Privacy groups attack Microsoft - again

 

Gallery

Posted on 17 Aug 2001 at 16:58

The complaints mount up as Windows XP nears launch.

Privacy groups have requested an injunction and investigation against Microsoft, claiming that the software company is engaging in "unfair and deceptive trade practices."

Last month the Electronic Privacy Information Center (EPIC) sent a complaint to the Federal Trade Commission, predicting that Windows XP would be the primary means for consumers to gain Internet access, and that Microsoft intended to glean personal data from the millions of users via its .Net system.

The meat of the argument is that Microsoft currently holds the world's largest database of Internet users, which it will be able to share with its business partners and so degrade the privacy of those users. Windows XP virtually forces users to subscribe to the Passport service, tying them into this database.

Passport is intended to make e-commerce and other services that require authentication easy to use. Instead of typing in your name and credit card number a user simply needs to log into Passport and compatible systems will 'know' all they need to about that user.

For example, Hotmail users need to log in to the Hotmail system using a username and password in order to access e-mail. Plenty of online stores operate in the same way, requiring you to log in but then remembering your email address, credit card numbers and address. This is convenient, but how much more convenient would it be to just log in at Hotmail and have, for example, Amazon instantly recognise you and allow you to pay for goods immediately?

But that convenience comes at a price, according to EPIC and 12 other organisations, which claim that Microsoft has not made sufficiently stiff stipulations about security levels to participating Web sites. Such sites are required to post a privacy policy, but Microsoft does not specify the level of security this policy must cover. The FTC complaint expresses a fear that consumers will automatically assume that Microsoft has taken big steps to protect their data, when in fact it probably hasn't.

Since the first complaint Microsoft reduced the amount of information users were required to give to obtain a Passport. Now an e-mail address, country, state and post code is considered sufficient. Additionally, partner sites must support the Platform for Privacy Preferences (P3P). But a second complaint has now been filed, criticising P3P as being confusing and without teeth.

"P3P is a complicated and confusing language for web sites to describe their privacy policies in a machine readable format that fails to provide any assurance of compliance with baseline privacy standards, including the FTC's own privacy standards."

Additionally, it appears that Windows XP will prevent users from running many current personal firewall products. The developers must provide XP-compatible drivers before such programs may be run.

But perhaps most sinister is the claim that there is no way for users to delete their Passports should they decide to remove information about themselves from the Internet. There is a period of one year before an account will expire.

The complaint sums up with, "Contrary to Microsoft's representations, users will have little control over their personal information stored in Passport. The assignment of globally-unique identifiers, the absence of mechanisms to delete information, the inability of Microsoft to provide adequate security, the centralized storage of personal information, and the reduction of online anonymity pose a substantial risk that Passport will harm users' privacy.