EPIC Urges State AGs to Pursue Microsoft Passport
An anonymous submitter sent: "The Electronic Privacy Information Center has sent a letter to all state attorneys general urging them to pursue Microsoft Passport under state consumer protection laws."
It's a joke. Laugh. (Score:4, Funny)
...named Passport and Windows. ^_^
Anti-Linux? (Score:2)
OTOH, I believe that there is a Mac web server that has never had an effective virus attack. (I think they secured it by removing applescript from the machine, but I wasn't involved, so it might have required more.)
And it should be relatively easy to build a secure site by mounting all partitions (except
Customer's Information (Score:2, Insightful)
Also I object to the way this Passport is being forced upon everyone. In the UK it seems to be rather unreliable. Several times this month, I have seen MSN messenger say "The
I am not proud of having an account with them as it makes me one of those statistics showing how popular they are. If it (hotmail) had been run by MS when I signed up I would never have done it.
I'm glad I gave completely bogus details since I really object to having my personal information being spread around the way MS (and other large companies) do.
I would say "oh, leave them alone" if their Passport/.NET service was reliable, since I don't care if they sell my fake information.
Re:Customer's Information (Score:4, Insightful)
I recently went to a seminar with MS's senior systems architect (UK) talking about Passport (mainly
Even if you do not believe this, he made an excellent demonstration of the problems of trust. A member of the audience (anti MS - he was heckling throughout the seminar) raised a similar concern. I paraphrase the conversation here:
Man: 'I don't trust MS's servers to keep my data safe and not abuse it'
MS: 'Well, whose servers do you trust?'
Man: [thinks] 'Mine'
MS: 'Everybody raise their hands if you trust your data on this man's server'
I thought it was a nice example anyway.
Re:Customer's Information (Score:2)
I'm sure MS would like that -- if the other servers paid MS big $$$ for the software. But the fundamental security problem isn't that MS is running the servers, but that the servers are running fundamentally insecure MS software.
It's a structural problem (Score:3, Insightful)
The proper design of such a system would implement the exact same features, but store the information on the user's local hard drive, with the option of backing this up to a third-party site chosen by the user. Also, the user should have the ability to enhance the encryption, by adding a layer using their own preferred encryption program (pgp, gpg, etc.) to wrap the already encrypted data. (You are, after all, planning on backing up your personal data onto someone else's servers.)
The service if implemented in this way would be cheaper for the software supplier to provide. And this method has many obviously superior features. So much so, that one needs to wonder as to why it was implemented in the way that it was. It wasn't for the convenience of the users. It wasn't for efficiency of operation. It wasn't for simplicity of design. It wasn't for ease of integration. Was there a legal reason? (There sure wasn't a technical reason!)
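The layered store sketched in the comment above, as an added example (not code from the original post, and not Microsoft's): the client encrypts the profile locally under the service's key, then the user wraps that ciphertext under a key only they hold before the blob goes to a backup host. Both keys are assumed to arrive as 32-byte values (in practice derived from a passphrase with a real KDF, which is out of scope here); the layer labels, function names and the sample profile are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when a layer fails authentication: a modified
// blob is rejected rather than decrypted to garbage.
var ErrTampered = errors.New("profile blob failed authentication")

// seal encrypts with AES-256-GCM and prepends the random nonce.
// aad is bound to the ciphertext but not encrypted (a label for the layer,
// so an inner blob cannot be passed off as an outer one).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrTampered
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// WrapForBackup builds the blob that may be handed to any backup host:
// inner layer under the service's key, outer layer under the user's own key.
func WrapForBackup(profile, serviceKey, userKey []byte) ([]byte, error) {
	inner, err := seal(serviceKey, profile, []byte("profile-v1/service"))
	if err != nil {
		return nil, err
	}
	return seal(userKey, inner, []byte("profile-v1/user"))
}

// UnwrapFromBackup needs both keys: the backup host (or the service) holding
// only one of them cannot recover the profile.
func UnwrapFromBackup(blob, serviceKey, userKey []byte) ([]byte, error) {
	inner, err := open(userKey, blob, []byte("profile-v1/user"))
	if err != nil {
		return nil, err
	}
	return open(serviceKey, inner, []byte("profile-v1/service"))
}

// newKey returns a fresh random 32-byte AES-256 key (stand-in for a KDF).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	// Constructed sample profile; the numbers are placeholders.
	profile := []byte(`{"name":"sample user","card":"0000-0000-0000-0000"}`)
	serviceKey, userKey := newKey(), newKey()
	blob, err := WrapForBackup(profile, serviceKey, userKey)
	if err != nil {
		panic(err)
	}
	// The backup host, even colluding with the service, lacks userKey.
	if _, err := UnwrapFromBackup(blob, serviceKey, newKey()); err == nil {
		panic("outer layer opened without the user's key")
	}
	// A flipped byte in the stored blob is detected, not silently decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := UnwrapFromBackup(tampered, serviceKey, userKey); !errors.Is(err, ErrTampered) {
		panic("tampering not detected")
	}
	got, err := UnwrapFromBackup(blob, serviceKey, userKey)
	if err != nil || !bytes.Equal(got, profile) {
		panic("round trip failed")
	}
	fmt.Printf("round trip ok, backup blob is %d bytes\n", len(blob))
}
```

The outer layer is what the comment's "wrap it with your own pgp/gpg" buys: whoever stores the backup sees only ciphertext they cannot open, and because both layers are authenticated, a host that edits the blob is caught at restore time instead of feeding corrupted data back into the profile.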
Re:Customer's Information (Score:2, Insightful)
Here we see Microsoft conveniently ignoring a relative reference.
There's no reason why you would trust your data on my server, of course.
But would you trust your data on your server?
With .NET, Microsoft has acknowledged that the money is to be made by selling services as opposed to products. Microsoft wants to be the ones who sell you that service. Of course they're not going to acknowledge that you can provide that service yourself. Their survival depends on building a business model which prevents anyone but themselves from offering this service.
Re:Customer's Information (Score:2)
Whoever is actually the most trustworthy is mostly irrelevant to my point - perhaps the man I was talking about has the world's most secure server, and has the most anally strict moral code. The important issue is whether the user has trust (however unfounded) in that organisation.
Despite the huge amount of bad press about Microsoft security, many people will still trust them. And who else has a system the scale of Passport, has received as many hack attempts as Passport (lots I presume), and has not been compromised?
Microsoft's security is pretty shoddy, but it is left for a 3rd party to demonstrate that their security is better, and that they will not abuse the data.
Data Protection Act in the UK (Score:4, Informative)
" I think we need a law that forces companies to have a large checkbox in their sign-up forms saying "I don't mind having my personal information sold to other companies". This should be un-checked by default. I'm sure some countries probably have this already. "
As you are from the UK, you might be interested in the things covered by the Data Protection Act (DPA). The DPA can be used in the UK to protect yourself from people misusing your personal information. A quick guide can be found here [dataprotection.gov.uk] Companies can be quizzed as to how they use the information and what information they hold on you. For as little as £10
In addition you have the right to sue the company for any loss resulting from faulty information they use, and you can have data removed / corrected as appropriate (see here [dataprotection.gov.uk] for details)
As passport is based in the US I doubt you have any rights covered by this act (although you might as they are providing the service in this country). However I think this is a step in the right direction, in the UK this covers most companies and data including credit ratings. This is a brilliant step forward and offers hope to all those people who are screwed because of faulty information, or just pissed off with companies sending them letters ;)
For certain "sensitive" types of information a company will have to get your explicit permission before using your information eg. race, religion etc.
I am intending to write to the Information Commissioner to ask about Microsoft's information gathering activities in this country and if they can be stopped / modified to ensure that they conform to the DPA. Maybe if enough people do this we can get a result for the UK.
One of the consequences of the DPA is that it makes it illegal for any company to export any person's details outside of the EU without their written permission. Since it's difficult to know where, physically, these servers are and where they might be replicating the information, this could lead to trouble. It's almost tempting to get a passport account and then try and sue them.
Re:Customer's Information (Score:4, Interesting)
If a site that got my data under the license gives it out to someone else, it isn't a regrettable incident that might possibly get a brief mention on Wired or C:net, it's a legally actionable event under the same draconian IP laws that all those media companies have spent millions of dollars lobbying for. Selling a database won't just get you a bunch of angry emails from
Oh, and for the folks that would want to stick a "Gnu" in the name of the license - sorry. The whole point is that my data remains proprietary, with myself as the owner. Not all data wants to be free, my personal info likes its dark little box just fine, thank you.
-reemul
Re:Customer's Information (Score:2)
Don't forget the clause that you reserve the right to change any item of personal data without prior notice.
Credit card number, phone number, address, marital status, religion, name, race, gender, date of birth...
Re:Customer's Information (Score:4, Interesting)
Well, this is not correct. In at least one country (Italy), the law acts in a way that you have TWO separate agreements: one for the service, and one for spreading out your personal data. Both have the "no" option checked by default.
You have to check on the first "yes" to have the service activated, and nothing else. Checking the second "yes" will grant permission to the service provider to use your data for ads, statistics etc. Using your data without this specific agreement can cause big penalties for the companies.
Everything is explained on every form, and it's so common that everyone knows that they must check only the first answer.
Straw Poll (Score:3, Interesting)
Which state attorneys general do you think will go for M$?
And which won't?
Education and awareness (Score:3, Interesting)
deceptive trade practices (Score:5, Funny)
If that's deceptive, how about those ads claiming that Windows servers run unattended?
deceptive -- software that doesn't work / insecure (Score:3, Informative)
Re:deceptive -- software that doesn't work / insec (Score:2)
A fast skim through the article indicates that there are fundamental problems with the basic idea, aside from the MS implementation errors. The web itself is too insecure to allow running a really secure application on un-modified browsers. Passport collects the authorizations to many accounts in one place, so it ought to be more secure than is theoretically possible with the protocols used.
Holy cow (Score:4, Interesting)
Hopefully most of those accounts aren't tied to active users, because of this. But if they do really already have 200 million users, all of whom are active, then that really is scary. That's around 3% of the world's population. (If I knew what percentage of the world's population used computers on the internet regularly, this would be more meaningful, but I'll take a guess and say 33%. Then 10% of users online would have active Passport accounts!)
Re:Holy cow (Score:3, Interesting)
At least three of those passports are (were) mine. I signed up for some mailing lists, got a passport and I have no idea what random crap I pasted into the password field, deleted the crap it dumped to my hard drive and moved on. Ditto when I realised I'd missed a mailing list off the subscriptions. Plus my first attempt that barfed because my IE security settings had been customised from one of the preset defaults.
They might have 200m registrations, but how many of those became permanently dormant the same day they were created?
Re:Holy cow (Score:2)
Now there's an interesting thought.
I have no interest in getting such a passport, but presumably if it's done on line, it can be done by some automated program. I wonder what would happen to the Passport system if it started getting (tens of?) millions of new registrations a day...
Re:Holy cow (Score:4, Interesting)
IIRC, the expected techie cities followed, but the percentages quickly dropped below 30%. Outside those areas, the percentage of adults who have internet access was much lower than that.
In industrialized nations with relatively strong economies, the average internet access rate is probably below 20%. China and India each have populations around 1 billion, but what minuscule fraction of a percentage of their citizens have internet access. Most of the world's population doesn't even have electricity.
I think the percentage of people who (1) have electricity, (2) can afford a computer, (3) have the training to use a computer, (4) and have access to the Internet is probably less than 5%. In fact, I suspect it's closer to 1%.
Still, I think Microsoft's 200 million figure is exaggerated... the result of convenient accounting. Personally, I have at least a dozen Passport accounts that MS automatically gave me when I signed up for Hotmail accounts I only used once. I have never given MS my credit card number or even my real zip code, and I never will, yet I am over a dozen Passport users. Heck, my imaginary dog has two Hotmail accounts (he complained that the first one was full of spam, so I signed him up for a second account).
Aside from users like me (and my imaginary dog), I had a friend who wrote a commercial script to log into Hotmail. To test it, he wrote another script that created thousands of Hotmail (and Passport) accounts. He did the same thing with Yahoo, and apparently this phenomenon is common enough that Yahoo now requires new users to use "Word Verification" [yahoo.com] to "prevent automated registrations."
Re:Holy cow (Score:2)
> population used computers on the internet
> regularly, this would be more meaningful, but
> I'll take a guess and say 33%.
you must be joking. about 70% of the world population can't even read and write. half of the world population is on the brink of starvation.
industry sources speak about around 600 mio. computers-in-use at the end of 2001 (c-i-a.com). that would give 10% of the world population a computer, except that it counts business machines, too, which outnumber privately-owned machines by several factors. and the vast majority of business machines will not be internet connected.
isc.org speaks of 125 mio internet connected hosts (july 2001), their definition being "hosts advertised in DNS". this may be several machines for a single DNS entry or - more likely - one or a few machines for many DNS entries (large hosting centers).
so we don't have any good figures, but I'd take bets that 33% is a tremendous exaggeration. even for the US, just over 50% of households own a PC with internet connection. in those parts of the world that contain the majority of the population, most homes don't have electricity or plumbing. I'd be surprised if 33% of the world population even knew what "the internet" is.
Re:Holy cow (Score:2)
It's actually closer to 1/4 of the world population. Most people are considered literate these days (ignoring the obvious it's/its/there/their/they're problems).
Similarity (Score:5, Interesting)
that Passport gives users control of their personal information. However, the most basic aspect of control--the right to take back one's
personal information--is not accommodated by the Passport system.
Note that one can't delete his Slashdot account either, which could actually be the source of some trouble: if he suddenly changes his mind about whichever opinion or way to express it he has, there'd be a way to track his former behaviour if the account he opened was named like him, and we know for sure how much we change over time (maybe from the pro-patent to anti-patent or from the extremist to the moderate).
Though I dislike to add such a disclaimer in my Slashdot post, I'd like to point out that I don't want this comment to be considered as a troll, nor is it off-topic.
This is just a way to point out that we should ensure that no one may reproach us with the same things that are being reproached to Microsoft or whoever else.
Back to the article, now: what sort of effect does such a letter have?
Re:Similarity (Score:3, Insightful)
Microsoft Passport is a method of storing personal information that can potentially be used to profile your spending habits, income, lifestyle. Not to mention selling your identity by help desk personnel at microsoft.
Slashdot is an open forum where readers willingly express their opinion. There is no reason to cancel a Slashdot account.
What if you don't want Microsoft to hold your information against your will because of a 'technical limitation'? That is, frankly, bullshit.
Re:Similarity (Score:2)
> Yes however good intentioned your post may be you are comparing two different things.
There are certainly huge differences between what Microsoft is proposing and what Slashdot is doing.
Nevertheless, the point is valid. Though we enjoy freedom of speech in this country, our words can still come back to haunt us.
The fact remains that information on the Internet is very easy to search and retrieve. Anyone with Internet access, just about anywhere in the world, has a dizzying amount of information that can increasingly be obtained about us. Be it personal, financial, or intellectual.
Should we be concerned about this?
Should we try to put some limits on it?
What are the costs and the benefits to society?
Re:Similarity (Score:2)
I could easily change user names, and never look back if I didn't want something I said held against that username.
now if
It would be nice if someone could cancel their username, so someone else could pick it up, but that's another subject.
Even if you could cancel your account, the posts under that username would still exist.
Re:Similarity (Score:2)
Well, possibly - if you're stupid enough to say something on Slashdot that attracts the focused interest of some very serious people with warrants in hand. AFAIK, Slashdot - like your ISP and other subscription based organizations - keeps your personal identity confidential. Unless and until presented with a valid warrant by a law enforcement agency acting within its jurisdiction.
Or, you could use your real name as your Slashdot ID and proceed to post a load of whacko ramblings. Even then, your post history wouldn't be searchable because Slashdot maintains posts in a database that's not accessible to Internet search engines. This is commonly the case at a lot of other websites where you might have a membership, too. But all bets are off if the site gets well and truly hacked, which is where Microsoft is famously vulnerable and an important part of what EPIC is complaining about to the FTC and State AGs.
Do a Google search on your own full name. You'll find your own website (if you have one) and the websites of other people who happen to have your exact same name. But you won't find your birth record, marriage/divorce (if any) data, drivers license information, traffic tickets, or credit information. However all this information is available to anyone with the time and inclination to look for it in all the right ways. And that's OK - it's all public data or information available to those who have reason to seek it (and pay the fee, in the case of a credit report).
But EPIC is concerned about Microsoft deceptively and unfairly collecting personal and financial information (credit card numbers, purchasing history, other profile data) and storing it in an inherently insecure system. Among other things.
Re:Similarity (Score:2)
I could easily change user names, and never look back if I didn't want something I said held against that username.
If you post an opinion in your newspaper, then later change your mind, should that newspaper be forced to destroy all copies of its paper? Should it be forced to allow you to print a retraction? Do you really think anybody gives a damn about your opinion?
Re:Similarity (Score:2)
If an "evil hacker" took over my
Re:Similarity (Score:4, Informative)
This is wrong, if you have a passport account you can delete it. Visit the Contact Us [passport.com] help page, and select the 'delete my account' from the list of things in the I need to list. They'll then send you a mail asking for answers to the secret questions. They were very responsive when I tried.
Re:Similarity (Score:2)
Expunging all traces of information is extremely difficult at best. Your "deleted" information will probably wind up somewhere in the used disk/tape market at bargain prices.
Passport Roach Motel (Score:5, Interesting)
Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.
Go to the Passport site (http://www.passport.com [passport.com]) and look; there's no FAQ or other document that tells you how to cancel your account. Nor is there any e-mail address of anyone who might be able to help you do it manually.
So, when you hear Passport adoption statistics, subtract at least one. I've never used my Passport a second time, but can't get rid of it, after trying for weeks.
Re:Passport Roach Motel (Score:4, Interesting)
Sure, just wait for a quantum event, like this one (from their agreement):
But you're correct that the agreement doesn't open for you, the consumer, to end the contract. Surely that must be against some contract law somewhere?
Re:Passport Roach Motel (Score:3, Interesting)
I've never been back, and I certainly don't plan to go back if I can avoid it. I hope the credit card number I used has expired by now. I wonder how many millions more Passport "users" are really just people like us, who couldn't pass up a "free" 20% gift. It's classic Microsoft, using deep pockets to buy a market.
That's the great little gotcha for Passport, once it becomes entrenched as an effective monopoly. MS can begin charging a "nominal annual fee" to maintain our Passport accounts.
All your dollars/Euros are belong to us.
Re:Passport Roach Motel (Score:2)
It's best to lock the barn before the horse gets stolen, not after.
Re:Passport Roach Motel (Score:2)
Well duh. You just stated the solution.
Just wait for the next passport exploit to show up on the web and use it to get into - and delete - your account. LOL
Future tense (Score:4, Interesting)
I'm on EPIC's side and I agree with most of the points about the *potential* problems with Passport, but if M$ haven't done anything wrong yet or EPIC offers no proof except the potential for harm, then this isn't going to get much notice.
Kids Passport? *shiver*.
Re:Future tense (Score:3, Insightful)
Also Microsoft claimed (at least according to the letter) that they want all internet users signed up. This is really scary, especially given the company's history.
Granted, anyone reading this probably knows better, so it's up to us to warn everyone else.
Re:Future tense (Score:2)
Or what may be more to the point where MS is concerned: their servers have already been cracked to the point where unknown third parties could have read out just about any data they wanted from MS's network. Therefore, whether or not MS promises to keep your data private is pretty much meaningless, because that's a promise they do not know how to keep.
Against the law nonetheless.. (Score:5, Insightful)
Regardless of whether Microsoft has been proven to abuse the power, there are laws which make it illegal to possess the ability to abuse the power. The idea comes from a legal term: "conflict of interest."
When a person offers a service to another person in the financial/legal/medical world they are acting as an agent on behalf of the customer. Legally, that arrangement has an implied "fiduciary responsibility" to the customer. That means if someone gives you the key to their account and you do something they wouldn't have agreed to, you are wrong and subject to criminal and civil liability. In the case of finances, there are EXTRA laws that say you are not even allowed to offer such services to people if you have an interest in ripping them off (like other competing customers).
Bill Gates comes from a long line of lawyers: his family is a lawyer family. He knows he can flout the law wherever there is grey area because he has the money to risk. If he manages to win some small legal challenge, he has stretched the law to allow more exploitation and the windfall revenue that goes with.
When you (the US) have a big dog, you put a pinch (or shock) collar on him, and you jerk it hard (or shock him) when he *starts* to get out of line. You can let up a little, but only when he has a compelling fear of disproportionate retribution. Corporations are less like people who deserve rights, and more like dangerous, powerful animals that must be attended to with preemptive stewardship. Emotions, values, and ethics are not present in the brains of reptiles or boardrooms.
Tense About the Future (Score:2)
Actually, this is exactly what would (in normal circumstances) get the attention. The wrong that MS has committed is in touting an offered service as something that it reasonably isn't. For example, I can't offer my services to the public as a bank if my vault has no lock on the door, because a reasonable customer has every right to assume that I've got physical safeguards in place if I claim to be a bank. If I purport myself as a bank, and then it's discovered that I don't have a vault, then the FTC (or the state attorneys general) can reasonably require me to stop claiming I'm a bank, or at least require me to advertise that I don't have "standard" bank security. MS purports that Passport is a secure portal time and again, and yet it's been shown to have some fairly severe security faults. That's the wrongdoing, and the EPIC letter is attempting to call attention to it through the states' AG offices since they got no joy from the FTC.
Virg
Pursuing Passport (Score:3, Funny)
EPIC: We urge you to pursue Microsoft Passport.
Unnamed State Attorney General: Thanks for recommending this great service. I transfer all my documents through Hotmail now and with Microsoft's upcoming Intellisignature Technology I can sign sign everything with just a click of my mouse.
Re:Pursuing Passport (Score:2)
USGOV: Thanks for your recommendation We are pleased to announce that Passport services will soon be fully integrated with the US Post Office [slashdot.org].
Tried this at the National level.... (Score:4, Insightful)
Ok, so what they are saying is, the FCC didn't care, so we are going to attack at a lower level. While I admire their determination/wish them luck, how much will this knowledge that the FCC didn't do anything affect them? Food for thought this AM....
FCC and FTC are not the same (Score:4, Informative)
The FTC is the Federal Trade Commission. They are a very different animal - for one thing, they are a hugely more powerful institution. They are the people you have to talk to if you want a dispute (like, say, MS Passport is mysteriously billing you for services you didn't buy) resolved without involving the courts; even if you are going to go to court you generally have to talk to the FTC first.
It is, perhaps unfortunately, very difficult to get the FTC's attention. I assume that the state attorneys general know this. Also, major decisions at the FTC are made by political appointees; the Bush administration has been seen by many attorneys general as being soft on MS.
Re:Tried this at the National level.... (Score:2)
Then they tried to pass it at the state level and have succeeded in several cases, including court victories that strengthen such laws.
Dealing with an issue such as privacy at the state level is going to have a better chance of passing because the common ideologies of the state populace will be somewhat narrower than those of the nation as a whole. In addition, there's not as much of a lobbyist effort in state governments, because it would spread a company thin to deal with 50 + 1 governments instead of just 1. Furthermore, if a majority of states enact some regulation, other states are usually pressured into passing similar ones if only to remain sufficiently consistent (particularly if the state without such a statute is surrounded on all borders by states with such).
Heck, look at what the vendors were trying to do with UCITA, trying to achieve a national standard by aiming at the states.
Re:Tried this at the National level.... (Score:2)
The FTC (not FCC) is a federal agency that has authority delegated to the executive by the Legislature under the Commerce Clause by the appropriately named "FTC Act," which generally governs among other things, deceptive and unfair trade practices.
Florida, and most other states, have their own versions of the FTC Act, often referred to as their "Little FTC Acts." There is even a proposed uniform act, the so called UDUTPA. Florida doesn't adopt UDUTPA, but has its own FDUTPA, the Florida Deceptive and Unfair Trade Practices Act. And yes, the act expressly defers to the construction by courts of the Federal FTC Act. But No, this does not guarantee deference to decisions of FTC administrators.
And lest anyone ask (Score:4, Informative)
Should anybody ask "How is this a bad thing?", send them to read Privacy and Power: Computer Databases and Metaphors for Information Privacy (linked to here [shu.edu]) by Daniel Solove. I personally think it is worth reading the whole thing, but it's kinda long, so maybe this NY Times article [centrexnews.com] is a better suggestion.
It basically says, "You may think Big Brother isn't interested in you, and you may be right, but there is a Big Unknown gathering so much information about you, she could come after you once you become a nuisance to her!", only in a less conspiracy-theoretical way...
Passprot Issues (Score:3, Insightful)
Re:Passprot Issues (Score:2)
Sorry to hear about that, isn't their anything you can do? Maybe you could get in a pest control company?
Tripe (Score:2)
Bzzzt! Wrong! You can register any email address (it doesn't even have to be a valid one) for a passport account.
How does such uninformed tripe get moderated up?
Might help to delete everything after the comma...
The problem is there are Microsoft services
Re:It's not tied to hotmail (Score:2)
For arbitrarily broad definitions of "right".
Anonyimty and passport (Score:3, Insightful)
Staying anonymous on the web is getting tougher but not impossible, confirmed. MS cannot ENSURE privacy with the Passport system, this has been proven, and as such it is vulnerable to state regulation.
Then again I trade grocery discount cards......
Opt-In vs Opt-Out vs Passport. (Score:4, Insightful)
This is easy enough to see in the case of spammers and mailing list types who want to assume that you want to get their junk unless you "opt-out". With thousands of advertisers, this quickly becomes unworkable.
Now we come to MS and Passport. With the fact of Monopoly, it is possible to enforce the sale and or acceptance of other "products" because they are "part of the whole package". I believe that in certain states, for certain industries, you cannot enforce the sale of product number 2 as a prerequisite to purchasing product number one. This varies by the product. Of course, you can always say "included free" but some things that are free are not worth the price.
In the case of a monopoly, you can enforce the acceptance of items which would not otherwise be desired, and which may be a mixed blessing to the consumer at best. I am extraordinarily wary of Passport and the all in one wonderful world of Microsoft Productivity that it promises for people.
Stepford Nation, indeed.
Even worse than you say... (Score:3, Insightful)
Sounds to me as if they're using their OS monopoly (now a matter of Fact, and Law) to leverage a monopoly in the emerging Network Authentication industry. It gets all the worse, because there is no Network Authentication industry yet, and if MS has their way, it will never truly emerge because they'll own it from Day1.
knuckle rapping (Score:2)
Unless, of course, some one else has already patented it and they are only waiting for an appropriate amount of time to go by in order to rap the microsoft knuckles for patent infringement.
Biting off more than they can chew (Score:3, Insightful)
They are attacking MS because they collect personal information that could be exposed through security flaws?
How many dozens of e-commerce sites could be shut down on that account? Think about it.
Or are the Attorneys General being asked to hold Microsoft accountable for their weak security? Bruce Schneier's been trying to go there for years [counterpane.com].
Unfortunately, he could tell EPIC exactly how far this is going to go.
Privacy for dummies. Chapter 1. (Score:5, Insightful)
Let us now put this into the context of the passport scheme - the EPIC letter states "Microsoft has indicated that the company's goal is to have every Internet user possess a Passport account", which I deem a fair summary of the situation (although, ideally, everybody would also use a Hotmail account too). Trundle along to, say, http://www.passport.com [passport.com] and look! See how you can sign up with ease! Get it now! Calooh! Callay!
Now let us try to pull the same trick that was pulled on me, and that I have fortunately not seen on any well-organised mailing list outside of Redmond. Enter an e-mail address, any e-mail address (excepting MS-specific ones such as Hotmail) - even make one up that obviously doesn't exist, and then... Carry On! Yes! There's still no security! At least, I guess, an e-mail gets sent to the e-mail address asking you to verify it, but this seems to be purely for service embellishment:
Using the new obviously-fake account, I can save settings, edit my MSN etc etc much as I may or may not want to. That is not the issue. What we have here is clearly a case of theft of privacy - without even trying, anyone is able to sign up anybody else's e-mail account for a passport. Who knows what havoc this could/will cause! Not being particularly au fait with MSN, I have only circumspection, but Microsoft have an epic journey to go before they reach "Trustworthy Computing [tm]" if they fail to understand the basics of privacy and intrusion, as highlighted here.
To conclude, I say get out there, fight it from the other end - the end that consumers will understand. Sign up as many fake and real accounts as you like to demonstrate just how fallible the system is. I'm off to see if they prevent scripting...
Re:Privacy for dummies. Chapter 1. (Score:2)
This sort of thing generally goes under the name "spam".
What a bunch of bullshit (Score:2)
Have you even tried to do that? Anytime you register an email for a passport account, passport sends an email to the email address specified informing the user about the fact that the passport address was registered under that email address. So no, you can't hijack someone else's account unless you also have access to their email account.
An email address is not a security feature. The fact that I can register foo@bang.com as my passport ID means diddly squat (assuming there is no foo@bang.com) and is a great way to protect your privacy if you want to use passport features without revealing any personal information.
Re:What a bunch of bullshit (Score:2)
The access to the email account that is required is the name of the account. Semi-public info, actually.
This is preemptively hijacking the victim's passport account knowing only the victim's email address.
Re:Privacy for dummies. Chapter 1. (Score:2, Interesting)
This is great if someone just signs you up and leaves it at that. However, the same e-mail verification process (get the sign-up statistics first, ask for validation later...) is used if you want to change your e-mail. So by the time they confirm the password reset, they're told that the account is not registered at all! If they then don't register with passport.com, there is nothing AFAICS to stop the account being pointed back at that e-mail, starting the fun and games from scratch again.
I also assume (subject to further tests) that the same mechanism is still in place for subscribing to e-mail lists and the like. We shall see...
EPIC Letter needs a proof reader (Score:2, Interesting)
remember: When giving private info (Score:5, Interesting)
You are born in 1998, your zip code is 82312, your gender is none of their business (and if they insist use a coin to decide). Nor is your race, religion, or the type of car you drive their business.
Reasons for the above: In the US only minors have privacy protection, so by putting down a birthdate of 1998 you are under those laws as far as they know. Your physical address is none of their business, unless you are buying something from them. (and so far I've never had a problem with the vendors who I buy from though there are bad apples out there). Your gender, race, religion, etc is none of their business, on the net nobody knows you are a dog! Refuse to answer, or answer randomly. Randomly means sometimes you give the right answer, because if you always gave the wrong answer that in itself would be a clue.
Remember invalid data that they have is less valuable than not having data at all in many cases.
sure, if you don't care about accessing sites... (Score:2)
A growing number of sites deny access to users under 13, or require special parent's permission to access them. This is a result of the COPPA legislation [coppa.org]. So yes, you are right, you have more legal privacy protection then.
...but you are missing the detail that you won't be able to access a small, but well used, portion of the net, or you will have very restricted access to sites. Changing your birthdate later when you run into this isn't always possible.
Re:remember: When giving private info (Score:2)
Last night I installed some new software. The dropdown box for birthdate went up to 1999, so that's what I used
I'm under 13 (and "legally protected") until 2012!
-
I have two! (Score:2, Funny)
As for not using them, I can't. They're extremely valuable. You see - this way ALL the spam I would get in my primary account - goes to Hotmail. It's kinda fitting, don't you think?
As to why I have two? About two months ago I received almost 1,200 spam messages over a 24 hour period. that's NOT a joke. I abandoned rspy@homail.com and switched to a new one. I figure I'll give this one 6-12 months
Honestly though. There are VALID reasons for using Hotmail and other Microsoft services. This is one of them.
Oh, Come On! (Score:3, Interesting)
Does everything Microsoft does have to be under scrutiny? Personally, I think AOL/Time/Warner(/US Gov't) is more evil by far. The only reason no one ever gives them crap is because the government is a secret part of that merger!
Microsoft Passport is a good idea. Sun et al. think so. They are coming up with Liberty, their answer to Passport.
Does Passport need work? Yes, I don't deny that. But does Passport store *everything* on the server? NO! A site that implements Passport is responsible for keeping track of their own consumer's information. This is outlined in the .NET Framework and Passport SDKs. Currently, there is no way for a site to pass information back to the central Passport database. The only thing Passport could know about you in that case is that you go to that site.
Get off their backs. I'm a big linux and open-source supporter but I also realize that Microsoft has better integration as a whole system. I'm getting really tired of the crap everyone on this site gives them. You could point fingers at a lot of other companies, too, not just Microsoft. For instance, anyone read the other post today? Linus is being a pain in the butt. Maybe you should scrutinize him for a while!
Re:Oh, Come On! (Score:5, Insightful)
Now, I'm not a MS basher in the way most people do.. I am however VERY concerned about their growing stranglehold on consumer choice. Ever so slightly people are lured into a total MS dominance...
Ah well.. I'll keep on dreaming of the old days...
Re:Oh, Come On! (Score:2)
People always forget that key point. Exxon is more than twice the size of Microsoft (actually, I thought it was more like 10x the size), but no one is going after them. Why? Because they don't control 90% of their market. Being big is not the issue here, being a monopoly is.
I bet... (Score:5, Funny)
So you want out ... (Score:5, Informative)
Send e-mail to the following address requesting the removal of the passport account and the information associated with it:
passport@css.one.microsoft.com
Be sure to word it strongly or you may not get a response. I ended up getting to the point where I was using curse words and basically spamming this address. I also reported this incident to my local news media (who did nothing, surprise surprise) and informed Microsoft of this.
My big beef on this whole Passport thing was that I was signed up because I am Microsoft Certified. I NEVER requested it, I never checked a box saying I wanted information or anything else from them. So I paid $100 to take a test that allowed MS to harass me.
BTW once you have a response from the above e-mail you will get a number. Be sure to include it in every e-mail you send. Go to the MS support site and start spamming them as well. Eventually they will listen. At least they did for me.
A last note. It did take me a couple weeks to rid myself of the PASSPORT, so be patient and persistent.
Good luck!!!
Re:So you want out ... (Score:2)
... or you can just do the easy thing and go to the support page and enter a request to delete your account. (Just search for delete in the help section to learn how. )
But naaah, that's obviously too easy and non-contentious...
RTFM
Re:So you want out ... (Score:2)
The first character of the directory entry was overwritten by a special character and the associated clusters added to the freelist (bitmap in FAT). That's what Microsoft calls *delete*. In fact it shouldn't be that difficult to gather info specifically from *deleted* accounts.
A Microsoft® Word® Document? (Score:2, Informative)
Disclaimer: Word®, Excel® and Windows® XP® are registered trademarks of Microsoft® Corporation. ©Copyright 2002. All rights reversed.
Pandora's box (Score:2, Insightful)
Will this be a consumer protection issue, or an opportunity to gain some political karma?
State AGs either Wimps or Resourceless (Score:2)
So why would anyone expect the state AGs to do much about something they know very little about (no disrespect, but the majority of lawyers do not have the specialized knowledge of technology as they do with law)?
Note that they haven't done too much about something comparably restrictive of commercial activity that affects their citizens and about which they know much more - to wit, VISA.
Have you given much thought to how much merchants get charged for the privilege of accepting VISA cards? Of how much your ability to conduct transactions in the real world is affected by the need for you to have a VISA card?
As with the price of Windows and Office, the price of VISA service is kept just barely under the pain threshold, where the host is not willing to make the effort to squash the parasite.
If nothing's been done about VISA, I hardly expect a snappy acknowledgement from the state AGs recognizing the similar capacity of MS Passport to obtain a stranglehold on electronic trade.
Re:State AGs either Wimps or Resourceless (Score:2)
I'd have to say Not at all since I don't have one.
Re:State AGs either Wimps or Resourceless (Score:2)
I'd have to say Not at all since I don't have one.
Good for you.
But I have to think your life is either simpler than most, or has become a battle to which you're accustomed.
Have you tried booking an airline flight lately, with a rental car at the other end? Or purchased something online?
Visa - Re:State AGs either Wimps or Resourceless (Score:2)
Visa does not have 94% market share. Neither does Mastercard, Amex, Discover, Access, Switch, Bancontact or anyone else.
Monopoly != free market capitalism
grammar error (Score:2)
it's not AGs, it's AsG
Re:grammar error (Score:2)
Even though it's Attorneys General, AGs is probably acceptable.
Attention Bank One Customers!!! (Score:3, Informative)
Thank you for contacting Bank One Online(sm).
Dear Mr. XXXXXXXXXX:
In response to your letter concerning Bank One's relationship with Microsoft, we want to assure you that Bank One rigorously screens any potential partners and continually strives to bring high-quality products and services to our customers. Bank One is constantly seeking new ways to service our customers, and we believe Microsoft has technologies and experience which can help us improve the quality of products and services that we offer. We continue to work with a wide array of technology providers in all segments of our business, and we believe Bank One customers will be well-served by our relationships with Microsoft and other technology providers. Many of our customers have been supportive of this relationship and we hope you understand that we use many technology providers.
We appreciate your business as a Bank One customer and hope you will continue banking with us. If you have any other questions regarding our products or services, please do not hesitate to contact us.
Sincerely,
Bank One Online
------
I just emailed them the letter from EPIC, and hopefully they will read it. I urge any of you who are Bank One customers (or any bank for that matter) to contact them and find out if they are planning on using .NET in the future. Send them this letter, let them know if you are opposed to your money and security being handled by MS.
Re:Attention Bank One Customers!!! (Score:2)
Aw heck, here is the text...
SEATTLE--Bank One, the nation's sixth-biggest bank holding company, has struck a $30 million deal to use Microsoft products and services, giving a boost to the software giant's emerging Internet services and business products, the companies said Friday. The three-year deal calls for Bank One to use Microsoft's .Net technology to build services that could, for example, deliver account billing or investment data to customers over a variety of devices, executives said.
Bank One also will promote Microsoft's Great Plains software for small businesses as well as its bCentral Web site that offers Internet-based services for small companies, they said.
Advertising is covered in the pact as well, with Bank One ads to appear on Microsoft's MSN family of Web sites, which include the MSN.com portal, MSNBC.com news site and MSN Money personal finance site, they said.
"It's really a groundbreaking deal and ties together the assets of MSN and Microsoft to help a business partner," MSN Vice President Rich Bray said in an interview.
For Bank One, the deal is a down payment on a strategy to deliver Web-based financial tools to its 60 million individual, business and investment customers, Chief Executive Jamie Dimon said.
The Internet services revolve around two pieces of Microsoft technology: its Passport online authentication service and .Net alerts, which are used to send messages via e-mail, instant messaging or mobile telephone.
"It's a little blue-sky right now, but built over many years it will deliver new services to customers," Dimon said in an interview. "They (Microsoft) are really committed to making .Net and Passport and all these services more and more user-friendly."
Weak authentication makes a strong counterpoint (Score:2, Interesting)
As part of an evaluation study, I decided to create a few Passports to understand what level of authentication Microsoft was performing to bind the Passport to the user, also called 'principal.' In the security community, there are three kinds of principal authenticators, specifically, (1) something you have, (2) something you know, or (3) something you are. An "authentication factor" refers to how many of these authenticators you possess. A driver's license is a two-factor authentication system as it authenticates based on something you have (the license) and something you are (your photo). Digital signature certificates used with signing software authenticate on something you have (the private key) and something you know (the password to use the key), and are also two-factor authentication. Biometric systems can effect 3-factor authentication. There are many other examples.
Obviously, the more factors you have, the stronger the binding is between your claimed identity and your actual self.
Microsoft Passport, by experimental determination, is a single factor authentication system (knowledge of username and associated password). This, in general, is not good when it comes to things like online purchases, but it is excellent if the idea is to maintain anonymity of the principal.
Try it out. You can go to www.passport.com, and sign up for a password using a fictitious e-mail account. The e-mail address does not have to match any actual address, it just has to be in the "foo@bar.com" format. So, even though Microsoft claims to authenticate to an e-mail account, which in turn would defer authentication to the maintainer of the account (bar.com supposedly knows who user 'foo' is), it really does not. I could register a Passport in the name BGates@msn.com if I wanted to. MS would never send any note to BGates@msn.com and ask, "is this your Passport?"
Why didn't this point come up in the open letter? Well, for one, it could be that the authors did not actually experiment with Passport prior to writing; all of the Microsoft literature leads one to believe that the e-mail address is authenticated. [There are numerous e-mail authentication examples in use; join any mailing list, and you will often get an e-mail, "reply to this and you'll be added". That is at least some authentication that you can access the e-mail account that you claim is yours.] Paperware analysis could lead the authors to wrongly conclude that the e-mail is actually authenticated.
A different, more sinister and self-serving reason is that it would refute the claims of the open letter! If Microsoft does not authenticate e-mails, then one can pick any identity when registering for a Passport. If the identity on the Passport is meaningless, then the identity of the holder is meaningless, and it therefore follows that there aren't any privacy or protection issues at all. MS would essentially be tracking the surfing habits of some unknown user.
In conclusion, the issue of my post is not that Passport is evil or Microsoft is vying for a monopoly. The issue is that there is an unfounded fear and paranoia about security, privacy, tracing surfing habits, selling information and e-mail spam related to .NET Passport that really does not exist... because Microsoft does not authenticate the e-mail address used to register the Passport. Never. Nada.
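The e-mail binding this post describes (and that the "Privacy for dummies" thread above argues over) comes down to one design choice: whether an account is usable before the mailed token is presented back. The following is an added example, not Passport's or Microsoft's code; SignupService, TOKEN_TTL and the in-memory outbox are hypothetical, and the reset path shows the uniform reply a form gives so it does not disclose which addresses are registered.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a mailed token stays valid (constructed value)

def _digest(value: str) -> str:
    # Only a hash of each token is kept, so a dump of the table cannot be replayed.
    return hashlib.sha256(value.encode()).hexdigest()

class SignupService:
    def __init__(self, now=time.time):
        self._now = now
        self._verified = set()  # addresses whose owner has presented a valid token
        self._pending = {}      # address -> (token digest, expiry) for sign-ups awaiting a click
        self._resets = {}       # same shape, for password-reset tokens
        self.outbox = []        # (address, token) pairs a real mailer would deliver

    def _issue(self, store: dict, email: str) -> None:
        token = secrets.token_urlsafe(32)
        store[email] = (_digest(token), self._now() + TOKEN_TTL)
        self.outbox.append((email, token))

    def _redeem(self, store: dict, email: str, token: str) -> bool:
        # Unknown, expired and mismatched tokens are rejected; a good token is single-use.
        digest, expires = store.get(email, (None, 0.0))
        if digest is None or self._now() > expires:
            store.pop(email, None)
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False
        del store[email]
        return True

    def register(self, email: str) -> bool:
        # Refused while the address is bound: knowing someone's address is not enough.
        if email in self._verified:
            return False
        self._issue(self._pending, email)
        return True

    def confirm(self, email: str, token: str) -> bool:
        if not self._redeem(self._pending, email, token):
            return False
        self._verified.add(email)
        return True

    def can_use(self, email: str) -> bool:
        # Features are gated on the completed binding, not on the form being submitted.
        return email in self._verified

    def request_reset(self, email: str) -> str:
        # Same reply either way, so the form does not reveal which addresses hold accounts.
        if email in self._verified:
            self._issue(self._resets, email)
        return "If that address is registered, a reset link has been sent."

    def finish_reset(self, email: str, token: str) -> bool:
        return self._redeem(self._resets, email, token)
```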
Re:Will this ever end? (Score:2)
Some Points (Score:2)
Virg
Re:Will this ever end? (Score:2)
Reasoning (Score:2)
Not really. Since AG is an accepted acronym for "Attorney General" it can be used monolithically when you're pluralizing it. It's much like pluralizing LOF (Line of Fire) as LOFs, not LsOF.
Virg