Microsoft Passport And Your Privacy

An Anonymous Coward sends us this link to a prediction about Microsoft's Passport service. Probably a lot of truth in it; I'm sure Microsoft uses it as a user-tracking system more than anything else.

Re:nicknames showing your identity

[Mike A.]

Sorry about the inconsistent use of "them" vs. "we" in the above. I am, in fact, a Microsoft employee, and my project involves working very closely with Passport (though I'm not on the Passport team myself).

--

Re:Great...but can we stop it?

[thoglette]

> Opera is a great browser, but who is going
> to pay for it when you can get the others
> for free.

I'm one of those people who pays for their SW (yes, even Winzip is registered) and having tried Opera as a Netscrape-on-NT alternative I won't be spending any money.
_Out_of_the_box_ it crashed/hung more often than Win3.1 did. I don't have time to work out _why_: so it's in the bit bucket & I'm stuck with bloatscape.

Sorry, but if you can't get the sales demo version to work reliably you're going to have a hard time flogging stuff to anyone.

I don't want to pay good money to fsck up my PC when I'm quite capable of fscking it up myself.

See, I'm _trying_ to care...

[hiryuu]

...but his decidedly set tone ("Microsoft is evil") makes this hard to take a little seriously. I'm also not sure this is news, as wasn't this discussed pretty widely just about everywhere when MS first rolled out Passport? It's not like they were keeping the "central-repository-for-your-personal-data" thing a secret, since they wanted to sell it as a benefit.

Aside from which, if all you use is Hotmail, then there's pretty limited real information you hafta give them. After all, you could put "Ms. Wicked Witch, OftheEast, Oz" as name and address and still get an account.

Other solutions? use a different OS and browser (duh). Unfortunately, since most people are sheep...

nicknames showing your identity

[mephinet]

what sucks is that you can use any nickname you want when signing in at hotmail, but if you order somewhere online you have to submit your real name (fedex don't like john doe's :)) after that, passport can link your john-doe-nickname to your real name and all sites you think you entered privately by entering your nickname know you. suddenly all the information you only gave since it was 'anonymous' turns out to be directly linked to you personally. love that idea. philipp

How is that secure?

[Fon2d2]

That doesn't sound very secure at all to me. What's to prevent a malicious site from popping up claiming to be part of the Passport network when in fact it isn't. That site could duplicate the Passport sign in and trick Mr. Joe Consumer into giving away his username and password. The site could then just go access the Passport databases and take credit card numbers for themselves. This thing will be laden with security exploits. Any common sense, tech savvy user would be a fool to use Passport.

Re:Great...but can we stop it?

[GigsVT]

There is a new version of Opera out, it just got out of Beta. Its a lot better than previous versions. Still $19 for students, at least when I bought it two weeks ago.
-----------------------------

Full of holes - why even bother...

[Mark A. Rhowe]

With a privacy policy like this one [passport.com]?

I guess that Joe A. Verage internet user is going to think, "Hey! They DO have a 'Privacy Policy' so I MUST be virtually anonymous!"

Passport will become irrelevant

[Rob Kaper]

Mozilla (or someday to be NS5) and MSIE both have a passport implemention at the client side, making the passport service useless.

Yes, those password managers are not the most secure feature out there. But think about it. Do the users that currently use a server side passport implementation care? Of course not.

So, no problem here. At least not until your client side MSIE wallet is actually a server side .net wallet. :-)

Re:nicknames showing your identity

[Mike A.]

Except Passport can't do that, not the way it's currently designed.

All that is stored on Passport's servers is:

• your email address
• a nickname of your choice (optional)
• your location, but no more specific than your zip code
• your gender (optional)
• your birthdate (this is required so that we can comply with COPPA)
• preferred language (optional)
• and one more "accessibility" bit.

Note that you have the ability to not share your email address with Passport sites. And if you do not share the email address, they cannot get the information.

I'm not saying ignore Passport. It's clearly a place where massive privacy violations could be perpetrated. All I'm saying is that it's not happening now. If nothing else, Microsoft knows that if Passport gets tagged as being a privacy-violator by privacy advocates, no one's going to sign up for it - and then it's worthless to them. So we're motivated to maintain some level of privacy for our users.

To reiterate: there is presently no technological provision whatsoever for personal information that you enter at a Passport member site to filter back to the central Passport database.

--

Great...but can we stop it?

[don_carnage]

We've all sat back and watched how Netscrape has floundered in the market, giving IE even more of a consumer edge. Opera is a great browser, but who is going to pay for it when you can get the others for free.

Eventually, services like "passport" will be built into your Micro$oft browser or even operating system! Ever noticed how they're trying to integrate everything?

The "techies" will always have the privacy edge, because we know how to set up proxies and firewalls and use alternatives to popular browsers. Hell, I've even gone back to using Lynx sometimes.

The problem is this: Joe Consumer who doesn't understand computers or the internet isn't going to object to this sort of thing because it makes his/her life easier. Unfortunately, there are a whole lot of Joe Consumers out there capable of voting into law some pretty scary privacy violating legistlation.

The only thing we can do is to get involved in the technical side and help prevent stupid legistlation from interferring with our protocols and standards.

don (steps down from soapbox)

--