RealTime IT News

Microsoft Said to Have New Security Plans

UPDATED: Microsoft's next operating system, code-named Longhorn, will feature a new personal data repository, according to a news report Monday.

The service, called Info-cards, would reside on the user's PC and aggregate personal information such as names, credit card numbers and mailing addresses, and would allow people to use that information when they shop or conduct business online, Microsoft executives said in a Wall Street Journal report.

Users will be able to create separate cards for particular types of transactions, such as one for shopping online and another for filling out an online application. All cards would use an encrypted format to foil information theft, and technology such as digital certificates to curb phishing attacks.

According to Microsoft officials in the report, some of them named and others anonymous, the technology will be built on open protocols so that the Info-card service can run in a non-Windows environment, such as Linux, and interoperate with federated identity management software such as that developed through the Liberty Alliance.

Microsoft officials were not available for comment at press time. A beta version of Longhorn is expected in June, with a final release sometime in 2006.

John Pescatore, vice president and research fellow at Gartner Research, said the Info-card service sounds like a variation of Microsoft's digital wallet product under Hailstorm and Passport, where the browser securely stored user data and sent it to Web sites if the user chose to let it.

Hailstorm was originally launched in March 2001 as a software-as-a-service (SaaS) play, a set of user-centric Web services designed to meet the needs and usage patterns of the individual.

The difficulty in Microsoft's plans for a safe Info-card, Pescatore said, will be getting the Web browser to identify when a user is visiting a site that's legitimate or a site harvesting personal data for criminal use.

"How can I be really sure that I'm at a Web site I can trust? How do I fight phishing before I decide to exchange these secure credentials or allow this information out?"

The answer goes beyond mere digital certificates, which don't do the trick, Pescatore said, because if a phisher can fool a person into visiting citibank3.com, it is easy enough to obtain a digital certificate verifying that they really are visiting citibank3.com. What Microsoft needs, he said, is something like the technology provided by WholeSecurity, which scans a Web site's HTML for clues to the site's purpose.
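To make Pescatore's point concrete, here is an added illustration (not code from the article, Microsoft or WholeSecurity): a browser-style certificate name check passes for a lookalike domain such as citibank3.com because the certificate genuinely belongs to that domain, so a separate brand-lookalike heuristic is needed to raise a warning. The KNOWN_BRANDS list and the similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed list of domains a user might intend to visit (assumption, not from the article).
KNOWN_BRANDS = {"citibank.com", "bankofamerica.com", "ebay.com"}


def registrable_label(host: str) -> str:
    """Second-level label of a host name, e.g. 'citibank3' for 'www.citibank3.com'."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def cert_matches_host(cert_subject: str, host: str) -> bool:
    """The name check a browser performs: the certificate subject must equal the host,
    or be a wildcard covering exactly one leading label. A certificate issued for
    citibank3.com passes this check for citibank3.com, which is the whole problem."""
    cert_subject, host = cert_subject.lower(), host.lower()
    if cert_subject.startswith("*."):
        return host.split(".", 1)[1:] == [cert_subject[2:]]
    return cert_subject == host


def lookalike_of(host: str, brands=KNOWN_BRANDS) -> Optional[str]:
    """Defender-side heuristic the certificate check cannot give you: report which
    known brand a host resembles, or None for the genuine domain / an unrelated host.
    Digits and hyphens are stripped ('citibank3' -> 'citibank') and near-misses are
    caught with a similarity ratio (0.85 is a constructed threshold)."""
    host = host.lower().rstrip(".")
    if host in brands or any(host.endswith("." + b) for b in brands):
        return None  # the real site or one of its subdomains
    label = registrable_label(host)
    stripped = re.sub(r"[0-9\-]", "", label)
    for brand in brands:
        brand_label = registrable_label(brand)
        if stripped == brand_label:
            return brand
        if SequenceMatcher(None, label, brand_label).ratio() >= 0.85:
            return brand
    return None


if __name__ == "__main__":
    site = "citibank3.com"
    print("certificate check passes:", cert_matches_host(site, site))  # True
    print("resembles known brand:", lookalike_of(site))               # citibank.com
```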

Microsoft already has business dealings with the company. Last month, Microsoft was identified as one of the initial participants in WholeSecurity's Phish Report Network, a database of reported and known phishing sites.

Beyond security concerns, Pescatore said the Info-card launch will face some hesitation from developers and users who still remember the security vulnerabilities associated with Passport. He said that at least the Info-card doesn't require people to store their information on Microsoft servers. But people are still going to take longer to trust first-generation Microsoft products.

He expects it to take about a year, roughly when Longhorn arrives, for the rumored Internet Explorer (IE) 7 to showcase the technology and for people to put it through its paces.

"Give this Info-card approach a year or so for people to bang on it and see if there are going to be problems found in it like Passport before anybody leaps on it," he said.

The news comes at a time when the concerns over personal information security are on the minds of consumers.

Data broker ChoicePoint admitted earlier this year that the credit reports, addresses and Social Security numbers of as many as 145,000 people might have been compromised in an ID theft criminal ring.

Another data broker, LexisNexis, reported earlier this month a similar database breach at one of its subsidiaries, Seisint.

And in February, Bank of America reported it lost one of the data tapes used to store personal information, affecting 1.2 million federal employees.

The Redmond, Wash., company has dabbled in personal information repositories for some time, notably through Passport. Similar to the Info-card concept, Passport was designed as a federated identity management solution for its users, allowing single sign-on authentication at merchant sites worldwide.

The service in time drew 14 million users, but privacy groups and analysts soon came out against it because it stores personal information on Microsoft servers rather than on the user's computer.

Numerous vulnerabilities were discovered over the years, which ate away at the credibility of the system, prompting research firm Gartner to state in 2003 that Passport couldn't be trusted for use at financial institutions and businesses.

Privacy advocates like the Electronic Privacy Information Center and the Center for Media Education filed a complaint against Microsoft's service to the Federal Trade Commission in 2001.

The groups claimed Windows XP encouraged people to sign up for the Passport service, which they stated in the filing was an unfair and deceptive practice.

Microsoft cut a deal with the FTC the following year, agreeing to 20 years of independent, third-party audits of its Passport technology to assuage privacy and security concerns. In December 2004, online auctioneer giant eBay announced it was dropping Passport.