Software // Enterprise Applications
Commentary
10/30/2001
10:18 AM
Fred Langa
Fred Langa
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Langa Letter: The End Of Anonymous Surfing?

Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

During the run-up to Windows XP's release, we identified two important areas for concern regarding the way XP manages--or mangles--your privacy: Windows Product Activation and Passport.

To recap: We initially focused extensively on WPA. (See Is Windows XP's 'Product Activation' A Privacy Risk? and 1,000 Posts Later: WPA Update .) After those articles were written, Microsoft "softened" WPA. The company increased the number of components that it let you change without triggering a need to reactivate and changed the time period during which system changes are tracked. If you don't change your system components too much, too fast, you can avoid many of WPA's hassles. (Alas, one exception seems to be the network interface card; many users report that any NIC change seems to trigger the whole reactivation process, even if nothing else changes.) Even this gentler, kinder WPA remains an issue, because it's a mandatory element of XP. There's no getting around it. If you don't register, your software cripples itself and reverts to a reduced functionality mode.

But the greater security/privacy issue may lie with Passport, which is a nominally optional part of XP and many other Microsoft offerings.

Passport Has Your Number
Microsoft's Passport is a centralized, cross-domain logon-automation service. (Microsoft recently changed the service's name to .Net Passport, but we'll continue using the short form of the name here.)

Passport is very aggressively pushed within Windows XP and most of Microsoft's online offerings. While you don't have to sign up for Passport to use XP itself, you'll encounter it as a mandatory element of many of Microsoft's bundled offerings such as MSN/Hotmail, MSN Messenger, and the personalized versions of MSN.com.

In Microsoft's words, Passport is:

... an online service that makes it possible for you to use your E-mail address and a single password to sign in--securely--to any .NET Passport participating Web site or service. It lets you move easily among participating sites without the need to remember a different sign-in name and password for each site. With .NET Passport you can take advantage of personalization options at many Web sites, and you can also choose to use .NET Passport express purchase to make online shopping easy and convenient. Use .NET Passport on any web-enabled device.

As of now, the central Passport site stores a limited amount of user data: birth date, country/region, state, ZIP code, gender, accessibility, time zone, and occupation. By default, signing up for Passport authorizes Microsoft to share this demographic data with its partners, although, Microsoft says, not in a way that can be associated with you in particular.

That sounds fine. It sounds even better when you see that you can inform Microsoft not to share this demographic information: Just click the opt-out check boxes on the Passport member services form.

But there's a catch, because Microsoft and its partners actually still can track you via a unique numeric identifier:

Passport associates a Passport unique identifier with every Passport account at registration. The unique identifier is a unique 64-bit number that Passport sends (encrypted) to each Passport participating site that you choose to sign in to. This unique identifier makes it possible for the site to determine whether you are the same person from one sign-in session to the next.

This gives Passport-enabled sites a way to get around some techniques used for anonymous surfing. Even if a Passport site doesn't initially know you by name, it may still know you by your Passport's persistent numeric code and thus can build an ongoing profile of you and your surfing habits on that site. More darkly, there's also no technical reason two or more Passport-enabled sites couldn't combine their information to build a highly detailed personal profile about you, using Passport's unique numeric identifier as the unifying key. And if any one site has a record of your name, E-mail, credit-card numbers, and the like, then in theory all the sharing sites could have that information simply by collating their separately gathered data via the unique identifier.

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.