Microsoft Said to Have New Security Plans

UPDATED: Microsoft’s next operating system, code-named Longhorn,
will feature a new personal data repository, according to a news report
Monday.

The service, called Info-cards, would reside on the user’s PC and aggregate
personal information like names, credit card numbers and mailing addresses, and would allow people to use them when they shop or conduct business online, Microsoft executives said in a Wall Street Journal report.

Users will be able to create unique cards for certain types of
transactions, such as one for shopping online and another for filling out an
online application. The cards use an encrypted format to foil information theft
and technology like digital certificates to curb phishing attacks.

According to Microsoft officials in the report, some of them named and others anonymous, the technology will be built
using open protocols to allow the Info-card service to run in a
non-Windows environment, like Linux, as well as interoperate with federated
identity management software such as that created through the Liberty Alliance.

Microsoft officials were not available for comment at press time. A beta
version of Longhorn
is expected in June, with a final release sometime in 2006.

John Pescatore, vice president and research fellow at Gartner Research, said
the Info-card service sounds like a variation of Microsoft’s digital wallet
product under Hailstorm and Passport, where the browser securely stored user
data and sent it to Web sites if the user chose to do so.

Hailstorm was originally launched in
March 2001 as a software-as-a-service (SaaS) play, a set of
user-centric Web services designed to meet the needs and usage patterns of
the individual.

The difficulty in Microsoft’s plans for a safe Info-card, Pescatore said,
will be getting the Web browser to determine whether a user is visiting a
legitimate site or one harvesting personal data for criminal use.

“How can I be really sure that I’m at a Web site I can trust? How do I fight phishing before I decide to exchange these secure credentials or allow this information out?”

The answer goes beyond mere digital certificates, which don’t do the trick,
Pescatore said, because if the phisher can fool a person into visiting
citibank3.com, it’s an easy enough process to get a digital certificate
verifying that they are really visiting citibank3.com. What Microsoft needs,
he said, is something like the technology provided by WholeSecurity, which
scans a Web site’s HTML for clues to the site’s purpose.
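As an added illustration of Pescatore’s point (this is not code from the article, from Microsoft or from WholeSecurity), the Python below mimics a browser’s certificate hostname check and shows that it passes for a lookalike such as citibank3.com, then applies a separate lookalike heuristic against a trusted-domain list. The trusted-domain list and the certificate subject names are constructed for the example.

```python
# Added example (not from the article): a certificate only binds a key to a
# hostname, so a lookalike host such as citibank3.com can hold a valid one.
# TRUSTED_DOMAINS and the certificate subject names passed in are constructed
# for illustration; a real client would read the name from the X.509 subject.
from difflib import SequenceMatcher

# Constructed "known good" list of domains the user has previously trusted.
TRUSTED_DOMAINS = ("citibank.com", "bankofamerica.com", "ebay.com")

def cert_matches_host(cert_subject_name: str, hostname: str) -> bool:
    """Mimic the browser's hostname check: the certificate's subject name
    must equal the visited host (single-label wildcard supported)."""
    subject = cert_subject_name.lower()
    host = hostname.lower()
    if subject.startswith("*."):
        return host.split(".", 1)[1:] == [subject[2:]]
    return subject == host

def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'citibank3' from 'www.citibank3.com'."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(hostname: str, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain this hostname imitates, or None.
    Trusted domains themselves (and their subdomains) are not lookalikes."""
    host = hostname.lower().rstrip(".")
    for good in trusted:
        if host == good or host.endswith("." + good):
            return None
    label = registrable_label(host)
    stripped = "".join(ch for ch in label if ch.isalpha())  # drop digits/hyphens
    best = None
    for good in trusted:
        score = SequenceMatcher(None, stripped, registrable_label(good)).ratio()
        if score >= threshold and (best is None or score > best[1]):
            best = (good, score)
    return best[0] if best else None

def assess(cert_subject_name: str, hostname: str) -> str:
    """Combine both checks into a verdict a client could show the user."""
    if not cert_matches_host(cert_subject_name, hostname):
        return "certificate mismatch"
    imitated = lookalike_of(hostname)
    if imitated:
        return f"valid certificate, but looks like {imitated}"
    return "ok"
```

The heuristic is deliberately simple; it catches digit-padded names like citibank3.com but not every homograph, which is why content-based checks such as scanning the page itself are also discussed above.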

Microsoft already has business dealings with the company. Last month, the
company was identified as one of the initial participants in WholeSecurity’s
Phish Report Network, a database containing reported and known phishing
sites.

Beyond security concerns, Pescatore said the Info-card launch will face
some hesitation from developers and users who still remember the security
vulnerabilities associated with Passport. He said that at least the
Info-card doesn’t require people to store their information on Microsoft
servers. But people are still going to take longer to trust first-generation
Microsoft products.

He expects people to give the rumored Internet Explorer (IE) 7 about a year
to showcase the technology, around the time Longhorn shows up.

“Give this Info-card approach a year or so for people to bang on it and see
if there are going to be problems found in it like Passport before anybody
leaps on it,” he said.

The news comes at a time when concerns over personal information
security are on consumers’ minds.

Data broker ChoicePoint admitted earlier this year that the credit reports, addresses and Social Security numbers of as many as 145,000 people might have been compromised in an ID theft criminal ring.

Another data broker, LexisNexis, reported earlier this month a similar database breach at one of its subsidiaries, Seisint.

And in February, Bank of America reported it lost one
of the data tapes used to store personal information, affecting 1.2 million
federal employees.

The Redmond, Wash., company has dabbled in personal information repositories
for some time, notably through Passport.
Similar to the Info-card concept, Passport was designed to be a federated
identity management solution for its users, allowing single sign-on
authentication across merchant sites worldwide.

The technology in time drew 14 million users to its service, but privacy
groups and analysts soon came out against the service, which stored the
personal information on Microsoft servers rather than on the user’s
computer.

Numerous vulnerabilities were discovered over the years, which ate away at the credibility of the system, prompting research firm Gartner to state in 2003 that Passport couldn’t be trusted for use at financial institutions and businesses.

Privacy advocates like the Electronic Privacy Information Center and
the Center for Media Education filed a complaint against Microsoft’s service
to the Federal Trade Commission in 2001.

The groups claimed Windows XP encouraged people to sign up for the Passport service, which they stated in the filing was an unfair and deceptive practice.

Microsoft cut a deal with the FTC the following year, agreeing to 20 years of independent,
third-party audits of its Passport technology to assuage privacy and
security concerns.

In December 2004, online auctioneer giant eBay announced
it was dropping Passport.