Privacy Groups Request Injunction Against Windows XP

Trouble began brewing on another front for embattled Microsoft Corp.
Wednesday when a group of public interest and advocacy groups — including
the Electronic Privacy Information Center (EPIC), Junkbusters Corp. and the
Privacy Foundation, among others — said they will file a formal complaint
with the Federal Trade Commission (FTC) on Thursday alleging that the
Windows XP operating system steers users to sign up for Microsoft’s Passport
authentication system — something the group said constitutes an unfair and
deceptive practice.

The group said it will ask for an injunction, preventing Microsoft from
shipping Windows XP until the FTC investigates the complaint. The group said
it will also ask for an investigation and other relief.

Microsoft is scheduled to ship Windows XP on Oct. 25 of this year.

Passport is a ‘sign-in once and go’ system, which gives a user a single
log-in and password which can be used to enter a host of Microsoft and
Microsoft partner sites. The system stores user information, including
credit card and other personal data, allowing a user to utilize features
like the Passport Digital Wallet, which automatically enters that
information into an e-commerce form when the user goes shopping on the
Internet.


The system has been in use for some time by the 100+ million subscribers to
Microsoft’s Web-based Hotmail e-mail service. But the company is hoping its
importance will skyrocket next year when it rolls out its Hailstorm
services. Hailstorm is an integral component of the company’s guiding .NET
strategy, designed to free users from reliance solely on the PC as a way to
access the Internet. Hailstorm’s part on the .NET stage is that of an
enabler. It allows users to access their information in the same way through
a PC, a PDA or a smart phone.

From Microsoft’s description: “Based on the Passport user authentication
system, HailStorm permits applications and services to cooperate for the
user’s benefit, as well as allowing users, groups, and organizations to
share and collaborate. For instance, with HailStorm services, booking a
flight using an online travel reservation service becomes much simpler
because with the user’s consent, the travel service automatically access the
user’s preferences and payment. If you’re traveling on business, and your
company has travel policies you need to adhere to, your individual
affiliation with your company’s HailStorm group identity will make it
possible for the travel service to automatically show you only the choices
that meet both your preferences and your company’s requirements. Once
you’ve chosen your flight, the travel service can use HailStorm, with your
explicit permission, to figure out which calendaring service you use and
automatically schedule the itinerary onto your calendar, automatically
updating that itinerary and notifying you if your flight will be late. And
through HailStorm, you can share that live flight itinerary with whomever
youre going to visit so that they will also know when and where to expect
you. The information in your HailStorm-enabled calendar can then be
accessed through your PC, someone else’s PC, a smart phone, a PDA, or any
other smart connected device.”

All the information gathered through Passport (and presumably Hailstorm,
when it’s launched) is stored on a Microsoft database, which the group
argues puts Microsoft at the center of a great deal of e-commerce and other
online activity. Even if Microsoft does not use that information itself or
share it with third-parties, as the company claims, the group said privacy
is still a major concern because Microsoft has been hacked a number of
times.

“It has never been or view that the Microsoft .NET platform and associated
services [like Passport, Digital Wallet and Hailstorm] is a privacy-friendly
platform,” said Marc Rotenberg, executive director of EPIC.

Jason Catlett, president of Junkbusters, noted that in August 1999, when
Hotmail was added to the Passport system, security was such that it was
fairly easy for someone to log-in to Hotmail and read any other Hotmail
user’s e-mail.

“There’s a claim that Microsoft makes when it’s collecting personal
information for Passport that ‘any information provided to Microsoft remains
secure and private,'” Catlett said. “That simply does not stand up.”


And in the complaint, the group said it will claim that the way Passport has
been bundled with Windows XP is designed to goad people into signing up for
the service. When computers running Windows XP first log onto the Internet,
XP tells users that they need a Passport to utilize some of XP’s new
Internet communication features like Windows Messenger. XP then prompts the
users to sign up for one.

“It is Microsoft’s monopoly power in the operating system market that allows
it to coerce, from consumers, personal information that the consumers would
not otherwise volunteer,” Catlett said.

He continued, “The other information aggregators have to get the consumer to
sign up for the service on the merits of the service, but Microsoft is able
to coerce the consumer.”

He added that many consumers have signed up with Passport in order to get
access to Hotmail, and, “Suddenly, without many of them noticing, they have
Passport accounts and are part of this database.” At that point, he said,
the information is able to be used by a great number of other parties.

Microsoft could not be reached for comment as of this writing. However, it
maintains that its Passport feature enhances consumer privacy rather than
endangers it. The second of its Passport
Privacy Principles
is “Member Control, Choice and Consent.”

“You are in complete control of which Web sites receive the Personal
Information in your Passport profile and Passport wallet,” the principles
state. “Your Personal Information and accompanying profile information, is
not given to a Web site unless you explicitly choose to provide it by
clicking the Passport sign-in or express purchase/wallet link on that site
or as referenced above. Your email address will be shared with Microsoft and
with the Web site you are registering from, and you can choose to share with
other Passport web sites when you choose to sign into those web sites.
Microsoft will not share, sell, or use your Personal Information in any way
not described in this privacy statement without your consent.”

The policy goes on to say, “From time to time, Passport will report average
age, gender, and other aggregate membership statistics to our participating
sites. These reports will not include Personal Information that identifies
you or allows others to contact you.”

News Around the Web