3, Interesting)
Does everything Microsoft does have to be under scrutiny? Personally, I think AOL/Time/Warner(/US Gov't) is more evil by far. The only reason no one ever gives them crap is because the government is a secret part of that merger!
Microsoft Passport is a good idea. Sun et al. think so. They are coming up with Liberty, their answer to Passport.
Does Passport need work? Yes, I don't deny that. But does Passport store *everything* on the server? NO! A site that implements Passport is responsible for keeping track of their own consumer's information. This is outlined in the .NET Framework and Passport SDKs. Currently, there is no way for a site to pass information back to the central Passport database. The only thing Passport could know about you in that case is that you go to that site.
Get off their backs. I'm a big linux and open-source supporter but I also realize that Microsoft has better integration as a whole system. I'm getting really tired of the crap everyone on this site gives them. You could point fingers at a lot of other companies, too, not just Microsoft. For instance, anyone read the other post today? Linus is being a pain in the butt. Maybe you should scrutinize him for a while!
Weak authentication makes a strong counterpoint (Score:2, Interesting)
As part of an evaluation study, I decided to create a few Passports to understand what level of authentication Microsoft was performing to bind the Passport to the user, also called 'principal.' In the security community, there are three kinds of principal authenticators, specifically, (1) something you have, (2) something you know, or (3) something you are. An "authentication factor" refers to how many of these authenticators you possess. A driver's license is a two-factor authentication system as it authenticates based on something you have (the license) and something you are (your photo). Digital signature certificates used with signing software authenticate on something you have (the private key) and something you know (the password to use the key), and are also two-factor authentication. Biometric systems can effect 3-factor authentication. There are many other examples.
Obviously, the more factors you have, the stronger the binding is between your claimed identity and your actual self.
Microsoft Passport, by experimental determination, is a single factor authentication system (knowledge of username and associated password). This, in general, is not good when it comes to things like online purchases, but it is excellent if the idea is to maintain anonymity of the principal.
Try it out. You can go to www.passport.com, and sign up for a password using a fictitious e-mail account. The e-mail address does not have to match any actual address, it just has to be in the "foo@bar.com" format. So, even though Microsoft claims to authenticate to an e-mail account, which in turn would defer authentication to the maintainer of the account (bar.com supposedly knows who user 'foo' is), it really does not. I could register a Passport in the name BGates@msn.com if I wanted to. MS would never send any note to BGates@msn.com and ask, "is this your Passport?"
Why didn't this point come up in the open letter? Well, for one, it could be that the authors did not actually experiment with Passport prior to writing; all of the Microsoft literature leads one to believe that the e-mail address is authenticated. [There are numerous e-mail authentication examples in use; join any mailing list, and you will often get an e-mail, "reply to this and you'll be added". That is at least some authentication that you can access the e-mail account that you claim is yours.] Paperware analysis could lead the authors to wrongly conclude that the e-mail is actually authenticated.
A different, more sinister and self-serving reason is that it would refute the claims of the open letter! If Microsoft does not authenticate e-mails, then one can pick any identity when registering for a Passport. If the identity on the Passport is meaningless, then the identity of the holder is meaningless, and it therefore follows that there aren't any privacy or protection issues at all. MS would essentially be tracking the surfing habits of some unknown user.
In conclusion, the issue of my post is not that Passport is evil or Microsoft is vying for a monopoly. The issue is that there is an unfounded fear and paranoia about security, privacy, tracing surfing habits, selling information and e-mail spam related to .NET Passport that really does not exist... because Microsoft does not authenticate the e-mail address used to register the Passport. Never. Nada.
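The mailing-list style confirmation loop mentioned in the thread ("reply to this and you'll be added"), and the e-mail change case raised in an earlier comment, sketched as an added example that is not from any poster or from Passport itself. The `Accounts` class, the token layout and the 24-hour lifetime are assumptions made for illustration: an address is only treated as verified after the mailbox owner returns a signed, expiring token, and a changed address stays pending until then.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the example)
TOKEN_TTL = 24 * 3600              # assumed policy: confirmation valid for 24 hours


def issue_token(account_id, email, now=None):
    """Return the token mailed to `email`; it binds account, address and expiry."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL)
    msg = f"{account_id}|{email.lower()}|{expires}".encode()
    return f"{expires}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def check_token(account_id, email, token, now=None):
    """True only for an unexpired token issued for this exact account and address."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    msg = f"{account_id}|{email.lower()}|{expires}".encode()
    good = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    fresh = (now if now is not None else time.time()) <= expires
    return hmac.compare_digest(sig.encode(), good.encode()) and fresh


class Accounts:
    """Tracks a verified address and, separately, a claimed but unproven one."""

    def __init__(self):
        self.verified = {}   # account_id -> address proven by a confirmation
        self.pending = {}    # account_id -> address claimed but not yet proven

    def claim(self, account_id, email):
        """Signup or e-mail change: record the claim, return the token to mail out."""
        self.pending[account_id] = email.lower()
        return issue_token(account_id, email)

    def confirm(self, account_id, token, now=None):
        """Promote the pending address only if the mailbox owner presents the token."""
        email = self.pending.get(account_id)
        if email is None or not check_token(account_id, email, token, now):
            return False
        self.verified[account_id] = self.pending.pop(account_id)
        return True
```

Because the previously verified address is left untouched until the new one is confirmed, an unconfirmed change request never unbinds or re-points the account.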