Langa Letter: The End Of Anonymous Surfing? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications
Commentary
10/30/2001
10:18 AM
Fred Langa
Fred Langa
Commentary
50%
50%

Langa Letter: The End Of Anonymous Surfing?

Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

During the run-up to Windows XP's release, we identified two important areas for concern regarding the way XP manages--or mangles--your privacy: Windows Product Activation and Passport.

To recap: We initially focused extensively on WPA. (See Is Windows XP's 'Product Activation' A Privacy Risk? and 1,000 Posts Later: WPA Update .) After those articles were written, Microsoft "softened" WPA. The company increased the number of components that it let you change without triggering a need to reactivate and changed the time period during which system changes are tracked. If you don't change your system components too much, too fast, you can avoid many of WPA's hassles. (Alas, one exception seems to be the network interface card; many users report that any NIC change seems to trigger the whole reactivation process, even if nothing else changes.) Even this gentler, kinder WPA remains an issue, because it's a mandatory element of XP. There's no getting around it. If you don't register, your software cripples itself and reverts to a reduced functionality mode.

But the greater security/privacy issue may lie with Passport, which is a nominally optional part of XP and many other Microsoft offerings.

Passport Has Your Number
Microsoft's Passport is a centralized, cross-domain logon-automation service. (Microsoft recently changed the service's name to .Net Passport, but we'll continue using the short form of the name here.)

Passport is very aggressively pushed within Windows XP and most of Microsoft's online offerings. While you don't have to sign up for Passport to use XP itself, you'll encounter it as a mandatory element of many of Microsoft's bundled offerings such as MSN/Hotmail, MSN Messenger, and the personalized versions of MSN.com.

In Microsoft's words, Passport is:

... an online service that makes it possible for you to use your E-mail address and a single password to sign in--securely--to any .NET Passport participating Web site or service. It lets you move easily among participating sites without the need to remember a different sign-in name and password for each site. With .NET Passport you can take advantage of personalization options at many Web sites, and you can also choose to use .NET Passport express purchase to make online shopping easy and convenient. Use .NET Passport on any web-enabled device.

As of now, the central Passport site stores a limited amount of user data: birth date, country/region, state, ZIP code, gender, accessibility, time zone, and occupation. By default, signing up for Passport authorizes Microsoft to share this demographic data with its partners, although, Microsoft says, not in a way that can be associated with you in particular.

That sounds fine. It sounds even better when you see that you can inform Microsoft not to share this demographic information: Just click the opt-out check boxes on the Passport member services form.

But there's a catch, because Microsoft and its partners actually still can track you via a unique numeric identifier:

Passport associates a Passport unique identifier with every Passport account at registration. The unique identifier is a unique 64-bit number that Passport sends (encrypted) to each Passport participating site that you choose to sign in to. This unique identifier makes it possible for the site to determine whether you are the same person from one sign-in session to the next.

This gives Passport-enabled sites a way to get around some techniques used for anonymous surfing. Even if a Passport site doesn't initially know you by name, it may still know you by your Passport's persistent numeric code and thus can build an ongoing profile of you and your surfing habits on that site. More darkly, there's also no technical reason two or more Passport-enabled sites couldn't combine their information to build a highly detailed personal profile about you, using Passport's unique numeric identifier as the unifying key. And if any one site has a record of your name, E-mail, credit-card numbers, and the like, then in theory all the sharing sites could have that information simply by collating their separately gathered data via the unique identifier.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
News
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Commentary
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Slideshows
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Slideshows
Flash Poll