Langa Letter: The End Of Anonymous Surfing? - InformationWeek
Fred Langa

Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

During the run-up to Windows XP's release, we identified two important areas for concern regarding the way XP manages--or mangles--your privacy: Windows Product Activation and Passport.

To recap: We initially focused extensively on WPA. (See "Is Windows XP's 'Product Activation' A Privacy Risk?" and "1,000 Posts Later: WPA Update.") After those articles were written, Microsoft "softened" WPA. The company increased the number of components that it let you change without triggering a need to reactivate and changed the time period during which system changes are tracked. If you don't change your system components too much, too fast, you can avoid many of WPA's hassles. (Alas, one exception seems to be the network interface card; many users report that any NIC change seems to trigger the whole reactivation process, even if nothing else changes.) Even this gentler, kinder WPA remains an issue, because it's a mandatory element of XP. There's no getting around it. If you don't register, your software cripples itself and reverts to a reduced functionality mode.

But the greater security/privacy issue may lie with Passport, which is a nominally optional part of XP and many other Microsoft offerings.

Passport Has Your Number
Microsoft's Passport is a centralized, cross-domain logon-automation service. (Microsoft recently changed the service's name to .Net Passport, but we'll continue using the short form of the name here.)

Passport is very aggressively pushed within Windows XP and most of Microsoft's online offerings. While you don't have to sign up for Passport to use XP itself, you'll encounter it as a mandatory element of many of Microsoft's bundled offerings such as MSN/Hotmail, MSN Messenger, and the personalized versions of

In Microsoft's words, Passport is:

... an online service that makes it possible for you to use your E-mail address and a single password to sign in--securely--to any .NET Passport participating Web site or service. It lets you move easily among participating sites without the need to remember a different sign-in name and password for each site. With .NET Passport you can take advantage of personalization options at many Web sites, and you can also choose to use .NET Passport express purchase to make online shopping easy and convenient. Use .NET Passport on any web-enabled device.

As of now, the central Passport site stores a limited amount of user data: birth date, country/region, state, ZIP code, gender, accessibility, time zone, and occupation. By default, signing up for Passport authorizes Microsoft to share this demographic data with its partners, although, Microsoft says, not in a way that can be associated with you in particular.

That sounds fine. It sounds even better when you see that you can inform Microsoft not to share this demographic information: Just click the opt-out check boxes on the Passport member services form.

But there's a catch, because Microsoft and its partners actually still can track you via a unique numeric identifier:

Passport associates a Passport unique identifier with every Passport account at registration. The unique identifier is a unique 64-bit number that Passport sends (encrypted) to each Passport participating site that you choose to sign in to. This unique identifier makes it possible for the site to determine whether you are the same person from one sign-in session to the next.

This gives Passport-enabled sites a way to get around some techniques used for anonymous surfing. Even if a Passport site doesn't initially know you by name, it may still know you by your Passport's persistent numeric code and thus can build an ongoing profile of you and your surfing habits on that site. More darkly, there's also no technical reason two or more Passport-enabled sites couldn't combine their information to build a highly detailed personal profile about you, using Passport's unique numeric identifier as the unifying key. And if any one site has a record of your name, E-mail, credit-card numbers, and the like, then in theory all the sharing sites could have that information simply by collating their separately gathered data via the unique identifier.
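The collation risk described above, shown as an added example that is not part of the original column or any Microsoft code: two sites that receive the same identifier can join their records on it, while a per-site (pairwise) identifier leaves nothing to join on. The provider key, site names, account numbers and records are constructed for illustration, and the pairwise scheme is a design assumption, not something the column says Passport does.

```python
import hashlib
import hmac
import secrets

# Hypothetical identity-provider secret (constructed; never shared with sites).
PROVIDER_KEY = secrets.token_bytes(32)


def global_id(account_id: int, site: str) -> str:
    """One 64-bit identifier sent to every site; `site` is ignored."""
    return f"{account_id:016x}"


def pairwise_id(account_id: int, site: str) -> str:
    """Per-site identifier: stable within a site, unlinkable across sites."""
    msg = account_id.to_bytes(8, "big") + b"|" + site.encode()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def site_records(issue, site, visits):
    """What one site stores: identifier it was given -> data it gathered."""
    records = {}
    for account_id, data in visits:
        records.setdefault(issue(account_id, site), {}).update(data)
    return records


def collate(a, b):
    """Two sites pooling their records, joined on the identifier."""
    return {uid: {**a[uid], **b[uid]} for uid in a.keys() & b.keys()}


# Constructed sample data: two accounts seen by two sites.
ALICE, BOB = 0x1122334455667788, 0x99AABBCCDDEEFF00
SHOP_VISITS = [(ALICE, {"name": "A. Example", "email": "a@example.test"}),
               (BOB, {"name": "B. Example"})]
NEWS_VISITS = [(ALICE, {"articles_read": ["health", "finance"]}),
               (BOB, {"articles_read": ["sports"]})]


def linked_profiles(issue):
    """Profiles the two sites can merge under the given identifier scheme."""
    shop = site_records(issue, "shop.example", SHOP_VISITS)
    news = site_records(issue, "news.example", NEWS_VISITS)
    return collate(shop, news)


if __name__ == "__main__":
    print("global id  :", linked_profiles(global_id))    # both profiles merge
    print("pairwise id:", linked_profiles(pairwise_id))  # nothing to join on
```

With the shared identifier, the news site's reading history ends up attached to the name and e-mail address that only the shop collected; with pairwise identifiers each site still recognizes a returning visitor but the join comes back empty.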
