But wait, you might say, doesn't the use of the Passport centralized service imply that there's a centralized, consistent privacy policy across all the Passport sites?

In a word, no. In fact, Microsoft's Passport FAQ clearly states that, although it expects its member sites to behave properly:

...the privacy practices of Passport participating sites will vary. Therefore you should carefully review the privacy statement for each Passport participating site you sign in to, in order to determine how each site or service will use the information it collects.

Wow! Think about what that means. Passport users are not only subject to the same site-by-site vagaries of privacy policy as any other users, but they also arrive at each site dragging Passport's persistent tracking number with them. So, ironically, logging on to a site via Passport may actually make you less secure than if you went in on your own, because with Passport, you can't be fully anonymous from session to session.

And there actually are many other ways that Passport information could be abused. One scenario is spelled out in some detail by Joel Spolsky in Does Issuing Passports Make Microsoft A Country?

If Joel's page is too informal for your tastes, try this white paper from AT&T researchers: Risks Of The Passport Single Signon Protocol, or see the additional references at the end of this article.

Crackers' Paradise?
One also can ask legitimate questions about the inherent safety of the Passport central database because Microsoft has a spotty record of managing its online services. See, for example, any number of reports about Hotmail outages, or Messenger woes cast cloud over Hailstorm. Although the Passport central site doesn't gather extremely sensitive data by default, it can do so optionally. If you also choose "make your shopping easier" with the Passport Wallet, your Passport login can be associated with your credit-card numbers and such. The potential for trouble is obvious, so the site is likely to become a prime target for crackers.

While the skills needed for a frontal assault on the full Passport database might be formidable, it probably won't be very hard at all to crack many individual accounts, because each Passport depends on each user choosing a good password.

IT administrators know how hard it is to get users to pick difficult-to-guess passwords. A good password is a mix of characters, numbers, and punctuation at least six elements in length, such that the password will not be found in any dictionary; it should not comprise easy-to-guess items such as names of children, pets, etc. Ideally, a good password is one that's as close to incomprehensibly random as possible, while still being able to be memorized without writing down.

But most users pick much simpler passwords, and that means that many Passport accounts may be trivially easy to crack. Because a single name/password can protect a user's online identification at many sites, a breach of a Passport account may have an unusually large ripple effect.

To help overcome some of this fundamental insecurity, just a few weeks ago Microsoft revealed a newer version of Passport that will eventually rely on the P3P (Platform for Privacy Preferences) open standard; but this is of little help today because the standard is still only in working draft form. (See P3P: Protector Of Consumers' Online Privacy for an early analysis.)

Thus, even if P3P eventually helps improve Passport security, it's of no use right now to the millions of people exploring XP and being enticed to sign up for the current version of Passport.