RealTime IT News

Privacy Groups Request Injunction Against Windows XP

Trouble began brewing on another front for embattled Microsoft Corp. Wednesday when a group of public interest and advocacy groups -- including the Electronic Privacy Information Center (EPIC), Junkbusters Corp. and the Privacy Foundation, among others -- said they will file a formal complaint with the Federal Trade Commission (FTC) on Thursday alleging that the Windows XP operating system steers users to sign up for Microsoft's Passport authentication system -- something the group said constitutes an unfair and deceptive practice.

The group said it will ask for an injunction, preventing Microsoft from shipping Windows XP until the FTC investigates the complaint. The group said it will also ask for an investigation and other relief.

Microsoft is scheduled to ship Windows XP on Oct. 25 of this year.

Passport is a 'sign-in once and go' system, which gives a user a single log-in and password which can be used to enter a host of Microsoft and Microsoft partner sites. The system stores user information, including credit card and other personal data, allowing a user to utilize features like the Passport Digital Wallet, which automatically enters that information into an e-commerce form when the user goes shopping on the Internet.

The system has been in use for some time by the 100+ million subscribers to Microsoft's Web-based Hotmail e-mail service. But the company is hoping its importance will skyrocket next year when it rolls out its Hailstorm services. Hailstorm is an integral component of the company's guiding .NET strategy, designed to free users from reliance solely on the PC as a way to access the Internet. Hailstorm's part on the .NET stage is that of an enabler. It allows users to access their information in the same way through a PC, a PDA or a smart phone.

From Microsoft's description: "Based on the Passport user authentication system, HailStorm permits applications and services to cooperate for the user's benefit, as well as allowing users, groups, and organizations to share and collaborate. For instance, with HailStorm services, booking a flight using an online travel reservation service becomes much simpler because with the user's consent, the travel service automatically access the user's preferences and payment. If you're traveling on business, and your company has travel policies you need to adhere to, your individual affiliation with your company's HailStorm group identity will make it possible for the travel service to automatically show you only the choices that meet both your preferences and your company's requirements. Once you've chosen your flight, the travel service can use HailStorm, with your explicit permission, to figure out which calendaring service you use and automatically schedule the itinerary onto your calendar, automatically updating that itinerary and notifying you if your flight will be late. And through HailStorm, you can share that live flight itinerary with whomever youre going to visit so that they will also know when and where to expect you. The information in your HailStorm-enabled calendar can then be accessed through your PC, someone else's PC, a smart phone, a PDA, or any other smart connected device."

All the information gathered through Passport (and presumably Hailstorm, when it's launched) is stored on a Microsoft database, which the group argues puts Microsoft at the center of a great deal of e-commerce and other online activity. Even if Microsoft does not use that information itself or share it with third-parties, as the company claims, the group said privacy is still a major concern because Microsoft has been hacked a number of times.

"It has never been or view that the Microsoft .NET platform and associated services [like Passport, Digital Wallet and Hailstorm] is a privacy-friendly platform," said Marc Rotenberg, executive director of EPIC.

Jason Catlett, president of Junkbusters, noted that in August 1999, when Hotmail was added to the Passport system, security was such that it was fairly easy for someone to log-in to Hotmail and read any other Hotmail user's e-mail.

"There's a claim that Microsoft makes when it's collecting personal information for Passport that 'any information provided to Microsoft remains secure and private,'" Catlett said. "That simply does not stand up."

And in the complaint, the group said it will claim that the way Passport has been bundled with Windows XP is designed to goad people into signing up for the service. When computers running Windows XP first log onto the Internet, XP tells users that they need a Passport to utilize some of XP's new Internet communication features like Windows Messenger. XP then prompts the users to sign up for one.

"It is Microsoft's monopoly power in the operating system market that allows it to coerce, from consumers, personal information that the consumers would not otherwise volunteer," Catlett said.

He continued, "The other information aggregators have to get the consumer to sign up for the service on the merits of the service, but Microsoft is able to coerce the consumer."

He added that many consumers have signed up with Passport in order to get access to Hotmail, and, "Suddenly, without many of them noticing, they have Passport accounts and are part of this database." At that point, he said, the information is able to be used by a great number of other parties.

Microsoft could not be reached for comment as of this writing. However, it maintains that its Passport feature enhances consumer privacy rather than endangers it. The second of its Passport Privacy Principles is "Member Control, Choice and Consent."

"You are in complete control of which Web sites receive the Personal Information in your Passport profile and Passport wallet," the principles state. "Your Personal Information and accompanying profile information, is not given to a Web site unless you explicitly choose to provide it by clicking the Passport sign-in or express purchase/wallet link on that site or as referenced above. Your email address will be shared with Microsoft and with the Web site you are registering from, and you can choose to share with other Passport web sites when you choose to sign into those web sites. Microsoft will not share, sell, or use your Personal Information in any way not described in this privacy statement without your consent."

The policy goes on to say, "From time to time, Passport will report average age, gender, and other aggregate membership statistics to our participating sites. These reports will not include Personal Information that identifies you or allows others to contact you."